I didn’t slow down and think when buying a product online yesterday. I fell for a fake website.

If you read this blog, you’re among the 99.9% most savvy when it comes to domain names. You are also likely quite good at spotting online scams.
I don’t say this to flatter Domain Name Wire readers. Just think about it: most people don’t even know a domain name is called a domain name. When people ask what I do for a living and I mention domain names, I often get a blank stare. I follow up with, “You know, web addresses like amazon.com.”
My readers know what a Whois record is. You know how to look up when and where a domain was registered. You can probably spot an IDN. You know what a TLD is. You might even have access to a Whois history tool.
So I bruised my ego yesterday when I fell for an online scam.
I ran out of a dietary supplement that I order a couple of times a year. I went to re-order it through my phone.
I knew the company did not have its exact brand-match domain name, so I Googled the brand. (In case you weren’t aware, even when people know the domain they are looking for, they often type it in Google’s search box.)
Google presented an ad for the product, so I clicked the link.
Wow! The product was on sale. Great stuff. So I added it to the cart, proceeded to check out, entered my credit card, and submitted it.
That’s when something suspicious happened. I got an error message that my credit card transaction failed, and I should try a different card.
Hmm. I’ve never seen an error message suggesting using a different credit card. Usually, it would highlight an error with the actual card I used.
So I backtracked. I didn’t recall the online store using a .store domain; I thought it was a .com. Yet I entered my info on a .store.
I Googled the brand again and noticed there were two ads for the product. One had a favicon in the ad, and the other didn’t. That’s strange. Both ads had the same second level domain, but one was a .com and one was a .store.
I opened my laptop to investigate further.
Why did the site I just purchased through, which claimed to be powered by Shopify, send me through a different type of checkout form than the standard Shopify one?
I viewed the source code on the checkout page, and it included Chinese language script. Uh-oh.
Then I looked at Whois and found the domain was registered just days ago. Ouch.
I checked the Whois for the matching .com domain and found that the real store uses a different domain registrar.
I went back to Google and clicked the three dots to the right of the ad. There, you can see who paid for the ad. Some person in China. Fuuuuuuuuuc…
I logged into my credit card account and found the fake store hadn’t charged me. Which is nice, but that meant it was just harvesting credit card numbers to sell to other people.
So I called the credit card company and told them I needed to get a new card. It’s a pain because I’ll need to update my card number with all of the merchants I use. But one recent advancement that’s quite convenient is that the card number was instantly updated in Apple Pay and Google Pay.
I should have seen the warning signs as I went through the process. But buying things using a small mobile browser introduces risks, and it’s important to slow down.
It also reminded me to give grace to people who fall for online scams. Whenever I read about someone who got duped by a text message or a pig-butchering scheme, I shake my head, wondering how it happened. And although I’d like to think it would never happen to me, I shouldn’t be so sure. After all, one reason I think I rushed through the checkout process was that the product had a discount applied to it. The scammer knew this would get me to check out faster.
At least I didn’t enter a second credit card number like the site suggested!
For my part, I reported the fake ad to Google and the real company. I also reported the domain to the registrar. As of this morning, the ad for the fake site is no longer running.
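
The checks I ran by hand above (same second-level name under a different TLD, a registration only days old, a registrar that differs from the real store's) can be scripted. This is an added example, not a tool used in the post: the domain names, registrars, dates, the 30-day age threshold and the "two or more signals" rule are all constructed assumptions, and the records stand in for what a Whois lookup would return.

```python
from datetime import date

# Constructed records shaped like Whois output; all names and dates are placeholders.
KNOWN_GOOD = {"domain": "brand-placeholder.com", "registrar": "Registrar A",
              "created": date(2016, 5, 10)}
CANDIDATES = [
    {"domain": "brand-placeholder.store", "registrar": "Registrar B", "created": date(2024, 6, 1)},
    {"domain": "brand-placeholder.top", "registrar": "Registrar C", "created": date(2024, 5, 20)},
    {"domain": "brand-placeholder.net", "registrar": "Registrar A", "created": date(2017, 1, 3)},
    {"domain": "unrelated-shop.store", "registrar": "Registrar B", "created": date(2024, 6, 2)},
]

def label_and_tld(domain):
    """Split into (second-level label, TLD). Assumes a single-label TLD;
    suffixes such as co.uk would need a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]

def signals(candidate, known_good, today, max_age_days=30):
    """Return the warning signs from the post that apply to one candidate."""
    found = []
    c_label, c_tld = label_and_tld(candidate["domain"])
    k_label, k_tld = label_and_tld(known_good["domain"])
    if c_label != k_label:
        return found  # not reusing this brand's label; out of scope
    if c_tld != k_tld:
        found.append("same label, different TLD")
    if (today - candidate["created"]).days <= max_age_days:
        found.append("registered recently")
    if candidate["registrar"] != known_good["registrar"]:
        found.append("different registrar")
    return found

def triage(candidates, known_good, today):
    """Map each domain with two or more signals to those signals."""
    report = {}
    for c in candidates:
        s = signals(c, known_good, today)
        if len(s) >= 2:
            report[c["domain"]] = s
    return report

if __name__ == "__main__":
    for domain, s in triage(CANDIDATES, KNOWN_GOOD, date(2024, 6, 5)).items():
        print(domain, "->", ", ".join(s))
```

A different TLD on its own is not flagged here: the long-held .net at the real store's registrar produces one signal and stays out of the report, while the days-old .store and .top names at other registrars each produce three.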




To avoid problems, I have several bank accounts each with a Debit Card (not Credit). I always use the one card with very little in it to buy things that I don’t necessarily want to repeat each month. That way there is not enough in account for them to take another month subscription or whatever. Also use similar tactic with other debit card, use online
any crooks can only take up to what I have put in bank account.
In the U.S. you have much better protections on credit cards than you do debit cards. Even if the scammer used the card, I wouldn’t be held liable as long as I let the credit card company know as soon as I discovered it.
I see this kind of thing happen to people who have been online for 30 years all the time. Mobile phones are a peril.
I think this is a pretty damning indictment of just how bad Google is as a search engine. If you can pay your way to the top, who cares if the results actually help the end user?
Great case study on why brands should always own their dotCOM whenever feasible.
Consumers are wary of non-dotcom extensions due to endless scammers.
A company that offers a solution for this has a great .com: privacy.com
I just got an email from the real store. They said someone is also using a .top domain to spoof them.
Lucky that your card was not used immediately by the scammer, usually once they get access immediately they use the card.
super close call…
I have a separate account with debit card for online purchases and keep under 500 in there and watch it daily…
Kudos to you for sharing your experience and coming out unscathed for the most part. As you stated, everyone’s not as fortunate. It’s worth highlighting that .STORE is NOT THE PROBLEM HERE. The way it was used is though. This same thing happens all the time with .COM and other extensions too. Folks simply need to slow down and perform a few more seconds of due diligence whenever they can.
I’ve had this happen to me in Dubai, unfortunately in the UAE brands use random domains for their MENA brands and it’s very easy to fall for the scams showing a legitimate site with same products, brands are too lazy (even large ones) utilising their main domain for regions with different ethics and laws hence use brandae.com or branduae.com or they have no official representation and use regional suppliers who use random domains. It’s a true pain.