My Experience with an Online Scam: A Cautionary Tale
I am a security professional who recently fell victim to an online scam, and I want to share my experience to help others avoid the same fate. It can happen to anyone, even people who know better.
I’ve been eyeing those adjustable weight sets for a while now, particularly the Bowflex ones with the stand (because I'm getting old and picking my dumbbells off the ground is inconvenient). One day, while scrolling through my feed on Instagram, I stumbled upon an ad offering those same Bowflex dumbbells at a 60% discount. My interest was piqued, and at the same time my Spidey senses were tingling. So I decided to check out the website directly. It seemed legitimate, looked professional and featured a variety of fitness products. However, I couldn’t find any physical location associated with the store, which made me a little uneasy.
Over the next few days, I kept seeing the ads (thanks, Instagram algorithms) and continued to check out the website. Clearly I was interested. Eventually, I decided to take the risk (it fell just within my personal risk tolerance) and attempt the purchase. The total cost was just under $270.
I immediately received an order number from a Shopify store. I could tell this because the email address that it came from included the Shopify name combined with a store number. It all looked professional and since it was from Shopify, I relaxed a little. However, on closer inspection of the order confirmation email, I noticed that in the body it also included a Proton email address for inquiries. This raised a red flag. No reputable business uses a Proton mail address.
The next day, I got another automated email from the Shopify store account stating that my order had been shipped, but there was no tracking information. I reached out via a reply email for tracking details but received no response over the course of 24 hours. The next morning, I checked the link in the email again, and the website was no longer available. When I clicked the link to check my order, I received "The link you followed is no longer available." Great.
I decided to do a bit of investigating, and after some digging I found that the domain was registered through the Namecheap domain registration service. I used VirusTotal to check the website's URL, and it reported the site as a “newly registered domain”. That is a bad sign, as fraudsters use new domains that don't yet have a reputation on the internet, so they are less likely to be blocked by protection tools. A WHOIS lookup confirmed the site was indeed hosted on the Shopify platform. Sigh.
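The two checks described above (a free-mail contact address hiding in an otherwise platform-branded order confirmation, and a domain that WHOIS shows was registered only days ago) are simple enough to script. The following is an added example written for this post, not code from the original author or from Shopify, VirusTotal or Namecheap. It runs entirely offline: the WHOIS record and the order confirmation email are both constructed samples with invented domains, and the 90-day "newly registered" threshold and the free-mail domain list are assumptions you would tune for your own use.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr

# Constructed sample WHOIS response (not a real lookup). The field names
# follow the common "Creation Date:" / "Registrar:" layout registrars return.
SAMPLE_WHOIS = """\
Domain Name: example-fitness-deals.shop
Registrar: Example Registrar, Inc.
Creation Date: 2024-05-20T14:03:11Z
Updated Date: 2024-05-20T14:03:11Z
Registry Expiry Date: 2025-05-20T14:03:11Z
Name Server: ns1.example-shop-hosting.test
"""

# Constructed sample order confirmation; sender, recipient and body are invented.
SAMPLE_EMAIL = """\
From: Example Fitness Store <store+12345@example-hosted-shop.test>
To: buyer@example.org
Subject: Order #1001 confirmed

Thanks for your order!
For questions contact us at support.examplefitness@proton.me
"""

# Assumed list of consumer free-mail providers a storefront should not use
# as its only point of contact.
FREE_MAIL_DOMAINS = {"proton.me", "protonmail.com", "gmail.com",
                     "outlook.com", "hotmail.com", "yahoo.com"}
NEW_DOMAIN_DAYS = 90  # assumed threshold for "newly registered"


def whois_creation_date(whois_text):
    """Extract the Creation Date from a WHOIS record as an aware datetime."""
    m = re.search(r"^Creation Date:\s*(\S+)", whois_text, re.MULTILINE)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))


def domain_age_days(whois_text, now):
    """Whole days between the domain's creation date and `now` (None if unknown)."""
    created = whois_creation_date(whois_text)
    return None if created is None else (now - created).days


def contact_addresses(body):
    """Every email address mentioned in the message body."""
    return re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", body)


def email_findings(raw_email):
    """Flag contact addresses that do not match the sender's domain."""
    msg = message_from_string(raw_email)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    findings = []
    for addr in contact_addresses(msg.get_payload()):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in FREE_MAIL_DOMAINS:
            findings.append(f"contact address on a free-mail provider: {addr}")
        elif domain != from_domain:
            findings.append(f"contact address on a different domain than the sender: {addr}")
    return findings


def assess_order(whois_text, raw_email, now=None):
    """Combine the email and domain-age checks into a list of red flags."""
    now = now or datetime.now(timezone.utc)
    findings = email_findings(raw_email)
    age = domain_age_days(whois_text, now)
    if age is not None and age < NEW_DOMAIN_DAYS:
        findings.append(f"domain registered only {age} days ago (under {NEW_DOMAIN_DAYS})")
    return findings


if __name__ == "__main__":
    # Fixed "now" so the sample produces a stable age; drop it for live use.
    for flag in assess_order(SAMPLE_WHOIS, SAMPLE_EMAIL,
                             now=datetime(2024, 6, 15, tzinfo=timezone.utc)):
        print("RED FLAG:", flag)
```

In practice you would feed `assess_order` the raw text from a real WHOIS client and the `.eml` you saved from your mail client; the point is that both signals are cheap to check before you enter a card number, and neither depends on how polished the storefront looks.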
I should have trusted my instincts.
I have to wait for the transaction to post before disputing it with my credit card company as they won't do anything with it until it reaches the posted state. I’ve also reported the fraudulent store to Shopify, but you need a Shopify account to do so (which I signed up for in order to be able to report this). Shopify should make it much easier for customers to report scams on their platform!
So here I am, feeling humbled and a bit embarrassed. I know better. I guess what made me proceed was that this just fell within my risk tolerance levels. I knew there was some risk this was not legit, but it was my hope that it would be real that had me move forward. This experience has taught me a valuable lesson: it can happen to anyone. As a reminder, here are a few things to help yourself not get stung by a fraudster.
While this experience has been a humbling one (especially as a security professional), it serves as a powerful reminder that even the most vigilant among us can fall prey to scams. It’s crucial to remain cautious and trust your instincts when something feels off. By sharing this account, I hope to raise awareness and help others avoid similar pitfalls. Remember, if a deal seems too good to be true, it probably is. Stay informed, do your research, and always prioritize your online safety. Let’s learn from each other’s experiences and strive to make the internet a safer place for everyone.
#fraud #scam #onlinesafety #shopify #bowflex #vigilance #canhappentoanyone
Chief Information Security Officer | Cybersecurity Strategist | Risk Management Expert
3 months
I'm sure as a security professional it's a knock to the ego and a hard thing to admit that a threat actor got the best of you. Curtis, I admire your courage to share this story for the greater good. It just goes to show that we're all susceptible to social engineering, and need to question everything.
Manager, IT Operations at Lakeland College CANADA
3 months
Thank you for sharing this! What a great read. You're a great writer!
Principal @ JKS Talent Network Inc. | Talent Identification
4 months
Having also worked for a security firm, I thought I couldn't get suckered, either. BUT I had a very similar experience in January. Multiple retailers had January sales running. A South American company scraped the LL Bean site and presented exceptional savings for a limited time. I fell for it and purchased an Osprey backpack. I got the confirmation emails and a couple of follow-up emails. THEN I saw a purchase on my credit card that converted Canadian dollars into Brazilian Real. That resulted in a call to the bank, who gave me RCMP contact info and a file number. I'm still waiting for the bank to reimburse me......
President and CEO
4 months
Thanks very much for sharing this, Curtis L. Blais
Director of Finance | Driving Cost Savings and Effective Financial Processes for a Variety of Industries
4 months
Definitely thanks for sharing, as it stings the pride a bit. I've seen similar for Callaway golf clubs on Facebook. I've gotten close to ordering too, so I understand the justification. I suspect the fraudsters know the science of risk tolerance and are working on it. They only need 1 percent to take it up to make cash.