Trade Me is warning users to be extra vigilant as hackers attack the site with ever-increasing sophistication, but members want to know why the platform is not doing more to protect them. Jane Phare reports.
Regular Hibiscus Coast Trade Me user Fiona thought her husband had lost the plot when she saw 26 bizarre purchases on their Trade Me account, including a fog cannon, a smartphone and photographic equipment.
She rang her husband at work, demanding to know “What have you been buying?”
But her husband wasn’t behind the buying frenzy. It was a scammer who had hacked their joint Trade Me account, using Fiona’s name and home delivery address, to convince the sellers they were the real deal.
Mortified that a good-trading rating of more than 500 items might be blemished, Fiona, who does not want her surname used, set about contacting the 26 traders to tell them they hadn’t in fact sold their items. She’s angry that her Trade Me account was hacked and wants the platform to give better protection.
“Someone needs to warn people. It’s been going on for weeks. It’s a massive issue.”
Elderly Trade Me user Larry Jamieson, of Kaiapoi near Christchurch, was delighted when his specialised film projector — for converting old film to a digital format — sold for $1500 to an Auckland bidder last month. But Jamieson soon received a warning from Trade Me that the buyer’s account had been compromised.
“I had packed it [the projector] up ready to go.”
Jamieson says Trade Me has refunded his success fee and will allow him to relist the projector at no cost. But he’s reluctant to do that because people might wonder why it did not sell the first time around. Instead, he put it in an auction of photographic equipment in Christchurch this month.
Jamieson is baffled by the scam and can’t understand why someone would pretend to buy a film projector.
“I restore old films for people. I’m 81 years of age and I know nothing at all about that side of things. I find it [new technology] very, very difficult.”
“I honestly think it’s for the game. They enjoy the thrill of it.”
But experts warn it’s no game. Both Fiona and Jamieson were unwitting participants in a buy-now scam. The scammers didn’t want Jamieson’s projector; instead, they were after personal information. They are hoping people like Jamieson will follow the “please click on the button below” instruction in their fake “phishing” email, leading to a completely different but legitimate-looking website in an attempt to match a name with banking credentials, password, login details or credit card information to “complete the trade”.
Trust and trickery
The so-called buy-now scam has increasingly become a thorn in Trade Me’s side, keeping its trust and safety staff busy sending out warning emails. Cybercrime experts describe it as a form of social engineering, the exploitation of a trusted relationship.
Dean Williams, senior systems engineer for cybersecurity company Norton, says it’s all about mixing trust with trickery. The context of the message has a sense of urgency to it that triggers emotion in the buyer, he says.
“The buyer is also in a ‘winning’ state because they’ve just sold something so they are eager to close the sale and get the money.”
The buy-now scam gives the scammers the ability to compromise trading accounts so they can begin the cycle again.
“They accrue more personal information and can target a lot more unsuspecting Trade Me victims,” Williams says.
Spotting phishing emails used to be easier because they often contained spelling or grammatical mistakes. Now they’re becoming more sophisticated and not as easy to spot. And the damage is more widespread.
The traditional online marketplace scam often involves a victim buying and paying for an item, but the item never arrives — what Williams calls a “closed attack”.
“But the scammers are looking more broadly now,” he said.
Cyber-deceiving people online is a lucrative business. Netsafe’s 2022 figures show Kiwis lost more than $35 million from scams of some sort. Cyber scams reported to the government cybersecurity site Cert NZ in the three months between April and June this year show Kiwis lost $4.2 million. Of the 1950 incidents reported, 1189 involved phishing and credential harvesting.
And insurers warn that businesses may not be covered if they’re involved in an online marketplace scam. Insurance & Financial Services Ombudsman Karen Stevens says business insurance policies often contain fraud exclusions.
“Things like Facebook Marketplace scams have increased in the past few years, meaning there’s a real risk to businesses if they aren’t alert and vigilant when selling items,” she says.
Multiple warnings from Trade Me
When Fiona set about emailing the 26 Trade Me users who thought she had bought their items, several replied saying it was not the first time they had suffered similar issues. One woman said it was the fourth time a security issue had occurred that week.
“Randomly, I got a text from my neighbour saying ‘oh your husband was trying to buy something off my husband’,” Fiona says.
She also received multiple warnings from Trade Me, letting her know her account had been hacked, causing her to change her password immediately.
But she, like other Trade Me users, wants to know why the trading platform, in the face of an apparent barrage of sophisticated phishing attempts, hasn’t upped its game and introduced increased security measures such as two-factor authentication (2FA).
