After faking the services of carriers or social networks, Internet fraudsters also targeted scattered users of fashion bazaars, such as the Vinted platform. They are able to steal up to hundreds of thousands of crowns within a few clicks. Similar tricks by thieves are not new in the online world, but according to experts, their methods are becoming increasingly difficult to detect. In addition, fraudsters will only get the stolen money back very rarely.
It was supposed to be an easy extra income for a few hundred crowns, but ended up with a loss of tens of thousands of crowns. Twenty-eight-year-old Veronika (her identity is known to the editors, but she did not wish to state her full name, editor’s note) set up an account on the Vinted platform at the end of last year. It is one of the most used applications for selling second-hand clothes and is used by over a million users in the Czech Republic.
Veronika also planned to send a few pieces of clothing from her wardrobe to the world. “I used Vinted a few years ago, but because the application was changing, I had to set up a new account and learn everything again, there were a lot of new things,” Veronika describes.
At the beginning of 2022, the Lithuanian company launched a new payment system through a secure payment method, or the so-called Vinted wallet directly inside the application, to increase the comfort and safety of users. While previously buyers and sellers agreed on the payment method and the method of transport, now the entire sale is handled through the platform of this online bazaar.
Only at your own risk
However, users can also make arrangements outside the portal system. However, both parties lose the security that Vinted offers through support. “Persons who decide to make a transaction outside of Vinted are not covered by our protection, and do so at their own risk,” points out Vinted spokeswoman Magdalena Szlazová. However, the company charges a fee for a transaction through Vinted, namely five percent of the product price.
And it is precisely the ignorance of the new environment, the inattention of users and their great interest in the service that gives fraudsters credit. “It was the weekend, I was doing several things at home at the same time, I was flustered. At that moment, a lady wrote to me on Vinted saying she would like one of my jackets,” recalls Veronika.
Under the pretext of completing the purchase process, the fraudster demanded a phone number: “Good day! I’m in 3 out of 4 stages of the order. but the window shows a request for a phone number. Can you please give me your TEL-Cislo.?” At first glance, the report was characterized by several grammatical errors.
Veronika entered her phone into the application when she first logged in, but only privately for security reasons. That’s why she didn’t get suspicious and finally sent the phone number to the interested person. “At that moment, I received a link to a page in an SMS that looked like it was from Vinted, and a confirmation code that I entered there. It looked credible,” the woman describes further. After clicking on the link, the payment gateway opened with a request to enter the card number and other data.
There was even a chat window with support, which, when asked by Veronica if this was an official and safe payment, replied that there was nothing to worry about.
But after entering the data and confirming the required amount for the jacket, Veronika lost more than 20 thousand crowns in her internet banking. “The fact that I was confirming the amount that was leaving my account, instead of coming into my account, did not occur to me at the time. In retrospect, I say to myself that I do not understand how I could have missed it,” the woman describes.
Phishing is on the rise
But Veronika is far from the only one who ran into fraudsters on Vinted. And at the same time, this platform is not the only one whose users are targeted by thieves.
So-called phishing, i.e. an attack during which the fraudster tries to profile himself as a trustworthy authority and thus obtain sensitive data of the victims, also threatens users of Facebook Market, LinkedIn, Bazoš or transport services such as Zásilkovna and DHL. Attacks on Microsoft accounts, Netflix and more or less all email addresses are also common. Attackers also often use Whatsapp for communication.
“We most often see various winning frauds, attacks on Czech Post and other delivery services. Last but not least, these are frauds on advertising portals,” comments phishing expert Alexej Savčin for Gen Digital, formerly Avast.
Although it is difficult for attackers to bypass banking systems, they manage to bypass the trust of individual users successfully. According to data from the Czech Banking Association (ČBA), the number of attacks on bank clients has increased fourfold in the last two years. At the same time, their scams are becoming more sophisticated, well-thought-out and responding to current trends. “The language level of these frauds has also improved. It has long been no longer a rule that a phishing attack is always full of grammatical errors and looks amateurish,” Savčin points out.
