Trade Me phishing scam exposed
Trade Me is being used as a front for yet another phishing scam, this one involving a barbecue no-one bought.
Trade Me user Emma Thompson said she received an email via her work email address with payment information for a barbecue she had allegedly bought on Trade Me.
The Nelson woman realised it was a scam "pretty quickly" as she never logged into Trade Me using her work email address and she had not bought a barbecue on the site, she said.
There was also a link contained in the email if the user wanted to "cancel" the barbecue purchase.
This link then took them to a website not associated with Trade Me and asked for further details about the user.
The rest of the email contained standard information usually included in automated responses sent to buyers when a transaction is made.
Phishing is when a scammer sends legitimate-looking emails that appear to come from websites or companies in an effort to trick users into revealing information such as names or passwords.
This was not the first time Thompson had been targeted by scammers using Trade Me as a front, she said.
"The concern for me on this one is that someone is trying to use Trade Me as a front, and Trade Me is our trusted friend!"
However, Thompson had never fallen victim to the attempts of scammers as she was suspicious when it came to unsolicited emails, she said.
Trade Me head of trust and safety Jon Duffy said similar phishing scams, using Trade Me as a front, did the rounds about twice a month.
Scammers sent out hundreds of thousands of emails to potential victims in the hope the email addresses were active and some of the recipients would fall for the scam, Duffy said.
During the past year 200 members had been successfully phished out of 3.4 million members, he said.
Most of the compromises were picked up by internal security tools when the scammer tried to access the account. The accounts were disabled as a precaution.
The barbecue scam had led to a "steady stream" of reports to Trade Me this morning, about twice the normal number, Duffy said.
The online auction company was aware of three people clicking the link and providing their details. Those people's accounts were secured before the scammers could access them, he said.
Scammers often used an overseas third-party server to host a fake Trade Me website, and directed victims to it via a link.
Once Trade Me became aware of a phishing site it worked quickly to get the site down, sometimes with the help of a third party, he said.
The sites used bank or credit card details to conduct further scams and could sell the details to other scammers.
Trade Me saw its first, and so far only, smishing scam in March, Duffy said.
Effectively smishing was the same as phishing, but scammers sent a text message to a smartphone with a link to a phishing site.
No-one was successfully scammed by this attack as far as Trade Me was aware, he said.
Unfortunately, a lot of Kiwis did fall victim to fraudsters every year.
NetSafe operations manager Lee Chisholm said New Zealanders reported losses of $4.8 million to scammers last year.
Meanwhile, figures from the Ministry of Business, Innovation and Employment showed scam victims lost $1.7m in May 2014 alone.
Chisholm said Trade Me, eBay and courier companies were common fronts for these types of scams.
Scammers could be convincing and they were almost impossible to catch and prosecute because they were usually overseas, she said.
It was important for New Zealanders to check if something was a scam on the Ministry of Consumer Affairs website, Chisholm said.
If an unknown person contacted a consumer about something they did not buy and it involved money it was probably a scam, she said.
HOW TO AVOID SCAMMERS USING TRADE ME
❏ Check the website you arrive at when you click the link is definitely trademe.co.nz
❏ Check for your first name. Typically, scammers won't have this information.
❏ Never provide your username or passwords by email. Trade Me won't ask for this information because it already has it.
❏ Check the email address of the sender. Trade Me emails always come from @trademe.co.nz email addresses.
❏ Upgrade your browser to include anti-phishing technology.
❏ Never enter information into forms within email messages.
❏ It is likely to be a scam if you are asked to send money overseas.
❏ Change your email address if it is the same or similar to your Trade Me username.
❏ If you have any suspicions about an email you have received from or about Trade Me, email email@example.com.
❏ If you are scammed, contact Trade Me so they can secure your account, contact your bank if you have provided financial details, and change any passwords that are the same as or similar to the one you have provided to scammers.
❏ Check Trade Me's trust and safety blog for updates on scams
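
The first and fourth checks in the list above (where a link really goes, and who the sender really is) can be automated in a mail filter. The sketch below is an added example, not Trade Me's own tooling; the function names, the HTTPS-only rule and the sample message are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "trademe.co.nz"  # the domain named in the checklist


def link_is_trusted(url: str) -> bool:
    """True only if the link's real host is the trusted domain or a subdomain."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL: treat as untrusted
        return False
    if parts.scheme != "https":  # assumption of this example: HTTPS links only
        return False
    # Compare whole labels: "trademe.co.nz.example.net" and
    # "eviltrademe.co.nz" must both fail.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def sender_is_trusted(from_header: str) -> bool:
    """True only if the address (not the display name) is @trademe.co.nz."""
    _, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return False
    return addr.rsplit("@", 1)[1].lower() == TRUSTED_DOMAIN


def triage(from_header: str, links: list[str]) -> list[str]:
    """Return the reasons a message fails the two checks (empty = passes)."""
    findings = []
    if not sender_is_trusted(from_header):
        findings.append("sender is not @" + TRUSTED_DOMAIN)
    findings += ["off-site link: " + u for u in links if not link_is_trusted(u)]
    return findings


# Constructed sample: display name and link text imitate the real site.
SAMPLE_FROM = '"support@trademe.co.nz" <billing@example.net>'
SAMPLE_LINKS = [
    "https://www.trademe.co.nz/MyTradeMe",       # genuine host
    "https://trademe.co.nz.example.net/cancel",  # trusted name as a prefix
    "https://trademe.co.nz@example.net/cancel",  # trusted name as userinfo
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_LINKS):
        print(finding)
```

A From address that passes is not proof of origin, because that header can be forged; the link check is the stronger signal of the two.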