Online shopping may be convenient but it's never without risks.
Whether the order shows up with defects or ends up being a poor fit, many things can go wrong when making a purchase online.
Depending on the company's policy, there may be the option to make an exchange or request a refund.
But what happens when you make a purchase from a fraudulent site?
Melinda Cleland paid $200 for two pairs of shoes, only to receive a pair of sunglasses she thinks is worth $2 in return.
Site looked legitimate
She had wanted to buy a pair of waterproof boots from a trusted US brand to add to her existing collection.
A quick Google search brought up the online shop as the second result on the list.
As an online business owner, Ms Cleland considers herself tech-savvy when it comes to verifying the legitimacy of other online shops.
She had made sure the domain name was in the website and that the URL started with "HTTPS" before clicking on anything else.
"I always look for that to know that my details are secure – that's my kind of test," says Ms Cleland.
"Your credit card details aren't going to be sold off to anyone else or recorded anywhere. It's all encrypted so the website owner can't see it."
But that's not entirely accurate, cybersecurity expert Ryan Ko explains.
The HTTPS indicates a connection and transmission is secure, which means information you transmit to the site is encrypted and can't be intercepted by third parties during transmission, the Queensland professor says.
"But that only protects you from hackers sniffing your data transmission, not dodgy site operators," Professor Ko says.
"So HTTPS isn't always an indicator that a website is safe."
And some dodgy operators bank on people being fooled by this common misconception.
Ms Cleland says the website looked secure and even greeted her with a promotional message offering free delivery above a certain amount spent.
So, she decided to add another pair of shoes to her cart to take advantage of the offer.
The entire purchasing process went smoothly up until the payment point.
While the products were advertised in Australian dollars, the final amount had converted to American dollars at check-out.
"I thought it was a bit odd," says Ms Cleland.
But she dismissed this as a glitch and proceeded with the sale, which went through successfully.
Hidden in the fine print
A couple of weeks had passed and there was still no sign of her parcel, so she decided to check the tracking information.
This is when she realised it was missing from her email, so she visited the online shop's FAQ section.
"When you actually read the fine print, that's when things started to get a bit weird," Ms Cleland says.
"You'll receive a receipt from an email," read the answer to missing tracking information, which Ms Cleland says was a random address and not the domain address.
In another section about issues with orders, another email address to contact them was listed, and again it was a random address.
By this time, she figured she had been scammed but decided to try contacting them about her order anyway.
Ms Cleland didn't get a response.
But she did find the receipt with the tracking number sitting in her junk mail which she says "looks like spam" and had saved it just in case.
An unexpected package arrives
"Then randomly one day, this parcel turned up," says Ms Cleland.
"It was a pair of sunglasses – really shitty, plasticky and hard.
"Then I got another spam-looking email saying my package has been delivered."
The tracking number matched that on the parcel so she did some digging into the company.
Ms Cleland found the owner of the website to be an established international wholesaler.
Determined to take the website down, she reported the scam along with her findings to the authorities, the registered brand and the wholesaler — believing them to be a victim.
She then emailed the scammers, demanding a full refund after calling them out on their scheme, fully transparent about the reports she had made.
Conversation with scammers went in circles
A couple of days after, Ms Cleland received a comical reply lined with an apology, with no acknowledgement of the scam.
The scammers had suggested she keep the sunglasses or gift them to a friend or family member.
As part of their apology, they offered a refund of 50 per cent of the full amount.
Ms Cleland persisted for a full refund, confident the authorities and other parties involved would soon take action on the scammers.
She continued to call the scammers out on their scheme.
Meanwhile, she had heard nothing back from any of the bodies she had reported to.
Unfazed by Ms Cleland's allegations, the scammers continued the conversation with a spiteful response.
They requested her to return the pair of sunglasses and pay for postage in exchange for a full refund.
Flustered by the audacity of the scammers' request, Ms Cleland stood her ground.
She warned scammers of an impending shutdown, sharing her plan to escalate her report to more authorities, which she did go ahead with.
This time, the response was lined with a sympathetic tone as the scammers claimed the delivery to be an honest mistake.
To appease Ms Cleland, they offered a refund of half the amount she had paid for the goods.
Ms Cleland stopped engaging with the scammers and decided to contact her bank to get a refund instead.
How common are online shopping scams?
Australians aged between 35 and 44 have reported the greatest loss to online shopping scams, and Ms Cleland is one of them.
According to the Australian Competition & Consumer Commission (ACCC), Australians lost $9.2 million to this type of scam last year.
The total losses increased by 5 per cent over the previous year (2021) despite 37 per cent fewer scams reported.
