Here a good scam story from an experienced “Domain Investor/Pro”
If you have other scam stories, just shoot me an email.
I fell for a fake online store. I should have noticed the warning signs.
If you read this blog, you’re among the 99.9% most savvy when it comes to domain names. You are also likely quite good at spotting online scams.
I don’t say this to flatter Domain Name Wire readers. Just think about it: most people don’t even know a domain name is called a domain name. When people ask what I do for a living and I mention domain names, I often get a blank stare. I follow up with, “You know, web addresses like amazon.com.”
My readers know what a Whois record is. You know how to look up when and where a domain was registered. You can probably spot an IDN. You know what a TLD is. You might even have access to a Whois history tool.
So I bruised my ego yesterday when I fell for an online scam.
I ran out of a dietary supplement that I order a couple of times a year. I went to re-order it through my phone.
I knew the company did not have its exact brand-match domain name, so I Googled the brand. (In case you weren’t aware, even when people know the domain they are looking for, they often type it in Google’s search box.)
Google presented an ad for the product, so I clicked the link.
Wow! The product was on sale. Great stuff. So I added it to the cart, proceeded to check out, entered my credit card, and submitted it.
That’s when something suspicious happened. I got an error message that my credit card transaction failed, and I should try a different card.
Hmm. I’ve never seen an error message suggesting using a different credit card. Usually, it would highlight an error with the actual card I used.
So I backtracked. I didn’t recall the online store using a .store domain; I thought it was a .com. Yet I entered my info on a .store.
I Googled the brand again and noticed there were two ads for the product. One had a favicon in the ad, and the other didn’t. That’s strange. Both ads had the same second level domain, but one was a .com and one was a .store.
I opened my laptop to investigate further.
Why did the site I just purchased through, which claimed to be powered by Shopify, send me through a different type of checkout form than the standard Shopify one?
I viewed the source code on the checkout page, and it included Chinese language script. Uh-oh.
Then I looked at Whois and found the domain was registered just days ago. Ouch.
I checked the Whois for the matching .com domain and found that the real store uses a different domain registrar.
I went back to Google and clicked the three dots to the right of the ad. There, you can see who paid for the ad. Some person in China. Fuuuuuuuuuc…
I logged into my credit card account and found the fake store hadn’t charged me. Which is nice, but that meant it was just harvesting credit card numbers to sell to other people.
So I called the credit card company and told them I needed to get a new card. It’s a pain because I’ll need to update my card number with all of the merchants I use. But one recent advancement that’s quite convenient is that the card number was instantly updated in Apple Pay and Google Pay.
I should have seen the warning signs as I went through the process. But buying things using a small mobile browser introduces risks, and it’s important to slow down.
It also reminded me to give grace to people who fall for online scams. Whenever I read about someone who got duped by a text message or a pig-butchering scheme, I shake my head, wondering how it happened. And although I’d like to think it would never happen to me, I shouldn’t be so sure. After all, one reason I think I rushed through the checkout process was that the product had a discount applied to it. The scammer knew this would get me to check out faster.
At least I didn’t enter a second credit card number like the site suggested!
For my part, I reported the fake ad to Google and the real company. I also reported the domain to the registrar. As of this morning, the ad for the fake site is no longer running.