The global market for second-hand clothes is booming. According to GlobalData, the apparel resale market increased by 109% from 2016 to 2021, with an expected growth of another 85% by 2026. Reasons for this growth include the cost of living crisis and an awareness of the connection between throwaway fashion and climate change.
Hands up, I love selling and buying second-hand clothes: My reason is that I get a thrill out of buying designer clothing at a fraction of the cost just because someone else has worn the item a few times. What's not to like? Well, the scammers are intent on spoiling one of life's pleasures and a way for some of us to make a little money on the side and recycle.
They scammed me out of a pair of shoes!
This week, I had a rude awakening to the world of consumer app scamming. I had a bad experience on one of my favorite apps, Vinted: it began with selling a pair of really nice cream brogue shoes. The money was paid, and I posted them. Vinted has put a lot of effort into making the buying and selling process on the app smooth, and I can confirm that they’ve got that part right.
However, the next step was not so sweet. The buyer received the shoes and then complained extremely angrily to me via the messaging system about the shoes not fitting correctly. She demanded that a refund be processed, and if I didn't do this immediately (followed by !!!!!), she would complain to Vinted and have me thrown off the app. She continued a tirade of angry messages until I gave in and refunded her – she even said that she would not be returning the shoes as it would put her out of pocket.
“So what?” I hear you ask. Maybe she was in the right; perhaps she was. But the discourse was highly aggressive, with some warning signals of a scam, such as a refusal to return the shoes.
It is not just Vinted where this is happening. I also found a deluge of scammers on a similar app called Depop. Again, it's a great app designed for easy use by buyers and sellers who want to indulge in their clothing hobby (addiction) and make a little money. I opened an account on Depop, and within minutes of putting a designer skirt up for sale, I had three scam attempts – this time, they were obvious. But then, I do work in the security industry.
I decided to do some more digging into the extent of scams on consumer apps: it’s not a pretty picture.
The online app scam and the consumer
Scams range from small-time scammers, such as my shoe experience, to sophisticated data theft scams. The forums on consumer apps like Vinted and Depop are a rich source of information about scams doing the rounds. People sharing scam info is heart-warming to see as a security professional – it’s the people fighting back.
To execute a successful fraud on a consumer app, a scammer must create the element of trust. Bait and switch accounts and consumer account takeover (ATO) are fundamental to a scam targeting the consumer.
Trust is the word for buying and selling, and scammers know this more than most. Scams manipulate trust and use it to steal data, money, and goods. On consumer apps, it’s easy for a scammer to set up an account, then perform some legitimate purchases (or buy from other scammers) to create some 'genuine' reviews.
Alternatively, scammers may use techniques such as credential stuffing to take over existing accounts on targeted resale goods platforms. The cuckolded accounts often have existing good reviews that a scammer can use to signal trust. Once a scammer has a foothold on an account, they’re in a prime position to strike.
Here are two of the scam types found on consumer resale apps. These scams came from seemingly legitimate accounts on the app:
Pay-complain-refund scam
I’m not alone in losing an item to a small-time scammer. The pay-complain-refund scam is not a Vinted issue. eBay and, no doubt, many other apps will have the same problem.
It’s all too easy for buyers to create fake accounts, make a few legitimate purchases, build up a seemingly positive profile, and then go on a buying spree where they intend to refund all purchases. This type of scam is much easier to prevent as the buyer will only get away with it a few times before being caught out.
However, the ease of setting up accounts will allow them to spin up a new account and scam a few more sellers. Many app account creation processes require no verification of who you are, just an email address where a code can be sent. Sure, if you want to buy something, you must add a payment method, but this doesn't stop someone from creating multiple accounts, one after the other, to pay-complain-refund.
You might think that the app would take up the slack, but the process for sellers to complain about illegitimate refund requests seems buyer-centric, with sellers having little recourse. A forum discussion on this topic on eBay shines a light on the lack of protection for sellers.
This is a reply from eBay to a seller who had a similar issue with a fraudulent refund. The buyer returned the item, stripped of its parts, to the seller:
"I know these situations can be concerning for you as a seller, but due to our platform being completely online, we have no way of verifying the condition of the item that has been returned to you. After reviewing this case thoroughly, I will have to deny your appeal on this occasion.
Our advice to all sellers on site is to be set up for the possibility that returns of a faulty nature may happen. While it is unlikely, it is a risk associated with selling online, and the costs associated should be built into your selling plans. I generally compare it to how the high street stores have a budget put aside for theft, damage, or items being returned in a lesser condition than sent."
Great, but the problem is that the sellers on consumer apps are generally small brands or individuals.
Data theft scam
A scammer uses phishing to attempt to extract information such as personal data, email addresses, and more. Minutes into my account setup on Depop, I had three attempts at phishing my data. Here are the screenshots to show you the varying types of data theft scams. Note the time of the scams – it took six minutes for all three to come in, each from a different account on Depop.
Scam attempt 1 and 2: Data harvesting
Often, the scammer targets new sellers. They may not be aware of the sales process and might fall for rouses such as: "Just send me your email address, and I'll buy your item."
Once the scammer has your email address, an email will be sent to you requesting further data. The email may also contain a link to a malicious website. The scammer will likely also add your email address to a list of targets.
Scam attempt 2 is a similar scam to scam 1, but whereas scam 1 asks you to place your email into your account bio, this scam requests that it be sent via the messaging platform. Chances are, this is the same scammer using two separate accounts and two different tricks, hoping that one will work.
Scam attempt 3: phishing link
Scam 3 is slightly different and almost caught me out because I was unaware of the sales process. When I saw the link come in with a suspicious URL, I knew it was a scam. But not everyone would. The URL uses HTTPS, and it does have the word 'depop' included, so it’s a cleverly composed scam. A professional scammer is likely behind this one.
I used a few URL scanners to check out the URL in the message, and the site was set as 'Caution' and 'Suspicious,' but some found no unsafe content. However, as many URL checkers rely on manual addition to the database, scammers stay one step ahead by spinning up new malicious sites as they scam.
Source: Author’s Bepop account
Source: Veritas URL scanner
Can consumer apps scammers be stopped?
In an ideal world, consumer apps would be scam-proof. People who use them wouldn’t have to worry about being scammed and could trade to their heart's delight.
However, scammers are adept at finding ways around security. As buyers and sellers, we must keep abreast of scams on our platforms. Fortunately, those who have been scammed before us keep a record of the tricks used and put the details up on the forums. It’s always worthwhile to check out the forums of apps you intend to use and do a search for scams. Also, be aware of how the sales process on the app works.
However, while it may be consumers that scammers are targeting, the reputation of the app suffers too. Consumers must wake up to the scams perpetrated on these apps, but the app designers, developers, and owners must also play their part.
This starts with robust, layered security that’s consumer-focused. Accounts that carry the weight of trust make life easier for scammers, so the app must be hardened against the misuse of accounts. Balancing account security with usability is a challenge, but app designers should look at the various new technologies that can help. These include open banking and data orchestration systems to double-check new account creators by reusing already checked bank data. FIDO authentication is another layer, which has become more consumer-centric and can help with ATO.
The second-hand market space is set to soar, and I, for one, want to embrace this. Let's not let the scammers spoil our fun.
Your email address will not be published. Required fields are markedmarked