The internet, websites, and social media can be wonderful things. From a small business stand point, these tools provide an easy, effective, and economical way to establish and grow businesses, and advertise to reach potential customers. But the flip side of that ease, effectiveness, and low cost is the tremendous opportunity available for people out to scam others out of money.
That’s what’s been happening to countless customers of at least 3 nearly-identical Shopify stores since July 2020. Thanks to 3 domain purchases through GoDaddy, multiple Shopify stores, and lots of Facebook and Instagram ads, a single scammer has stolen an unknown amount of money from its customers and continues to do so. It’s important to also note that because payment processors allow merchants to add whatever they’d like as the display name showing on bank and credit card statements (instead of requiring those merchants to use their own business name), these internet scams become even easier to sustain long(er) term. Irrelevant display names allow a scammer to use a fake business name – or even a website address – to confuse and redirect customers to other businesses instead of back to their own.
This is exactly why and how my small business has been stuck in the middle of a series of scam businesses run through Shopify stores since July 2020. My business URL is being used as a pawn in this scam, and I’m left with responding to dozens and dozens of confused and sometimes angry customers wanting to know why I’ve made multiple charges against their account and how I got their credit card information to begin with.
What I’ve learned in these past 6 months is that the recipe of Shopify + GoDaddy + Facebook Ads equals a perfect and profitable internet scam.
Shopify + GoDaddy + Facebook Ads = A Perfect Internet Scam
Here’s a brief rundown of how this particular internet scam is played. The scammer purchases a number of similar URLs through GoDaddy, then heads over to Shopify and creates an account. The scammer builds a Shopify e-commerce store with sleek, trendy images of products they don’t actually sell (in my case, these products are projectors), and puts their Facebook pixel on the site to begin collecting website traffic to use later for Facebook ads retargeting. The scammer creates a Facebook Page and begins running ads on Facebook, Instagram, or both. On their website and in their ads, the scammer shows these cool, modern projectors with prices slashed to 60-70% off, and then offers a coupon code for an additional 5-10% off. Customers see the Facebook or Instagram ads, see the cool, hip projectors, see the low price, and order one. Customers never receive their projectors, and also notice strange charges on their account (in my case, consistently in the $43-45 range). Those charges show to be from a URL instead of a business name. The customers visit the URL, see that it’s not a business they recognize, and then email or call that business asking why that business took their money.
My URL is one of the URLs being used in this Shopify scam (though I’m aware of at least 1 other as of the time of writing). And since July 2020, I’ve spent countless hours responding to calls and emails from these customers as well as speaking with attorneys, filing reports, and submitting support email after support email, with little to show for it.
Actions I Took Once the Shopify Internet Scam was Identified
Thankfully, one of the first 3 customers I heard from in July 2020 knew the URL where she ordered her projector from and also sent me two screenshots of her transactions that displayed my domain as the charging company. Because of this, I was immediately able to submit a support ticket to Shopify, look up the URL in the WhoIs database, identify GoDaddy as the domain registrar, email the Abuse@GoDaddy address provided on WhoIs, and begin searching Facebook for Pages using the projector business name.
I was able to find two Facebook Pages using that projector business name and logo. Both had dozens of negative reviews and comments stating it was fake, a scam, and that the customers never got what they ordered.
From there, I reached out to the two payment processors I had been made aware of by scammed customers who reached out to me. NetSpend did provide a way to complete a support form, which I did. But I never heard back. CashApp had no way for me to contact them outside of logging into my own CashApp account (which I don’t have), so I reached out to them on Facebook Messenger. Because I wasn’t a customer of theirs, they didn’t care to address this issue at all.
Next, I turned to Google because the original projector scam site had a physical mailing address listed in the footer. I immediately discovered that the address wasn’t real; there was no city by that name in the state, and the zip code was of a different state entirely.
The husband of a good friend of mine is an Assistant Attorney General in a different state, and he works on a lot of consumer fraud cases. My brother is an attorney, and I have a long-time social media connection who is an attorney who specializes in social media and internet law. After speaking with them, I received additional guidance on places to report this scam. All three also cautioned that internet scams like these are very hard to track down and stop.
Why Internet Scams are Easy to Run
Internet scams are easy to set up, easy to replicate, and easy to hide from since it’s easy for the scammer to hide their physical location. Add to that the fact that most people wouldn’t have any idea the scam website they ordered from was provided by an e-commerce website solution called Shopify, nor how to identify that the website they were on, was a Shopify site. I’m only aware of this because of what I do; most customers – even if they knew the URL of the site where they ordered – wouldn’t instinctively know there was a larger organization they could report this scam store to.