Some are angry that Trade Me hasn’t already introduced 2FA to further protect buyers and sellers from hackers and scammers — protection that means two checks are in place to prove a user’s identity before they can log in, a system used by banks, other business organisations and trading sites.
Trade Me users let rip on an online forum, criticising the platform for not introducing 2FA in the face of increasingly sophisticated cybercrime.
‘Poor; lagging behind’
“Poor,” said one. “Really lagging behind with archaic systems and practices.”
Another said it was now a fundamental requirement for conducting business and trading online.
“It is irresponsible to not offer 2FA. It is widely accepted that passwords are fraught with issues, trademe (sic) not offering 2FA is incomprehensible, given their scale and balance sheet.”
Trade Me declined to answer several questions put to it by the Herald, including whether it would consider installing 2FA to help protect members’ accounts, and whether the number of scams and phishing attempts on the site had increased this year.
Neither would Trade Me policy and compliance manager James Ryan be interviewed directly despite repeated requests. However, the platform did issue a statement attributed to Ryan, saying Trade Me had a team of 25 trust and safety staff in New Zealand working seven days a week to keep the site safe.
“That makes us very different from other unregulated marketplaces.”
“Trade Me had advanced systems and processes in place to keep items and people off our site which shouldn’t be there,” Ryan said in the statement.
“We’re constantly looking at new ways we can protect our members and putting measures in place to keep bad eggs away.”
However, those measures aren’t good enough, Trade Me users like Fiona say.
“Someone’s been into our Trade Me account and made 26 purchases. How did that happen?” she wants to know.
‘Do not complete this trade’
One regular Auckland Trade Me lister received repeated urgent warnings from the platform’s trust and safety staff when he listed three items for sale, all worth under $100.
The items were “bought” by different people but shortly afterwards, multiple “DO NOT COMPLETE THIS TRADE” warnings from Trade Me arrived in his inbox.
“The winner of your auction is not legitimate and has since been banned from Trade Me,” the messages said.
Trade Me refunded the man’s success fees that day, and told him how to relist the items free of charge.
“I’ve used Trade Me for many years and this is the first time I’ve had any issues. I don’t understand how the scam works because nothing is sent until payment is received.”
One Northland woman told the Herald about 30 items were “bought” using her Trade Me account last month, between 7am and 8am one morning.
Karen, a Wellington-based Trade Me user, told the Herald that hackers targeted five of her auctions in a row.
“I didn’t lose money, but authentic traders lost the chance of purchasing my auctions, which in total valued approximately $600, which in turn was the amount of money I could have made.”
She, too, was critical of Trade Me’s apparent lack of security. The platform’s trust and safety team told her she should use Ping or AfterPay, but she argues that wasn’t the issue.
“Having my auctions hacked was my issue, and why would I pay extra fees on top of listing and success fees when all my previous sales have been successful via cash or online payments?”
An Auckland Trade Me user, Ben, has been selling items on Trade Me in the past few weeks in readiness for a move to Melbourne. He had a string of items “bought” by scammers followed by warnings from Trade Me.
At one stage he “sold” a pair of speakers and was alerted by Trade Me to a scam so relisted them a second time, and the same thing happened.
Describing himself as reasonably digitally savvy, he didn’t click on any of the links but says he can see how some people might get caught out. The phishing attempts are the most sophisticated he has come across, he says.
He’s in favour of Trade Me installing 2FA and says he thinks the platform’s software appears dated.
The ‘Hi Mum’ texts
Netsafe chief online safety officer Sean Lyons says cyber frauds are evolving at a rapid rate and becoming increasingly complex. Scammers know people are becoming more savvy about websites and emails that don’t look legitimate.
Knowing that, online scammers are finding ways to infiltrate trusted relationships. He points to the “Hi Mum” texts, which were initially “hugely successful”. The fake text would ask “Mum” for help; a broken mobile phone and an urgent need for money to buy a new one.
“It tugged at the heartstrings, it was entirely plausible and a lot of people said, ‘sure love, what’s the account you want it to go into’?”
Using the buy-now option on Trade Me is done on a trusted site and puts the seller under time pressure, Lyons says. They’re excited at having made the sale, perhaps of an obscure or difficult-to-sell item, and want to get the money in. That makes it easier for scammers to persuade someone to click the phishing link. That might take them to a legitimate-looking escrow account or a PayPal-type service.
Theft by stealth
At that point, the unsuspecting victim is effectively logging into a “man-in-the-middle service”, Lyons says.
“You’re putting your details into the bank’s login and they’re logging into your bank at the other end of that.”
Sometimes the scammers will withdraw large amounts but increasingly, they will set up small, automatic weekly withdrawals that could go unnoticed by the victims for months.
