
“The most sophisticated online scam I have ever seen.” This is how new Vinted users are being scammed


Pablo Grueso, CEO of the technology consulting firm TecnoFor, published a thread on Twitter yesterday that began like this: “I just witnessed the most sophisticated online scam I have seen so far.” Grueso then recounted his recent experience on Vinted, detailing step by step how a user fell into the scammers’ trap.

It all started when the user in question, practically new to the platform, put a garment up for sale on Vinted. A simple step that quickly became complicated when she received an email supposedly from the “Vinted Team.”

That is, she received an email from the address “[email protected]” (remember that it is possible to spoof legitimate email addresses, so seeing that address does not mean the email actually comes from it). The email purported to relay an internal message from an interested buyer…

…a message that includes a screenshot of the mobile phone of said ‘buyer’, in which the Vinted app can be seen asking for the seller’s mobile phone number (that is, the number of the aforementioned novice user).

And this is where we get to the key part of the scam, because in addition to the text message and the screenshot, the email (remember, supposedly official) includes a link that, when clicked, took the user directly into the Vinted application… or, rather, to an almost perfectly duplicated website.

“A screen where you don’t notice the difference, where you can’t click on ‘info’ but you can navigate to the Inbox, for example”

The seller, confident that she is operating within Vinted’s own platform, ‘completes’ her data by entering her phone number… so that the information goes directly to the cyber fraudster who sent her the email in the first place. And now the fraudster, having the victim’s number, sends her an SMS (again, supposedly coming from Vinted).

In said SMS, the user/victim is informed that, to verify their credit card, “they will make the typical virtual charge that they later cancel…”, a practice commonly used to confirm the authenticity of a card, with the particularity that this time “the charge is €500”.

Another user, also affected by the scam, expands the information about said SMS:

“One of my daughters put some things up for sale, it was the first time and it was as if they suddenly wanted to buy everything. The following was what you describe, a message within the app to enter the mobile phone and an SMS to enter the data of the card”.

That is, a textbook phishing strategy in two rounds, impersonating Vinted, that provides the scammers with our personal data first and our financial data later. Furthermore, when the authorization notice for the supposedly voidable charge to Vinted arrives, the victim of the scam will authorize it, believing that it is legitimate and that the money will be returned. Oh, innocent.

The result, and points to keep in mind to avoid falling for it yourself

The result of this whole story? 500 euros less, and the item for which the victim registered on Vinted will remain unsold because there was never an interested buyer. Always keep these points in mind:

  • Make sure that any data you enter in an app is actually being entered on the official domain of the app, not just on a “look-alike” website.
  • To make the above easier, never access the platforms through third-party links (even if they seem to come from your real interlocutor): open the website/app yourself and look for the section in question.
  • Remember that, if entering data is necessary to operate on a trading platform, it will have told you so during registration. You will not receive a message afterwards.
  • Ask yourself some obvious questions: “Why would they spend money on sending SMS when they can send a notification to the mobile app?” or “Why would Vinted ask the buyer… for the seller’s number?”
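
The first two checks in the list above can be applied mechanically to the links in a message. The Python below is an added example, not part of the original article or of Vinted's own tooling. The allowlist of official domains, the character-swap table and all sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions: allowlist of official domains and the brand keyword to watch for.
OFFICIAL_DOMAINS = {"vinted.com", "vinted.es"}
BRAND = "vinted"
# Small, non-exhaustive sample of character swaps seen in look-alike names
# (digits and Cyrillic letters standing in for Latin ones).
CONFUSABLES = str.maketrans(
    {"1": "i", "l": "i", "\u0456": "i", "0": "o", "\u0435": "e"}
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_link(url: str) -> str:
    """Return 'official', 'suspicious' or 'unrelated' for one link."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "suspicious"  # malformed authority section
    # Official means the host IS an allowlisted domain or a true subdomain
    # of one; "vinted.com.x.example" and "notvinted.com" are neither.
    on_official_host = any(
        host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS
    )
    if on_official_host and parts.scheme == "https":
        return "official"
    # Brand name (after undoing character swaps) anywhere in a URL that is
    # not the official site over HTTPS: treat it as a look-alike.
    if BRAND in url.lower().translate(CONFUSABLES):
        return "suspicious"
    return "unrelated"


def suspicious_links(message: str) -> list[str]:
    """Extract the links from a message body and keep the suspicious ones."""
    links = (u.rstrip(".,)") for u in URL_RE.findall(message))
    return [u for u in links if classify_link(u) == "suspicious"]


# Constructed sample message body (not taken from the real scam email).
SAMPLE = """link A: https://vinted.com.inbox-check.example/inbox
link B: https://www.vinted.es/help
link C: https://www.vinted.com@login.example/verify
link D: https://v1nted-pay.example/card
link E: https://news.example/unsub
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE):
        print("suspicious:", link)
```

Only the host decides whether a link is official: a brand name in the path, in the part before an `@`, or as a prefix of some other domain proves nothing.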

By Henry Alexander
