Phishing for Cows

This is a story about how my company’s corporate security training saved me from buying 5 adorable, fluffy, and completely imaginary cows. By the end of this tale, you will understand how to apply phishing and security lessons to your daily life, and be thoroughly, completely convinced, my dear friends and colleagues, that I am a gullible idiot. 

Setting the Stage

We have a small farm. I currently have 16 goats and in the past we’ve had cows as well as alpacas. I’m always looking for something cute and fluffy to add to the zoo. As it happens I am absolutely obsessed with Scottish Highland cows, and you will understand why when you see the pictures below. 

New Year’s Eve my wife receives a text from her sister linking to a Facebook post identical to the ones shown below. She sends it to me, giddy and excited to add what is basically my spirit animal to our farm. (Scottish Highland minis are stout, poorly groomed, and cuddly… just like me!)

The Listing

The listing reads as follows: 

My cows are looking for a new pasture. 
No good reason putting up for sss…aaa…lll…eee. Need to get them off our property, moving out of state soon. 
Halter broke 
Super friendly 
PM me for more info… 
Can arrange delivery…. 
Don’t message unless you’re serious about buying and don’t waste my time 

How could you say no to that adorable face? Naturally, I send the seller a message. But even now, there were signs of trouble I overlooked. 

A False Sense of Urgency 

Our phishing training tells us to be on the lookout for a false sense of urgency. In the corporate world that might look like an email from your CEO telling you to open a file or send information they need to close a deal. 

In this case it looks like this:

  • “Need to get them off our property, moving out of state soon.” 
  • “Don’t message unless you’re serious about buying. Don’t waste my time.” 

The seller is telling us, in colorful language, that this deal is for a limited time only. And they’re basically telling us if we want to take advantage of this deal, not to ask too many questions. 

But dang them cows are cute, aren’t they? And so, my excitement clouds my judgement and I proceed. 

Spelling and Grammatical Errors 

Our phishing training tells us to be on the lookout for poor grammar and poor spelling. Sometimes this is the mark of scammers whose primary language isn’t English, or who are simply focused on speed and scaling their scams and not focused on a polished message.

In some situations, misspellings are entirely intentional and aimed at defeating spam filters and other protections. 

Now Facebook users are not exactly known for their focus on quality prose, and this post is no exception. But in addition to the lazy spelling and grammar, there’s something that is very much intentional here: 

  • No good reason putting up for sss…aaa…lll…eee. 

Facebook very much tries to push posts for selling items through Facebook Marketplace.

And selling livestock through Facebook Marketplace is against their terms, and such posts are almost immediately caught and removed. As someone who buys and sells livestock from time to time, I know this.  This should have clued me in that the seller was using weird grammar and misspellings to circumvent these protections. 
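The evasion described above only works against scanning that matches exact keywords. As an added example (not the author's code, and not Facebook's actual filtering, which the page does not describe), this Python snippet normalizes each token before matching, so the stretched-out word in the listing still resolves to a watchlist term; the watchlist and all function names are assumptions.

```python
import re
import unicodedata

# Constructed watchlist for illustration; the page does not say what terms
# Facebook actually scans for.
WATCHLIST = ("sale", "sell", "selling")

# The line quoted from the listing on this page.
LISTING = "No good reason putting up for sss…aaa…lll…eee. Need to get them off our property, moving out of state soon."

def skeleton(token):
    """Drop everything except a-z, then collapse repeated letters."""
    letters = re.sub(r"[^a-z]", "", token)
    return re.sub(r"(.)\1+", r"\1", letters)

# Watchlist terms get the same treatment so "sell" and "seeelll" both map to "sel".
SKELETONS = {skeleton(term): term for term in WATCHLIST}

def candidates(text):
    """Yield lowercased tokens, merging runs of single letters ("s a l e")."""
    run = []
    # NFKC turns the ellipsis character into three plain dots, among other things.
    for tok in unicodedata.normalize("NFKC", text).casefold().split():
        if len(tok) == 1 and tok.isalpha():
            run.append(tok)
            continue
        if run:
            yield " ".join(run)
            run = []
        yield tok
    if run:
        yield " ".join(run)

def scan(text):
    """Return (token, watchlist term, obfuscated?) for every hit in text."""
    hits = []
    for tok in candidates(text):
        term = SKELETONS.get(skeleton(tok))
        if term:
            plain = tok.strip(".,!?;:\"'")
            hits.append((tok, term, plain != term))
    return hits

if __name__ == "__main__":
    for hit in scan(LISTING):
        print(hit)
```

Collapsing letters is lossy, so a hit is a reason to review a post rather than proof of intent; the third field separates a plainly written term from one that had to be normalized to match.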

But dang them cows are cute, aren’t they? And so, I persisted. 

The Seller 

Since apparently, I’m the sort of person that stalks the social media of strangers (i.e., a creep), the first thing I do is click and explore their Facebook profile.  There are a few things that immediately stick out to me: 

  • The profile has not been used in some time, and magically just reappeared to sell some cows. This is a sign it’s a profile that might be compromised.
  • Although the seller’s location is Snyder County, PA, we have no people in common.  Generally speaking, I should be able to play Six Degrees of Kevin Bacon and reassure myself I am dealing with a real human, and that I could verify their authenticity by asking my ex-girlfriend’s uncle’s Avon Lady, or something. 
  • There was no evidence on the seller’s profile that they had a farm, or animals. Their listed occupation was “fry cook” and their public profile didn’t suggest they were doing more with life than taking up space in a parent’s basement.

In short, I know that you should only buy and sell from people for whom you can verify their authenticity. I was unable to verify the seller’s authenticity.

But dang them cows are cute, aren’t they? And so, I began a conversation with the mystery fry cook who apparently has a farm in his mom’s basement. 

The Conversation 

I began a conversation with the seller.  He answers my questions in single-word responses and never offers more information than I ask for. Things don’t seem totally off until I’ve satisfied my curiosity about the health and state of the cows, and we start talking price, payment, and delivery. Then things get weird pretty quickly. 

The Haggling 

The seller asked me how I’d like to pay. Since this is a face-to-face transaction I say I can pay in cash or check. Security experts suggest you always use a secure, refundable payment method like PayPal when selling on Marketplace. In my experience when someone is local, verifiable, and doesn’t want to bring Uncle Sam into the transaction, cash is king.

The seller says, in a single word, “no.” 

Okay… that’s weird… My Spidey-Sense begins to tingle.

The seller says, “Can you do Venmo or Facebook Pay?  I can do either.” 

They want me to pay via one of the two payment methods I trust the least. Venmo is lousy with scammers and offers little protection to victims. I’d never Venmo anyone I didn’t know and trust in the real world.

But that’s almost irrelevant. I could do either method… but why? I am willing to put cash in their hand the next day. 

I should have stopped right there. 

But dang them cows are cute, aren’t they? And so, I apprehensively step a few inches closer to oncoming traffic. 

The Down Payment 

I tell the seller I can Venmo them the money, but only when we meet in person, and I can physically pet my cows. If we tie the payment to the exchange, that still feels safe.

They tell me, “you will have to Venmo a deposit to have them secured and held for you.” 

Okay… what? Are these cows really flying off the shelf? On New Year’s Eve?

If my Spidey-sense was tingling before, I am now milliseconds from feeling the hot sting of the Green Goblin’s festive pumpkin bombs exploding against my delicate web developer skin.

I know from my training that you should never put down deposits on items whose authenticity you can’t verify. Especially through a payment service that isn’t entirely safe.

My lizard brain is now on high alert. It is trying to balance what I now know to be true (I am getting scammed) against admitting to the shame of being duped, the sunk cost of the time I’ve invested, and the joy this transaction was going to bring my family. Balance fails. I am beginning to have a panic attack. I can either disappoint my family, or get scammed and still disappoint my family.

But dang them cows are cute, aren’t they? So cognitive dissonance it is, then! 

A Scottish Highland cow using a computer and realizing he's the victim of phishing.

Acceptance 

I’m ashamed to admit it: I actually agreed to send the seller a down payment, but I dictate how much based on how much I was willing to lose.  I tell them I am willing to Venmo $200 as a down payment and no more. They accept. 

I ask the seller what my total bill is. They say $450 per cow. 

By this point I’ve done some research, and I understand that this price is absurd. Scottish Highland Minis sell for thousands of dollars a head.

I can accept that this person is so desperate to unload these cows that they’re willing to sell them at 10-30% of their actual value.

Or, I can conclude that the seller, in the immortal words of Bart Simpson, “don’t have a cow,” and therefore doesn’t actually care about the value of the cow, the selling price, or the size of the down payment. Regardless of the quantity, it’s free money. 

Fortunately the seller solved this problem for me by making a misstep.

They sent me their Venmo account. Like the diligence-doing creep that I am, I look at their transaction history and see that it’s a new account, with two transactions: one with a $50 transfer to another account, and a $50 transfer back from that same account. They created an account. They used another account to create some history to appear authentic.

At this point my brain finally relents to the hammer of rationality that’s been trying to crack through for the better part of the day. This account was clearly just created with a specific purpose: to take my money and run.

Then they unsend the message with their Venmo ID and send a new one. I don’t bother to check.  I know what’s going on, I’ve lost nothing but time and self-esteem at this point, and I take my leave. I tell the seller that unless I can come by to see the cows in person, we’re done. 

I won’t give you the gory details but as soon as I mention verifying that the merchandise exists by driving 10 minutes across the county to see them, the conversation goes off the rails.   I block them. I report the post on Facebook.  I tell my family. Tears are shed. 

Mostly mine.

The Conclusion 

After refusing to take multiple logical off-ramps, I eventually found my way to sanity and backed out of this scam before becoming a victim. I was angry at myself for not seeing it much, much earlier. I rubbed salt in the wound by doing a little research to see if I almost fell for a common scam. I had.

  • Doing a reverse image search of the photos the scammer posted to Facebook yielded many, many results. The same photos, of the same cows, have been used many times before.
  • Googling “Facebook cow scam” showed me that this same scam, with almost no change whatsoever, has been making its rounds on Facebook, all across the country, for several years, and the scam has been well-documented by several individuals including actual Scottish Highland breeders. 

What Did We Learn by Phishing for Cows?

So, what have we learned?

  • Pay attention when an email, message, or social media post attempts to create a sense of urgency.
  • Sometimes poor grammar and spelling is just lack of polish. Sometimes it’s a sign of something more nefarious. And sometimes, it’s an intentional way of circumventing protection based on scanning text for spam, phishing attempts, and other threats.
  • You should only make purchases from online markets like Facebook Marketplace from individuals whose authenticity you can verify. (It’s OK to creep on their public profile.)
  • Always use a secure payment platform, such as PayPal, that offers adequate protection to both the buyer and seller.
  • Avoid payment platforms like Venmo that lack fraud protection unless you’re dealing with someone you know and trust in real life.
  • Don’t make a down payment on something you can’t verify as authentic in real life. You’re gambling that the seller won’t just take your down payment and scram.
  • If it sounds too good to be true, it probably is. No matter how cute and fluffy.
  • If something feels like a scam, trust your gut and hit eject.
  • Just because someone you know and trust shares something with you online, does not mean that that piece of information is trustworthy.

At the end of the day I lost nothing but time, and a little pride. I lowered my defenses because I was not at work in a high-stakes corporate cybersecurity setting, because the listing was shared by well-meaning people I know, love, and trust, and because frankly I got caught up in the excitement of getting a good deal in something that would have meant a lot to me and my family.

So let’s take a moment to laugh at my expense, and learn from my mistakes.

Okay… you can stop laughing now.

Seriously… am I just a joke to you?

Now you’re just being hurtful.