How to Identify Online Scammers Before It's Too Late: The Story of Totyo and The Treadmill
- z3r0day_504
- Feb 10, 2023
- 6 min read

We hear about scams all the time, whether it's through phishing, vishing, smishing, or whatever malevolent ishing-for-your-money there is nowadays. I'll admit that as a cybersecurity professional, I usually joke around at the blatant scam attempts that come across my devices, be it tracking notifications of packages from companies I've never interacted with, or security alerts from generic phone numbers not associated to accounts I own. Recently, however, I had a more involved interaction with a scammer, and I'm here to share it with you so you can not only learn from my experience but become familiar with what to look for to help determine the validity of your interaction.
The Dreaded Online Marketplace
It happened to all of us: we went through COVID-19 times and built environments at home to meet our needs. Now that we've adapted to the situation surrounding COVID-19, we realize that we may no longer need some of the things we acquired since 2020, so we resort to downsizing but also hate losing all of our investment. Enter the online marketplace: it looks like Facebook Marketplace, OfferUp, Craigslist, among others. Essentially, any platform that allows you to sell your goods to a group of individuals with accounts on said platform. Features include listings for your items, chat interactions with interested parties, and the ability to list your items as pending, reduced price, sold, no longer available, etc.

There's a lot of great deals, some too good to be true. That's not going to be the premise of this post. The perspective I'll offer is that of a seller, which in my opinion, is not the perspective one usually considers as being the victim of a scam. Scams, as a knee-jerk thought, typically involve paying for a fraudulent service and therefore losing money. Not in the case I'm about to explain.
Treading Lightly on a Treadmill Sale
We recently decided to part ways with the treadmill we acquired as part of the great hibernation period that came with COVID-19. We have a gym membership and it was no longer serving its purpose, so it was time to say goodbye. While I'm not too keen on online marketplace sales because they tend to be riddled with folks with ulterior motives, I adapted for practicality's sake and with the hope of getting the contraption off of my hands easily. I made my listing for $500 and made it public.
Enter "Totyo":

Totyo at first didn't seem too out of the norm. I didn't provide an excess of information up front. I provided a general region, not an address, and fortunately for me, the phone number tied to my Zelle is a public number I use for business and other activities where I don't want to provide my personal number. Did I think it was a little weird that he had a truck driver? Sure, but maybe the guy runs a business reselling equipment or owns a gym, who knows? Thinking in the context of an average marketplace user and not a security professional, this person is making me an offer, didn't ask for my first born or my social security number, and is going to solve my issue. Great!

The plot thickens and he claims Zelle is asking for my email for verification. A bit strange, as I've never run into the issue, but again, my mind is focused on completing the transaction and not on potentially being scammed here. I gave him my spam/burner email.
Next thing I know, this is in my inbox:

This is where reality kind of punches me in the face with the notion that something is not right. I thought it was SUPER strange that this would even be a thing, having used Zelle in the past and not having encountered this issue. So, I sent "Totyo" a screenshot of the email:

So he calls, refuses any other type of means of payment, and insists that this is the way to resolve the issue. Note that at this point I had checked the bank account associated with Zelle and saw nothing come through or notify me there. Having used Zelle in the past, I knew that he hadn't actually done anything. I stopped him right there, essentially told him to kick rocks and that this would be the end of it.
To humor you with a good, poor-quality scam email, let me show you what the email for the "second transaction" looked like on my phone at a glance:

But even more humorously (which will be a point I make later) on my computer:

So what's the scam?
Alright, so the logic of the scam:
"Totyo" sends me fake $500 for the treadmill
Fake $500 is on hold because I don't have a "Zelle business account." Only way to clear this is by "Totyo" sending another fake $500 (or a duplicate transaction of whatever the cost of your item is in your case).
Once the two transactions go through, they ask you to "kindly" return the duplicate
You give them real money
They never send real money. They just pretend that they do and then hope they can "trust you to return the duplicate transaction money."
No More Totyos - What to Look For
So, how do we avoid more Totyo-ta-thons (see what I did there) in the future?
Don't give any information they can't find publicly easily or that can cause you significant damage. In my case, I gave him a burner email and a phone number that's been handed out more than I'd like to think about. I didn't freely offer up any additional information early in the process.
Check the profile. If it's something like Facebook Marketplace, you can check the profile of the individual. Look for the following:
Do they reside in the same area as you?
Does their profile tell a believable and discernible story? Or does it say that they basketweave in Madrid but live in Tijuana?
Is the profile essentially barren, and maybe have one or two profile pictures that look like they could've been taken from an unsuspecting victim? Aka does the profile look like it was thrown together in 5 minutes by someone in a hurry?
Assess the logic of the interaction. Any interaction where you're selling something but being asked for money doesn't make sense. I totally understand that in some situations you can get tunnel vision and not give too much thought. Some would argue I already disclosed too much by providing what I did. The key thing is: if any aspect of the interaction brings you pause, makes you hesitate, or gives you a negative gut feeling, you have every right to walk away from it, be you the seller or the buyer.
If they've sent you an email, look closely at it. So I brought up the point about the phone earlier. If you look at my phone screenshot, you can't see much about the sender's email information. It just says it came from Zelle Pay, which at a glance is convincing enough to the average person. However, if you expand the sender information in your phone or open the email in a computer, you'll see this:

Legitimate companies usually send emails from company domains. So in the case of Zelle, hypothetically, it would be something like "customerservice@zelle.com" as opposed to a Gmail address. Additionally, let's look at the remainder of that sketchy second email:

The name doesn't match who I was dealing with, and sweet Neptune that email is...something. There's lots of great content out there about the wonders of ChatGPT and how it can be used maliciously to craft grammatically-correct and professional sounding phishing emails, but I'll tell you: this was not one of them.
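The sender check described above can be automated. This is an added example, not code from the original post: it parses the From: header of a constructed message modelled on the screenshot, and flags a display name that claims a brand whose real domain (assumed here to be zelle.com, as the post hypothesizes) does not match the actual address, or an address on a consumer mailbox domain.

```python
# Added example (not from the original post): flag emails whose display name
# claims a brand but whose actual sender address is on an unrelated domain.
from email import message_from_string
from email.utils import parseaddr

# Assumed brand-to-domain mapping; adapt it to the brands you actually deal with.
BRAND_DOMAINS = {
    "zelle": {"zelle.com"},
}

# Consumer mailbox domains a company would not send transaction mail from.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def sender_parts(raw_message: str):
    """Return (display_name, address_domain) taken from the From: header."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return name, domain


def assess_sender(raw_message: str) -> list[str]:
    """Return a list of red flags; an empty list means nothing obvious."""
    name, domain = sender_parts(raw_message)
    if not domain:
        return ["no parsable sender address"]
    flags = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            flags.append(f"display name claims {brand!r} but address is @{domain}")
    if domain in FREEMAIL:
        flags.append(f"sender uses consumer mailbox @{domain}")
    return flags


# Constructed samples (no real addresses); the first mirrors the post's screenshot.
SCAM_SAMPLE = (
    "From: Zelle Pay <example.user123@gmail.com>\r\n"
    "Subject: Payment on hold - business account required\r\n"
    "\r\n"
    "Kindly ask the buyer to send a second payment to release the funds.\r\n"
)
LEGIT_SAMPLE = (
    "From: Zelle <customerservice@zelle.com>\r\n"
    "Subject: You received money\r\n\r\nBody\r\n"
)

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, assess_sender(sample) or ["no sender red flags"])
```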
Be Safe
The ultimate takeaway I'd like the reader to have is this: be safe. If at any point you're skeptical, concerned, scared, apprehensive, or just don't have a good gut feeling about what's going on, take a step back and reevaluate.
Also, don't be afraid to ask for a second opinion or seek help from friends, loved ones, or maybe someone you know that has experience in dealing with this kind of stuff. I wrote this post to bring light to the fact that even a cybersecurity professional can be three steps deep into a scam situation because of some tunnel vision and a desire to achieve an objective. I hope that my experience is informative and helps offer a sense of psychological safety and comfort in knowing that the situations do present themselves but they can be stopped before they become harmful to us and our families.
P.S. I reported the interaction with Totyo to Facebook and it's out of my hands now. Ultimately, even if it were actioned, nothing stops Totyo from becoming Fred, or Aswan, or Maria. Another account will be made and another user will be targeted as a scam victim. It's up to us to educate the masses, and maybe use a little bit of humor, to prevent future Totyo-ta-thons. :)