{lang: 'en-US'}

MapleSEA Buy / Sell Tips

15:00    



Last edited 8th Aug 2018

http://pastebin.com/raw/4y7JVad8

Aimed at Singaporean MapleSEA traders. Malaysian traders should adapt the guide for their situation. It's repayment and thanks for the hard work other people put into their community guides I've read over the years. Sorry if it seems too complicated, I'm not so good at writing.

Ensuring that the other party does not run away and actually honors the deal is more important than this scam.
This is a more complex scam with heavier penalties if you don't know what you're doing.
Only online SGD/MYR transactions are affected. Mesos, @cash, paper money (meet up trades) and crypto are not.

=====================
For buyers, a warning
=====================
If you get scammed by someone and they do not send your item after you've made payment, please do not report them to the police unless you've confirmed that the seller is the real owner of the bank account. You can permanently screw over honest sellers without realizing it, while the real scammer gets away. It does NOT matter what details you provide to the police.

Banks will unilaterally close an honest person's account with no warning or evidence to back it up. Most people are too expensive for the bank to deal with if they get reported, so they don't bother with investigations. Enjoy modern commercial banking :)

To find out whether the seller is the real owner, you need a copy or screenshot of their bank statement or iBanking page and match it to their ID or FB name. Not something that comes up in a typical trade in the FB groups, so this info is not really accessible to you.
This is also the typical ID method for FinTech companies nowadays, and you can see it everywhere in FinTech startups.

The penalty for the buyer who falls for this scam is losing the money they sent in the trade, not a big deal, you should have understood the risks and used an escrow (middleman) service. The penalty for sellers can be much worse.

===========
For sellers
===========
Name of scam: Third-Party scam
Also known as: Man-in-the-middle scam on Localbitcoins. I believe it originated there as well.

Description:
Three parties are involved.
The honest Seller (A)
The Scammer (B)
A Victim (C).

Seller (A) is selling items to Scammer (B).
Scammer (B) is selling items to Victim (C). Scammer (B) has no intention of releasing items to Victim (C).

1. Victim (C) first contacts Scammer (B) about purchasing an item from them.

2. Scammer (B) then contacts Seller (A) about purchasing a similarly priced item and acquires Seller (A)'s bank information.

3. Scammer (B) forwards this info to the Victim (C), and convinces (C) to pay money into Seller's (A) bank account for the item.

4. Seller (A) releases the item to Scammer (B) after noting funds received. Scammer (B) runs away with a free item.

The Victim (C) assumes they are sending funds to the Scammer (B), but is actually sending it to Seller (A).
Seller (A) assumes they are receiving funds from Scammer (B), but is actually receiving it from Victim (C).

At the end of all of this,
Seller (A) gets their money, but is now in possession of stolen funds.
Scammer (B) gets a free item, and on top of that their identity is usually completely anonymous.
Victim (C) loses their money, and has Seller (A)'s bank info. They might save evidence of the trade and report Seller (A)'s bank info to the police/bank.

Seller (A)'s bank account is now compromised. If the Victim (C) does report the case to the bank or police, Seller (A)'s may be forced to withdraw all funds in their bank account, and the account will be forced to close. In addition, Seller (A) will never be able to open another bank account in their country, because banks share info with each other.

Banking services that the seller will no longer be able to access include: housing loans, car loans, an account to receive their salary and the ability to invest. Think carefully if you want to take risks trading online at an early age.

This scam can happen even if (A) and (C) are trading on different sites. Seller (A) might be trading in a Facebook group, while Victim (C) is trading on Carousell. (B) may be leaving offers on multiple sites waiting for a victim to bite.

This scam typically involves non physical items, usually gaming stuff, gift card codes, crypto, etc. It's because there is no need for the scammer to provide a receiving address, and everything is done online. The scammer is able to remain anonymous, and anyone can do it to someone across the world.

================
Prevention guide
================
2 Methods for online FAST transfers and ATM transfers. Both types of transfers have different ID processes.

The goal is to match the name of the sender's bank account to either their ID (Method 2), or their Facebook name (Method 1).
You must also understand the exact mechanics of the scam, as well as your local bank mechanics, before you reveal your bank details.
You MUST inform the buyer about your ID process before the trade begins, for honesty reasons.

This only reduces the chance of scammers doing this to you. It does not prevent your bank account from receiving stolen funds, and scammers can still compromise your bank accounts.

==========================================
Method 1 - Recommended for typical players
==========================================
Lazy method, can be abused, not safe at all. Non-intrusive.

- Online transfers (FAST transfers):
No ID required. Once funds are received, check the sender's bank account to make sure it matches their Facebook name, and check their FB account to make sure its old and legit. If you use this method, you can't trade with people who make FB accounts with their Maple IGN. Requires skill to judge accounts. Don't get fooled by comments for recipient.

