Fake website scam warning for South Africa

South Africans have fallen victim to fraudulent e-commerce websites that “sell” products for a fraction of the price to lure buyers. However, these threats can be avoided by staying vigilant.

Nclose co-founder and business development director Stephen Osler told Cape Talk that these scams usually involve a fake website that appears to be an e-commerce platform or someone impersonating someone else to encourage a transaction.

Unfortunately for e-commerce platforms, Osler says that the people behind these types of scams are free to act according to their own rules and don’t consider copyright infringements.

Once they have created their fraudulent website, they will try to promote it to as many people as possible, Osler says.

In this situation, he says that scammers are ultimately looking for victims with credit or debit cards, so they can steal their credentials and use the card repeatedly.

However, there are ways to tell if a website or payment portal is fraudulent.

“As consumers, we must just be very vigilant of what we’re looking at. If it’s too good to be true, then it is,” Osler warns.

If still in doubt, users should pay attention to the URL to see whether it matches the actual site. Similar to phishing emails, differences in the URL may be almost unnoticeable so calling the business is the safest way to ensure it is safe.

Users can also check the URL encryption. If it starts with https://, the site is encrypted, whereas http:// means it is not.

Checking the URL is important because hosting platforms often have methods of taking down multiple fake sites once they are alerted to them. However, once fake sites are taken down, fraudsters will create new ones with different URLs.

When at the payment portal, users can check for the typical security controls such as Visa or Mastercard logo.

If all the checks have been done and the offer still seems too good to be true, Osler says users should contact the e-commerce platform and find out whether the product is currently available on its website for the advertised price.

An online tool called Yima can also be used to run a free security check on the website to determine if it is safe to use.

Local ladies fashion retailer Desray recently had an incident of website cloning, but they aren’t the only online store that scammers have cloned to steal people’s money.

A search of the Artists Against 419 fake sites list returns dozens of sites targeted in spoofing attacks.

Not all of these are niche e-commerce operators either. Companies like Woolworths and HiFi Corp have also had their sites cloned in similar attacks.

Desray’s story is particularly interesting because they exposed how the scammers were billing people’s credit cards and how little Facebook appeared to care about scam profiles on its platform.

They also revealed the tremendous impact the attack had on their customers and operations.

Desray managing director Michael Dixon said customers started notifying them on 21 January 2024 about a fake Desray group on Facebook running advertisements offering 70% discounts on their products.

The Facebook advertisement sent customers to an exact copy of the desray.co.za website, using the URL dripgym.shop.

Customers ripped off by the spoof website told Desray that the charges appeared on their credit card statements as being processed by Acqra.com.

“One customer reported that her purchase would be refunded to her, all other reports were that customers would not get their money back,” Dixon said.

Understandably angry, customers commented on social media that people should avoid Desray because they assumed the site had been hacked (which was not the case).

Dixon said this caused terrible damage to Desray’s online trust.

He said that upon learning of the spoof site, they immediately reported it via Google’s Safe Browsing page, Microsoft’s unsafe site reporting tool, and Netcraft’s suspicious site tool.

They also dug into the spoof domain and found it was registered through Namesilo.com and hosted behind Cloudflare.

Namesilo said Dixon had to prove it was a scam site before they would do anything, and Cloudflare sent an automated response and no further feedback.

Dixon supplied Namesilo with screenshots of the Facebook ads and the spoofed site. They eventually took the domain down on 27 January — almost a week later.

He also contacted the US company used to register the DNS, fixAPI.org, with no response.

Reporting the fake Desray Facebook group also proved futile. Dixon said they even tried having all staff, friends, and family report the group.

They received no feedback and Facebook did not take the group down, causing untold damage to customers scammed by the page.

Even after they managed to get the original dripgym.shop attack site shut down, the scammers would relaunch on a new domain and use the Facebook group to promote links to the new URL.

“Each time a phishing site is shut down, the link in the Facebook advertisement is changed to a new domain,” Dixon said.

“Facebook is the biggest part of the problem, because no matter how many times the fraudulent phishing pages and ads are reported, they are not taken down.”