Thread: A Cautionary Tale: Closest I’ve Come To Being Scammed in 20 Years

  1. #1
    Master Christian's Avatar
    Join Date
    Dec 2008
    Location
    London
    Posts
    9,926

    A Cautionary Tale: Closest I’ve Come To Being Scammed in 20 Years

    Gents,

    Thought it would be good to highlight yesterday’s incident on Sales Corner and how I came within a few clicks of being scammed out of £3000. I think of myself as pretty savvy and never thought I’d get this close to being duped, so I think by increasing our overall awareness, I might make others take that extra minute prior to each watch purchase and potentially avoid being stung.

    This is becoming a very common scam across all watch forums...we’ve seen it a couple of times here in recent months. Hacked accounts are used to dupe unsuspecting buyers.

    Here is the sales corner thread:

    https://forum.tz-uk.com/showthread.p...83#post5375983

    mjrennie is a well established member here having great feedback on H&V. His account was hacked and scammers posted the sales post for the Speedmaster.

    Some lessons from this:

    1. I’d always thought that by probability, the scammers would generally end up with accounts from members who weren’t regulars and hadn’t posted in a while. This was not the case - this was not a dormant account.

    2. They are very good at using pictures which aren’t the easiest to find. Google image search led me to deleted threads and I only found the pictures on a site that cached another.

    3. The scammers took their time to read back through the genuine member’s posts to mimic the way he has previously signed off other posts. I did my due diligence checks and the TZ history didn’t make me suspicious.

    4. When I offered to buy the watch, I realised that the scammers had left the sales post unmarked (ie not OHPF). I think their aim would have been to take money from any that offered to buy.

    5. They replied to all my PMs and offered to give me a mobile phone number and WhatsApp pictures of ‘the watch’ with our usernames written by it.

    6. Big alarm bell: it was requested I pay into a Monzo account of someone in a different name. Second time I’ve heard of Monzo being used in a scam.

    7. I’ve had a WTB for this watch for ages. This deal didn’t feel too good to be true, but it did feel like one I needed to act quickly on in order to secure. This could easily have clouded my judgement and led to me taking a stupid risk. At the end of the day, you are sending money to someone you haven’t met...always be 100% sure. None of us should be embarrassed about asking or supplying some form of assurance, even if very well established here. Don’t be afraid to ask.

    8. All members with access to SC should think about the security of their account. Change password regularly, use something that you don’t use elsewhere (a good tip is to have a basic secure password that is changed slightly for each website or account). Check if you’ve ever been compromised: https://haveibeenpwned.com/

    I hope that by raising awareness, we keep ourselves a bit safer on TZ-UK. They are definitely out there and getting through!
    Last edited by Christian; 7th April 2020 at 12:30.
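    Lesson 8 above points readers at haveibeenpwned.com. The same service also exposes a Pwned Passwords range API that lets a site or a user check a candidate password against known breach corpora without ever sending the password: only the first five hex characters of its SHA-1 go over the wire, and the suffix is matched locally against the returned list. The block below is an added example, not code from the original post or from Have I Been Pwned; it runs the matching offline against a constructed response (the `build_constructed_ranges` helper, the passwords in it and their counts are invented), while `fetch_range` shows the shape of the real endpoint and is not called by the demo.

```python
from __future__ import annotations

import hashlib
import random
import urllib.request

# Real Pwned Passwords range endpoint; a GET to RANGE_ENDPOINT + <5 hex chars> returns
# CRLF-separated "SUFFIX:COUNT" lines for every leaked SHA-1 that shares that prefix.
RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the Pwned Passwords index uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest: str) -> tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix never leaves the client."""
    return hexdigest[:5], hexdigest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Count-0 entries are padding
    (returned when the Add-Padding header is set) and are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (not used by the offline demo). Only the 5-char prefix is transmitted."""
    req = urllib.request.Request(RANGE_ENDPOINT + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def build_constructed_ranges(leaked: dict[str, int], seed: int = 1) -> dict[str, str]:
    """CONSTRUCTED stand-in for the API: maps prefix -> response body containing the given
    'leaked' passwords (invented counts), random filler suffixes and one padding entry."""
    rng = random.Random(seed)
    by_prefix: dict[str, list[str]] = {}
    for pw, count in leaked.items():
        prefix, suffix = split_hash(sha1_upper(pw))
        by_prefix.setdefault(prefix, []).append(f"{suffix}:{count}")
    bodies: dict[str, str] = {}
    for prefix, lines in by_prefix.items():
        for _ in range(5):
            filler = "".join(rng.choice("0123456789ABCDEF") for _ in range(35))
            lines.append(f"{filler}:{rng.randint(1, 50)}")
        lines.append("0" * 35 + ":0")  # padding line, as Add-Padding produces
        rng.shuffle(lines)
        bodies[prefix] = "\r\n".join(lines)
    return bodies


# Constructed sample corpus: the counts are made up, not real HIBP figures.
CONSTRUCTED = build_constructed_ranges({"password": 123456, "Speedmaster1": 7})


def offline_fetch(prefix: str) -> str:
    """Offline replacement for fetch_range: an unknown prefix means nothing in the corpus."""
    return CONSTRUCTED.get(prefix, "")


def breach_count(password: str, fetch=offline_fetch) -> int:
    """How many times the password appears in the corpus (0 = not seen). Pass fetch_range for a live check."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "Speedmaster1", "correct horse battery staple"):
        n = breach_count(pw)
        verdict = f"seen {n} times in breaches, do not reuse" if n else "not in this corpus"
        print(f"{pw!r}: {verdict}")
```

A password absent from the corpus is not thereby strong; the check only rules out ones already known to attackers, so length and per-site uniqueness still apply.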

  2. #2
    Master
    Join Date
    Mar 2016
    Location
    Glasgow
    Posts
    5,633
    Thanks Christian. You did very well here. I would have been less savvy.

    Sent from my CLT-L09 using Tapatalk

  3. #3
    Master Christian's Avatar
    Join Date
    Dec 2008
    Location
    London
    Posts
    9,926
    Definitely UK based scammers, good command of English, taking their time to get details correct...UK bank account and mobile. In case it helps anyone in future if scammers use the same details...all the info the scammers sent me via mjrennie’s PM:

    Account name: Sarah Micheal
    Sort code- 040004
    Account no - 91102327

    “I can send you any tagged photos of both our names next watch to make you feel comfortable, text me +44 7451 224537, let me know.”

  4. #4
    Master
    Join Date
    Aug 2018
    Location
    Surrey, U.K.
    Posts
    1,511
    Glad you dodged this bullet, well done

  5. #5
    Master helidoc's Avatar
    Join Date
    Mar 2010
    Location
    Liverpool
    Posts
    3,496
    Well done indeed Christian, and a close escape. As you say the bank details with a non-matching name is a big red flag. I’m sure scammers could bypass this with PayPal, and have a name that resembles the scammed account name.

    No doubt this is a worrying fraud in watch fora, and is on the increase. You have to remain diligent, but passion and enthusiasm risks bypassing the necessary checks and balances.

    It’s scary

    Dave


    Sent from my iPad using Tapatalk

  6. #6
    Master
    Join Date
    Oct 2019
    Location
    East Anglia
    Posts
    1,845
    Blog Entries
    2
    Close call indeed, glad you dodged that one.

  7. #7
    Master
    Join Date
    Sep 2012
    Location
    Lancashire
    Posts
    2,562
    Quote Originally Posted by Christian View Post
    Definitely UK based scammers, good command of English, taking their time to get details correct...UK bank account and mobile. In case it helps anyone in future if scammers use the same details...all the info the scammers sent me via mjrennie’s PM:

    Account name: Sarah Micheal
    Sort code- 040004
    Account no - 91102327

    “I can send you any tagged photos of both our names next watch to make you feel comfortable, text me +44 7451 224537, let me know.”
    Can those account details be passed on to action fraud or the like ???

  8. #8
    Master
    Join Date
    Apr 2015
    Location
    Devon
    Posts
    5,134
    So glad you weren’t scammed. A lot of scumbags out there.

  9. #9
    Master Christian's Avatar
    Join Date
    Dec 2008
    Location
    London
    Posts
    9,926
    Quote Originally Posted by mjc1216 View Post
    Can those account details be passed on to action fraud or the like ???
    Not sure, I’ve reported the account details to Monzo as I happen to bank with them too - they seemed interested. I guess if they get further complaints about the account holder, they’ll spot a trend.

  10. #10
    Master
    Join Date
    Jan 2018
    Location
    Lancashire
    Posts
    1,070
    Well done Christian. 1-0 to the good guys.

  11. #11
    Master Tetlee's Avatar
    Join Date
    Jun 2014
    Location
    Somerset
    Posts
    3,001
    Very worrying and well done for being savvy. Could it be time we all put a piece of paper with our username and a date with the pics of the watch as standard when selling?

    I know that won't be cast iron but at very least it would stop people stealing pics online of a watch they probably don't even own?

    I think we need to start thinking how we can make SC a safe place for all.

  12. #12
    Quote Originally Posted by Christian View Post
    Definitely UK based scammers, good command of English, taking their time to get details correct...UK bank account and mobile. In case it helps anyone in future if scammers use the same details...all the info the scammers sent me via mjrennie’s PM:

    Account name: Sarah Micheal
    Sort code- 040004
    Account no - 91102327

    “I can send you any tagged photos of both our names next watch to make you feel comfortable, text me +44 7451 224537, let me know.”
    In order to activate a Monzo account - the user has to record themselves on video and upload to Monzo. If this is reported to the police, Monzo can at least retrieve the face of the person who opened this account. They had to send that Monzo card to an address....

  13. #13
    Master adesmith's Avatar
    Join Date
    Feb 2012
    Location
    Cheshire
    Posts
    2,483
    Well done Christian!!!

    I have changed my password - would hate to have my account used to dupe someone on here.

  14. #14
    Master
    Join Date
    Feb 2015
    Location
    London, UK
    Posts
    3,020
    If you stick that number into WhatsApp it suggests it has been registered as a ‘business account’. I’ve not seen that before and not really sure what benefit it may offer the budding scammer. Anyone know?

    Ps, also, well done Christian and a good write up. Let’s hope everyone reads

  15. #15
    Grand Master Neil.C's Avatar
    Join Date
    Sep 2003
    Location
    SE England
    Posts
    27,087
    Blimey!

    Well done for not getting caught out Christian.
    Cheers,
    Neil.

  16. #16
    Grand Master dkpw's Avatar
    Join Date
    Sep 2009
    Location
    Edinburgh
    Posts
    10,830
    Well spotted Christian and a valuable reminder to conduct due diligence before handing over any money.

    It would be helpful if the forum software were more secure, offering two step verification and forced regular password changes.

    But in the absence of those options, the key is as always to have a unique password for each site, to make the password long and non-dictionary based and to change it regularly. Browser plug-ins like LastPass can help with all of those.

  17. #17
    Master PhilipK's Avatar
    Join Date
    Aug 2010
    Location
    Hampshire, UK
    Posts
    4,223
    Quote Originally Posted by dkpw View Post
    the key is as always to have a unique password for each site, to make the password long and non-dictionary based and to change it regularly.
    Having a unique password for each site - absolutely (if one site is compromised, you don't want all the others to also be compromised).

    Strong and long - yes (it safeguards somewhat against dictionary- and brute-force attacks).

    Changing your password regularly - NO. It's pointless (it would only make a difference after the account has already been compromised, and all the evidence tends to show that the perpetrators will use compromised credentials immediately after compromising them) and may even reduce security (it's better to choose a good password and stick with it rather than having to try to think up new - and potentially less secure - ones). It also goes against National Cyber Security Centre guidance - https://www.ncsc.gov.uk/blog-post/pr...assword-expiry

  18. #18
    Grand Master GraniteQuarry's Avatar
    Join Date
    Jun 2005
    Location
    Aberdeen, UK
    Posts
    27,873
    Well done OP, good Spidey sense!

    Any neobank like Monzo is something for all of us to watch for; a red flag requiring further clarity before sending.

  19. #19
    Craftsman
    Join Date
    Jun 2019
    Location
    UK
    Posts
    311
    Quote Originally Posted by PhilipK View Post
    Having a unique password for each site - absolutely (if one site is compromised, you don't want all the others to also be compromised).

    Strong and long - yes (it safeguards somewhat against dictionary- and brute-force attacks).

    Changing your password regularly - NO. It's pointless (it would only make a difference after the account has already been compromised, and all the evidence tends to show that the perpetrators will use compromised credentials immediately after compromising them) and may even reduce security (it's better to choose a good password and stick with it rather than having to try to think up new - and potentially less secure - ones). It also goes against National Cyber Security Centre guidance - https://www.ncsc.gov.uk/blog-post/pr...assword-expiry
    While it would be great if everyone had a unique, strong password for every site they use, the reality is that's unworkable after a while.

    Best advice is to use a password manager. At a bare minimum set up 2 factor authentication on the stuff that matters, like your email or your bank. If your email is secure, you can normally recover anything that was compromised.

    You're right about regular password changes, although that advice only changed a couple of years ago so it's taking the World a while to catch up.

  20. #20
    Grand Master dkpw's Avatar
    Join Date
    Sep 2009
    Location
    Edinburgh
    Posts
    10,830
    Quote Originally Posted by PhilipK View Post
    Having a unique password for each site - absolutely (if one site is compromised, you don't want all the others to also be compromised).

    Strong and long - yes (it safeguards somewhat against dictionary- and brute-force attacks).

    Changing your password regularly - NO. It's pointless (it would only make a difference after the account has already been compromised, and all the evidence tends to show that the perpetrators will use compromised credentials immediately after compromising them) and may even reduce security (it's better to choose a good password and stick with it rather than having to try to think up new - and potentially less secure - ones). It also goes against National Cyber Security Centre guidance - https://www.ncsc.gov.uk/blog-post/pr...assword-expiry

    Thank you for the link. I take your point about the regular password change, however the article's main criticism against regular changes is, in my view, made less relevant if you utilise LastPass or another secure password system and use its suggestions for long, obscure passwords, like tuwKtZ70%8in, which it's just generated for me. At work, all of my users now have and use it.

    Best of all though is 2SV! :)

  21. #21
    Craftsman
    Join Date
    Mar 2016
    Location
    West yorkshire, uk
    Posts
    382
    Well done Christian. I am really glad you didn't lose your money.

  22. #22
    Master paneristi372's Avatar
    Join Date
    Apr 2012
    Location
    Barrowford
    Posts
    3,124
    Great advice. Thank you.

  23. #23
    Grand Master Mr Curta's Avatar
    Join Date
    May 2014
    Location
    Mainly UK
    Posts
    17,353
    Don't just do something, sit there. - TNH

  24. #24
    Master Alansmithee's Avatar
    Join Date
    Jul 2013
    Location
    Burscough, UK
    Posts
    9,578
    Quote Originally Posted by JohnnyE View Post
    In order to activate a Monzo account - the user has to record themselves on video and upload to Monzo. If this is reported to the police, Monzo can at least retrieve the face of the person who opened this account. They had to send that Monzo card to an address....
    The owner of that account is likely waiting for payment for something they were selling that the "buyer" will then pop around to pick up really quickly - as we know from here bank transfer is the safest means to sell... right?

    That or one of a range of variations of funneling the money through the account of a dupe.

  25. #25
    Master
    Join Date
    Dec 2008
    Location
    location, location
    Posts
    3,959
    Quote Originally Posted by Mr Curta View Post
    Thanks Matthew, good point. Just finished changing all my critical passwords to 'correct horse battery staple'. Let's see them hack me now!!

  26. #26
    Craftsman
    Join Date
    Jun 2019
    Location
    UK
    Posts
    311
    Quote Originally Posted by Mr Curta View Post
    This only works if you have an unlimited vocabulary. Otherwise you're essentially creating a 4 character password just with a much bigger alphabet.

    Password managers are the one and only answer I think.

  27. #27
    Craftsman
    Join Date
    Jan 2017
    Location
    Somerset
    Posts
    780
    Well done OP great shout.

    Sent from my SM-G930F using Tapatalk

  28. #28
    Master Glen Goyne's Avatar
    Join Date
    Jul 2011
    Location
    the Netherlands
    Posts
    3,452
    Thanks for posting. Can someone explain what a Monzo account is please? I am Dutch, never heard of it. Is it a specific bank?

    Also agree on the password advice above. Password manager and strong and unique passwords.


    Sent from my iPhone using Tapatalk

  29. #29
    Master aldfort's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff
    Posts
    9,254
    The phone no provided is on the Tismi network, much beloved of scammers apparently.

  30. #30
    Grand Master Mr Curta's Avatar
    Join Date
    May 2014
    Location
    Mainly UK
    Posts
    17,353
    Quote Originally Posted by Lusty View Post
    This only works if you have an unlimited vocabulary. Otherwise you're essentially creating a 4 character password just with a much bigger alphabet.
    https://www.ncsc.gov.uk/blog-post/th...-thinkrandom-0

    https://www.ncsc.gov.uk/collection/t...word-for-email
    Don't just do something, sit there. - TNH

  31. #31
    Master aldfort's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff
    Posts
    9,254
    What happens when the organisation you create your password to access insists on:

    At least one number?
    A mix of upper and lower case letters?
    At least one character that is neither a letter nor a number?

  32. #32
    Craftsman
    Join Date
    Jun 2019
    Location
    UK
    Posts
    311
    Yes I know that's the current guidance, but there's plenty of debate in the community about whether that's correct. Especially if you're using 3 instead of 4 words as they suggest.

    Also, they are guidelines for creating a password which is a last resort, and the NCSC absolutely recommend using password managers so that you don't have to.

  33. #33
    Master
    Join Date
    Apr 2006
    Location
    Berkshire
    Posts
    5,115
    Wow, bullet dodged for sure. Well done and good on you for writing about it and sharing it

  34. #34
    Journeyman
    Join Date
    Jun 2019
    Location
    London
    Posts
    53
    Thanks for the tips on how to stay wary of these things.

  35. #35
    Master
    Join Date
    Oct 2012
    Location
    Hertfordshire
    Posts
    2,844
    Blog Entries
    1
    Well spotted and thanks very much for the heads up

  36. #36
    Grand Master Mr Curta's Avatar
    Join Date
    May 2014
    Location
    Mainly UK
    Posts
    17,353
    Quote Originally Posted by Lusty View Post
    Yes I know that's the current guidance, but there's plenty of debate in the community about whether that's correct. Especially if you're using 3 instead of 4 words as they suggest.

    Also, they are guidelines for creating a password which is a last resort, and the NCSC absolutely recommend using password managers so that you don't have to.
    What community? The three National Technical Authorities?


    Quote Originally Posted by aldfort View Post
    What happens when the organisation you create your password to access insists on:

    At least one number?
    A mix of upper and lower case letters?
    At least one character that is neither a letter nor a number?
    You can use a number as one of your 'words' such as a historical date or memorable zip code. Proper nouns have capital letters so they can be used if you don't want to simply capitalise the first letter. Punctuation is easy to add to a memorable phrase! It's all about making it easy to remember but hard to guess. Even password managers need a memorable password, and you can do a lot worse than three or four random words.
    Don't just do something, sit there. - TNH

  37. #37
    Master Alansmithee's Avatar
    Join Date
    Jul 2013
    Location
    Burscough, UK
    Posts
    9,578
    Quote Originally Posted by Glen Goyne View Post
    Thanks for posting. Can someone explain what a Monzo account is please?

    Yes it is a bank - it currently operates in the UK and the USA.

  38. #38
    Master bazza.'s Avatar
    Join Date
    Jul 2009
    Location
    North Warwickshire
    Posts
    3,214
    Bloody hell, that's scary. I normally look and always feel safe if someone's been on the forum for years.

  39. #39
    Craftsman
    Join Date
    Jun 2019
    Location
    UK
    Posts
    311
    Quote Originally Posted by Mr Curta View Post
    What community? The three National Technical Authorities?

    You can use a number as one of your 'words' such as a historical date or memorable zip code. Proper nouns have capital letters so they can be used if you don't want to simply capitalise the first letter. Punctuation is easy to add to a memorable phrase! It's all about making it easy to remember but hard to guess. Even password managers need a memorable password, and you can do a lot worse than three or four random words.
    Never mind mate. Don't want to derail the thread. If you want to have a detailed conversation about it then feel free to drop me a PM and I will bore you to death.

    Password Managers are great, that should be the takeaway. And 'correcthorsebatterystaple' is better than 'letmein' or whatever.

  40. #40
    Grand Master MartynJC (UK)'s Avatar
    Join Date
    Dec 2008
    Location
    Somewhere else
    Posts
    12,361
    Blog Entries
    22
    I suggest people actually phone each other up and have a talk / video call. It will soon be apparent if they are scammers - you could get them to hold up their driving license to show their home address / name or bank statement matching the account they want paying to.

    Also - always good to chat to fellow TZrs in these days.

    Luckily banks are introducing more checks with the account name having to (exactly) match the payee name - being rolled out now. This should help against fraud.

    Good spot Christian!!

  41. #41
    Thomas Reid
    Join Date
    Apr 2004
    Location
    Oxford, UK
    Posts
    20,326
    Quote Originally Posted by Lusty View Post
    While it would be great if everyone had a unique, strong password for every site they use, the reality is that's unworkable after a while.

    Best advice is to use a password manager. At a bare minimum set up 2 factor authentication on the stuff that matters, like your email or your bank. If your email is secure, you can normally recover anything that was compromised.

    You're right about regular password changes, although that advice only changed a couple of years ago so it's taking the World a while to catch up.
    Why is it unworkable to have a unique, strong password for every site, if one is using a password manager? I may be on the lowish end of things, but I have 150+ accounts of various sorts, and they all have unique, strong passwords.

    (Except for TZ-UK -- unique, but not all that strong, only 8 characters, although upper/lower/numerals. Most accounts have 16, although some others have only 12.)

    Best wishes,
    Bob
    Last edited by rfrazier; 7th April 2020 at 19:11.

  42. #42
    Craftsman
    Join Date
    Jun 2019
    Location
    UK
    Posts
    311
    Quote Originally Posted by rfrazier View Post
    Why is it unworkable to have a unique, strong password for every site, if one is using a password manager? I may be on the lowish end of things, but I have 150+ accounts of various sorts, and they all have unique, strong passwords.

    (Except for TZ-UK -- unique, but not all that strong, only 8 characters, although upper/lower/numerals. Most accounts have 16, although some others have only 12.)

    Best wishes,
    Bob
    It's not unworkable if you use a password manager. I don't think that's what I wrote, but apologies if that's how it came across.

    If people reading this thread take away one piece of advice, it's to use a password manager.

  43. #43
    Thomas Reid
    Join Date
    Apr 2004
    Location
    Oxford, UK
    Posts
    20,326
    Quote Originally Posted by Lusty View Post
    It's not unworkable if you use a password manager. I don't think that's what I wrote, but apologies if that's how it came across.

    If people reading this thread take away one piece of advice, it's to use a password manager.
    Could be me. I sometimes read things too closely. Professional habit, but not appropriate for all circumstances.

    Best wishes,
    Bob

  44. #44
    Quote Originally Posted by Lusty View Post
    It's not unworkable if you use a password manager. I don't think that's what I wrote, but apologies if that's how it came across.

    If people reading this thread take away one piece of advice, it's to use a password manager.
    Things would be a lot simpler if 'sites' asked for the password and not the 3rd, 11th, 19th and 24th character of the password. Even with a password manager it's hard work.

  45. #45
    Master
    Join Date
    Feb 2014
    Location
    N/A
    Posts
    7,769
    The only safe way to buy a pricey watch from a stranger, TZ member or not, is to meet at his house or workplace, and then do the bank transfer. You got his address, so that gives you a fair amount of protection.

    If he doesn't like it, walk away.

  46. #46
    Craftsman TAFKARM's Avatar
    Join Date
    Oct 2018
    Location
    Yorkshire
    Posts
    393
    Thanks for the heads up

  47. #47
    Master PhilipK's Avatar
    Join Date
    Aug 2010
    Location
    Hampshire, UK
    Posts
    4,223
    Quote Originally Posted by Kingstepper View Post
    Things would be a lot simpler if 'sites' asked for the password and not the 3rd, 11th, 19th and 24th character of the password. Even with a password manager it's hard work.
    That's normally done to protect against replay attacks (if somebody is monitoring the connection, they don't get to see the whole password, but just a few characters from it, so they can't then use it to log in as you). There are better ways of achieving this, though (e.g. end-to-end encryption).

    Unfortunately in any system you can have two out of Security, Cost and Ease Of Use, but never all three.
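    PhilipK's reply above describes the partial-password scheme (only the characters at a few randomly chosen positions are requested) and notes that better mechanisms exist. The block below is an added example, not code from the thread or from any bank's system: it implements a minimal challenge and verifier on a constructed 24-character secret, then estimates, for a defender assessing the control, how many observed logins a passive eavesdropper would need before every position had been exposed at least once. The class and function names are my own.

```python
from __future__ import annotations

import random
import secrets


class PartialPasswordVerifier:
    """Server side, simplified: a real deployment would hold per-character hashes or use an HSM
    rather than the plaintext. Each challenge asks for k distinct 1-based positions, e.g. [3, 11, 19, 24]."""

    def __init__(self, password: str, k: int = 4, rng: random.Random | None = None):
        if k > len(password):
            raise ValueError("cannot ask for more positions than the password has")
        self._password = password
        self.k = k
        self._rng = rng or random.SystemRandom()  # CSPRNG by default; seeded Random only for the simulation

    def issue_challenge(self) -> list[int]:
        """Pick k distinct positions at random, sorted the way a login form shows them."""
        return sorted(self._rng.sample(range(1, len(self._password) + 1), self.k))

    def verify(self, positions: list[int], answer: str) -> bool:
        expected = client_answer(self._password, positions)
        # Constant-time compare so timing does not reveal how many characters were right.
        return secrets.compare_digest(expected.encode(), answer.encode())


def client_answer(password: str, positions: list[int]) -> str:
    """What the user types: the characters at the requested positions, in order."""
    return "".join(password[p - 1] for p in positions)


def logins_until_fully_observed(length: int, k: int, rng: random.Random) -> int:
    """Risk model: an eavesdropper who sees each challenge and its answer learns k
    (position, character) pairs per login. Returns the number of logins until every
    position has been exposed. Only positions matter, so a dummy secret is used."""
    dummy = "x" * length
    verifier = PartialPasswordVerifier(dummy, k, rng)
    seen: set[int] = set()
    logins = 0
    while len(seen) < length:
        positions = verifier.issue_challenge()
        assert verifier.verify(positions, client_answer(dummy, positions))
        seen.update(positions)
        logins += 1
    return logins


def average_logins_until_fully_observed(length: int = 24, k: int = 4,
                                        trials: int = 2000, seed: int = 2020) -> float:
    """Monte Carlo estimate of the exposure above; seeded so the figure is reproducible."""
    rng = random.Random(seed)
    return sum(logins_until_fully_observed(length, k, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    secret = "abcdefghijklmnopqrstuvwx"  # constructed 24-character secret
    v = PartialPasswordVerifier(secret, k=4)
    challenge = v.issue_challenge()
    ok = v.verify(challenge, client_answer(secret, challenge))
    print("challenge positions:", challenge, "accepted:", ok)
    print(f"mean logins seen before all 24 positions are known: "
          f"{average_logins_until_fully_observed():.1f}")
```

The estimate is for full recovery; any individual challenge whose positions have all been seen before is answerable much earlier, which is why the scheme only limits, rather than prevents, what a network observer gains.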

  48. #48
    Thomas Reid
    Join Date
    Apr 2004
    Location
    Oxford, UK
    Posts
    20,326
    Quote Originally Posted by PhilipK View Post
    That's normally done to protect against replay attacks (if somebody is monitoring the connection, they don't get to see the whole password, but just a few characters from it, so they can't then use it to log in as you). There are better ways of achieving this, though (e.g. end-to-end encryption).

    Unfortunately in any system you can have two out of Security, Cost and Ease Of Use, but never all three.
    A certain amount of friction is good for security. Think about the friction there is (usually) in deleting things. One is asked for confirmation. That is a useful friction.

    Best wishes,
    Bob

  49. #49
    Master PhilipK's Avatar
    Join Date
    Aug 2010
    Location
    Hampshire, UK
    Posts
    4,223
    Quote Originally Posted by rfrazier View Post
    A certain amount of friction is good for security. Think about the friction there is (usually) in deleting things. One is asked for confirmation. That is a useful friction.
    Not really - you're still somewhere inside the Security / Cost / Ease Of Use triangle.

    In this case you've lowered Cost at the expense of Ease Of Use.

    You could imagine an alternative system with unlimited storage and excellent indexing which allowed extremely easy retrieval of incorrectly deleted things (at increased Cost) which didn't require you to confirm deletion (thus improving Ease Of Use).

  50. #50
    Thomas Reid
    Join Date
    Apr 2004
    Location
    Oxford, UK
    Posts
    20,326
    Quote Originally Posted by PhilipK View Post
    Not really - you're still somewhere inside the Security / Cost / Ease Of Use triangle.

    In this case you've lowered Cost at the expense of Ease Of Use.

    You could imagine an alternative system with unlimited storage and excellent indexing which allowed extremely easy retrieval of incorrectly deleted things (at increased Cost) which didn't require you to confirm deletion (thus improving Ease Of Use).
    Yes, I was thinking that there is too much of an emphasis on Ease of Use.

    Best wishes,
    Bob