A WhoIs search did let me know that all 3 domains used (so far) in this series of scams were registered by someone with an address in Massachusetts, but all the rest of the registrant’s information was hidden from public view. I used this information to file a report with the Attorney General in Massachusetts. I received a letter back in the mail directing me to file at one of the same places my brother recommended (IC3.gov, a site specifically for reporting internet crimes) as well as a note about how difficult these internet crimes are to stop.
How this Shopify Internet Scam Repeats
Since this all began in July 2020, there have been 3 different URLs used with Shopify stores. A nutshell explanation of what happens is that the scammer runs this scam with one URL and one Shopify site as long as possible. I’ve been encouraging every customer who’s reached out to me, to contact Shopify, and eventually one of the scammed customers will take the extra step of filing a complaint with Shopify. Shopify then verifies their order and confirms fraud took place, and then takes down the shop as a result. Then the scammer waits a few days, uses one of their other projector URLs, creates another Shopify account, perhaps creates another couple Facebook Pages (I’ve found a total of 4 so far), starts running Facebook ads again, and repeats the same exact scam until they again get shut down.
How GoDaddy Responded to this Internet Scam
I have filed a report with GoDaddy for each of the 3 URLs. I have not gotten a response from anything sent to their Abuse@ email. After sending their Abuse email my most recent report, I got an auto-response directing me to a page on their site with a breakdown of different support-related addresses. Since nothing from the list really fit my situation, I tweeted their Help account. You can read the full thread here. While they did give me a different email address to send to (which I did, and also have not gotten a response from), I was told that it’s their policy to only address issues with sites they host. Meaning, they have chosen to ignore scam website that use a URL purchased through them.
Anyone who has even had a website or blog knows that there are 2 essential pieces to having a website live and on the internet: a domain and a host. So, GoDaddy being the domain provider means they make up half of this equation. This scammer wouldn’t be able to pull off this scam without a domain.
GoDaddy needs to do better.
How Facebook Responded to this Internet Scam
If you ever have tried getting any type of help on Facebook, you know it’s pretty much impossible short of contacting their Ads Support team. And in order to do that, you need to first choose a Facebook ads account you are needing help with. This means that the only shot at chatting with a human isn’t even really an option here.
You can report Facebook Pages, ads, and individual posts, which I have. But you almost immediately get a response that the Facebook Page, ad, or post doesn’t violate any guidelines. This is because Facebook doesn’t use real people to review reported Pages, ads, or posts. It uses AI to scan for offensive images and words. But since a real person is needed to understand what’s going on and to read the reviews and comments, reporting Facebook Pages, ads, and posts is ineffective.
In addition, Facebook advertising provides a treasure trove of targeting options to help advertisers reach the type of consumers interested in what they are selling, as well as retargeting and ad optimization techniques thanks to the Facebook pixel.
Here’s a screenshot taken of the current Shopify scam site as of December 20, 2020. You can see the pixel information on the right side viewable using the Pixel Helper. There are two Facebook pixels on this site, with one of them tracking over 90 types of activities.
Facebook needs to do better.
How Shopify Responded to this Internet Scam
Shopify Support has been more frustrating than GoDaddy in some ways, yet more helpful in others. GoDaddy refuses to even address this issue because they are involved on the domain side vs. the hosting, so in that sense, at least Shopify has a dedicated team to address more types of fraudulent activity on its platform. However, given the fact that this scam has been run on four Shopify stores now and the site is still live on the internet at the time of this writing, is incredibly frustrating.
For Shopify to have shut down the scammer 4 times means it needed to hear from and validate the fraudulent activity direct from a projector customer each time. Meaning, fraudulent activity was proven and confirmed by Shopify, and the shop was take down as a result. Add to that: each time one of these projector Shopify stores has been created, the scammer has used the same products and images, same business name, same logo, same discounts/discount codes, even some of the same visible email addresses, and makes a couple additional (fraudulent) charges against its customers’ accounts always in the $43-45 range.
So at this point, there’s an established pattern of fraud that’s been validated by the Shopify Integrity Support Team.
It begs the question of how many cases of fraud is too many cases of fraud before Shopify starts immediately shutting down a new projector site as soon as it pops up?
Shopify needs to do better.
