Transferring money to a card - popular scam schemes on Avito

Hello, Habr. I'm Igor, the leader of a team that fights scammers on Avito. Today we’ll talk about the eternal battle with scoundrels who try and even sometimes deceive online shoppers through the delivery of goods.

We have been fighting fraud for a long time. Today's scammers deceive people by imitating the interfaces and functions of online trading platforms. For example, they come up with schemes for courier delivery on marketplaces.

In January 2022, ready-made instructions for scammers and all the necessary tools appeared on the Internet. Then self-isolation added fuel to the fire: those who had previously cheated and stolen on the streets and in apartments were forced to go online. Perhaps these same “scammers” have been calling you a lot lately, writing in instant messengers, SMS and letters. They introduce themselves as employees of banks and law enforcement agencies, distant relatives or notaries. Write in the comments what type of fraud you encountered last time.

Standard fraud schemes

The most common scheme for deceiving a buyer with the delivery of goods looks like this:

1. The scammer publishes an ad with a popular product in the mid-price category. For example, with the sale of electric scooters - they are popular in the summer.
2. By any means, he persuades a potential buyer for delivery. The pretexts can be different: I left the city during the pandemic or I’m just too busy and can’t come to the meeting.
3. After receiving consent, the scammer sends a fake payment link. The linked page is similar to the standard Avito form.
4. The victim pays for purchases and says goodbye to the money.
5. The scammer is trying to make more money by offering to return the payment. He sends the buyer a new form for a refund, but in reality he charges them again. The return page is the same payment page, but the text on the button has been changed from “pay” to “return”.

Below is an example of a fake page that a scammer might send. The domain mimics Avito, and the site itself is similar to the checkout page in an online store. Fake pages are often on the https protocol, and it is impossible to distinguish them by this feature. After filling out the data, the user is taken to the order payment page, where he is asked to enter his bank card information.

Fake product payment and refund pages

We block suspicious sellers. Therefore, in order to carry out such operations, scammers need to constantly create new accounts on Avito. They either register them themselves using SMS to a temporary virtual number, or buy stolen accounts. A virtual SIM card costs from 60 kopecks, someone else’s account on the shadow market costs from 10 rubles. The costs of both are incomparably less than even one-time income from deceiving users.

It was Avito Scam 1.0, but versions 2.0, 3.0 and even 4.0 have already appeared. These are not our designations - they are used by the scammers themselves.

They deceive not only buyers, but also sellers. The second diagram looks like this:

1. The buyer allegedly sent the money through a secure transaction.
2. He sends the seller a fake link where he can receive payment.
3. The seller is taken to a page that asks for his card details, and as a result, the amount is debited from his account.

The Scam 3.0 scheme works like this:

1. The seller publishes advertisements with activated delivery via Avito.
2. When the buyer pays for the goods, the scammer sends him a screenshot in which Avito allegedly asks for a confirmation code.
3. Using the code, the seller logs into the user's account. In the buyer’s profile, the scammer checks a box indicating that he received the goods. The buyer is left without money and purchase.

And the 4.0 scheme is arranged as follows:

1. The buyer pretends to have paid for the goods and sends a fake receipt. Receipts are sent anywhere: by email or via a third-party messenger. Depends on what contact the seller gave to the scammer.
2. The seller receives an SMS that mimics a transfer from the bank.
3. A few minutes later, the buyer writes that a product from another seller would be better suited for him and asks for a refund. The argument “return it, you’re not a fraudster” is often used. The seller sends the amount to the buyer, but from his own pocket, because there was no payment.

Underwater rocks

If you commit fraudulent actions on the Avito service, you will have to try hard to get your money back.
In this case, the following difficulties may arise:

1. You will have to prove that the money was transferred not on a voluntary basis, but as a result of fraud.
2. Banking organizations may refuse to return the money if the card details are available to the fraudster.
3. A citizen who finds himself in a difficult situation may not know how to draw up statements or where to apply.

What are scammers pressing for?

