Systematic Fraud on Private Sale Apps - Cyber Foundry
Apps and websites like Gumtree are uncomplicated platforms for selling pre-owned items – they are today’s Buy/Sell notice boards. Sellers can offer goods of any kind, from household items to bicycles. Interested buyers then contact the seller via chat or other means, facilitated by the platform. However, unlike eBay, for example, the exchange of money is left to the buyer and seller and is not managed by the platform. Bad actors can exploit this weakness. One such means of exploitation is described next (personal experience of the author).
When posting high-value items for sale, such as laptops, the seller has to decide how the money exchange is handled. One option is to request personal pickup of the item and cash payment. Usually, this is explained in the item description when posted. The fraud scheme starts here.
The bad actor scans the platform for promising items, possibly using alert features to be notified automatically. They then pose as an interested buyer but request that the seller post the item via courier in exchange for a higher sales price. If the seller is interested, the bad actor suggests continuing the conversation on a private chat platform (e.g., WhatsApp). This avoids leaving a traceable chat history. Although the platform tries to block this by filtering phone numbers from the chat, the filter can be easily circumvented (by using spaces, for example: 0 1 2 3 6 5 4 8 9 0).
The supposed buyer then suggests using PayPal for the payment, giving the seller a false sense of security. The bad actor, in this particular case, also requested a very quick drop-off at the post office, probably trying to avoid much deliberation by the seller. After investigating payment options on PayPal, the seller suggested a private invoice. The buyer then quickly said that this was not necessary; they only needed the seller's PayPal email address.
At the core of the scam, the bad actor then sends a fake PayPal confirmation email, saying that the funds have been transferred and the seller can post the item to the address stated (a PO box). A naive seller might not question this further and post the item, never actually receiving any money. The receiving party can then sell the item elsewhere.
Closer inspection of the email’s headers quickly exposed the fraud, and the seller withdrew. It can only be concluded that selling high-value items privately poses a significant risk. Inexperienced users might very well have become a victim of this fraud scheme.
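The article does not say which header fields gave the forgery away. As an added example (not part of the original article), the following Python checks look at the fields a recipient would commonly inspect on a saved payment email: the sender-related addresses and the SPF/DKIM/DMARC verdicts recorded by the receiving mail server. The sample message, the expected domain and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: a message claiming to come from PayPal (not the email from the article).
SAMPLE_FAKE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=paypal.com
From: "PayPal" <service@paypal.com>
Reply-To: payments.confirm@example.net
Subject: You have received a payment

Funds are on hold until you post the item.
"""

EXPECTED_DOMAIN = "paypal.com"  # assumption: the domain the claimed sender should use

def domain_of(value):
    """Return the lowercased domain of an address header, or '' if absent."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower()

def aligned(domain, expected):
    """True if domain is the expected domain or one of its subdomains."""
    return domain == expected or domain.endswith("." + expected)

def inspect_headers(raw, expected=EXPECTED_DOMAIN):
    """Return a list of findings that contradict the claimed sender."""
    msg = message_from_string(raw)
    findings = []
    if not aligned(domain_of(msg["From"]), expected):
        findings.append("from-domain-mismatch")
    # The visible From is trivial to forge; bounce and reply addresses often are not aligned.
    for name in ("Return-Path", "Reply-To"):
        if msg[name] and not aligned(domain_of(msg[name]), expected):
            findings.append(name.lower() + "-mismatch")
    # SPF can pass for the sender's own domain while DMARC still fails on alignment.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            findings.append(mech + "-" + results.get(mech, "missing"))
    return findings
```

An `Authentication-Results` header is only meaningful when it was added by your own mail provider, since a sender can insert a forged one further down the message. An empty findings list is not proof of payment; the funds still have to be confirmed in the account itself.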
To minimise the risk of fraud, the following options should be considered:
- Use a platform that has an escrow service such as eBay (holding the funds until the sale is concluded).
- Sell the item to a second-hand shop (such as CEX). The price will be lower in exchange for a virtually no-risk sale.
- If delivered via courier, insist on pre-payment by the buyer and validate that the funds have been received (this shifts the risk to the buyer).
- Sell for cash (exchange in person, in a public place, if feasible).