As the demand for products such as surgical face masks, hand sanitizer and ventilators has grown, so has the prevalence of scammers advertising fake items online at extremely low prices. From posts on social media marketplaces and e-commerce platforms to more ‘sophisticated’ fake medical supplies websites, it is all too easy to fall victim to one of these ‘non-delivery’ scams. In fact, it has been reported that scammers have swindled over $2 million from Covid-19 panic buyers to date.
NetWatch has conducted an OSINT investigation into the phenomenon and established some tips to help identify scammers during this stressful time.
We began our investigation on familiar territory – social media. While Facebook has recently banned the sale of face masks and hand sanitizer on its marketplace, a simple keyword search on Twitter identified a wealth of tweets advertising these sought-after products. Many of these were originally uploaded in Malay, with South East Asia being identified as the source of many of these fake goods scams. One of the main warning signs to look out for here is sellers inviting customers to contact them via private message or encrypted messaging apps such as WhatsApp, WeChat or Telegram. Another is an account with very few followers; on many of these accounts, the only tweets were uploaded following the outbreak of Coronavirus in February and March 2020.
We then searched for the in-demand items on trusted e-commerce websites such as Amazon and eBay, on which we located several suspicious postings. The main thing to look out for on these platforms is items with low ratings, with users reporting that the products they received were not as advertised. For example, one customer received 7 masks when they purchased a pack of 10, and another reported that the ‘surgical’ masks they purchased were broken and arrived in a food bag. Items listed at very cheap prices with only a handful of ratings are another sign of a potentially fraudulent listing.
Next, we took to the deep web to locate fake medical supplier websites. In total, we identified over 20 such sites originating in the USA, Morocco, Malaysia, Thailand, India, Poland and Germany, the majority of which have thankfully since been shut down. Disturbingly, at first glance many of these sites appeared legitimate, possessing all the hallmarks of genuine online retailers such as an ‘About’ page, terms and conditions links and contact forms. However, we were presented with a few red flags whilst browsing the sites, including faulty social media links, false or absent company registration numbers and missing address and/or contact details, with WhatsApp listed as the only form of contact on many of them.
(Please note that the above characteristics do not apply to all scam websites; some may be registered and have a social media presence!)
Another common tactic employed by scammers is selecting a domain name similar to that of a legitimate supplier in order to confuse customers. This was the case when a website appeared recently under the name of ‘https://www.protectivemasksdirect.com’ (now suspended), seeking to emulate the legitimate supplier ‘https://www.protectivemasksdirect.co.uk’, as reported by Buzzfeed.
Going beyond the websites themselves, we used the domain tool ‘Whois’ to establish when the sites were registered. As a rule, the newer the website, the higher the chance that it is fake. In this case, the medical supplier websites we located advertising face masks and ventilators were registered after the Covid-19 outbreak in February or March 2020, a clear indication of fraudulent activity.
Case Study – ‘Medicatedequipments.com’.
We will now analyse one of the sites we uncovered – ‘https://www.medicatedequipments.com/’ – to demonstrate the above. The first thing that stood out to us was the prevalence of spelling and grammatical errors on the website. There was also no pricing information for the items listed, which you would expect to find on a legitimate supplier website.
It also struck us that the contact telephone numbers have Moroccan and Algerian area codes, while the ‘Physical Address’ is listed in Los Angeles. The lack of a specific office address and incorrect formatting were also cause for concern. Moreover, it is pertinent that WhatsApp was the sellers’ preferred means of communication, with a chat window appearing at the bottom of the screen when a user opens the window. The scammers also claimed that their service was certified to ISO and SAI Global standard, but failed to provide an ISO certification date and did not appear on the SAI Global Certification Register. Lastly, all four of the social media links were broken, re-directing users back to the company homepage.
A ‘Whois’ search for ‘https://www.medicatedequipments.com/’ determined that the website domain was created on 7th March 2020, a sure-fire sign that the site was created with the purpose of scamming coronavirus preppers.
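The two domain checks described above (a name copied under a different TLD, and a Whois creation date that falls after the outbreak began) can be automated for a list of suspect shops. The following is an added example, not NetWatch's own tooling; the Whois text, the 1 February 2020 cutoff, the review date and all function names are assumptions made for illustration.

```python
import re
from datetime import date, datetime

# Multi-part suffixes for this example only; real tooling should use the Public Suffix List.
MULTI_SUFFIXES = ("co.uk", "com.my", "co.in", "co.th")
CREATED_RE = re.compile(r"^\s*(?:Creation Date|created|Registered on):\s*(\S+)", re.I | re.M)
# Constructed Whois excerpt: the date is the one reported in the article, the layout is assumed.
SAMPLE_WHOIS = "Domain Name: MEDICATEDEQUIPMENTS.COM\nCreation Date: 2020-03-07T00:00:00Z\n"
KNOWN_GOOD = ["https://www.protectivemasksdirect.co.uk"]
EVENT_START = date(2020, 2, 1)   # assumed cutoff for "after the outbreak"
TODAY = date(2020, 4, 1)         # constructed review date so the output is reproducible

def split_domain(host):
    """Return (name, suffix) for a URL or hostname, e.g. ('shop', 'co.uk')."""
    host = re.sub(r"^https?://", "", host.strip().lower()).split("/")[0]
    if host.startswith("www."):
        host = host[4:]
    for suffix in MULTI_SUFFIXES:
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1].split(".")[-1], suffix
    parts = host.split(".")
    return parts[-2], parts[-1]

def creation_date(whois_text):
    """Extract the creation date from raw Whois text, or None if absent."""
    match = CREATED_RE.search(whois_text)
    if not match:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y"):
        try:
            return datetime.strptime(match.group(1), fmt).date()
        except ValueError:
            continue
    return None

def triage(host, whois_text, known_good, event_start, today):
    """Return the red flags raised by one domain; an empty list means none."""
    flags = []
    name, suffix = split_domain(host)
    for good in known_good:
        good_name, good_suffix = split_domain(good)
        if name == good_name and suffix != good_suffix:
            flags.append(f"same name as {good} under a different TLD")
    created = creation_date(whois_text)
    if created is None:
        flags.append("no creation date in Whois record")
    elif created >= event_start:
        flags.append(f"registered {created.isoformat()}, {(today - created).days} days old")
    return flags

if __name__ == "__main__":
    print(triage("https://www.medicatedequipments.com/", SAMPLE_WHOIS, KNOWN_GOOD, EVENT_START, TODAY))
```

A missing creation date is reported as its own flag rather than ignored, since redacted or unparseable records are the cases an analyst needs to look at by hand.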
Overall, while social media accounts and websites advertising fake goods are usually deleted/blocked relatively quickly, new ones are constantly appearing in their place. With the coronavirus pandemic far from over, opportunistic scammers will inevitably continue to take advantage of anxious customers in the coming months.
The bottom line is ‘if it’s too good to be true, it probably is’.