The five most popular contexts in which people fall into the clutches of scammers:

1. Unique selling proposition. The price or product compares favorably with other offers.
2. Excitement. The seller has several people willing to buy the product, so he forces an advance payment.
3. Urgency. The buyer offers to urgently buy the goods for any money and asks for all the bank card information in order to transfer money.
4. Good-heartedness. The scammer asks for help in purchasing a product: for example, the buyer has health problems or is unable to personally pick up the product. The fraudster asks for card details to transfer money, and the goods will supposedly be picked up by a courier.
5. Various localities and cities. In this case, prepayment is a mandatory condition of the transaction, and this opens up a huge field of activity for fraudsters.

How and to whom to report fraud if someone wants to deceive you

If you suspect a person of fraud, it is better to check him again. This can be done through the bulletin board support service. For example, if a person is actively trying to transfer communication to instant messengers or asks for an advance payment for “holding” the goods, simply complain about him. There is functionality for this both in the ad itself and in the chat with it.

Click here to submit a complaint or contact technical support

If scammers have tricked you and money has already been debited from your bank card, contact your bank immediately. Perhaps the funds can still be returned. And even if you can’t get the money back, still tell the hotline staff about the fraud: they can block the attacker’s card.

You can go further and write a statement to the police. In practice, almost no one does this, because it is difficult to find scammers in such cases. Besides, people simply don’t want unnecessary red tape.

Have you encountered any attempts at fraud on Yula or Avito? Tell us about your experience in the comments - perhaps it will save someone’s wallet from the actions of an attacker.

Scheme of “work” of scammers

Three groups of people are involved in the fraudulent scheme: workers, support, TS.

Workers, from the word worker, are the largest group of people, mainly schoolchildren and students. They independently create accounts on Avito and look for victims, who are called mammoths. Then, using social engineering skills, they convince victims to pay for something and send them a fake link. If the victim pays for the “goods,” then the workers’ task, with the help of support, is to transfer the victim to a refund, citing some kind of technical error.

Support are people who, for a fixed income, help newbie workers deceive users. They give advice, recommend “profitable” products, and are often willing to provide other services for a certain percentage of the fraudulent transaction, for example, preparing a passport in Photoshop, calling the victim, writing to her on behalf of technical support.

TS, from Topic Starter on shadow forums, where workers were initially hired, are essentially organizers. They download or buy software, which consists of two parts:

1. Telegram bot, which is the main tool of scammers. In it you can get a fake link to a product, receive notifications about clicks or payments.
2. Web version, which is responsible for displaying the payment/return/receipt page. A payment system for accepting payments is also connected to it.

The organizers make money from a percentage of each victim’s transfer, which is called profit. Therefore, they try to advertise their project and pay support to train newcomers. They also bear all the costs associated with the purchase of new domains and cards for which the money comes.

After looking at the source codes of many variants of fraudulent scripts, we came to the conclusion that most of them were written in PHP, but at a very poor level. Almost all scripts collect information about their users, including workers. One of the assumptions why they do this is that when law enforcement agencies contact the organizer, he will cooperate with the investigation and try to reduce the punishment as much as possible by revealing the workers.

In addition to scripts, scammers use bombers. These are bots that provide the opportunity to spam your phone with SMS and calls. Bombers work like this: they go to different sites and request registration or password recovery using a phone number. Usually scammers connect them to victims for 2-72 hours. And this is an important reason not to show your phone number on the Internet.

Some TS also hire developers who make improvements for the bot or website. For example, they improve worker ratings or protect scripts from vulnerabilities found in free versions. However, in pursuit of quick profits, the vehicle can take all the proceeds for itself, deceiving its own workers. At the same time, there is a group of guys who make money from the scammers themselves, tricking them into various services.

The average daily income of a fraudster-executor is 20,000 rubles, and that of a fraudster-organizer is 200,000 rubles.
The main thing to remember: despite the apparent impunity and benefits of “business”, all this activity falls under Article 159 of the Criminal Code of the Russian Federation. Fraudsters are detained and given real sentences even in cases where the damage from deception amounts to 5-7 thousand rubles. We transfer all information we have about fraud to law enforcement agencies. We are convinced that despite the apparent profitability and ease of the scheme, our readers understand that only narrow-minded people who do not realize all the risks engage in fraud.