- ATM transfers (requires ATM receipt):
No ID required. ATM receipt + FB or WhatApp chat window in the same picture.
Receipt + Maple client with their account logged in is also acceptable.
Doesn't matter as long as they can prove the sender is the one interacting with you.

Proceed to method 2 if their ID verification fails.

===========================================================
Method 2 - Recommended for frequent traders and high volume
===========================================================
Best method, safer than method 1 but depends on your application. 100% safe if you don't make mistakes.
The primary method used on LocalBitcoins.

- Online transfers (FAST transfers):
Request for the buyer to provide ID with their government issued ID such as their NRIC card, student pass, driving license or passport. This ID must come with a physical note next to it in the same pic stating 'Buying <specified item> from <MSEA FB group> from <Your Name>'. Just the ID is not enough, because the scammer can convince the victim to send their ID. You may ask them to hold up their ID in front of their chat window with you as an alternative to a note (some buyers claim they don't have a pen lol).

Only the name on their ID is important. You can allow buyers to censor sensitive info such as their NRIC number or face, but not security features like watermarks.
It's much easier to spot fraudulent/photoshopped ID if everything is uncensored, though.
I have caught photoshopped ID in the past and the shopped NRIC number saved me.
The buyer probably did not understand the reason why we needed ID verification, and made this mistake.
The Singapore NRIC pink card also has a very suspicious white line on the NRIC number because of bad design.
Check if the card is legit by looking at watermarks and security features. If in doubt, request for a skype/video call/different angle.

Once you've verified their ID, ask which bank the buyer is sending from, then release your bank details. Do not release it before they provide their ID; doing so defeats the purpose of this guide. See Other tips - #3 and #6

When you receive funds, check the name of the sender's account and make sure it matches their ID. Don't get fooled by comments for recipient. See Other Tips section for details.

Most of the time, you won't want to go through the full ID process due to how intrusive it is. That's the reason why I've listed this method as '100% safe if you dont make mistakes'. How safe this method is depends on you; you can sacrifice convenience for more safety and vice versa.

I'll give you an example of a mistake.
Let's say the buyer agrees to ID, but their note only says 'Maplestory item'.
You might think 'meh, whatever, I don't want to be too difficult', and release your bank details...
...but this is what scammers want you to think, and you just fell for the scam.
Maybe the scammer convinced a victim to provide their ID as well, but kept the note vague on purpose.

By the way, if you're a buyer reading this, I never recommend sending just your ID. This is because shady sellers can farm ID from buyers for fraudulent activities, or to execute their own 3rd party scams with your ID. The note in the same picture helps somewhat if you position it well, but can be cropped out if you don't. Hence, I recommend using a watermarking tool layered on top of your ID + note, unless you completely trust the seller.

Here is an example of an ID I received with watermarks: https://imgur.com/a/ETfzuTU
It's from an ID + note from LBC, from one of my trades, with their ID cropped out. The gray lines are watermarks with the trade number + website, layered on top of the original photo.

- ATM transfers (requires ATM receipt):
Ask for the buyer to provide 3 things present in the same picture - the ATM receipt, their ID, and a physical note.

=======================================
What to do if you get scammed? (Buyers)
=======================================
A police report will not recover your money, has little chance of getting justice, and the police report will create more problems for the seller.

You can ask for the seller (if you can find them) to send your money back to you if they actually implemented this ID policy and didn't release items to the scammer. Someone who adopts this guide's suggestions will be able to see the name of the sender's bank account and be able to link it back to you, after you send your ID to them for verification.

Otherwise, I recommend doing nothing. Sucks to be you but sometimes the best thing you can do is not take any action to not make matters worse. If doing nothing makes you feel uncomfortable, you can link this guide to other people and hope Maplers learn from it. Thanks for your effort :)

========================================
What to do if you get scammed? (Sellers)
========================================
If you see a different name on your statement, do not release the item and start collecting evidence. You may ask for the buyer to provide evidence that they own the account by going through the ID process again. They may have sent from a family member's account.

Collecting evidence helps you with potential police investigations. It doesn't help you with the bank closing your account and preventing you from opening new ones with other banks. This is why prevention of this scam is so important.

It's a bad idea to send a refund to the buyer if ID verification fails. You're putting your funds at risk and you'll probably just send it to another honest seller, helping the scammer perpetuate the scam.

Recommend you set aside the money you received and do not spend it for a few months or years. You may choose to refund the buyer after enough time has passed which is being more honest.

If you can identify the victim that got scammed, you can actually give them a refund. Just ask for their ID and match it to the sender's bank account. Maybe search around the FB groups for someone posting your bank account number, or the scammer's name.

