What happened, and how
As reported on The One Show on 6th March, an unfortunate member of the public was duped by an elaborate and convincing scam by a fake seller on Amazon Marketplace.
Chris was manipulated into a situation where he was asked by the ‘seller’ to contact him through an email address that seemed like an Amazon address, but actually contained some additional letters. The fraudster had also created a fake but authentic-looking website to add to the illusion (see the picture at the bottom of this page).
Deciding to buy a top of the range TV in the new year, Chris looked online to compare models and prices, and settled on a Samsung 55in 3D Smart TV that seemed reasonably priced on the Amazon Marketplace at £920. He is a regular Amazon Marketplace customer and therefore familiar with the buying process.
He completed the regular Amazon order form, selecting ‘credit card’ as the payment method. However, the form highlighted an error, shown in red near the top, saying that the seller did not deliver to his area.
He had never encountered this problem before, and emailed Amazon, who replied with a link to contact the seller. The ‘seller’ responded that delivery was not a problem, and emailed him another order form (see photo), which he completed.
He was then told that, because of free delivery, the ‘seller’ was unable to accept payment by credit card, and that he should instead pay via bank transfer to Amazon’s A-Z Services. He checked that Amazon does have an actual A-Z Service (which it does), saw that the site carried the trusted Amazon logo and paid the £920 into a Barclays Bank account held in the name of A to Z Services. The emailed communications from the ‘seller’ had been from an a-z-amazon.co.uk address.
Chris first became concerned when he called the courier firm City Link on the day the delivery was due, to find out what time his new TV would arrive. City Link had no record of the delivery, and told him that the delivery reference he quoted did not exist.
He immediately tried to contact the ‘seller’ via amazon.co.uk, and received an email informing him that they no longer traded with Amazon. Checking the website again, he spotted that the address was a-z-amazon.co.uk. It was then that he realised that he had been scammed.
Chris had not used the a-z-amazon.co.uk website itself to provide any details, but went to it to check that the email address the invoice had been sent from was a genuine Amazon one. The fake website was simply used to make the transaction seem legitimate.
How the fraud worked
A key element of any fraud is the ability of the criminal to gain the victim’s trust, in this case achieved by forming an association with a trusted and respected brand. Chris was confident with using Amazon – and the mechanism was the authentic-looking website or, more accurately, the actual website. This is how it was achieved:
The fraudster created a webstore on Amazon. This is a perfectly legitimate activity and the vast majority of webstores on Amazon are, in fact, legitimate. You can find instructions on how to set one up on Amazon’s website, or on YouTube.
At the same time, however, the fraudster created a website and registered the domain name www.a-z-amazon.co.uk. When this page that you are reading was written (1st March 2013), the website was still live and accessible by anybody. The smart part is that the fraudster (or fraudsters) then embedded the actual live Amazon pages in their own site using what is known as an ‘iFrame’.
Chris was then emailed using the same domain name, which is very close to Amazon’s own name, requesting that he order and enter his payment details on another form – allegedly Amazon’s A-Z Services but actually then emailed to a bogus payment site. Because of the trust in the Amazon brand, Chris had no hesitation in doing so. After all, the request had come from Amazon … hadn’t it? The form in question was created in JotForm, a simple, online form building program accessible to anybody.
The fraud did not occur when the website went up or even when Chris tried to pay via the website, but when the scammer emailed him to redirect him to the fake payment site, exploiting the familiarity Chris had already gained with the a-z-amazon name from the site.
The tell-tale signs
Fraudsters are getting smarter every day, and this is a mistake that anybody could have made. Reviewing the events, however, there were tell-tale signs that this was not a genuine transaction:
On every page on www.a-z-amazon.co.uk, you can see the logo and banner of the fake site’s hosting company above Amazon’s own banner.
The order/payment page on www.a-z-amazon.co.uk did not include the ‘https://’ prefix and padlock symbol in the browser window indicating a secure and authentic website.
The wording on the email requesting Chris to order and pay via an alternative site contained grammatical errors:
Thank you for your interest to buy our products.
We offer free delivery to any address in UK. To place your order with us through Amazon and for a fast dispatching you can do it at this link:
The price of £920 was unrealistically low. A glance on Amazon will show you that £1300 would be more feasible. This is a classic case of if something seems too good to be true, it probably is.
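Two of the signs above, the lookalike address and the missing ‘https://’, can be checked mechanically. The following is an added example, not part of the original article or anything Amazon provides; the trusted-domain list, the function names and the sample paths and mailbox name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the brand's real domain and its name.
TRUSTED_DOMAINS = {"amazon.co.uk"}
BRAND_NAMES = {"amazon"}


def host_of(value):
    """Return the host of a URL, bare hostname or email address."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse "user@host" and "host/path"
    return (urlsplit(value).hostname or "").rstrip(".")


def is_trusted(host):
    """True only for a trusted domain or a real subdomain of it.

    The leading dot matters: "a-z-amazon.co.uk" ends with "amazon.co.uk"
    but not with ".amazon.co.uk", so it is rejected.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def review(value):
    """List the tell-tale signs found in a URL or a sender address."""
    host = host_of(value)
    findings = []
    if not is_trusted(host):
        if any(name in host for name in BRAND_NAMES):
            findings.append("lookalike domain: " + host)
        else:
            findings.append("untrusted domain: " + host)
    # https on its own proves nothing about who runs the site, so this is
    # reported in addition to the domain check, never instead of it.
    if "://" in value and urlsplit(value.strip()).scheme != "https":
        findings.append("no https on this page")
    return findings


if __name__ == "__main__":
    # Constructed samples: the paths and mailbox name are made up.
    for sample in ("http://www.a-z-amazon.co.uk/order",
                   "orders@a-z-amazon.co.uk",
                   "https://www.amazon.co.uk/gp/help"):
        print(sample, "->", review(sample) or "no tell-tale signs")
```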