At the moment that two people reach an agreement to sell each other the product, the option to send it instead of having to meet in personthat is, payment is made through a transaction. Because of this, the attack occurs when cybercriminals find people who are doing this for the first time and take advantage of it.
Using normal conversation
This is precisely what they take advantage of when carrying out the scam, since may not raise suspicion, since it is simply a user who meets another and wants to have a conversation to exchange a product. It is after this when, if the scammer detects that the person is carrying little time using application or is it the first time that makes a shipment, will try to manipulate it.
After detecting it and talking to him, the cybercriminal will make the seller doubt that you have not correctly registered your account and that therefore it does not allow you to make the payment, in addition to make you believe that you need to enter your email correctly with which you have registered and asking the victim for it. All this pretending to be a kind, normal and ordinary person.
Obtaining fake email and website
After trusting the person and achieving that atmosphere of relative trust, the scammer may have asked you with all good intentions about the email you are using to check if there is something wrongly written, for example.
This would be a example of a possible dialogueaccording to Panda Security.
SWINDLER: “As you must be new to the app, you have not registered correctly and I cannot make the payment (…), It seems that you have not entered your email and Wallapop cannot charge it to my card. What email are you registered with?”
SWINDLER: How odd! I’m going to try again. I’ll tell you in a moment.
The moment the user puts it in writing, a message will arrive in their email inbox. alleged Wallapop message indicating that ‘the system has successfully reserved the item for sale’ and that to confirm this you must click on the button that containsas the company explains.
This button leads to a page practically exact to the real site of the platform in which you must confirm your email address, password, credit card confirmation…
But of course, it is a site to obtain all the user’s banking information. Therefore, always we should distrust When someone asks us for personal or banking information, even if it is an official website, we have to be careful.