Advice when you've been scammed?

A friend of mine who is selling some items on FB Marketplace fell for the PayPal scam in which the 'buyer' accidentally transfers some extra money into my friend's PayPal account and asks for that extra money to be returned via a bank transfer. This was naively done even though there was no extra money in their account.
They have screenshots of the whole conversation, the fake emails, and the name and bank account number of the account they transferred to, which appears to be an ANZ account (prefix 04).

They've tried contacting their bank (ASB), who says nothing can be done since they initiated the transfer and more than 24 hours (it happened on 15/02) have passed.
A police report has been filed but no action will be taken due to a lack of resourcing.

Other than making this an expensive lesson learnt, is there anything else that can be done in this situation?


  • I fell for a scam on FB a while back. In terms of anything that will be of benefit to your friend, based on my experience, the answer is no.

    • What caught you out in that instance?

      • +1

I was wanting a graphics card and the price hooked me in. There were warning signs there, particularly around methods of payment, but my keenness for a graphics card made me ignore them.

  • +1

    Maybe consider it a cheap lesson if the amount wasn't too much.

I appreciate few people on this site will be like this, but very few people pay any attention to all the free advice out there - so many people subscribe to the 'you get what you pay for' mantra their parents / grandparents told them, despite all the evidence they encounter that tells them it just isn't true very often.

    Getting 'done' for, say, $50 might be a cheap way to learn, and not get 'done' for a lot more in the future.

    • +1

      Pretty much this. Slightly different experience, same outcome: I now consider it a blessing in disguise that many years ago in the earlier days of the internet (early 2000s) my website got hacked pretty badly. It made me much more aware and suspicious of interactions online, and I learnt a lot about website security.

      The saddest part about the lowlife scum that perpetrate the scams is that they're actually getting quite good at it. It's not just the aloof and gullible that get sucked in these days, even people who "should know better" often get caught out with professional looking emails and websites, and elaborate social engineering via phone calls and texts.

      The best thing your friend can do is tell others what happened and warn them what to look out for. Don't be ashamed.

  • +1

    About all you can do is play with the scammer. Won't get their money back but can make you/them feel better.

    Set up fake emails or facebook accounts and act like a customer. NEVER USE ACTUAL EMAIL ACCOUNTS
    You can do it over and over again with different details.

    There is a whole online subculture of this. Check out "scambaiting"

    The aim is to engage with the scammer, make them think they are getting a payday, but really you are just stringing them along.
    This wastes their time that they would otherwise be engaged with scamming other people.

    • The scammer account will disappear just as quickly.

As far as scambaiting goes, Kitboga on YouTube is a fantastic thing to put in the background of your day to day.

  • I also fell for a facebook scam a couple of years ago, transferred $XXX to a seller, realised almost immediately that it was dodgy and rang ANZ who told me they couldn't do anything about it, even though it was less than 5 minutes after the transfer. I'm not sure what the banks are able to do within 24 hours when they couldn't help after 5 minutes.

    I went into ANZ with the bank account number I had made the deposit to, told them I didn't know the name on the account to make a deposit, and they stupidly gave me the name. A number of people fell for the same scam so it ended with a police report and the police requesting a full statement from all of the purchasers as they knew who it was, again nothing came of it.

I had someone log into my Google account in 2016, which had no 2FA at the time, and naturally that gives credit cards, logins, PayPal.

    They only pinched $60 from paypal and nothing else, which I eventually got back.

    I couldn't help but think that they could have drained everything I had and bought all sorts of shit with the saved / synced cards and wasted their opportunity.

Had something similar occur, except they went ham on different accounts of mine (PB Tech, phone, banks etc.)
Luckily I have not lost out after all is said and done (took a while though).
Now there is no way I would use any of the Google built-in password / credit card save features, and would strongly discourage anyone from doing so.

      • Convenience is the enemy of security.

      • It's amazing how easy it is to do though.
I've found card details that I have inadvertently saved without even realising.
        Good reminder to check.

        • Looks like you can disable the function completely in some (or at least one) browsers - might be a good idea if you are 'prone' :-)

Firefox - I think this is probably it:


On that note, I used to always spot BNZ NetGuard cards in people's wallets when I worked retail.

The card that explicitly tells you not to carry it with you, and which, when coupled with the access number on the back of your debit card, will let you not only transfer or withdraw every single dollar in a BNZ account, but will let you take out credit lines.

          • -1

            @LonelyShower: It's very hard to walk down the street and not pass genius after genius.

            Guess which ones would be whinging when they lose everything, and want someone else to cover their losses.

@LonelyShower: as someone who carried their NetGuard card with them until it was semi-integrated with the BNZ app - that thing was a right pain.
I NEEDED it for time-sensitive matters on about 3 occasions when I didn't have it, twice because I didn't want to carry it and the third because I had recently changed wallets and not moved it over - plus trying to locate it when you did need it was a pain anyway if it wasn't in your wallet or somewhere easy to remember.

            So I don't blame people

            • +1

@Rowjo: I had a photo of mine buried somewhere in my gallery. Probably not great (especially seeing how it synced with Google Photos and my top-level comment was about someone getting into my Google account lol).

              They're waaaay better with biometrics and 2fa through the app now.

              • @LonelyShower: Biometrics has always seemed like it is a really bad idea - how do you change your credentials if they are compromised in some way?

                However, been banging on that one since the nineties :-(

@Alan6984: They're used as an alternative to passwords and codes, but you must have a password or code. Apps have zero access to actually use the fingerprint scanner; they just get to ask the system to go and verify for them when you're on a phone or laptop, which is quite a tight system.

But I remember we had to use this clock-in and clock-out machine back at the supermarket when I was younger and it was fingerprints only... which, considering we were cleaning and sterilising stuff, meant that everyone's fingers were wet, so we would, as teenagers bouncing to go home, spend far too long trying over and over to scan out.

                  • @LonelyShower: They can't be BOTH an alternative to passwords / codes, and also require you to have a password / code - it is one or the other.

                    However, my concern remains, even if it is only an additional factor - how do you revoke it if it becomes compromised?

                    Would you be happy to continue using your Google Authenticator, say, as an additional factor of authentication if you knew it was available 'out there' somewhere for someone else to access and get the codes at will?

@Alan6984: I think the black box nature of biometrics on a phone really does some leg work to make it something to be more comfortable with. There really isn't a way for your fingerprint to be 'out there' because it's stored in an encrypted format in hardware, and apps like BNZ never have a way to see it; even then they can't get the fingerprint out of the stored data, which is presumably encrypted with a device-specific key anyway... that being said, we're putting a lot of faith in the engineers who put the chips / software together and I wouldn't really trust the Huawei / Xiaomi phones of the world 100%. Likewise, if a flaw is found, the closer to hardware it is, the harder it is to update away the problem... and there are definitely phone brands out there who wouldn't patch it, but might market it as a reason to update.

As far as revoking access, assuming the black box local model it's trivial; Android does it when you add another finger, for example... In the case where maybe someone has a similar enough fingerprint (superbly unlikely) or has a workaround that lets the function for checking your fingerprint return a success, turning it off is trivial. iPhones require a regular password every few days, for example.

For the sake of convenience I use face unlock on my Pixel phone, fully aware that it is only an RGB camera, so a printout of me will work to get in.

@LonelyShower: Fair enough if you are making a conscious decision to use biometrics knowing that it might be very easily circumvented (faces especially are trivial to capture - fingerprints a little more difficult, although not much if someone is actually being targeted).

                        As you say, how well are systems being implemented? For example, is your fingerprint fully scanned, then 'encrypted', and that encrypted form stored? Is the original deleted? Does the full scan persist in memory (but only until the device is rebooted, say)? Does the original file still exist on some persistent storage medium, albeit with the file marker removed (so possible to be recovered)?

                        In any of those cases, if your fingerprint credential is now compromised even just once somewhere - anywhere, how do you revoke it?

                        It is also a form of password re-use. If we use a unique password for every website / system that we access, and one gets compromised (perhaps without our knowing, at least for some time), it does not endanger any other set of credentials as they are all different. If I use my fingerprint, I only have ten options (assuming I leave my shoes on - I'm not even sure if toes have toe-prints!)

@Alan6984: Read -> Memory -> hash -> Hash goes to 'secure enclave' or whatever the company calls their separate storage for this sort of thing that's on the chip. Basically this process repeats with a comparison each time you try to use a fingerprint.

I can't see why any of them would write to disk, save maybe the RGB camera face unlock.

Completely speculatively here, I would imagine that accessing the data stored in the separate secure storage bits would be superbly locked down and that even presenting a copied hash would be useless were you able to bypass the system call.

Well over my pay grade haha.

You still use passwords even if something asks for a biometric, but, in the instance of say, a password manager, the biometrics just confirm who I am to the password manager, who then logs me in to the websites/apps; as far as I am concerned, no passwords! But in reality they're hiding but still there.

I would imagine that something like a laptop keeps an 'I'm allowed to unlock with biometrics now that you've put in the password' token or key that gets switched off if you fail the biometrics more than a few times and, crucially, is off until it is activated with a password for a period.

                          • @LonelyShower: Sure, but how do you know that is what is actually happening - I pretty much guarantee at least one out there isn't doing it that way.

                            The point is, it doesn't matter how many times the people you are trusting get it right - you only need to lose the full fingerprint once ever and you can't revoke it.

                            Your fingerprint is then out there forever, and so is your finger.

                            I guess you cut off your finger to revoke it :-)
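The gating scheme described in the thread (apps only get a yes/no from the system, biometrics are only a substitute for the password once the password has been entered, a handful of misses or a few days without the password turns them off again, and revocation means deleting the enrolled template) can be written down as a small state machine. The model below is an added example, not code from anyone in this thread and not how any vendor actually implements it. Its assumptions: a "secure enclave" is just an object that never hands the template back, templates are 64-bit values compared with a Hamming-distance threshold (a live scan never reproduces the template exactly, so an exact hash comparison would not work), the policy numbers (5 misses, 72 hours) are made up, and the password hashing uses PBKDF2 only to keep the example self-contained.

```python
import hashlib
import hmac
import os

MAX_BIO_FAILURES = 5             # assumed policy: biometrics off after 5 misses
PASSWORD_INTERVAL_S = 72 * 3600  # assumed policy: password again after 72 h
MATCH_THRESHOLD = 4              # assumed: at most 4 of 64 template bits may differ


class SecureEnclave:
    """Stand-in for the isolated store: holds templates, returns only verdicts.

    Nothing outside this class can read a template; callers may only enroll,
    revoke, or ask 'does this sample match?'.
    """
    def __init__(self):
        self._templates = {}  # finger_id -> 64-bit template (toy representation)

    def enroll(self, finger_id, template):
        self._templates[finger_id] = template

    def revoke(self, finger_id):
        # Revocation is deleting the stored template; the finger itself is unchanged.
        self._templates.pop(finger_id, None)

    def match(self, sample):
        # Fuzzy comparison: sensor noise means a live scan differs from the
        # template in a few bits, so a distance threshold stands in for a matcher.
        return any(bin(sample ^ t).count("1") <= MATCH_THRESHOLD
                   for t in self._templates.values())


class UnlockPolicy:
    """OS-side gate deciding when a biometric may substitute for the password."""
    def __init__(self, enclave, password):
        self.enclave = enclave
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password)
        self.bio_failures = 0
        self.last_password_at = None  # None = cold boot, password required first

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def biometric_allowed(self, now):
        if self.last_password_at is None:
            return False
        if now - self.last_password_at > PASSWORD_INTERVAL_S:
            return False
        return self.bio_failures < MAX_BIO_FAILURES

    def unlock_with_password(self, password, now):
        ok = hmac.compare_digest(self._hash(password), self._pw_hash)
        if ok:
            self.last_password_at = now  # re-arms the biometric 'token'
            self.bio_failures = 0
        return ok

    def unlock_with_biometric(self, sample, now):
        if not self.biometric_allowed(now):
            return False
        if self.enclave.match(sample):
            self.bio_failures = 0
            return True
        self.bio_failures += 1
        return False


def run_scenario():
    """Walk one device through the states discussed; returns the verdicts seen."""
    enrolled = 0x0123456789ABCDEF              # constructed template
    live_scan = enrolled ^ 0b101               # same finger, 2 bits of sensor noise
    impostor = enrolled ^ 0xFFFF0000FFFF0000   # different finger, 32 bits differ

    enclave = SecureEnclave()
    enclave.enroll("right-thumb", enrolled)
    policy = UnlockPolicy(enclave, "correct horse")
    t = 0
    out = {}
    out["bio_before_password"] = policy.unlock_with_biometric(live_scan, t)
    out["password"] = policy.unlock_with_password("correct horse", t)
    out["bio_after_password"] = policy.unlock_with_biometric(live_scan, t)
    out["impostor_attempts"] = [policy.unlock_with_biometric(impostor, t)
                                for _ in range(MAX_BIO_FAILURES)]
    out["bio_after_lockout"] = policy.unlock_with_biometric(live_scan, t)
    out["password_resets_lockout"] = policy.unlock_with_password("correct horse", t)
    out["bio_after_reset"] = policy.unlock_with_biometric(live_scan, t)
    out["bio_after_73h"] = policy.unlock_with_biometric(live_scan, t + 73 * 3600)
    enclave.revoke("right-thumb")
    policy.unlock_with_password("correct horse", t + 73 * 3600)
    out["bio_after_revoke"] = policy.unlock_with_biometric(live_scan, t + 73 * 3600)
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

The point the scenario makes concrete: the password is the credential, the biometric is a convenience that only works inside a window the password opened, and "revoking" a finger is deleting a template the phone holds, which says nothing about copies of the fingerprint that exist elsewhere.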
