My Ice-Cream was Too Cold!

Basically We Only See the Tip of the Iceberg With Scams

Lucky’s in Featherstall Road, Oldham

I meet so many people who have been scammed recently, and basically we are not seeing the full picture for scamming. Let’s look at a couple of recent examples, and see that it is not only customers that are being hit by scammers, but also small businesses.

My Ice Cream is cold

This week an ice cream take-away (Lucky’s) had to give up delivering on Just Eat, as they just could not cope with the number of scams that lost them money. One of the fake customers reported that “The ice cream was cold”, and demanded a refund. The order was “four milkshakes, a cheesecake and an ice cream”, and the scammer rejected the order, and 45 minutes later, they demanded a refund because the food was cold. This was just one of many that the take-away had received.

Basically this scam happens as the scammer will use a fake bank account to purchase the food, and then demand a refund, which goes into their account. In most cases, it is their first order, and they have no previous history of ordering. Once Just Eat discovers them, the account is most likely to be closed down.

Previously, Just Eat would contact the restaurants to check that a refund should be granted, but they have changed to provide a refund based on the customer’s action, with 30 days’ notice for the restaurant to challenge the refund.

Etsy Scam

I heard from someone a few weeks ago who had their Etsy account hacked. The first they saw of it, was rapid transactions for purchases from their account appearing on their banking app. These were all in the range of £50 to £100, and there were many of them.

The person tried to contact Etsy, but received a ticket saying that they would get back within 24 hours. Luckily they also called their bank, and they were able to catch the transactions as they went through. The bank could see exactly what the suspect transactions were, and immediately stopped them, and reassured the person.

The way the fraud seems to work is that the scammers set up fake sites in Etsy and are able to purchase their own goods with them. Money is quickly transferred to the scammer’s bank account, and then moved quickly on to money launderers. These accounts may actually be compromised bank accounts, or ones that the scammers have managed to create for short-term gain. The sites are, of course, fake, and the shop names are fairly generic. Here is one, which has two sales (both related to the scam):

But some of the shops for the purchases are still on-line. The following was one of the transactions that did not go through, but the site is still available:

The shop and the seller has now been taken down, yet. Overall the fraudsters get round the detection of their country of origin by using VPNs and proxies. In this case the log of the details showed various places in the UK:

And here is one of the purchases — two coathangers for £140 (!!!!!):

But, it makes you think, and here are some of the flaws:

  • Etsy doesn’t ask for a CVV number when a purchase is made. In this case, the credit card details were not compromised, it was just the account. Storing the CVV number is great for ease-of-use, but not good for security. In PCI-DSS, an ecommerce site should not store all the details of the credit card on the site, and should leave some details to be prompted for. Unfortunately, many sites do not implement this, including Amazon.
  • There is no two-factor authentication on the site. This must become a standard for all e-Commerce sites that store your credit card details. Many users feel reassured when they have to confirm something from their mobile phone, even if it is just an SMS message. The difficulty level that this adds for a scammer significantly slows them down.
  • Etsy should have a hotline for fraud. The stress caused to users is high, and every minute users can see new transactions going through. I do not understand why there isn’t an immediate hotline connection to Etsy, to put a stop on a user’s account.

There are other questions that relate to this:

  • Surely coathangers selling for £70 each looks a bit strange? All of the other goods, e.g. a Rubik’s cube, were selling in the £50-£100 range and look extremely overpriced.
  • Surely sellers with no feedback yet should have additional checks on the sales, and multiple transactions on the same account to new sellers should be checked.
  • Where is the feedback from the site to the buyer that something strange is going on?
  • How are the scammers able to create fake bank accounts?
  • How were the fake sellers not detected on the site? There was no photograph of the seller or details of the shop given. It is obvious they were quickly faked.
  • Etsy should have in place detection software that detects a rapid run of purchases and puts a pause on them. I appreciate that this might have eventually kicked in, but there was no sign of this in this case.
  • Did Etsy employ other methods to check the transaction, such as location tracking on the IP address? While they were all UK-based, they were from different places in the UK. Surely if someone was purchasing on the site in a short time, the locations would all be the same?
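
The checks asked for in the list above (a pause on rapid purchases, extra scrutiny of repeated purchases from sellers with no feedback, and a comparison of IP locations) can be combined in one sliding-window rule. This is an added example, not Etsy's system or code from the original post; the thresholds, field names and sample data are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed look-back window per account
MAX_PURCHASES = 3               # assumed limit per account inside the window

@dataclass
class Purchase:
    when: datetime
    account: str
    seller: str
    seller_feedback: int  # reviews the seller has received so far
    amount_gbp: float
    ip_city: str          # city resolved from the buyer's IP (assumed available)

def review_purchases(purchases):
    """Return [(purchase, reasons)] for every purchase that should be paused."""
    recent, held = {}, []
    for p in sorted(purchases, key=lambda x: x.when):
        window = recent.setdefault(p.account, deque())
        while window and p.when - window[0].when > WINDOW:
            window.popleft()  # forget purchases older than the window
        window.append(p)
        reasons = []
        if len(window) > MAX_PURCHASES:
            reasons.append("velocity")      # too many purchases too quickly
        if sum(q.seller_feedback == 0 for q in window) >= 2:
            reasons.append("new-sellers")   # repeated buys from unrated sellers
        if len({q.ip_city for q in window}) > 1:
            reasons.append("ip-location")   # same account, different cities
        if reasons:
            held.append((p, reasons))
    return held

# Constructed sample data: one hijacked account and one ordinary buyer.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [
    Purchase(T0 + timedelta(minutes=2 * i), "victim", shop, 0, amount, city)
    for i, (shop, amount, city) in enumerate([
        ("shopA", 70, "Leeds"), ("shopB", 95, "Bristol"), ("shopA", 140, "Glasgow"),
        ("shopC", 60, "Leeds"), ("shopB", 85, "Bristol")])
] + [
    Purchase(T0, "regular", "craftshop", 212, 18, "Oldham"),
    Purchase(T0 + timedelta(days=1), "regular", "craftshop", 212, 25, "Oldham"),
]

if __name__ == "__main__":
    for p, reasons in review_purchases(SAMPLE):
        print(p.when.time(), p.account, p.seller, f"£{p.amount_gbp}", reasons)
```

On the sample, the second purchase on the hijacked account is already held on two signals, before the velocity limit is even reached, while the ordinary buyer is never paused.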

Conclusions

We only see the tip of the iceberg. The banks are typically detecting fraud well, but if the cost of these frauds starts to lose them too much money, we may end up being liable for them.