How this Shopify Internet Scam has Evolved & Why It’s Even More Problematic Now
On Friday, December 18, I heard from a customer who was scammed by this projector business back in the late summer/early fall. She had contacted Shopify at the time and was a reason why the second scam site was taken down. She reached out to me again because she had been hit with a new set of bogus charges (in the same $43-45 range) by the same scammer. Even worse, she had a second set of charges at that same price point but attributed to a different URL that she didn’t recognize. After sending an email to the business owner at the other URL, she got a response that exactly paralleled my story. The URL belonging to this other business was being used in the same way as mine.
This instantly expanded the scope of this scam while also uncovering the fact that this scammer had managed to hack the payment system in a way that they were able to capture and save their customers’ bank and credit card information to reuse as they please. That also theoretically means that this scam can continue until each of those scammed customers requests new cards from their banks.
A Warning to All Small Business Owners
The truth is, there’s nothing special about my small business that makes me any more or less susceptible to being used as a pawn in this way (it is interesting to note, though, that the other business being used in the scam in the same way, is also a female-owned online marketing firm). Most businesses of all sizes have a website these days. And unless and until payment processors make changes to their systems, and Facebook provides real, human ways to report fraud, and GoDaddy addresses scams that involve domains and not just sites they host, and Shopify takes down – and keeps down – businesses they know to be running scams, there’s little myself or any of the rest of us can do.
This is just plain scary, Liz. Thanks for the information you provided in your blog. It seems that nowadays you can’t even find direct contact info for most companies. Amazon included in this list. There are so many scam emails and spam floating through the internet these days, you almost don’t want to use it. But we also don’t have many options. Frustrating! As a small business, we totally understand your dilemma.
That is very true. And even if a company does have a way to contact them, it’s hidden under so many layers (and by design) that it’s extremely frustrating.
I wonder if this is in any way related to my recent IRS notices telling me that I owe back taxes on a THRIVING sole proprietorship accepting six figures annually in PayPal payments for who knows what? PayPal has been maddeningly dodgy and obtuse about this, since my actual PayPal accounts don’t show any transactions, we spend forever discussing that I have 2 PayPal’s and I’d notice $120k in payments coming through either of them, I checked them both and neither are getting any action, no I don’t have any other PayPals, and around here is where we get the obligatory reset (either “technical issues” or simple incompetence, my problem will not get a response) that resets my entire process and leaves me back at square one: dragging my explanation of a problem through the sludge of barriers that exist and are incapable of recognizing this particular situation or comprehending it for that matter.
I actually ended up here researching a totally different issue, I’ve been trying to find a way to report a new and active fake e-commerce site that’s coming up on Google’s search results as one of the main options for several rather generic search terms. I’m talking first page google shopping scroll visibility and I’ve already found the legitimate site’s policies and about info they fully copied and pasted as their own, glaring indicators of a scammy site and many reports of people having just made purchases, along with all the people that found out they’ve been scammed. They use several mechanisms to do this, I’d assume they are selling high quality customer data since they’ve been getting up to date and accurate shipping addresses from people with their current contact info and payment details. They are using fake tracking or inaccurate zip codes to delay shipping and then dragging out and denying customer complaints after phishing as a payment screen/confirmation or guest checkout to further kick the can down the road so people think they’ve been denied a refund by PayPal or their CC.
All I want to do is report this to godaddy or Shopify or PayPal or anybody affiliated who of course would want to know that blatant theft and other chicanery is happening on their platforms since they can flip a switch and shut it off but instead the best I can do is a useless empty whois report and an endless click through of options that don’t ever include “report fake e-commerce site that we actively facilitate so we can quit helping them steal from people using ssl certification we provide that falsely legitimizes them”
I don’t know what to do. It’s us goods sale.com and I suspect was daily sale us.com at one time bc that’s been left by mistake in the code under the new email address with the new domain. I went to domaintools and short of buying a membership that costs a hundred bucks a month all I could find out is they’re potentially operating/have operated over 400 sites and I betcha they could help if I were a bajillionaire and I mattered more, but alas. “It’s impossible to stop” is an unacceptable yet ubiquitous take on fraud like this. They say it’s too hard to track down perpetrators but it seems like the real problem is it’s just not profitable to do so.
It’s beyond maddening. We can look up who the domain registrar and hosting companies are for all websites, but what I’ve found is that domain registrar’s say it’s not their problem, and to contact the host. I’ve had very mixed experiences with hosting companies. A couple were amazing and removed the scam sites in a day or two. Shopify, on the other hand, is the exact opposite. It’s like they are doing everything they can to aid the scammers. And with an issue like mine, there are too many payment processors to contact. I don’t know why any payment processor would allow someone to set up an account with a display name different than their business name.