"While these scams are impacting less people, those impacted are on average suffering greater losses than in the prior year," says an ACCC spokesperson.
Although scams are present all year round, they are likely to heighten over peak online shopping periods such as Black Friday sales and festive seasons such as Christmas.
So how can you spot a fake website?
Scammers now set up fake retailer websites to replicate genuine retail brands.
From sophisticated layouts to stolen logos and Australian Business Number (ABN) and even a ".com.au" domain name, they are pulling all the stops to trick consumers.
Professor Ko says it's difficult to know whether you're buying from the real deal.
But he says there are some checks you can do to verify the legitimacy of a website.
Firstly, he says to pay attention to the URL as even a slight misplacement of the full stop can be a tell-tale sign.
"Look at the domain name and see if there are deviances to the normal way it's spelled."
Real domain names usually appear right before the ".com".
Next, similar to what Ms Cleland had done, Professor Ko says to look out for websites that begin with "HTTPS".
This indicates a secure connection, often accompanied by a certificate displayed as a lock icon in the search bar.
Professor Ko, who also co-founded CyberCert, a cyber security certification company, suggests going a step further.
"Click on the lock icon and see where or who the certificate is issued to."
"If it doesn't look like the company itself, then you might want to be a bit careful," he warns.
Some commonly trusted certificate issuers include Comodo SSL, DigiCert, Entrust Datacard, GeoTrust and GlobalSign.
Professor Ko says to also scan the website's content for any potential red flags.
Inconsistencies in typography such as font design, size and cases as well as spelling errors are signs to take note of.
Professor Ko also recommends entering the website URL into Google's Transparency report to check if a link is legitimate.
Lastly, he says browser settings can also offer an added layer of protection.
"You could turn on settings within your browsers to [allow you to] surf encrypted websites only."
This prevents scammers from eavesdropping or stealing sensitive information.
Fake websites can appear as a top search result
Ms Cleland had her guard down after seeing the website appear high in Google's search list result.
Professor Ko says: "Fake websites, just like any websites, can easily optimise themselves for search engines."
"If you create a hundred fake websites that point to this central fake website, it looks more legitimate than a standalone one and then appears higher on the search list."
Similarly, this can be achieved when key search terms are sprinkled across the content.
Products from fraudulent sites can also come up as sponsored posts by paying advertisement fees.
"It is a small price to pay following the returns they will make," says Professor Ko.
Scammers operate like a business – they even have an HR department
Professor Ko says to not underestimate the extent to which scammers will go to create a functional, fraudulent site.
"They run like businesses — they have web developers, a finance department, even a human resources department to run as syndicates of organised crime."
In his research, Professor Ko labels cybercrimes as a growing and present danger affecting organisations and nations alike.
And getting to the root of online scams is not easy as "sometimes IP addresses can be spoofed" or "redirected to a buffer of websites".
He argues that regulators and law enforcement can be more effective in preventing cybercrimes using traditional crime prevention methods.
Ms Cleland's case is a clear example of how scammers remain nonchalant about being reported to authorities.
Despite the multiple reports made more than half a year ago, the website is still up and running.
Professor Ko believes increasing the barriers and risks to cybercriminals would reduce their rewards and motivations in perpetuating cybercrimes.
How else can you avoid falling for scams?
Ms Cleland later found reports from other people who labelled the website a scam but it was too late.
"Well, you don't find them until you realise you've been scammed, especially when it looks legitimate," she says.
The ACCC advises shoppers to take time to suss out a website or seller online, especially if they are new.
"If possible, try and ascertain how many sales the seller has, and the period of time they've been selling," says the ACCC spokesperson.
"If the store is on social media, read the comments and search for independent reviews on the internet – noting that sometimes there may be fake positive reviews."
What should you do if you think you've been scammed?
Here's what an ACCC spokesperson says to do after you have been scammed:
- Contact your bank or financial institution as soon as possible if you have lost money
- Contact the platform on which you were scammed and provide details about your experience
Tell your friends and family about your experience for support and to help protect them from scams
The ACCC also encourages you to make a report on the Scamwatch website, subscribe to their Scamwatch radar alerts and stay updated via Twitter.
You can report fake websites as well as websites suspected of hosting or distributing malware to Google for review.
Sponsored scam ads can also be reported to Google in "My Ad Centre", accessed by clicking on the three stacked dots next to the ad.
Ms Cleland contacted her bank after failing to get a refund from the scammers.
Although it had been about a month since she had made the transaction, her bank approved her request within a couple of days.
She believed sharing all emails, invoices and reports relating to the scam with the bank had helped her case.
"If you want to get your money back, you've got to persevere and try everything. Why should someone else get your money?"