Scam when buying a car

Buying and selling via an Internet site does not provide protection from fraudsters. Deception on Avito when selling cars is actively used by swindlers. To avoid troubles, you need to thoroughly check all the little things: documents, condition of the car, any discrepancies between the actual condition and the documents and words of the seller.

First of all, you need to personally test drive the option in question. If there are no complaints, you need to visit a service station and conduct a full diagnosis of all elements of the car. To be completely sure of the right choice, documents are checked to ensure there are no restrictions on the car.

An epic battle between antifraud and scammers

We'll tell you what steps we took in the first months of 2020 to protect our users, and how the scammers responded.

The main metric we relied on to evaluate the effectiveness of our work was the number of support calls with delivery paid for by the scammer. We block most fraudulent ads before they even reach the site. But when almost all trade moved online, we recorded a surge in requests. This information is also confirmed by banks: in April and May they sent out massive warnings about the growth of fraud in online purchases.

To receive quick feedback on new tools, a person from our team infiltrated dozens of closed groups of scammers. In one of them, he passed an interview as a developer and gained access to the source code of scam bots, and also got into the group of organizers. Thanks to this, we always had fresh, first-hand information.

Understanding the risks due to the beginning of self-isolation, we began work before the active increase in requests. One of the first technical measures was the implementation of an anti-hack to snatch user accounts from the clutches of attackers. To do this, if the login and password were entered correctly, but the geolocation was suspicious, we requested a code from an SMS that was sent to the account owner. In response, scammers began registering more independent accounts. This works to our advantage - fresh seller accounts inspire less confidence in everyone.

Next, we started warning users about following suspicious links in the messenger. So we reduced the number of clicks by a third, but this had almost no effect on our main metric: those who were deceived by scammers were not stopped by any warnings.

Next we introduced a white list of links. We have stopped highlighting unknown links in the Avito messenger; you can no longer follow them in one click. When copying a suspicious link, a warning was also shown. This decision had a positive impact on our metrics for the first time.

We began to actively punish for the transmission of suspicious links in the Avito messenger: block or reject the seller’s advertisements. In response, scammers began to divert users from our chat to third-party instant messengers. Then we issued a warning not to switch to another messenger if you see it mentioned in the chat. This function started with a regular expression search, then we replaced it with an ML model.

Then scammers began to trick users into email. To do this, they needed the same thing we all need: trust. They began sending potential victims images where Avito allegedly requested the buyer’s email. This is a scam - we don't need buyers' emails.

Here our support supposedly replies that the buyer’s email is needed for delivery

And here in our interface there seems to be a new field for entering email

If someone else could distinguish a fake link, then the letter can be easily faked and is more trustworthy. We began deleting the email message and showing the user a warning about the dangers of such an action. If after the warning the user sends the email again, we no longer delete it.

Scammers have begun asking customers to send their email address in multiple messages or with the @ symbol replaced with something else. Then we began to display a warning even when requesting mail. The complex of these measures made it possible to almost completely prevent users from leaving the Avito messenger for mail.

Our current mechanics are quite effective, but not user friendly. The email message is deleted completely, and often contains other text. But it was the fastest and cheapest solution to develop. We are thinking about how to remake and improve it.

One of our latest initiatives is dialing the number. Typically, the numbers scammers use to register accounts do not last long. We call the seller's number after submitting an ad on Avito. If you can’t get through by phone, moderation will reject the ad. The scammers began changing the phone number immediately before publication so that we could call while it was still available.

And here is the feedback from the scammer

In suspicious cases, we lower the priority of the ad in the search results and remove it from recommendations. At the same time, we set a delay in issuing up to 48 hours in order to guarantee time to check everything carefully and cause a little more inconvenience to scammers.

Is it possible to file a police report through the Ministry of Internal Affairs website?

