The Hidden Threats in Online Marketplaces
- jessica60513
- 2 days ago
- 4 min read
E-commerce scams continue to plague online shoppers and now account for the majority of the consumer fraud reports fielded by the Better Business Bureau. With social media influencers playing a leading role in selling merchandise online, shoppers are warned to take extra care against these increasingly sophisticated scams.
In Fake Deals, Real Trouble: Cyber Risks in Online Marketplaces, Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research, looks at how online stores can protect themselves, their customers, and their brand names from such scams. “Fifteen years ago, when e-commerce was becoming more mainstream and domain squatting was becoming more prevalent, there was a lot of concern about brand integrity,” Goldberg said. “With the more expansive use of these online marketplaces, it’s kind of coming full circle right now.”
‘The New Dark Web’
Social media has outpaced email as the primary avenue cybercriminals use to socially engineer consumers into giving up sensitive personal information and falling for scams. In 2023, 36% of U.S. consumers said their identity theft or scam victimization was initiated by a direct communication or message through a social platform. By 2024, nearly 50% of consumers who were victimized by scams said the crime was initiated through a connection or friend request from people or personas they did not know.
“Social media has quickly become the new dark web,” Goldberg said. “Rather than having to go through the hassle of stealing credentials and credit card information, then posting it on the dark web for sale, cybercriminals are finding it much easier to manipulate consumers directly through social media. It’s not just by these direct messages that they’re reaching out to consumers, but they’re actually posting fake ads on social media marketplaces.”
Hackers can mimic or spoof a well-known brand, then advertise that they’re selling something in a marketplace under that brand name. They often do this by watching what social media influencers are selling, so they can piggyback on a hot new item being marketed online.
The result is that a consumer clicks on an advertisement that is malicious. When the shopper willingly gives up credit card information and PII, the criminals are spared the hassle of social engineering. They don’t have to go through the complicated process of selling it on the dark web. They can steal it in one fell swoop.
The Scourge of Typo Domains
Larger merchants such as Amazon and eBay have become special targets. Malicious sales from these recognized retailers are often initiated through commonly used social platforms like Facebook Marketplace. Goldberg explained how the scams tend to work.
“You go to Facebook Marketplace, you click on an ad, and it redirects you to another site,” she said. “Often, it’s going to be a typo domain. Let’s say that I think I’m buying a Louis Vuitton. But when I click on that link and it takes me to the site, Louis Vuitton will be a typo domain, maybe with one of the T’s missing.
“These particular types of attacks are getting much more sophisticated, and consumers have a false sense of trust. If they see a link that comes to them through a marketplace that they think is a trusted site, how often do we look at the domain once we click on the link?”
Taking Protective Steps
Social media sites obviously have an obligation to protect their customers in this scenario, but many are falling short. In March 2023, Meta, which owns Facebook and Instagram, launched Meta Verified, a paid service that allows users of the platforms to verify the authenticity of their profiles with blue checkmarks. The service ostensibly protects users and companies from profile account takeover or impersonation in exchange for a monthly fee. In theory, there is also supposed to be some vetting of the user who posts the advertisement to prevent malicious users from selling on marketplaces run by Meta platforms.
“Some of the steps that Meta has put in place to help authenticate a user’s identity have fallen pretty short,” Goldberg said. “You just have to pay an extra fee to show that you’re verified. For the most part, anybody can post there.”
The situation raises serious concerns about brand integrity for the merchants, as well as for the brands themselves that are being mimicked or spoofed. Many companies have been working with firms like BrandShield that will help scour the web to see if their brand is being used maliciously.
But the average consumer is unlikely to be savvy enough to pick up on all of this. Unless consumers are reminded that the store they are entering could be a malicious site, they are not likely to look at the domain name closely.
Banks Are Taking Action
In March 2025, Chase Bank stopped its customers from sending peer-to-peer payments over the Zelle network to recipients originating from social media. Chase took the step after noting that nearly half of fraud reports from clients stemmed from interactions and real-time payments originating from social media platforms.
A consortium of leading U.S. banks own the Zelle network through a company called Early Warning. Chase, one of Zelle’s owners, blocked transactions that were being initiated through these social platforms because it knows that social media is by and large where most of the scams for P2P payments are being initiated.
Other financial institutions are likely to follow. But maintaining the balance between blocking P2P transactions and maintaining customer satisfaction will be tough as social media purchase preferences continue to evolve, particularly among younger users. Although social media marketplaces are attractive online sales channels for all age groups, younger consumers are at the greatest risk.
“I think it’s a wise move,” Goldberg said. “Maybe by the end of the summer we’ll see some of the other top-tier institutions follow suit. I don’t want to say Chase is doing it for selfish reasons, but they have an awful lot of customers, and it’s in their interest to keep them safe.”
Comments