Carousell further enhances multi-layered security measures to bolster platform safety

Singapore, 6 February 2023 – Popular home-grown peer-to-peer classifieds platform Carousell has implemented additional measures and processes on top of its existing multi-layered defence to step up its efforts against the recent rise in phishing scams in Singapore.

From mid December 2022, users are required to verify their mobile number before they initiate a chat or tap on the “make offer” button. This is on top of existing requirements since 2019 for users to be mobile verified before their first listing is published.

To address the rapidly increasing phishing attacks observed globally across multiple industries, Carousell has increased both its automated detection capability and its dedicated moderator team so that scammers are detected and suspended from the marketplace more swiftly and more stringently. Carousell suspended more accounts for phishing attempts in November and December 2022 than it did across the rest of 2022 combined, and it also proactively allows access only from app versions with the latest security measures.

“What makes Carousell different from other platforms in Singapore is that the majority of our transactions are between individuals, and many users often arrange with each other directly on how to deal. We will be tightening our policies to protect our users even further; in a few short months, we will require users who do not do meet-ups to make payment and delivery only via the Carousell platform for escrow protection. We will share more details soon. Trust and safety is a top priority for us and we are committed to do our best to keep users safe,” said Su Lin Tan, Senior Vice President of Operations, Carousell.

Besides enhancing security measures, Carousell has also taken an intermediary role in the transaction process to reduce the risk for casual sellers and buyers. “We have been piloting various Sell to Carousell programmes, which allow sellers to sell their items like luxury bags, mobile phones and cars directly to Carousell for an instant cash-out. We then authenticate or certify those items and sell them to buyers on Carousell for a worry-free purchase. We know buying high-priced secondhand items may be risky so we are systematically introducing features to mitigate those risks and making the experience similar to that of buying new items,” said Su Lin Tan.

How Carousell has been working to keep its users safe

Social engineering remains a huge threat to cyber safety across all industries, as scammers constantly come up with new ways to deceive or manipulate victims into sharing their personal and financial information. Hence Carousell has been targeting this aggressively on three fronts: i) proactively stopping bad actors from getting a chance to harm users; ii) swift action on any evidence of fraudulent behaviour; and iii) driving user awareness about phishing scams. (Please refer to Annex A for more details on our safety measures.)

i) Proactively stopping bad actors from getting a chance to harm users

Besides mobile verification, Carousell has been constantly iterating our message blocking filter on Carousell Chat to adapt to the latest trends in scams and to trigger relevant warnings to users about the risk of sharing personal details and of clicking on non-Carousell links that direct users out of the app. Additionally, we will proactively inform users via in-chat notices if a user whom they were previously chatting with has been suspended or is under investigation by Carousell.

ii) Swift action on any evidence of fraudulent behaviour

Carousell uses a fraud detection solution that combines AI and machine learning to spot patterns and detect malicious online content faster and with more accuracy. One example is the recent QR code phishing scam method, where the team detected suspicious trends in activity, and quickly implemented filters to suspend users who send QR codes in high risk scenarios.  Our user community has also been a key partner in reporting to us suspicious users and listings, so our moderator team can quickly investigate and take necessary action. 

iii) Driving user awareness about phishing scams

User awareness is key as the last barrier of defence against cunning scammers who quickly adapt to platform restrictions, hence we have been increasing user safety education in both broad and targeted messaging. Our user education team has enhanced Carousell’s Help Centre with updated resources to help users better understand and identify potential scams, including the latest phishing scam patterns spotted on Carousell. Users will also see alerts pinned to the top of the app’s homescreen as well as safety tips on our homepage banners during spikes in certain scam trends. For high risk cases, users will also see added safety warnings in their chat on how to transact safely.

“The Singapore Police Force has been working closely with the Carousell team to investigate, disrupt scammers’ operations and safeguard the community against phishing. Phishing scams in Singapore are a pressing challenge that we’re constantly tackling in various forms, from jobs to e-commerce scams and phishing scams. Crime prevention is important, and we have been running education campaigns, such as ‘I Can ACT Against Scams’. The best defence is becoming a discerning public who will protect ourselves and also ACT to protect others against scams,” said Aileen Yap, Deputy Assistant Commissioner, Singapore Police Force.

###

About Carousell

Carousell is part of Carousell Group, the leading multi-category platform for secondhand in Greater Southeast Asia on a mission to inspire the world to start selling, and to make secondhand the first choice. Founded in August 2012 in Singapore, the Group has a leading presence in seven markets under the brands Carousell, Cho Tot, Laku6, Mudah.my, OneShift, Ox Luxe, Ox Street, and Refash, serving tens of millions of monthly active users. Carousell is backed by leading investors including Telenor Group, Rakuten Ventures, Naver, STIC Investments and Sequoia Capital India.  In Singapore, Carousell has a diverse range of products across a variety of categories, including cars, lifestyle, gadgets and fashion accessories. Download the app for iOS or Android, and visit www.carousell.com for more information.

ANNEX A: TRUST AND SAFETY MEASURES ON CAROUSELL

We are constantly investing in our people and infrastructure, and fine-tuning our methods with the latest technology. Here are some of the security measures we have in place and you can visit our Trust and Safety centre to learn more. 

i) What Carousell does to proactively stop bad actors from getting a chance to harm users

Machine learning and automated tools to quickly identify bad actors
Carousell uses a fraud detection solution that combines AI and machine learning to spot patterns and detect malicious online content faster and with more accuracy. We are constantly updating the tools to pick up new trends and patterns, as scammers quickly change up their tactics to avoid detection. One example is the recent QR code phishing scam method, where the team detected suspicious trends in activity, and quickly implemented filters to suspend users who send QR codes in high risk scenarios.

In-chat banners to warn users of suspicious/suspended accounts
When a user is under review for dispute, an in-chat banner will surface to notify users who have yet to transact with the user (e.g. make payment) to delay or reconsider the deal. A similar warning will also appear if a user they have previously chatted with has been suspended.

2FA email verification for suspicious logins
When a Carousell account is being logged in through a new device, we have 2FA codes sent to the account’s email address to confirm and inform the account owner that there is an attempt to log into their Carousell account.

Block URLs and email addresses from being sent in chat
A common tactic of phishing scams is to trick users into clicking on external links that will direct them to a website to share their personal or banking information. Our system identifies these links and email addresses, and blocks the sender from sending it out.

Discouraging users from bringing transactions off platform
Phishing scammers often try to get users’ contact information to bring the conversation off the platform to avoid detection.
We have in-app prompts to remind users of the risks of doing so, but give users the freedom to proceed anyway, as we recognise that mobile numbers are used for common methods to receive payment.

Mobile verification
All buyers and sellers have to verify their mobile number in order to chat or for their listings to be successfully listed on the marketplace. This gives our community more confidence in trusting one another, and helps to create a safer and more enjoyable marketplace.
A phone-verified badge will be added onto the user’s profile once they have successfully verified their number, and this badge is visible to all on the marketplace.

Account limit to prevent scammers from creating multiple accounts
Each user is limited to one account on Carousell. If they try to create more accounts, they will be blocked from signing up.

Ensuring users are up-to-date with security measures
Recently, we have started disallowing login and sign-up access from certain old app versions where the latest security measures are not available. This is to ensure that users are adequately protected with our enhanced measures. We encourage users to keep their apps updated regularly.

ii) How Carousell swiftly takes action on any evidence of fraudulent behaviour

Dedicated moderation team
On top of our automated fraud detection tools, we have a dedicated moderator team that works 7 days a week to monitor and review fraud reports. With the growing scale of scams, we have been expanding our team to review cases in 24 hours.

In-app reporting function
Any user can report a suspicious listing or user. Our moderation team will review these reports and take necessary action.

iii) How Carousell drives user awareness about phishing scams

Enhancing our scam education materials
Our user education team has enhanced Carousell’s Help Centre with updated resources to help users better understand and identify potential scams, including the latest phishing scam patterns spotted on Carousell.

Education Campaigns
We regularly run education campaigns on our platform to inform users of scam trends, as well as tips on how to transact safely.

Encourage users to verify the other party’s profiles
Ratings and Reviews are useful in building a community of trust. We educate our users to refer to ratings and reviews before they chat/deal.
Users can verify their personal information for “verified” badges.

In-chat safety messages
Carousell has been constantly iterating our message blocking filter on Carousell Chat to adapt to the latest trends in scams and trigger relevant warnings to users of the risk of sharing personal details.

ANNEX B:  TIPS TO STAY SAFE

We recommend that users be extra vigilant when shopping on any online platform, no matter how much the transaction amount is. Here are some tips for buying and selling with peace of mind: 

  1. Never disclose your internet banking details and OTP to anyone.

    Beyond our official mobile app and website (https://www.carousell.sg/, https://www.carousell.com), we will never direct you to external websites or platforms to key in your personal details.
  2. Never click on suspicious links provided in emails or text messages of any form. Carousell will never send you an SMS leading you to an external website. All Carousell websites will end with carousell.com or carousell.sg.

    Phishing sites may trick you by including “carousell” in their url, such as carousell.lalamovetoday.com or carousell.pay.com. Those are not official Carousell websites.

    This applies to links pretending to be official online banking websites as well. Be sure to cross check your bank’s official domain before entering your online banking credentials.

    How to identify: here
  3. Keep your chats within Carousell.

    Carousell has on-platform detection technologies to identify fraudulent users. To avoid being detected, scammers will try to direct you out of Carousell Chat before the detection kicks in, in order to be able to continue chatting with you even after the account gets suspended.

    By keeping your chat within Carousell, you will also be informed when the user you are talking to has been suspended.

If you spot any suspicious activity or users on our platform, please report this to Carousell immediately through the ‘Report User’ feature available on both the web and the app. The Carousell team will review these reports within 24 hours from when it’s reported.
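
The domain check described in tip 2 of Annex B, written out as an added example (it is not Carousell's code): a link counts as official only when its host is carousell.com or carousell.sg, or a subdomain of one of them. The function names and every sample link other than the hosts quoted in the tips are constructed for illustration.

```python
from urllib.parse import urlsplit

# The two official domains named in the tips above.
OFFICIAL_DOMAINS = ("carousell.com", "carousell.sg")


def is_official_link(url: str) -> bool:
    """True only if the link's host is an official domain or a subdomain of one."""
    # Browsers and libraries disagree on how to parse backslashes, whitespace
    # and control characters, so a link containing any of them is rejected.
    if any(ch == "\\" or ch <= " " for ch in url):
        return False
    if "://" not in url:
        url = "https://" + url  # bare host, as typed in a chat or an SMS
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed host such as an unclosed "["
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Match on a label boundary: "carousell" appearing somewhere in the host,
    # or a host that merely ends in the same letters, is not enough.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


# Constructed sample links. The hosts in the first four come from the tips.
SAMPLES = [
    "https://www.carousell.sg/",
    "https://www.carousell.com",
    "carousell.lalamovetoday.com",
    "carousell.pay.com",
    "https://carousell.com.phish.example/login",   # official name used as a prefix
    "https://www.carousell.com@phish.example/",    # official name in the userinfo part
    "https://phish.example\\@www.carousell.com/",  # backslash parsing trick
    "https://notcarousell.com/",                   # same ending, different domain
]


def classify(links):
    """Map each link to True (official) or False (treat as suspicious)."""
    return {link: is_official_link(link) for link in links}


if __name__ == "__main__":
    for link, ok in classify(SAMPLES).items():
        print("official  " if ok else "SUSPICIOUS", link)
```
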