Guillermo used to buy graphics cards. They have been highly sought after for a long time because they have many uses. It occurred to him to look at Wallapop, a trading platform with a lot of second-hand material. There was one from Nvidia, in a prominent ad, at 1,700 euros. “I know her and that was the minimum price,” says Guillermo. “If it had cost 500, I know it’s not real. I haggled with the seller and he told me no, that the minimum is that, the guy also knew the product, ”he explains.
It was a Friday night in February and Guillermo, 34, who prefers to hide his full name and image so as not to be more affected, was dining at a restaurant with his girlfriend. He was asking for extra information about the card and guarantees from the seller: a video of the box and his seal, a photo of the identity card. The seller pressured him so that he could send the card on Saturday morning and on Monday he would be in Valencia, where he lives. A time came when he decided to pay now and forget about it. He made an instant transfer of 1,650 euros and that’s when he lost his money.
The seller was allegedly a small serious store in the province of Bizkaia. It had more than 200 positive reviews on Wallapop and its rating was five stars. The reviews from the beginning of February, just before Guillermo’s purchase, were impeccable: “Everything very good”, “perfect. Very fast shipping”, “an excellent treatment, everything has been super fast, 100% recommended”. The problem was another, increasingly common on the internet: the seller was not who he claimed to be. He was a scammer who had spoofed the identity of the store, added graphics cards and Apple devices as a hook and promoted them with ads on Wallapop. The victims were coming. That day it was, at least, Guillermo, who has spoken with EL PAÍS in Valencia.
a simple method
This is the relatively simple fraud process, according to Guillermo’s elaborate hypothesis in conversations with the scammer and the impersonation store experience. Look for stores with good reviews and find out their phone number. One way to do this is to write to the store with a query and ask them to do it through WhatsApp, not through the Wallapop chat. You already have the number. A few days later, the offender writes to that store via WhatsApp, pretending to be Wallapop’s technical service.
The affected seller, José Antonio Solano, published the conversation in an internet forum. On February 3, he received this message: “Hello, we are Wallapop’s technical support, we have detected several complaints against your profile and we must verify it so that it is not disabled, contact us as soon as possible.” That “hello good” and the lack of points are two small alerts of phishing. But in these cases, fear often outweighs parsing.
Solano clicked and followed the offender’s instructions, which led him to put his email and password on a fake Wallapop page. He had already lost control of his store. The scammer changed the data right away. Luckily for Solano, his store was going to be just a means of scamming. He did not lose any money or the account, which Wallapop returned days later.
The attack of the weekend
The day of the week chosen is no coincidence. Solano denounced on the same Thursday night of the attack the impersonation of Wallapop. Wallapop’s response came to him on Monday night. The scammer knows that he has at least three days for suitable victims, hence he spends a few euros on advertising. Guillermo looked for similar cards for other weeks and saw that on Friday the same scammer had other supplanted stores. He would sometimes enter the chat and ask if he was the same one who scammed him. “The real one”, was the answer once.
Wallapop says that this weekend delay spends very little on its platform. First there is a team of moderators that “allows quick responses” and “in 99.4% of the cases the actions taken by the moderators are correct, but there are a remaining number of cases that must be re-reviewed and escalated to the internal Wallapop team,” he says. Federico Coll, head of Community Operations of the platform. “The case described is an exception to the rule because only 0.009% of cases take more than a day to respond,” he adds.
That 0.009%, according to Wallapop, is about cases where suspected fraud is reported. The impersonation figures are a tiny percentage of a very large number: “Of the users who use Wallapop, only 0.012% have reported an account impersonation,” says Coll. According to company figures, they have 15 million active users in Spain and since its foundation in 2013 it has allowed transactions of more than 180 million people.
There are two fascinating details of this case. First, the two deceived are expert users of the Internet and its platforms, not beginners. “I was working and I got lost,” says Solano by phone to EL PAÍS. “Then I realized instantly. If you think about it cold, it has a couple of mistakes in the writing and the pressure to do it is already strange. But it was too late. I have been in the world of electronic commerce for more than 20 years and it has happened to me”. Solano has another excuse. A few days before, another platform, eBay, had contacted him by email to request documentation. There he did checks and it was true. But that day, the scammer caught him off guard.
That’s the second curious detail: being clueless affects what we do. Solano worked and Guillermo dined at a restaurant. With those two oversights and a bit of work, the criminal earned more than what most Spaniards earn per month. “How easy it is to scam!” says Guillermo, who spoke several times with the criminal. First to get more information about him and add them to his report to the police. Bill used a friend’s account to buy another graphics card. When he made the fraudulent transfer, the first checking account had not worked. The offender evidently used false documentation and accounts. Now Guillermo was telling him that none of them worked and the other was giving him more.
How to befriend the offender
He also wanted to get him to enter a video call to capture his face. But she couldn’t. When Guillermo gave up, he became a colleague of the bad guy. He told her his nom de guerre. EL PAÍS has tried to contact him, so far without luck: his WhatsApp account is apparently still active with a photo of some car tires, the same one as when he spoke with Guillermo. The criminal offered to collaborate and explained his method: buy SIM cards with false documentation so that the police cannot trace the number and use it to connect to the Internet through a good VPN, which hides the origin of the connection. The scammer wanted Guillermo to send him boxes of graphics cards so he could trick more users, among other collaboration options. William declined.
EL PAÍS has had access to some of the conversations. In addition to some insult, Guillermo tries by all means to make the criminal give up on something. The other acts crazy with phrases like these: “The account [bancaria] it is not mine or anyone close to my environment”; “everything is real, but nothing belongs to anyone, everything on-line”; “nobody gets hurt”. The scammer advises Guillermo to claim the bank, which will return the money, something that is currently in court: “They will return it to you in days, in weeks”, which is not true. The criminal then sent a capture of a valid Spanish DNI in the name of a businessman from Tenerife. “I create them in the name of this one, who I like the worst,” he writes. “Although nothing will happen to him either. Man, the police are aware that it’s not really these people.” People affected by impersonations should logically seek a lawyer and clarify in a trial that it was not them.
In the end, the criminal helps Guillermo by telling him which bank he should go to claim one of the fake accounts. Guillermo has continued to look at cards on Wallapop in the following weeks and has come across the scammer. After an apparently normal conversation about methods, the criminal writes: “You don’t know who I am, dick.”
Guillermo’s lawyers, from the Calvo y Sáez-Benito office in Huesca, have requested that the police trace all the accounts given by the scammer. The judge has not authorized it at the moment. The accounts are not just from a bank. With the pandemic, banks made it easier to open accounts on-line and, now, some entities have once again made it difficult to avoid fraud. Guillermo’s transfer was most likely made to a fake BBVA account. The bank explains: “At BBVA we monitor our customers’ operations to detect abnormal patterns that could constitute fraud. When any suspicious operation is detected, said operation is preventively blocked. This monitoring is always active and includes digital registration”.
The objective is to demonstrate that the bank was negligent in verifying that the holder was who he claimed to be. The police have yet to investigate who owns the cell phone that was used to certify the checking account. Although the police know that these accounts are not real, as the scammer says, the work of verifying it and pulling all the strings is long.