The clip above features two victims, who were selling things on Marktplaats, a Dutch site similar to eBay.
- The victim offers something for sale.
- The scammer contacts the victim using WhatsApp, saying they're keen to buy.
- Before paying, they want confirmation that the seller is for real: will they pay 1 cent by Tikkie, please?
- The scammer sends the victim a link to a fake Tikkie website to pay the cent.
- That site leads the victim to a fake bank website, or sometimes a real one.
- The victim enters their bank details, including card number and ID code.
- The scammer uses that info to link the victim's account to their own.
- Then they can transfer money to themselves, just as if the victim had done it.
Each of the victims in the video lost several hundred euros. Fortunately, the bank was sympathetic and refunded their money.
Green padlock is no guarantee
Kassa followed up its report by asking people in the street what they looked at when deciding whether a website was trustworthy. Nearly everyone mentioned the 'green padlock'. The Dutch public are clearly very familiar with that security feature. Unfortunately, most aren't aware that the padlock doesn't guarantee that a site is trustworthy. A green padlock tells you that your connection to a site is secure; it doesn't say anything about the site itself. There's nothing to stop a scammer enabling a secure connection to a phishing site, for example. Increasingly, that's what they do, so that visitors drop their guard. No wonder that many consumers are confused.
Look carefully at the domain name
Kassa also did a quick street survey to see how much attention people paid to domain names. Passers-by were shown five domain names featuring the word 'Tikkie'. Four were fakes, such as mijntikkie.nl ('my tikkie', with the .nl extension), and one was Tikkie's real domain name (tikkie.me). Not one of the interviewees knew which domain name was genuine. Next, Kassa tried a similar experiment with 'Rabobank', the name of one of the Netherlands' biggest banks. And lots of people turned out not to know their bank's real domain name. Clearly, there's work to do for the business community on that score. The familiarity of a company's genuine domain name can be boosted by consistently highlighting it in communications, for example.
False sense of security
Interviewed by Kassa, Delft University's Professor of Internet Security Michel van Eeten says, "For years now, people have been encouraged to look for the green padlock. The unfortunate spin-off is that people are lulled into a false sense of security when they see it. Banks try to prevent fraud by defensively registering all sorts of variants of their domain names, but it's impossible to think of every possibility."
How to avoid getting scammed
Nowadays, fake websites are hard to distinguish from real ones, because scammers often use exact copies. So it helps to read a site's URL carefully. For more advice, read our article How to spot a fake URL.
What businesses can do to protect customers
As a company, of course you want to prevent criminals cashing in on your carefully constructed public image. The risk is that customers stop trusting your brand, with serious implications for brand value, reputation and ultimately earnings. So what can you do to avoid getting stung by on-line brand abuse?
Tip: Proactive monitoring
Our Domain Name Surveillance Service lets you watch out for your brand 24-7. As soon as anyone registers a domain name similar to your brand name or domain name, we'll alert you. You can also use the service to get an idea whether a suspect domain name is being used for phishing or malware. So you can quickly take appropriate action. For more advice, read our guide to protecting your brand on line.
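The kind of lookalike check that such monitoring relies on can be sketched in a few lines. This is an added example, not the Domain Name Surveillance Service's own code; it uses the brand and the two domain names from the article, and the digit-swap table, the one-edit threshold and the `.example` sample names are assumptions constructed for illustration.

```python
import re

BRAND = "tikkie"             # brand keyword, from the article
GENUINE = {"tikkie.me"}      # genuine domain name, from the article
# Assumed digit-for-letter swaps to undo before comparing.
SWAPS = str.maketrans("0134", "oiea")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand=BRAND, genuine=GENUINE):
    """Return 'genuine', 'suspect: <reason>' or 'unrelated'."""
    name = domain.strip().lower().rstrip(".")
    # Only the genuine name itself, or a subdomain of it, is trusted.
    if name in genuine or any(name.endswith("." + g) for g in genuine):
        return "genuine"
    for label in name.split("."):
        folded = label.translate(SWAPS)
        if brand in label:
            return "suspect: contains brand"
        if brand in folded:
            return "suspect: digit swap"
        for token in re.split(r"[-_]", folded):
            if (abs(len(token) - len(brand)) <= 1
                    and edit_distance(token, brand) == 1):
                return "suspect: one edit from brand"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample feed; only the first two names come from the article.
    feed = ["tikkie.me", "mijntikkie.nl", "t1kkie.example",
            "tikie-betalen.example", "tikkie.me.pay.example", "marktplaats.nl"]
    for d in feed:
        print(f"{d:28} {classify(d)}")
```

The name `tikkie.me.pay.example` is flagged even though it begins with the genuine domain name: what counts is the registered domain at the right-hand end of the host name.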