More and more thoughtful
Previously, the attackers could also reveal the special domain of the payment gateway where they brought their victims. Even in this case, the attackers have already worked on their practices. Hard-to-recognize methods include, for example, so-called homograph attacks, where letters in web addresses are replaced by other characters or characters from other alphabets.
For example, the words “LinkedIn” and “Linkedln” look exactly the same at first glance. However, in the first case, the penultimate letter is a capital “i”, while in the second case, it is a small “L”. “In such cases, only high-quality security software can prevent phishing fraud,” cyber security specialist Vladimíra Žáčková explains for Eset.
According to the banking association, the total damage caused by phishing scams reaches hundreds of millions of crowns, with an average of 161,500 crowns per damaged client. According to surveys by Eset and the Police of the Czech Republic, in May 2022 a third of internet bazaar users encountered fraud. For the whole year, the police recorded damages for fraud in the Internet environment of over 1.9 billion crowns, phishing frauds make up a significant share.
“Every month, we identify hundreds of clients who have become victims of phishing attacks, while the amount of funds stolen by fraudsters rises to the higher units of millions of crowns every month,” adds Filip Hrubý for Česká spořitelna.
The money will not be returned
Whether the bank will be able to intercept the payment and return the money depends on individual cases and the level of misconduct of the victims. The institution assesses the degree of so-called gross negligence of the client when handling his data. This means that it does not take the risk if the user gives their sensitive data to attackers – even if unknowingly.
“Unfortunately, in most cases, on the basis of the investigation, we are forced to state that there really was gross negligence on the part of the client in the handling of his personal data when he passed it on to a third party,” Hrubý explains, adding that only in the lower tens of cases annually do they compensate clients money that was stolen from them.
Veronika was no exception, she doesn’t have her savings even after two months, although she solved the problem with Vinted, her bank and the police. “Vinted never sends emails or private messages asking you to click a link to enter payment information or complete a payment,” reminds Szlazová.
A spokesperson for Vinted adds that the company is in contact with its users and informs them about how to conduct transactions safely. The platform has already warned its users in special e-mails, and information about ongoing fraud can also be read in the application. “New members are introduced to safety advice after registration,” adds the spokesperson.
However, some users who have become victims of fraud do not agree with this. “Right after download (application, editor’s note) you get a lesson on how to upload clothes. Why don’t you be the first to inform immediately after downloading that these scams are happening?” Czech model Barbora Podzimková, who shared a similar experience to Veronika a few months ago, asked Vinted publicly on her Instagram profile. The model then lost 150 thousand crowns.
Banks also continuously engage in client education. For example, in this context, ČSOB initiated the campaign Defend with Reason, which focuses on fraud on internet bazaars, offers of advantageous investments and fraudulent calls, e-mails and text messages. “It is important to be careful. Do not be lured by a seemingly advantageous offer. Check everything carefully and do not allow yourself to be manipulated into a time crunch,” ČSOB press spokesman Patrik Madle repeats the basic rules.
Customers pressed for time and money
According to experts, people often succumb to the vision of a quick and carefree transaction, where the attacker offers to handle the transport and payment for them. Other times, they may be swayed by the scammer’s repeated appeals, forcing them to act in a hurry. People then ignore warning signs that might normally stop them.
“At such a moment, it is worthwhile to slow down, re-read the communication and pay attention to the Czech language. The communication may be machine translated or contain bad word order or grammar. If you do not like the communication and the other party’s offer seems suspiciously advantageous or demands payment in advance, feel free to end it ” advises Žáčková from Eset.
In case of suspicion of transport companies, users can simply open the company’s official website. A number of them offer a short list of the most common fraudulent methods that their services mimic. It does, for example DPD, GLS, Post office i Czech Post. Similar information can be found at twenty whether Facebook. Insuring your finances with a bank can also be a solution.
Banks repeatedly advise their clients not to share their internet banking credentials with anyone. “No bank or banker will ever ask you to know this information,” comments Hrubý from Česká spořitelna.
People should access their internet banking only through the company’s official website, or via a mobile application. When using a bank identity, every page where a person enters data should have a lock symbol in the address – this means that the connection to the server is secure. After clicking the lock, everyone can make sure that the security certificate is issued to the institution that requires a person to log in via a bank identity.
