“Swipe method” purchases in an online store.
We previously reported about “the F-game”. Unfortunately not a game but the phrase used to describe all kinds of fraud within the field of cybercrime.
This time around we take a closer look at a form of fraud that is currently quite popular among cyber criminals, or should we say within “the F-game”. This is about 'swiping', the term used for 'making money'. One of the most commonly used “Swipe methods” is making purchases from online stores with hacked accounts.
This is not something new, in 2018 Daniël Verlaan journalist at RTL news already reported about this.
What is it exactly? Internet criminals ordered popular items through hacked accounts and then resold them through advertisements on Marktplaats and other sites. The hacked accounts were purchased via the internet, usually for one euro each. If the criminal also ordered the corresponding email address, he paid two euros each.
The verbs above are written in the past tense, but this could just as easily have been in the present tense. Massive fraud still occurs in this way.
The cybercriminals not only offer previously ordered goods but also purchase goods to order via hacked accounts. Suppose you want the latest type of a certain smartphone and you order it via an advertisement on social media, the cybercriminal places the order with a hacked account and has the smartphone delivered to you. By opting for payment afterward, the cybercriminal does not need to have access to a bank account.
The cybercriminal can also choose to have the goods delivered to a collection point. So-called catchers collect the ordered goods there so that the cybercriminal stays out of the picture as much as possible. Or even more cheeky, the cybercriminal has the ordered item delivered to your address, but in a different name, and then has the package collected with a good excuse.
It is not without reason that when you search Google for reports from the past few months about this form of fraud, you get many results about this method or derivatives of it. Not only incidents that have taken place but also warnings and tips from various authorities to protect you from this form of crime will come up in the results.
Here are a few tips to help you prevent fraud using the swipe method described:
- Use Two-Factor Authentication (2FA) as much as possible. This may sound complicated, but it means nothing other than that you need a second form of verification in addition to your password to log in. This could, for example, be an SMS with which you receive a code that you need when logging in.
- WhatsApp is even simpler. A small question of conscience: Have you already secured your WhatsApp with 2FA? Not yet? Then go to settings via the 3 dots at the top right, choose Account, and then Two-step verification. You will then be asked to provide a PIN code. After this, you can continue to use WhatsApp as you were used to, but every few days WhatsApp will ask for your PIN code. This is a small effort that will make WhatsApp more secure. Do you want more? Then take a look at the Passkeys option in the same menu.
- Don't click on all kinds of links. Especially if you are asked by a “well-known authority” to log in somewhere, so you can then change your details or, for example, see details about a placed order. Bona fide companies and institutions will never ask you to log in via email. Don't click! If you want to check, use the internet and type in the correct address yourself. A lock at the top left indicating “secure communication” is not enough to protect you from this form of Phishing. Cybercriminals also use such a lock, also known as an https connection.
- Regularly check whether your email address for online accounts is still correct.
- Check regularly whether your email address has not ended up on lists of hacked data. Use https://haveibeenpwned.com/ for this. You can also have your telephone number checked here, simply in the same field as "email address".
- Change your password regularly. Fortunately, you are often forced to come up with a secure password. There are plenty of tips on the internet about a secure password.
- In addition, use a different password for each site and keep your passwords secure. You can use Keepass or Protonpass for this, for example.
- If you receive an order message from an online store even though you have not ordered anything, exercise your right to cancel. You can cancel or undo an online order within 14 days. Please check your login details, email address, and telephone number immediately.
- If you receive something delivered to your home that you did not order, refuse the package and have the delivery person take it back.
- In most cases, you are not required to show proof of identity upon delivery, and certainly not required that the delivery person photographs your ID. Please refuse this!
Are you an investigator and would you like to know more about these forms of cybercrime and what we can do about them? Then take a look at our cybercrime training courses.