You will likely not get investigated by the police unless a lot of people start reporting you. It's still better to be safer since the penalty is harsh.

==========
Other tips
==========
1. You cannot call banks to find out any of your transaction details. I've tried with all SG banks, including the other party's bank.

2. All ATM transfers do not show the name of the sender. Hence the need for receipt +1 form of ID.

3. Internal transfers between accounts from the same bank do not show the name of the sender. An example is if the buyer sends from their OCBC to your OCBC, or from their UOB to your UOB. Recommend opening at least two separate bank accounts, with two different banks that are not DBS or POSB (see #6).

4. If the buyer is sending from their UOB, request for them to add your account as a payee first. If they transfer with one-time transfer, you will not be able to view the name of the sender.

5. It's not quite clear how OCBC's online banking transaction settlement policies work. For example, if a FAST transfer, which is normally instant, is sent during the weekend, or after 9 PM, it will reflect on your statement as being settled on the next working day. Calling up their customer service reps, as well as the other party's bank did not clarity this.

6. DBS/POSB bank does not allow the sender's name to reflect on your statement for all transactions. Use other banks to match the buyer's name instead. The exception is PayNow, which sends a SMS showing the sender's A/C name.

8. Don't get fooled by recipient comments. Comments for recipient are useless and its only purpose is to make sure you don't get confused by too many transfers (transaction matching). You may request for the buyer to enter something like 'Payment to <Your Name>', for somewhat better security. Still vulnerable to impersonation.

9. The 4 common online low risk methods in Singapore currently are FAST bank transfers, ATM transfers, PayNow and cryptocurrency transfers. Request specifically for these 4 methods which are instant and non-reversible.
ᵗʰᵒᵘᵍʰ ᵃᶫᵐᵒˢᵗ ᶰᵒ ᵒᶰᵉ ᵘˢᵉˢ ᶜʳʸᵖᵗᵒ ᵈᵉˢᵖᶦᵗᵉ ᶦᵗ ᵇᵉᶦᶰᵍ ᵗʰᵉ ˢᵃᶠᵉˢᵗ⋅⋅⋅
ᵗʰᶦˢ ᵃᶫˢᵒ ᵃᵖᵖᶫᶦᵉˢ ᵗᵒ ᴬᶫᶦᵖᵃʸ ᵃᶰᵈ ᵂᵉᶜʰᵃᵗ ᵇᵘᵗ ᶫᶦᵗᵉʳᵃᶫᶫʸ ᶰᵒᵇᵒᵈʸ ᵘˢᵉˢ ᵗʰᵉᵐ ᶫᵒᶫ

Many other payment types such as Paypal, GIRO, Telegraphic transfers/remittance, MEPS, credit card and cheque either have a high chargeback risk, or are delayed transfers. The transaction may also reverse before the funds settle in some cases (cheques), see below under Cybersecurity - chargeback scam.

Also, accepting TT/remittance from overseas may cause charges of $25-$100 to be applied to your bank account about a month after the transaction (agent bank charges).

10. Do not allow the buyer to send from their business account. Business accounts do not show the name of the sender. Ask for more ID if they sent through a business A/C, or dig it up yourself.

11. Beware of buyers who are not from SG/MY but have access to a local bank account somehow. Most scammers are professionals from overseas.

12. Beware of suspicious delays in payment. Buyers who 'aeroplane' make this somewhat harder to judge. Delays may be caused by a scammer communicating with a third party.

13. MAS does not prevent banks from blacklisting and refusing to do business with you without a clear reason. Confirmed this via email with MAS about a seperate issue. This means that the police investigation is irrelevant and separate from the bank's decision to blacklist you.

Also, police don't give a fuck. They're all completely clueless when it comes to cybersecurity and scams. Don't bother talking to MAS or the police about this, I've already tried. Applies to traders as well who similarly don't give a fuck. Waste of my effort.

14. Recommend rejecting buyers who are purchasing on behalf of another party, unless they are able to provide the other party's ID with note before the trade begins. Usually a big red flag.

15. Online banking transaction receipt, which is what the buyer gets to see after transferring funds, is also useless. Things like transaction reference numbers cannot be used as ID or evidence, so there is no point copy pasting it for the seller.

16. Don't reveal your mobile number in public. If you do, you can expect lots of spam (loan sharks) and phishing through SMS and Whatsapp. This is also the reason why I prefer Telegram over other communication methods, because people can contact you via username.

=============
Cybersecurity
=============
There are two other dangerous types of fraud out there that deserves their own guides. The chargeback scam, and phishing. Both will screw you hard if you don't know what you're doing. I'll just include a short section here. They're uncommon in most FB groups.

