Here's the Season to Get Ripped Off
Received a message from a good friend this morning about a deal from Sports Direct that she'd seen advertised on Facebook. She was about to place an order on the site and wondered whether we wanted her to order some shoes for us at the same time. The deal sounded too good to be true, and that's because it was:
I pointed out that this is likely a scam before even checking the link (the profile name isn't even attempting to impersonate Sports Direct, presumably to avoid getting caught immediately in Meta's filters), and her reply was:
For the informed, people working in IT and cybersecurity, it's really easy to forget that most people don't know how trivial it is to buy a domain, set up a TLS certificate (the secure padlock thing) and launch an ad campaign on a major social media platform. All of this can be done on a rainy afternoon with relatively little effort. And the payout can be huge if well executed.
While "checking for the padlock" may have been good advice a few years ago, it's not been relevant for a long time. Criminals and legitimate businesses alike can easily set up a certificate for any domain that they own: the padlock only tells you that the connection to that domain is encrypted, not who is behind it.
We as an industry need to communicate better advice to users, clearly and effectively, so I'd offer the following:
- If it looks too good to be true, it probably is.
- Assume that any advert on social media is probably a scam. Go to the vendor's website directly to find the deal you've seen.
- Check the URL in the address bar of your browser. Check for typos, such as missing or additional letters.
In this case, I checked the domain name which was registered in August of this year via a Malaysian registrar:
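As an added illustration (not part of the original post), here is a Python check that applies two of the points above: flagging a hostname that is a few letters away from, or contains, a known brand's domain, and flagging a domain that was registered only recently. The brand list, the dates and the 180-day threshold are constructed assumptions; in practice the registration date would come from a WHOIS/RDAP lookup of the domain.

```python
from datetime import datetime
from urllib.parse import urlparse
# Constructed list of legitimate retailer domains (assumption for this example).
KNOWN_BRANDS = ("sportsdirect.com",)
NEW_DOMAIN_DAYS = 180  # assumed threshold; established retailers are rarely this young

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: counts missing, extra and substituted letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Keep the last two labels (no public-suffix list; good enough for .com)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lookalike_of(host: str, brands=KNOWN_BRANDS, max_distance: int = 2):
    """Return the brand domain a hostname imitates, or None for the real site / unrelated names."""
    domain = registrable_domain(host)
    label = domain.split(".")[0]
    for brand in brands:
        if domain == brand:
            return None  # exact match: this is the genuine domain
        brand_label = brand.split(".")[0]
        # 'sportdirect' (missing letter) and 'sportsdirect-sale' (brand embedded) both trip this
        if edit_distance(label, brand_label) <= max_distance or brand_label in label:
            return brand
    return None

def domain_age_days(registered_iso: str, now_iso: str) -> int:
    """Days between registration and 'now'; both ISO-8601 UTC timestamps (e.g. from RDAP)."""
    registered = datetime.fromisoformat(registered_iso.replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return (now - registered).days

def assess(url: str, registered_iso: str, now_iso: str) -> list:
    """Return the warning signs found for a URL; an empty list means none of these checks fired."""
    host = urlparse(url).hostname or ""
    flags = []
    brand = lookalike_of(host)
    if brand:
        flags.append(f"lookalike of {brand}")
    age = domain_age_days(registered_iso, now_iso)
    if age < NEW_DOMAIN_DAYS:
        flags.append(f"registered only {age} days ago")
    return flags
```

With constructed dates, `assess("https://sportdirect.com/sale", "2023-08-15T00:00:00Z", "2023-11-20T00:00:00Z")` reports both a lookalike domain and a registration only 97 days old, while the genuine `www.sportsdirect.com` on a long-registered domain returns no flags.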
The website itself is hosted via Cloudflare's Content Delivery Network, so I submitted an abuse form to them, and I've advised my friend to report the advert to Meta as fraud.
Please be careful when shopping online, particularly at this time of year. Stay safe.