I am selling something on a marketplace. Someone contacted me - they want to buy the thing I am selling. Do I still have it? I say yes. They say they are sending a GLS courier to collect the item. I figure they need the item fast - we are celebrating Christmas tomorrow. Why not.
The "buyer" sends me a link to a service supposedly offered by GLS, where GLS works as an intermediary - they collected the money from the buyer; when they collect the item, they will pay me. This is happening in the Czech Republic, and services like that seem plausible here. I do not know every detail of every delivery service offered here. The page looks just like an ordinary GLS page. I am in a hurry. I do not pay that much attention. I pause and check only when redirected to my bank's authentication page (this is the phishing part, obviously). Turns out GLS offers no such service.
I was closer to giving them what they wanted than I imagined possible. I was on autopilot until the last second. Not even my bank's login page surprised me that much - we have something called "bank identity" that lets you authenticate stuff by your bank ID. It is so convenient that I got used to it and I do it carelessly.
>> I hate scammers
Yes, me too.
In Czechia, something called bank ID is commonly used to authenticate. The point is to verify it is you, for example when you sign a contract online, fill in tax returns online... stuff like that. The way it works is that you are on some site, you get redirected to your internet banking, you log in (that's what I meant by "bank details", I am sorry about expressing myself so clumsily), and your bank redirects you back to that site with confirmation that is you.
Do I need to verify my identity when someone wants to send me money? Who knows. This is the part that made me check. But I was close to not checking simply because it is habitual, and you do stuff like that automatically.
Nowadays, we are often dealing with systems we do not fully understand. You get redirected to some familiar login form, you log in, and you don't even pause. Well, at least I do it. I should be a lot more careful, apparently.
If most of the traffic is scams, it’s not like they can remove it without something showing up in their metrics after all.
Search, and USPS ‘spam’ mail has a similar problem.
Are you going to show up with cash on my doorstep (or another agreed upon location)? If yes, we can continue talking. If not, you are blocked and reported. End of story.
I get why someone might not show up on my doorstep if they’re buying a piano - they probably need to hire somebody and are themselves not going to contribute anything to the piano moving process.
But fully agreed that once you’re an inch off the “show up with money” path, everything is suspect.
Even if you get .01% success rate, if it costs so little to reach 1M people, you’ll do well.
That's survival bias. There are some you can't spot.
As noted, it probably won't change anything, but scammers are a lot more sophisticated, these days, than they used to be.
It's the lifecycle of a scam. Once it really isn't worth the effort anymore, it gets packaged up and sold to stupid kids.
This is how overall marketplace trust dies and the overall industry collapses though.
until you get robbed, kidnapped or forced to do a bank transfer.
At that point, nobody cares if you were trying to steal the silverware.
what law? In my country in my scenario the person would be charged for scam (fraud), robbery and any other possible crimes.
I dislike this as well, as this is conditioning people to not second guess why a third party website is sending you to your bank to login. As well as scam websites I've come across that mirror the authentication process down to every step you would have when using it for legitimate purposes. Scam website>Scam Interact login parter>Scam web banking login> stolen bank credentials.
I don't want my web server dependent on anyone else's server/service being available or in any other way slowing down my user's experience.
The only service that I have no local solution is payment processing.
I dont have many banking relationships, using 2 banks and there is not even a password to remember, all login is done via authentication apps.
The thing is, those services really are useful. A lot of stuff that used to be complicated and required me to stand in line somewhere can now be done comfortably from home. Many good things can be abused, but that does not mean they should not be implemented. And you don't have to use it if you do not want to.
Also, I don't know how the scam works behind the login form that stopped me, but I think it would not have worked even if I had given them my info because there is 2FA - how would they overcome that hurdle?
The problem is the lack of user education as to what an "origin" is.
But assuming there is good user education, this is the proper way to do it. One (untrusted) origin redirects you to a trusted one with instructions to give it some information. The trusted origin asks for your authentication and tells you what the untrusted origin is requesting. If you approve, the untrusted origin only gets the very specific data it requested (and you approved) and nothing else.