She must connect, she says, this Saturday Paris to London by car.
On Blablacar, Jana posted a carpool ad.
"Is your route still available?"
we ask him.
In English, she tells us to contact her on Whatsapp and gives us a phone number with the UK area code.
We exchange a few messages there and then she sends us a link leading to a site similar to that of Blablacar to which we must pay for our trip… The trip will never take place.
And for good reason: Jana does not exist.
The one behind it has the sole purpose of stealing money.
Valentin Hamon-Beugin, journalist at L'Usine nouvelle, was also (almost) taken in.
In a long series of tweets, he recounted his misadventure on Friday, shared for several thousand times.
He describes having wanted to book a carpool trip to connect Paris to Douai, his train having been canceled because of the storm.
On Blablacar, he therefore books a trip, it is confirmed and then cancelled.
The would-be driver, Sophia, contacts him and tells him that due to a technical problem, the ride was canceled, but that Blablacar gave him a link so he could confirm the ride anyway.
The young man falls into the trap and pays via this link until the bank confirmation message challenges him, this one asking to confirm a payment in ruble, the Russian currency!
Innocently, I click on the link, and there I come across a page that looks exactly like Blablacar.
Innocently (again), I fill in the requested information, and I proceed to payment.
I am then redirected to a page where I am asked for my credit card code pic.twitter.com/ZIX1LNGYUc
— Valentin Hamon--Beugin (@BeuginHamon) February 18, 2022
This is not the first time that such scams have been publicized.
Already last November, many similar testimonies had been published and picked up by the media.
“These are cases which remain rare and which we are able to detect and block quickly, as soon as suspicious behavior is detected or a member reports it to us”, relativizes however this Saturday a spokesperson for Blablacar.
Near-perfect phishing
What's really going on?
A carpool ad is first posted on the Blablacar platform by a fake profile.
The victim is interested in the trip, books it, but sees it canceled quickly… Blablacar's system, as it is designed, however, allowed the pirate to recover the victim's telephone number to contact him.
Claiming the cancellation because of a technical problem on Blablacar's side, the hacker sends a link to a site similar to that of the platform and the victim is invited to pay... She thinks she has paid for her carpool, but she is wrong: the site is only a copy and the money goes… to the pirate.
This attempt at "phishing" ("phishing" in good French) is not uncommon on the Internet and many companies are confronted with it.
If Blablacar says to “detect and block quickly” these fake profiles, it only took us a few minutes to find Jana.
Better: we were able to see two trips made by this same Jana… on the same day: a Paris-London, with a departure at 9 p.m., but also a Paris-Amiens, with a departure… at the same time.
“Member” since February 2022, she has 10 published trips, but 0 reviews.
It's hard to know how many fake profiles are present on the platform, but a quick tour of Blablacar allowed us in a few minutes to identify almost a dozen profiles similar to Jana's (one recent registration, no reviews and many journeys) for various routes.
Blablacar insists and calls on its users to “look at the profile of the carpooler or carpooler with whom you plan to travel” before booking.
The platform also encourages you to “always book and pay directly” on its site.
"If a driver asks you to pay via a link on WhatsApp, by SMS or elsewhere than on the Blablacar platform, it may be a phishing attempt: in this case, you must refuse and inform Blablacar", explains the company.
Faced with the high risk of being scammed, the carpooling platform has reinforced its messages regarding the “risks associated with payments outside the platform”.