Following the growing popularity of online shopping, cases of fraud in such transactions have become more frequent in Russia, reports Kaspersky Lab. Fraudsters pose as bank employees, send fake links to pay for goods, and extract card details. Avito experts explained what rules must be followed to make online purchases safely.
One of the important results of self-isolation for the Russian e-commerce market was the influx of new customers into online shopping: people who had not previously made purchases on the Internet or did so infrequently.
According to the analytical agency Data Insight, 3 months of quarantine led at least 10 million people to online shopping. Against this background, the number of attempts to deceive customers online has also increased. In the summer of 2021, experts discovered hundreds of new phishing sites masquerading as popular services for the sale and delivery of goods and services.
Avoiding fraud on the Internet is quite simple: just strictly follow the key security rules. Do not follow external links that other users may send, do not share payment card details with anyone (the CVV/CVC code and codes from the bank's SMS messages), and do not make an advance payment.
“In most cases of online fraud, users independently and voluntarily provide scammers with personal data that allows them to commit theft or make an advance payment. Fraudsters use very similar schemes over and over again on different resources, and when they manage to succeed and steal other people’s money, the reason is most often the banal inattention and ignorance of users,” emphasizes senior specialist of the Avito security department Kirill Lavrov.
Below are the most common schemes used by scammers and rules that will help you avoid theft.
What happened?
At the end of the year, almost all online stores announce discounts - all sorts of “black” days of the week on which you can buy things, equipment or gifts for the New Year and Christmas.
During sales, the problem of online fraud also worsens: criminals “announce discounts” and create fake websites. According to media reports, this year, in just one day, 192 sites were registered on the RuNet that disguise themselves as the domains of popular stores using the “OFF” prefix. For example, FAMILIYA-OFF.RU instead of FAMILIYA.RU. Experts say they will be used to host phishing resources.
Phishing (from the English word “fishing”) is a type of Internet fraud in which attackers try to obtain users’ personal data.
Simply put, scam sites are designed to “catch” inattentive buyers who shop en masse during sales. Using such clone sites, scammers can gain access to users’ personal bank cards and then empty their accounts, or receive money for goods that exist only on the pages of a fake website.
According to the Sberbank Cyber Security Service, 48% of people who received letters from unknown sources went to phishing resources, where they entered their logins, passwords and card details.
If you make a purchase on a scammer’s website, it will be almost impossible to defend your rights in court. The thing is that, as expected, there is no written agreement, cash receipt or other proof of purchase between the fake store and the buyer. All that remains is to be vigilant and learn to recognize fake resources. This is what we will learn today.
Please make an advance payment
A sought-after product is put up for sale, for example the iPhone 11 - it can be rare or at an attractive price. When a buyer expresses interest, the seller makes it clear that there are other suitors. He begins to hurry the buyer with a decision and asks to transfer an advance payment to an account in an online bank or payment system - usually part of the cost of the goods. Having received the money, the fraudster disappears from sight and adds the buyer to the blacklist.
You can protect yourself in the same way as with the substitution of payment forms - transfer money personally when receiving the goods, use the built-in function of a secure transaction or purchase with delivery on the platform itself (no links!). Such functions “freeze” the buyer’s money on the site, and the seller receives payment only after the buyer has received the goods and is convinced that everything is in order. If upon delivery at the point of issue it turns out that there is something wrong with the product, you can refuse the purchase. In this case, the money is returned to the buyer.
How to identify a scam site?
The creators of phishing resources distract the buyer from studying the page and looking for any signs of fraud. Therefore, scammers track “hype” topics and try to play on human emotions. And there’s a whole spectrum of them: you can put pressure on greed and offer to win a cool gadget or a cash prize, or you can play on the feeling of fear. For example, the site may offer to check whether a bank card is included in the registry of data stolen by hackers. And to do this, all you need to do is enter your data.
So, how to recognize a phishing site? Let's talk!
Check the SSL certificate
This is the simplest check that can be performed if a web resource seems suspicious. First of all, check for an SSL certificate: whether the coveted letter “s” follows “http” in the address or not. In addition, check whether the “lock” icon is shown in the address bar.
A secure connection to the server is especially important when transferring confidential information and personal data, for example, passport data. If the site address starts with “http://” rather than “https://”, this is a reason to doubt the authenticity of the page.
Unfortunately, along with the development of technology, scammers are also developing their arsenal. Today it is not difficult for them to obtain a valid SSL certificate even for a fake site. Therefore, in order to accurately verify the legitimacy of the resource, you will have to dig a little deeper.
Click on the “lock” to find out detailed information about the certificate:
- It is important to check the type of certificate. If you see an OV or EV certificate, this is a 99.999% guarantee that this is the original site. This will also prove that the organization indicated in the information for which the certificate was issued is not a fake.
DV certificate (Domain Validation) is a basic level of certificate that confirms the existence of a domain, but does not confirm the existence of an organization.
OV certificate (Organization Validation) is a certificate that confirms the existence of an organization.
EV certificate (Extended Validation) is an effective and prestigious solution that is actively used in online business.
- Pay attention to the provider (vendor/CA - certification authority). Today it is possible to independently obtain a free SSL certificate from the Let's Encrypt (LE) project; it is issued for 3 months and then requires renewal. If you see that the site in front of you has an LE certificate, think twice: scammers quite often choose them in order to instill trust in users. Fraudsters are unlikely to contact a reputable CA and pay for something they can get for free.
Never, never, never go to a website if the browser tells you there are problems or that the CA that issued the certificate is unknown to the browser.
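The same details the “lock” dialog shows can be read with a short script. This is an added example, not part of the original article: it works on the dictionary returned by Python's `ssl.SSLSocket.getpeercert()`, and the DV/OV/EV guess is a heuristic based on subject fields (an assumption, since that dictionary does not expose certificate policy identifiers). The two sample certificates and their names are constructed.

```python
import socket
import ssl

# Subject fields that are only present in Extended Validation certificates.
EV_MARKERS = {"businessCategory", "jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"}

# Constructed samples in the getpeercert() layout (not real certificates).
DV_SAMPLE = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notBefore": "Jun  1 00:00:00 2021 GMT",
    "notAfter": "Aug 30 00:00:00 2021 GMT",
}
OV_SAMPLE = {
    "subject": ((("countryName", "RU"),), (("organizationName", "Example Retail LLC"),),
                (("commonName", "store.example"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Commercial CA"),)),
    "notBefore": "Jan  1 00:00:00 2021 GMT",
    "notAfter": "Jan  1 00:00:00 2022 GMT",
}

def flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def validation_level(cert):
    """Heuristic: no organization in the subject means DV; EV adds extra fields."""
    subject = flatten(cert["subject"])
    if "organizationName" not in subject:
        return "DV"
    return "EV" if EV_MARKERS & subject.keys() else "OV"

def lifetime_days(cert):
    """Validity period in days (about 90 for a three-month certificate)."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"]) - ssl.cert_time_to_seconds(cert["notBefore"])
    return round(seconds / 86400)

def summarize(cert):
    subject, issuer = flatten(cert["subject"]), flatten(cert["issuer"])
    return {"level": validation_level(cert),
            "organization": subject.get("organizationName"),
            "issuer": issuer.get("organizationName"),
            "lifetime_days": lifetime_days(cert)}

def fetch_cert(host, port=443):
    """Fetch a live certificate; raises ssl.SSLCertVerificationError if the CA is untrusted."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

For a live site, pass the result of `fetch_cert("hostname")` to `summarize()`; an exception from `fetch_cert` corresponds to the browser warning described above.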
Do you remember? Let's go check the site further.