So, you have some old furniture to sell on eBay or Facebook Marketplace, or Craigslist, or Gumtree? Great! You go on, take great photos of that small side table, create your listing, you describe your table as the best one ever … and you hope for the best.
Great! But I have a few things to mention. I’ve always been bothered by these kinds of large-item sales on online classifieds, because they are generally collection only, unless you are willing to travel for a couple of hours to deliver a 100kg side cabinet. You are likely to have to give away your name and address, and you never know who is going to knock on your door. I have sold a few pickup-only items, but every time, I can’t help but feel somewhat vulnerable when someone is supposed to come and pick up a large piece of furniture.
But either way, that is not even the main story of this post. I want to speak about online scams that happen with these “high value” items. I’ve seen this happen a couple of times, to people close to me. And considering my mission to educate people on how to stay safe online, I found it very disconcerting that someone in my close surroundings might get scammed, even though I have constantly and repeatedly told them and trained them how to recognize these scams.
Long story short. This is how this scam works:
- You list your items for sale. The first time it was a bicycle, the second time it was a piece of furniture.
- The attacker contacts you and tells you they want to buy your stuff. (All legit until here)
- The attacker tells you that they are housebound because (use your imagination: they are disabled, they had heart surgery, they have blood pressure issues, etc.) and they will organize someone to pick up the item. (Still all legit, because these things might happen)
- They tell you to remove your items from the listing (now it’s starting to get fishy) because the item is a gift for their niece/nephew/grandson and they don’t want to lose it. (Still sort of legit, but let’s move on)
- If they think you are biting by now, they will try to engage you even more. They will tell you that they have to organize pickup with a courier and they will pay you with PayPal, but because they are unable to pay the courier, they will pay you the courier pickup fee, and then before the courier arrives, you will have to pay that fee to the courier. So say, you are selling your stuff for £300, they will send you £600, and ask you to send £300 to the courier. At this point they will ask for your full name, your PayPal email and your home address. (I mean, it seems a little out of the ordinary, but it still could be a legitimate request, right?) NO. Never give away your details unless it’s absolutely necessary.
- Well, now they send you an email that they’ve paid the money to you in your PayPal. This is where the scam is. They don’t actually send you the money. They just send you an email that looks like it came from PayPal and they hope you will go ahead and send the other £300 into their account.
- If you didn’t check your PayPal balance by actually logging into your PayPal account, you might be fooled by this and send them your £300, never to be seen again.
This one is pretty easy to recognize, but one of my friends was almost fooled into sending that money. In that case, the attacker asked for a Western Union transfer and my friend Tom actually went to WU to send this money. Luckily the service representative at Western Union was trained enough to tell him that this is a scam and to advise him not to send the money unless he knows and trusts the person on the other side. Good work WU!
So there is some protection along the way, and my friend Tom got lucky, but people can easily be scammed with this if they are not vigilant enough.
Right after the first message was in, I knew it was a scam, but decided to do some very basic research anyway. I only googled the email address, and needless to say, it seemed like someone else had a similar experience on the same website with the same person, who was posing under a different name with them.
Here’s what you should do if this happens to you.
Report the attacker to the police. The Met Police in the UK has a very good advisory site on how to stay safe, but if you were scammed, or even if someone only attempted to scam you, please report it.
If you are not in the UK, check your local policing websites, there is likely to be information available. The US has information on this FBI page. And Australia has a report page here.
Talk to your bank, explain you’ve been scammed and ask for your money back – they might be able to recover it.
Report the user to the online marketplace you were using, and report their email address to their email provider (report as spam).
Now, going back to the story: I knew this was a scam from the first email they sent me, so for the sake of being able to write this post, I decided to play along. When they asked for an email address, name and address, I gave them fake information. And needless to say, the email did come through. Luckily, Google has made significant progress in fighting fake accounts, fake emails, phishing emails, etc., so this email did not even come to my Inbox – it went straight into Spam, with a big red warning by Gmail that this message is dangerous. Thank you Google, you probably helped most of the people receiving this message and protected them from being scammed. If you get a sign like that, please do not ignore it, even if it comes from a person you know and trust.
But this guy needs to get his money too – so he actually had to give away his bank account number and his full name for that. Not a very smart attacker, this one. Because, to take my own advice, I did report him to the Police – with his full name and bank account number. Considering he was willing to give away his details in this manner, I thought I’d go a bit further and tell him that the bank had some verification issues and they need his date of birth and full address to complete the transaction.
By this time – the email address was disabled by Google. Again, good work Google. Thanks to Google this guy will not be able to scam any more people with this email address, and hopefully, the police will follow up and investigate him. However, as they are all too well aware, this kind of crime is very hard to prosecute, because a lot of people feel ashamed of being scammed, so a lot of it never ends up being reported, and even if it is reported, the investigation and prosecution are very hard.
Now, if you look at the pictures above, you will see that I have blurred his personal details. I was very tempted to expose him with his full name and bank details, but that would potentially make him a target. And while he really is deserving of that, I as an Information Security professional am bound by certain ethics. So I decided not to expose his personal information, but instead to go the legal way and report him to the police.
As a final word, I would say, be vigilant. Always take things with a grain of salt. I’m not saying don’t trust anyone and become paranoid; most people are still good, but at least try to filter out the bad ones to the best of your ability.
Be safe. Educate others. Share.