You want to sell something via Marktplaats and an interested buyer asks if you can first transfer one cent via a payment request, supposedly to check your reliability as a seller. Be careful: this “harmless” request could cost you thousands of dollars.
Sending money to others has become a piece of cake with popular apps like Tikkie. Unfortunately, internet scammers have also discovered the benefits of these new payment options.
False payment request
On sales sites like Marktplaats, scammers pose as potential buyers interested in your product. Before they pay you, however, they have one more request: could you first transfer one cent, so they can check whether you can be trusted? “After all, there are so many fraudsters on the internet”. When you click the link, you are taken to a fake website that resembles your bank's. Once you enter your details there, the scammers can easily access your account.
Variant of phishing
Payment request fraud is a new form of phishing. In phishing, personal information is extracted with the help of fake websites. This can be done via a payment request, but also via SMS, e-mail or WhatsApp. What makes recognizing payment request fraud and other forms of phishing so difficult is that the messages and false links sent are often hardly distinguishable from the real thing. In addition, scammers often know how to act credibly as serious buyers or payment agencies.
Victim of payment request fraud
For example, in March 2018, a woman became the victim of payment request fraud via Marktplaats. After placing a bracelet on the site, she soon came into contact with an interested buyer. This so-called buyer also asked her to transfer one cent. Only when the bank called to say that more than 1000 euros had been debited from her account did she understand that she had fallen victim to an internet scam.
Transfer money? Do not!
Remember: you never have to prove yourself as a seller, not even by transferring one cent. Fleur van Eck of the Fraud Help Desk said in one of our broadcasts: “Doing business with a completely unknown party that asks you to transfer one cent, you should immediately think: why? In addition, especially if a link is sent, whether it is via the app or the e-mail, it does not matter. Do not do business with it.”
Be alert: recognize fraud
Prevention is better than cure. Victim Support Netherlands shares a number of other tips for recognizing payment request fraud. For example, it is wise to always check the web address of the payment link when you receive a payment request: the only official web address of Tikkie is tikkie.me. In addition, the police have a handy search engine to check whether (negative) reports have been made about a particular buyer or seller.
Not your fault, but your problem
Victim Support Netherlands previously launched a campaign about internet fraud, because in addition to financial damage it can also cause stress. Victim Support Netherlands helps, among other things, with obtaining compensation.
Warning: current forms of fraud via SMS and apps
Phishing is not the same as hacking. It is a form of internet fraud in which criminals try to trick you into divulging information or conducting financial transactions by means of tricks and creative methods – such as phone calls, fake emails and other forms of social engineering.
When we think of phishing, we mainly think of suspicious emails, but this form of scam is also common via social media and messages on your smartphone. In the latter category, various new tactics have surfaced in the Netherlands in recent months, in which consumers have been duped via SMS, WhatsApp and the so-called Tikkie trick, among other things. We will go through a number of them with you.
Six men have been arrested on suspicion of fraud by sending fake Tikkies. The Northern Netherlands Police announced this today. They are said to have stolen a total of almost 100,000 euros by using fake messages from the popular payment app, defrauding a total of 375 people.
In the Tikkie trick, criminals posing as buyers approach sellers on Marktplaats. In one of the variants, the scammer(s) sent the unsuspecting seller a link that resembles the address of the Tikkie payment app. With the real app, the URL is Tikkie.me and not Eventikke.nl/tikkie.me as in an example of the Fraud Help Desk (now offline). Victims were then asked to transfer 1 cent via the app, whereby the link used led to a bogus site that allowed the scammer to access the victim’s account number.
The most important tip is therefore: always look carefully at the link, because this trick stands or falls by paying close attention to the URL. The police add: “Never click on a link that you receive via WhatsApp, email or text message from someone you do not know! That is the most important advice we can give in this fraud case.”
At ING, more than a thousand customers were similarly affected in the first half of 2019. Their bank accounts had been illegally accessed through “My ING”. Customers had given access to their own bank account via a counterfeit Tikkie environment without noticing it. By acting preventively, the bank was able to prevent damage to a large number of customers by pausing transactions with these customers. ING managed to prevent more than 300,000 euros in damage. The illegal transactions were therefore successful with 375 customers. The bank has reported these fraudulent transactions.
The danger of the exact example above seems to have disappeared with the recent arrest, but similar variants will undoubtedly emerge in the near future.
Fake SMS from banks
Text message scams from trusted financial institutions and service providers such as your bank or insurer also remain popular. This week, a new one has been added to the enormous amount of false messages reported to the Fraud Help Desk, supposedly from a well-known bank.
The message states that a transfer of 354 euros has been accepted. To cancel the transfer, you must log in via an enclosed link. The link takes you to a fake website that is very similar to the bank’s domain, but if you log in here and enter the code to block a payment, the information ends up with the scammers, who can then log in to the real website and funnel money away.
A second variant that pops up a lot is an SMS that appears to have been sent by ING, with a message about an update of the app. Messages from the bank itself, however, come from the sender ‘ING’ and never contain a link. This variant comes from varying 06 numbers and reads: “Dear ING customer, now download the new ING app with renewed certificates and make the flash. Log in to My ING and follow these steps [link omitted].” The link deliberately omitted here leads to an unreliable website. ING is aware of this form of fraud.
Fake text messages from CJIB about an outstanding claim
Finally, this week, the Fraud Help Desk received many reports of fraudulent text messages that claim to come from the Central Judicial Collection Agency (CJIB). According to these messages, there is an outstanding claim. With the remark “pay today via iDeal”, the scammers try to collect an amount of 332.84 euros.
The Fraud Help Desk says that the real CJIB never approaches people by text message about outstanding fines. This also applies to other forms of digital communication. CJIB: “Don’t worry. This is always a message from scammers. The CJIB will never email, text or WhatsApp you about a fine, reminder or payment arrears.”
Fraud via Tikkie is increasingly popular among criminals: this is what you can do yourself
Criminals are increasingly using the Tikkie repayment app to cheat victims out of money. How does this form of robbery work and how do the criminals operate? The latest figures from creator ABN Amro show that more than two million Dutch people pay via Tikkie. The app has thus become an interesting target for cyber criminals who use a fake version of the app to trick their victims.
Various payment apps used for fraud
The robberies mainly take place via trading website Marktplaats. A criminal pretends to be an interested buyer and asks the seller for his bank details so that the amount due can be transferred. The criminal then takes a vulnerable position and asks whether the seller could transfer 1 cent to him, so that he can be sure that the payment for his purchase reaches the right person.
Fake payment link
If the seller agrees to this, he will receive a WhatsApp message with a payment link. The payment link is fake and leads to a counterfeit Tikkie environment, where the victim provides his bank account and pin code. From that moment on, the criminal has all the necessary information to empty the seller’s account.
• Make sure that ‘tikkie.me’ is in the link address. Criminals use fake addresses, such as tlkkie.nl (with an L instead of an i)
• Although it may sound reliable, never just transfer 1 cent to someone you do not know
• Check whether a ‘lock’ is shown in the address bar. This indicates whether the site has a valid security certificate. Also, check if the website address is correct (https://tikkie.me)
• Always file a report if you have become a victim of (internet) scams
• It may be stating the obvious, but it bears repeating: never just give out your pin code!
Someone who fell victim to fraud in this way is Ed Roovers from Hoofddorp. Thousands of euros were taken from him in this way. His story, which was previously shown in Hart van Nederland, is shown above.
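The link checks in the tips above, written out as an added example (not part of the original article): it compares the weak rule "tikkie.me appears in the link" with a check on the link's actual host and scheme, using the lookalike addresses the article quotes. The function names, the constructed paths and the `tikkie.me.example.nl` host are assumptions for illustration, and the strict check assumes only the exact host `tikkie.me` counts as official.

```python
from urllib.parse import urlsplit

OFFICIAL_HOST = "tikkie.me"  # the only official Tikkie address named in the article

def naive_check(link: str) -> bool:
    """Weak rule: 'tikkie.me' appears somewhere in the link text."""
    return OFFICIAL_HOST in link.lower()

def classify(link: str) -> str:
    """Return 'ok', or the reason this payment link should not be trusted."""
    link = link.strip()
    # Links pasted into chat often lack a scheme; '//' makes urlsplit see the host.
    candidate = link if "://" in link else "//" + link
    try:
        parts = urlsplit(candidate)
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        return "unparseable"
    if has_userinfo:
        return "wrong-host: link has a user@ part before the host"
    if host != OFFICIAL_HOST:  # exact match; hostname is already lower-cased
        return f"wrong-host: {host or '?'}"
    if parts.scheme != "https":
        return "not-https"
    return "ok"

# Hosts below are quoted in the article unless marked; all paths are constructed.
SAMPLES = [
    "https://tikkie.me/pay/abc123",
    "Eventikke.nl/tikkie.me",
    "https://tlkkie.nl/pay/abc123",
    "http://tikkie.me/pay/abc123",
    "https://tikkie.me.example.nl/pay",  # constructed host
]

def report(links):
    """Pair each link with the naive verdict and the strict verdict."""
    return [(link, naive_check(link), classify(link)) for link in links]

if __name__ == "__main__":
    for link, naive, strict in report(SAMPLES):
        print(f"{link:36} naive={naive!s:5} strict={strict}")
```

The `Eventikke.nl/tikkie.me` link passes the substring rule because the official name sits in the path, while the host check rejects it; a passing result says nothing about who sent the link.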
Privacy leak at Tikkie: users' IBAN numbers can be viewed
The popular payment app Tikkie offers the possibility to transfer money to other Tikkie users based on their 06 number. This made it possible to trace the IBAN numbers of many unsuspecting Tikkie users, with the risk of identity fraud and phishing.
This is shown by research by RTL Nieuws. ABN Amro confirms the vulnerability and has temporarily taken the new function, Tikkie Pay, offline. “Thank you for your attention,” said the representative.
Tikkie, which has 4 million users, showed with its new function all users from your contact list who have linked their 06-number to Tikkie. You could press a name, then transfer an amount and cancel the Tikkie just before the transfer. In the description of the transfer, you would then see the IBAN number of the recipient, without the person being aware of it.
This is what transferring to a Tikkie user looks like.
Your account number is a unique number that is only linked to you, and it is often used by companies to verify your identity over the phone. It is therefore important to properly protect your IBAN number, says Dave Maasland of cybersecurity company ESET Netherlands: “I understand the user-friendliness of this function, but there is a risk to release the IBAN number on a large scale in this way.”
In addition to the danger of identity fraud, Maasland also warns against phishing. Because a cyber-criminal knows your IBAN number, they can send you targeted and ‘highly credible’ phishing attacks. The criminals then send an e-mail or text message with your account number and the question whether you want to approve a payment. The link then leads to a phishing website that criminals use to withdraw large amounts of money from your account.
ABN Amro took the function offline immediately after the report from RTL Nieuws and is currently discussing the situation. The goal is still to launch Tikkie Pay, but in a way that does not compromise the privacy of users. It is not yet known when and how Tikkie Pay will return.
The leak has been reported to the Dutch Data Protection Authority as a precaution, ABN Amro confirms. The situation is a “serious concern” for them. According to the bank, 100,000 people had access to the feature, and it had been used fewer than 1,000 times.