The Gumtree PayPal Scam: Spotting Internet scammers is harder than you think



In the UK, the Office of Fair Trading estimated that in 2006, 3.2 million adults fell prey to mass-marketed scams and lost 3.5 billion GBP. In Australia, consumers are estimated to have lost $1b in 2008. It is easy to believe that society is becoming more sophisticated in identifying the ways of Internet scammers and would therefore be less vulnerable. However, scammers are becoming more sophisticated too, and consumers’ increased dependence on the Internet exposes them to a wider variety of scams.

This vulnerability to scammers was recently brought home to me when an acquaintance nearly fell victim to a scammer when trying to sell a car on the ad site Gumtree. What was intriguing about the entire incident was the level of sophistication in the build-up to the actual sting, which involved sending money via Western Union to a “courier”. The scammer had used a variety of techniques to establish credibility. They first engaged in a series of communications via SMS and then email, asking for more details including photos of the interior of the car. The back story was also designed to elicit trust, with the scammer claiming to be a “researcher” engaged in research “out of town”. The icing on the cake, however, was the scammer sending a photograph of their Victorian driving licence, which looked genuine. It is likely that scammers have honed their craft by trial and error rather than from a deep understanding of psychology, but the end result is comprehensive in its use of behavioural theory nonetheless.

The build-up was all designed to get the victim to not look so carefully when the sting for payment came. Unfortunately for the scammer, the story here was less believable. It turned out that he wanted a courier to come by and pick up the transfer papers of the car. He claimed that he had made the payment via PayPal, but this turned out to be a notification, supposedly from PayPal, saying that they would complete the transfer of funds once the Shipping and Handling charges of $1,950 had been paid via Western Union to the courier’s head office in the UK.

On closer examination, the PayPal emails were obviously faked and showed the same characteristics as your common-or-garden scams: idiosyncratic English, a different reply-to email address and some careless editing on the part of the scammer.

But the scammer had done such a good job in gaining credibility up to that point that it was easier to be fooled by the PayPal emails when they came. It certainly almost had me fooled and prior to this incident, I would have rated myself as being pretty good at spotting these sorts of scams. It turns out that this type of scam is actually quite common when people advertise high-value items for sale on sites like Gumtree. It is listed on WA ScamNet and on phoning them, they recommended reporting the scam and exercising caution in the next few weeks because the scammers often used some of the personal information gained in an initial scam to try again. The ACCC’s SCAMwatch also reports this type of scam. Of course, the scammer hasn’t given up quite yet. The emails asking why the payment hasn’t been made are still coming.

The difficulty, of course, is that this information is fine after the fact but not terribly useful if you were unaware of the potential for these types of scam. The ACCC and others would possibly argue that this type of information should be included in our high school curriculum as part of a general education on all matters cyber. Certainly technology can play a part: email anti-spam filters could extend the information they give a user when they flag a message as spam, possibly consulting a database of known scam types and alerting the user to the match.
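As a sketch of what such an explanatory filter could look like, the following added example (not taken from any existing anti-spam product) checks a message for the signals described above: a reply-to address on a different domain and wording that matches known scam types. The sample message, the `SCAM_PATTERNS` table and the function names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the scam described above (not a real email).
SAMPLE = """\
From: "PayPal Service" <service@paypal.com>
Reply-To: paypal.escrow.dept@example.net
To: seller@example.org
Subject: You have received a payment - action required

Dear Customer, the buyer payment have been approved. We will complete the
transfer of funds once the Shipping and Handling charges of $1,950 has been
sent via Western Union to the courier head office.
"""

# Hypothetical "database of known scam types": name -> (pattern, explanation).
SCAM_PATTERNS = {
    "advance-fee": (
        re.compile(r"(once|after|until)\b.{0,80}\b(charges?|fees?)\b", re.I | re.S),
        "funds are promised only after you pay a fee first"),
    "wire-transfer": (
        re.compile(r"western\s+union|moneygram", re.I),
        "payment is requested by irreversible money transfer"),
}

def domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def explain(raw):
    """Return human-readable reasons why the message looks like a scam."""
    msg = message_from_string(raw)
    reasons = []
    sender, reply = domain(msg["From"]), domain(msg["Reply-To"])
    if reply and reply != sender:
        reasons.append(f"replies go to {reply}, not the claimed sender {sender}")
    body = msg.get_payload()  # plain-text, single-part message assumed
    for name, (pattern, why) in SCAM_PATTERNS.items():
        if pattern.search(body):
            reasons.append(f"{name}: {why}")
    return reasons

if __name__ == "__main__":
    for reason in explain(SAMPLE):
        print("WARNING:", reason)
```

Each signal is a hint rather than proof, since legitimate senders sometimes use a separate reply-to domain; the value lies in telling the user why a message was flagged.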

In the end, however, the takeaway message for me could be distilled into the single statement of “Beware of any offer or request that arrives over the Internet from strangers”.