You can contact the Ministry of Internal Affairs online.
The application is submitted on the official website of the department. You can use both the main and regional versions. To submit your application you must follow the instructions:

1. Go to the official website of the Ministry of Internal Affairs and select a territorial department.
2. On the right side of the page, click “Receive requests”. Place a check mark in the box confirming that you have read the information.
3. Click the “Submit Appeal” button. Fill out the proposed form, describing in detail the current situation in the “Text of appeal” paragraph.
4. Attach the necessary files confirming the fact of fraud.
5. Submit your request after receiving appropriate confirmation.

Attention! The application is reviewed within 3 working days. After this, a decision is made to initiate criminal proceedings or refuse. The applicant is sent a written notification.

This is just the tip of the iceberg, there are many more types of fraud.

Unfortunately, it is impossible to describe all types of fraud in one article. When we learned about the introduction of the self-isolation regime, it immediately became clear that scammers who made money offline would run online. They won't want to change their behavior patterns for a few months and become good citizens. This has led to a real boom in fraud on all online platforms and by phone.

Among the types of fraud, there are rare and even funny ones. For example, here the scammer pretends to be a robot to reduce communication costs:

Despite the fact that there are fewer and fewer scammers on Avito every day, and raids are taking place throughout the country where law enforcement officers find them, despite proxies and VPNs, detain them and lead to real sentences of up to 2 years in prison for deceptions of 2500 -5000 rubles, it is impossible to completely get rid of fraud.

We will not publicly talk about other ideas and innovations, so as not to make the work of scammers easier. We understand that this battle will continue. Our task is to make life as difficult as possible for scammers, to make this type of activity on our resource simply unprofitable and too dangerous, while minimally hurting good users.

Bonus: story #6. Happy ending

It seemed fair to me to note that on Avito, in addition to fraud, many legal and successful transactions take place every day, when the seller and buyer get what they wanted.

I was just finishing this text when a friend wrote to me and told me that he had sold his recently purchased iPhone through Avito Delivery. In horror, I asked him if he was afraid of substitution, to which he replied that he had already sold so many things, checked the sellers’ profiles and was not particularly worried.

At the same time, he was mentally prepared for the fact that candy might be returned instead of a parcel. It’s great that you can sell your item on Avito, but even a 5% risk of fraud will make you think about whether it’s worth doing.

How to avoid becoming a victim of a scammer

Fraudsters are the fly in the ointment of profitable offers. To always stay safe, just follow these rules:

1. Do not share sensitive data. None: full name, phone number, address, email, date and place of birth, information about family and income, card details, contacts in other messengers. Never tell codes from SMS and push notifications.
2. Conduct all communication only within our messenger, then we will be able to warn you in case of danger.
3. Check the seller's rating and profile age. Suspicion is raised by low prices, recent date of registration on the site and negative reviews.
4. If the “Buy with delivery” button is inactive, there is no delivery of goods through trusted Avito partners. Other delivery methods are always a risk.
5. Do not click on links. The link to pay or receive money should be sent to the built-in Avito messenger via a system message. A real link always starts with the domain www.avito.ru. Any other combination of words and symbols is fraud.
6. Take your time and make all purchases sober. Be attentive to every little detail. Fraudsters often put pressure on potential buyers and threaten to sell the product to someone else. Honest sellers are loyal and ready for additional questions.
7. Do not make an advance payment for any services unless you are confident in the seller.
8. Do not install any third-party extensions or programs.
9. If you see a suspicious profile or ad, write about it to our support. We will check the seller. On the Internet it is better not to trust anyone and do additional checks.

Story No. 4. “Your parcel has already been taken”

This story happened to a vc.ru reader, he agreed to buy a Nikon camera through Avito.Delivery. The parcel was sent via DPD, the seller insisted on this.

As a result, somehow, after the package arrived at the DPD office, the scammer’s accomplices received it, and when the author came to pick up the package, the employees shrugged. The parcel was issued using a track code , although they should have asked for a special PIN code.

Why did it happen?

This is more the fault of the delivery service than of Avito, although in that story the support service took a very long time to respond to the author’s questions and gave sparse answers.

How could this be resolved?

Choose delivery contractors more carefully. By the way, Avito.Delivery has stopped cooperating with DPD.

Original story