“They [scammers] have worked out that bank security services are triggered by large purchases or withdrawals that are unusual. The smaller subscription-style purchases may fall under the radar of the anti-fraud detection tools.”
Many people with busy lives don’t look too closely at their bank statements, Lyons says. “Before you know it you’ve lost a couple of hundred bucks. The money’s gone and they’ve cleared off by that time.”
Lyons himself was the target of a buy-now Trade Me scam when he sold a fountain pen he didn’t particularly like.
“I got really excited about it [the sale].” But within hours he was contacted by Trade Me to say the purchaser wasn’t genuine and the trade had been cancelled.
Incidents like that damage the user’s confidence in the platform, he says.
“The person who had 26 different items purchased in her name probably feels very differently about the platform than she did [before]. So I think it is certainly in their best interests to make sure they [trading platforms] do all they can to keep people secure.”
It is in the interest of trading platforms to listen to feedback from users. He agrees multi-factor authentication can help people protect their accounts and know when other people are trying to access them.
“That is definitely a question for Trade Me.”
Trade Me is generally receptive to helping customers, he says, and actively looks for fraudulent activity online. But users, too, have a part to play.
Both Lyons and Williams say those buying and selling on online platforms have to take some responsibility by being vigilant, trading on sites that have some protection (unlike trading with someone on a gaming website), and carefully checking where emails are coming from.
Williams says systems like 2FA are necessary to protect online accounts, but warns that although 2FA can “lock down” a person’s account, that won’t necessarily stop them from falling for a scam.
In Ryan’s statement, he said it was important to be vigilant and use trusted platforms.
“You’d be an idiot to do anything dodgy on Trade Me, you leave deep electronic footprints on our site which can be traced.
“Sadly, however, there are some devious people online who will try to steal or scam people out of their money.”
Trade Me took immediate action if it had any concerns about a member’s activity on site, he said. That included banning the member from the site and warning any members they have purchased from, or been in contact with.
“We also have security processes to help flag new accounts being created by scammers.”
If a Trade Me member had been hacked, the platform would help the member to reinstate the account so the buy/sell history was not lost.
Trade Me sold for $2.65 billion
Trade Me was launched in 1999 by Kiwi entrepreneur Sam Morgan and sold to Australian media company Fairfax in 2006 for $700 million. It was delisted from the NZX in 2018 when British private equity company Apax Partners bought the Trade Me Group for $2.56 billion.
Apax still owns Trade Me, which is run by Norway-based CEO Anders Skoe.
Trade Me says it has a “strong working relationship” with Cert NZ, Netsafe and the police to protect its online community.
Trade Me would not say how often it involved the police in cybersecurity issues and scams. Nor would it comment on how effective banning someone from Trade Me is, given they can open a different account.
People appear to have multiple accounts on Trade Me. The platform claims it has 5 million active users (out of a New Zealand population of 5.2 million) but says some of those will be business accounts. About 650,000 Kiwis visit the site every day.
Trade Me isn’t the only online trading platform that is hit by scammers. Williams, who is based in Sydney, says the buy-now scams happen across multiple social and trade/selling platforms.
“We see it in Australia as well.”
The increasingly popular Facebook Marketplace, where listings are free and there are no fees for local sales, attracts its fair share of scammers. Meta, the company that owns and operates Facebook, Instagram and WhatsApp, would not answer questions put to it by the Herald, including how many Kiwis used the platform, whether the number of scams is on the rise, what users should watch for, and what Facebook Marketplace is doing to mitigate cybercrime and scams on the platform.
Instead, Meta referred the Herald to website material that outlined online safety tips and said the platform “invests substantial resources in detecting and preventing fraudulent activity on the platform. We remove content that purposefully deceives, wilfully misrepresents, or otherwise defrauds or exploits others for money or property”.
Tips to protect yourself from cyber scammers
- Look closely at where the email is coming from on a trading site
- Don’t click on any button if there is a sense that something’s not quite right
- Emails from Trade Me always end in @trademe.co.nz or @email.trademe.co.nz
- Choose the option “allow bids from authenticated members only” when creating a listing, which stops unauthenticated memberships from buying the listing
- Be wary of any emails posing as Trade Me asking for any further information, or to confirm the sale. Trade Me will never ask you to confirm your password, credit card or any personal information by email
- Hand over or send the item(s) only after the money has appeared in your account
- Trade Me recommends using Ping or Afterpay as a payment method, which acts as a buffer and means the platform’s buyer protection policy applies
Jane Phare is a senior Auckland-based features and investigations journalist, former assistant editor of NZ Herald and former editor of the Weekend Herald and Viva.