
Facebook Marketplace PayPal Scam Exposed

  • Post category:Kelvin / Scams
  • Post last modified:23/03/2023

Change Log

  • 23/03/23 – Updated the article with outcomes from the action that Wise and Facebook have taken

In this article, I want to expose another Facebook Marketplace scam that attempts to trick a seller into sending money to the scammer.

You are about to read and see a real example of the scam from start to finish. This article is for educational purposes and aims to raise awareness and protect individuals from becoming victims of this scam.

How does this scam start?

  • A scammer will attempt to contact an individual that has goods listed on the Facebook Marketplace and express their intention to buy the item listed for sale.
  • The scammer may attempt to ask some general questions about the item. For example, the scammer will try to appear as though they are genuinely interested in the item by asking questions like “what is the condition of the item?”, “how long have you been using the item?”.
  • The Facebook account used by the scammer is likely a fake account or an account that is genuine but one that has been hacked.

The following example shows how a scammer reached out to me and expressed an interest in purchasing an item that I had listed on the Facebook Marketplace. The scammer used a Facebook account that appeared to be hacked; the name of the account is ‘Anna Fortuna’.

The following screenshot highlights the initial conversation. In the screenshot below, the scammer ‘Anna’ engaged with me and asked a few general questions about the item I was selling.

The Scam

As the conversation continued it became evident that ‘Anna’ was a scammer. My suspicions were raised when ‘Anna’ told me that she couldn’t collect the item because she was out of state but still wanted to pay. It is extremely unlikely that a legitimate individual would want to pay for an item from someone they don’t know on Facebook without wanting to inspect it first – especially when it’s a collection-only item. Furthermore, the listing is for an item in the UK and so the fact that ‘Anna’ told me she was out of ‘state’ tells me that ‘Anna’ has little understanding of the terminology used in the UK.

Nevertheless, at this point, I know it’s a scam but I want to continue the conversation to uncover how the scam works and so I proceed by sharing my PayPal email address so that the scammer can proceed with his scam. For context, the scammer wants my PayPal email address so that he can pretend to pay me for the item and send me confirmation via email that appears as though it’s from PayPal but it’s not. The scammer asks for the item price so that they can put the item price in their fake email.

You may be thinking the following by now: how can I get scammed by sharing my PayPal email address? Keep reading and you’ll find out that the scam itself doesn’t involve the transfer of money through PayPal.

I let the scammer know the cost of the item (even though it’s listed on the item) and they proceed to let me know that they’ve sent payment. In addition, the scammer tells me that PayPal cannot accept the payment because my PayPal account isn’t a business account and so the scammer needs to send an additional £300 to convert my account to a business account.

At this point, I’m laughing to myself because I’ve never heard so much rubbish in my life! On a more serious note, at this point, I can see how this scam could still work on someone who doesn’t understand how PayPal works.

The scammer is adamant about continuing the conversation and sends a number of messages intended to rush me into checking my emails.

I proceed to check my emails and find that the scammer has sent me two emails, one of which landed in my spam folder. The scammer has attempted to impersonate PayPal but has done a VERY bad job of doing so.

Here are a few things that confirm that this email is not from PayPal:

  • The domain is not a PayPal domain
    • The email address is from: paypalonline@onlinepay.business (more details on this later for the technical folks reading)
  • Grammatical errors in the email
  • The email is automatically marked as spam
  • The email subject
  • The PayPal image is added to the email as an attachment
  • The sense of urgency in the email
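
The indicators in the list above that can be checked automatically, as an added example (not code from the original article). Only the sender address comes from the article; the display name, subject, body text, attachment name, the allow-list of PayPal domains and the urgency phrases are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of genuine sender domains; extend it for your region.
BRAND_DOMAINS = {"paypal.com", "paypal.co.uk"}
URGENCY = ("urgent", "immediately", "within 24 hours", "as soon as possible")

# Constructed sample: only the From address is taken from the article.
SAMPLE = """\
From: "PayPal Service" <paypalonline@onlinepay.business>
Subject: Payment pending - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You must act immediately to upgrade to a business account and release the funds.
--b1
Content-Type: image/png; name="paypal-logo.png"
Content-Disposition: attachment; filename="paypal-logo.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

def check_email(raw, brand="paypal", allowed=BRAND_DOMAINS):
    """Return the list of indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings, body = [], ""
    # Sender claims the brand but the domain is not the brand's (or a subdomain).
    genuine = any(domain == d or domain.endswith("." + d) for d in allowed)
    if brand in (display + addr).lower() and not genuine:
        findings.append("brand-domain-mismatch:" + domain)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/") and part.get_content_disposition() == "attachment":
            findings.append("logo-as-attachment:" + (part.get_filename() or "?"))
        elif ctype == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    hits = [w for w in URGENCY if w in body.lower()]
    if hits:
        findings.append("urgency:" + ",".join(hits))
    return findings

if __name__ == "__main__":
    print(check_email(SAMPLE))
```

The suffix match requires a leading dot, so a lookalike such as `paypal.com.example.net` is still reported as a mismatch.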

Below is the second email received. The scammer has sent another email that tries to impersonate PayPal again.

The intention of the second email is to trick me into thinking that the scammer has sent the additional £300 payment required by PayPal to upgrade my account to a business account. However, before I can access the original payment of £140, I first need to send £300 back to the buyer’s (scammer’s) bank account. <<< THIS IS THE GOAL OF THE SCAM!

Let’s look at this in a little more detail:

  • Why would PayPal ask someone to send money to someone else outside of PayPal?
  • The grammar in the email is bad again
  • The email is from the same person (not PayPal)
  • A false sense of urgency again

Returning to the Facebook Messenger chat, we can see that the scammer is trying to reassure me that this is PayPal’s normal procedure. I play along and once I’ve checked the aforementioned email, I ask the sender to send me their bank details so that I can send the £300 payment. Again, this is the goal of the scam – the scammer never sent any money but wants to gain £300 from me.

Interestingly enough, I wasn’t expecting to receive bank details from a Wise account. The reason is that Wise are usually good at vetting people before allowing them to open accounts, thus opening up the possibility of being able to track account owners. Nevertheless, the scammer may actually be using a legitimate Wise account that has been hacked. At the time of writing this, I am yet to check how Wise deals with accounts that are being used for malicious activity but I will be reporting the account to Wise.

Exposing the Scammer

I was now at a point where I had exposed the scam and now I had to let the scammer know that I was on to them. I thought I’d play around with the scammer a little more before finally exposing him and so I pretended to send the payment to someone else’s account to see what the reaction would be.

After stringing the scammer along for a little bit, I was ready to come clean and let them know that I was onto their dirty scam. I pretended to send the scammer the payment and they proceeded to ask for proof in the form of a screenshot to show that payment had in fact been sent. I made the scammer wait a few minutes while I found a suitable picture.

When I found the most suitable proof of payment picture, I sent it to the scammer and asked for confirmation that they could see it. I can’t say I was shocked at the response received from the scammer before they left the chat. 😂

I hope that you find this article before becoming another victim of this ridiculous scam. I will be reporting this scam to Facebook, Wise and Google, which hosts the scammer’s domain, but I can assure you that these people will not stop. The scam might not be exactly the same but hopefully you’ll be able to identify the characteristics of such a scam.

Please share this article with your fellow Facebook users to raise awareness.

Technical Analysis

  • Domain onlinepay.business was created recently (23 days ago)
  • No security flags against the domain – likely as it’s new
  • Google Domain
  • Online results appear to have reports of the domain being associated with scams
  • Cisco Talos report the domain as medium risk
  • The domain has been reported to Cisco Talos and the reputation has been lowered to block

Update 19/03/23

  • Cisco Umbrella have blocked the domain

Report Outcomes

  • After reporting this incident to Wise, they have now confirmed that they have stopped the scammer from being able to use the account details associated with this scam.
  • After reporting the Facebook profile to Facebook on 23/03/23, unfortunately they made the decision to not take any further action and the account is still active. I will attempt to report the Facebook account one more time to see if we can get the account removed.

iwiizkiid

Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved a Bachelors and Master's degree in both Computer Networks and Cyber Security.

This Post Has 6 Comments

  1. debbie

    Thank you for this. My daughter has just experienced something very similar and you saved her a lot of trouble!

    1. iwiizkiid

      No problem. I’m glad it helped!

  2. chris

    Nice! I’ve got one on my case at the moment, thanks for taking the time to pretty much confirm my suspicions!

    1. iwiizkiid

      No problem Chris, thank you for reading.

  3. ALEXANDRA SPARROW

    This literally just happened to me thanks for sharing! Be careful everyone!

    1. iwiizkiid

      Glad to see you didn’t fall for it.
