You can seemingly get a scam sent your way anywhere, and while emails and text messages are common, selling something online also appears to make you a target.
There’s no shortage of scams con artists will happily lob your way, so staying on guard is pretty important these days.
Scams where people pretending to be Microsoft call you, ploys to get you to click on fake Australia Post links, the regularity of tax scams aplenty each and every year, and so many more. There are scams all the time and they don’t seem to stop.
But one recent scam had us surprised, as cybercriminals turn to Australia’s used market to attempt to sell vendors on a different type of scam: one where they think they’re getting payment sent to their credit card, as opposed to a bank account.
The approach is a little crazy, with a scammer contacting sellers through WhatsApp and advising that they’ve paid through Gumtree, but using a Gumtree sub domain through a different medium. From there, the site asks for the seller’s credit or debit card details, which will then reportedly send the payment back to the card.
Except that’s not how this works. Debit and credit cards typically only receive money when a refund has been authorised. They’re not like a bank account and don’t receive funds, being used to charge them instead.
Essentially, this scam plays on this, expecting you to receive your funds by providing your credit or debit card details.
To make it worse and easier to fall for, scammers have created a fake Gumtree website for taking money, setting it up as a sub domain (the address before the main site) to make the website more convincing.
According to the reader who sent this in, the scammer attempted to push the idea they had already paid through this site, and that they were in lockdown in Dubbo and couldn’t come and pick it up, giving it a bit of a local flavour, it seems.
“Classified scams targeting both buyers and sellers on platforms like Gumtree and Facebook Marketplace aren’t new by any means. In fact, Australians lost more than a whopping $5.5 million to almost 8000 reports of classified scams in 2020,” said Alex Merton-McCann, Cyber Safety Ambassador for McAfee in Australia and New Zealand.
“However, this is certainly a new approach and one of the more sophisticated scam tactics we’ve seen targeting users of classified platforms,” she told Pickr.
“Many buyers and sellers know to be on the lookout for fake ads for goods that don’t exist, doctored receipts for payments that were never made, or overpayment scams whereby a buyer sends an invalid cheque for more than the agreed price and requests a refund for the extra amount. A fake subdomain that copies the look and feel of a genuine website definitely has the potential to trick many unsuspecting Aussies into handing over their credit card information.”
Savvy people may pick up on the sub domain not being legit, noted in the top of the screenshots, but that’s one of the only indications, with the rest being on your knowledge.
Everything else about the fake Gumtree site is pure phishing, and by the time you’ve entered credit card details on the fake Gumtree site, it is essentially too late. As it is, Gumtree uses PayPal, and so an external money system isn’t something you should be seeing.
However this approach does mean you probably need to read website domains more clearly, because using “gumtree.com.au” as a sub domain for something else is more convincing than just another website altogether.
“As a general rule of thumb, there is no need to ever share your credit card information with someone on these platforms,” Merton-McCann told Pickr.
“If a buyer or seller insists your most valuable personal information is required for payment, or that an unusual payment method is used—from prepaid debit or gift cards to even cryptocurrency— your alarm bells should be ringing. Where in-person, cash exchanges aren’t safe or possible, platforms like Gumtree recommend that you use services like PayPal to securely complete transactions,” she said.