1. Chargeback scams are when buyers convince you to accept an easily reversible payment method, usually Paypal, cheques or credit card. You lose all funds, and you won't know when it will hit you. In certain countries, ATM transfers are also highly reversible, but not in Singapore.

2. Phishing is when you click on a link that you think links to an official site, but its actually a well disguised fake website meant to steal your info. Don't enter your login info into suspicious websites, and don't click on any links you receive in your email, no matter how legit it seems, unless you're 200 IQ. Modern phishing is much harder to spot at first glance than what you might think, and there are different variants. Typically this is done through email spoofing or a suspicious link.

Modern forms of this method include the buyer PMing you through your trading site, but they leave a link to their email, something like 'contact me at xxxx@gmail.com'. Once you contact their email, they will spam you with links to either reset your account's password (might not be immediately), or send a phishing link where they farm your login ID.

They might attempt to hijack your account once they find out what your main email address is. This can be your FB, Asiasoft, email, or Maple accounts. They might check sites like haveibeenpwned.com to see if you've had any data leaks.

Another form of this is phone phishing, where the scammers acquire your Whatsapp/phone number, then spam SMS phishing links about your banks. They may claim things like 'Your bank account has been frozen, login to reset your password etc'. Then you log into your bank by clicking the fake link in the SMS and lose your money. Less likely with modern 2FA, though 2FA is vulnerable.

Here is one example of a phishing SMS: https://imgur.com/a/u8d18BF
I don't have a Citibank account :)

Usually, when phishing occurs, you will see the page 'refresh' once. This is because the phishers want to make you think you've misspelled your password. What really happened is you got redirected to the legit website after the phishers got your info the first time. Quite sneaky.

You can look up social engineering (cyber security) to see what people can do with limited info.

Since you are trading on Facebook where you may not value your privacy, people can launch an attack specifically targeted at you for months without you realizing it. For example, pretending to be your friend while baiting your personal info over several months.
Typically, this info is used for account recovery, also known as account hijacking.

3. A friendly hacker (China) casually said my login ID and password in public chat while I was chatting with him back in 2011-2012, and knew that I had an @key. Shat bricks when he said that. The same one who hijacked mass inactive accounts to take advantage of the free gachapon ticket welcome back gift many years ago, if you remember the gacha broadcast spam. Might be because of a data leak... or something bigger. He was a very nice guy, though.

=================================================
For middleman service providers (escrow service):
=================================================
Read the guide carefully and ID both the buyer and seller carefully. In addition to the third-party scam, you are also more vulnerable to other troublesome types of scams such as money mules or money laundering. On other platforms like Steam, ML has been going on for a long time.

If you provide high volume services on shady P2P websites (>10k a month), Telegram me (below) for links to Monetary Authority of Singapore (MAS)'s guidelines on AML/KYC/CTF requirements and other lesser known stuff. The concern is with banking regulations impacting you indirectly, some of which are more recent. You can easily get audited or get your accounts closed with no reason given. If you're not vigilant at all, you may find yourself in deep trouble.

===
END
===
Credit to bitcoin_singapore for his original guide on Localbitcoins. Goes out of his way to PM new traders about this scam.
Link to his guide posted by numoney: https://numoney.store/sg/post/avoiding-scams-on-localbitcoins

I deal with this specific scam on a daily basis. It's very screwed up if you don't know whats happening. Many of my merch friends in different peer-to-peer trading sites have been sniped by this scam, and I've personally had $5k SGD compromised by a scammer from Thailand through multiple trades. You might not take this scam seriously at first, but once it happens to you, its too late to take any action.
My accounts on LBC and LE with feedback below, you can ask me to change profile description to prove ownership.
https://localbitcoins.com/accounts/profile/BitcoinWhale/
https://localethereum.com/profile/Zeusie

Fun fact: This guide's V1 version was originally harder to read and not meant for public use, after me and a few sellers got spooked. It was only meant to be spread within our traders' circle and to authorities, in the hopes that they would be aware and take accurate measures to counter it, but nothing of value came out of discussions with authorities. It's dangerous to even release this guide, since more people will start abusing the scam. It's too bad a lazy scammer started preying on kids/young adults, didn't even try to hide the scam by using multiple FB accounts or using multiple sites, and everything is now out in the open.

Our current banking system simply isn't suitable for making online payments, unless you deal with major retailers. It was created a long time ago without the Internet in mind, and has made literally no innovations in terms of safety or verifiability. Worthless, uncompetitive and inefficient trash needs to go.

If you don't know what to do after reading this guide or think you got scammed, you can contact me with details, I'll try to help.
Telegram me @Zeusie to clarify things, give feedback or criticism.

Blogger Tips and TricksLatest Tips And TricksBlogger Tricks