Scammers used my email as a spam address

On the 7th of November 2019, I received an email from AliExpress that told me that I created an account with them. Seeing as I didn’t do this, at first I thought it was a scam. My email address contains a dot between my first and last name and that was missing. So I did what I do with all spam, I ignored it.

A few weeks later, on November 25th, I received a notification that I had a shopping cart with items in it. I decided to go to the AliExpress website and do a password reset on “my” account. Surprisingly, I had not received spam and a few moments later, I was the proud owner of an AliExpress account.

The first thing I did was check out my shopping cart. I did not take a precise inventory at the time, I just deleted the few items that were in it. It did prompt me to look into my already purchased items. There was a range of strange choices from plastic apples for table decoration to knockoff Disney dolls. The one thing they all had in common was that they cost under 20 euros, thus skipping most customs controls. So the buyers evade sales tax, limit checks on the knockoff goods and get a higher chance the goods will get delivered.

When I looked at the account details, I saw a fake name with Bonny as the first name and a bogus shipping address in France. It was entered half a dozen times, so I concluded I was dealing with a master criminal that knew how to efficiently navigate the site.

I looked the address up on Google Maps and it turned out to be a corn field. I’ve always wondered how they deliver to such places. The delivery guy shows up in a truck with the stuff in the back and then what? Is there a shady guy with a nondescript white van ready to take the goods? I guess I’ll never know.

Back to the order history. All in all, there were 28 items bought on “my” account. When I saw that, I blamed AliExpress for not verifying the account before accepting orders. I received a welcome mail, but I never had to verify that my account is controlled by me. So there are probably countless unverified accounts that are used by scammers to buy counterfeit goods. That means that AliExpress is profiting from what are, in my opinion, fraudsters.

Until I checked the orders more closely. Apparently 20 out of the 28 orders haven’t been paid yet. That means that over 70% of the orders haven’t been paid 18 days after they were shipped. Somehow, I doubt that they will ever be paid, even if I did not take back the account. Which means that both AliExpress and the third party sellers are missing out on revenue.

All this scammer needs to do is create another fake account and buy as many goods as he can before the account is suspended. They can keep doing this as long as accounts are not verified as there is a treasure trove of emails out there for anybody who knows where to look. And it’s not exactly hard to find even if you don’t know where to look.

So I don’t know why AliExpress is not verifying accounts. It’s costing them money. It’s costing their subcontractors money. It’s costing European countries taxes. They are basically enabling scammers. The only thing they’d need to do to stop these thieves, is verify an account before that account can be used to buy goods.

At no point was my email compromised. They just used my email address to sign up. Thanks to a combination of a password manager (shameless plug for 1Password) and a strong second factor (shameless plug for YubiKey security keys), scammers will be hard pressed to get into my most valuable accounts. For full transparency, I’m not sponsored by either vendor, I bought these products myself. I’m a big fan of them.

And as a last item, just to be thorough: I did not report this to the police. I do not feel that the information I have to share will make a compelling case against anybody. So instead of adding more white noise to the pile of noise the police already has to deal with, I’m going to ignore this.

What I do want to shine a light on is that we cannot let scammers just use our emails for their fake accounts. So if I receive an email that I created an account somewhere, especially at online shops, it will get a closer look to see if it’s an actual welcome mail or a scam in itself.

Asking for a raise

My wife is getting more and more responsibility at work. She handles a number of high profile cases, she’s following a course to become the company’s Data Protection Officer for the upcoming GDPR legislation and is the all around go-to-girl for any problem around the office. This leads her to think about asking for a raise. Unfortunately, she has no clue how to go about this as she’s never asked for a raise before.
