Online marketplace scams: how to certify evidence of online fraud
You found the perfect listing: fair price, convincing photos, a seller who answers fast. You send the payment, and then nothing. The profile disappears, the listing is taken down, the chat goes empty. When you try to report it, you realize you are holding almost nothing.
This plays out millions of times a year. In 2024 alone, U.S. consumers reported losing more than $12.5 billion to fraud, up 25% on the previous year, with online shopping ranking as the second most reported fraud category and more than $3 billion lost to scams that started online (Federal Trade Commission, March 2025). When it comes time to defend yourself, the hard part is rarely realizing you were scammed. It is proving it.
Turning a scam listing into online marketplace scam evidence takes more than a screenshot grabbed after the fact. Evidence of online fraud is volatile and easy to challenge, and it loses value exactly when you need it most. The only way to avoid ending up empty-handed is to capture and certify the listing, the conversation and the payment data at the source, while they still exist, applying a hash fingerprint and a qualified timestamp. Here is why that matters, and how to do it before everything vanishes.
Why a screenshot of a scam listing is not enough as evidence
A screenshot taken after the fact proves neither where the content came from nor when it existed. It is an image like any other: no guarantee it really came from that marketplace, no trusted date, no proof it was not edited. In a dispute, it is the first thing the opposing party goes after.
Online fraud evidence disappears within hours
A fraudulent listing is built to be short-lived. The seller collects the money and cleans up: the listing comes down, the profile is deactivated, sometimes the conversation is wiped. Platforms speed up the disappearance too, because they remove content flagged as fraudulent quickly. Within a few hours the clone listing that fooled you no longer exists, and with it the price, the photos, the stated conditions and the seller's apparent identity.
The screenshot you take in a hurry captures the look of the content, not its origin. When you bring it to a court, the part that carries weight is missing: proof that the image really matches a page published online at a specific moment, and that nobody has touched it since.
A screenshot of a fraudulent listing, saved manually after the event, documents the content but not its origin or the exact moment it was online. It is an image file with no verifiable link to the source page: anyone can produce a similar one with common editing tools, and no technical data attests to its real creation date. Frameworks for the admissibility of digital evidence generally require that a record be shown to be authentic and unaltered before a court can rely on it, and a plain screen capture offers no such assurance. This is why, in a dispute, an uncertified capture is easily challenged by the other side. The difference between an image and defensible evidence does not lie in what it shows, but in how it was captured and preserved.
Tamperability and lack of a trusted timestamp: the opposing party's objections
Anyone defending against an accusation built on screenshots has an easy job on two fronts. Tamperability first: an image can be altered with any editor, so nothing guarantees that the price, the text or the seller's name are really the ones that were published. Then the lack of a trusted timestamp. The file date on a phone can be set at will and does not prove when that content was online.
These two objections turn seemingly solid evidence into a mere clue. Once the other side raises a credible doubt about authenticity or timing, the burden swings back to the victim, who now has to prove from scratch something that should already have been settled.
What makes evidence of an online scam defensible
Evidence of an online scam becomes defensible when it holds three things together: content integrity, a trusted date and a documented chain of custody. Take away just one and the opposing party has the foothold to contest it. Have all three, and the screenshot stops being just an image. It becomes proof that is hard to take apart.
Content integrity: the hash fingerprint
Integrity is demonstrated with the hash fingerprint, a unique digital fingerprint calculated on the captured content. Change a single pixel or a single byte, and that string changes completely.
A hash is a fixed-length alphanumeric string generated by a cryptographic algorithm from a file. It works like a fingerprint of the content: identical content always produces the same hash, and any change, however small, produces a completely different value. By comparing the hash calculated at the moment of capture with the one recalculated later, anyone can independently verify whether the file has stayed identical. It is the technical mechanism that lets you state, with no room for interpretation, that a listing or a chat was not altered after capture. This is why the international standard ISO/IEC 27037 lists cryptographic hashing among the requirements for acquiring digital evidence intended for proceedings. Without a hash, the integrity of digital evidence stays an assertion, not a verifiable fact.
A trusted date: the qualified timestamp
A trusted date comes from the qualified timestamp, issued by a qualified third-party QTSP and governed by the eIDAS Regulation. The timestamp binds the content to a precise, defensible moment: it guarantees that the listing or the conversation existed in that form on that date and at that time.
This is what separates certified evidence from a screenshot saved on a phone. The qualified timestamp covers when the content existed, source-level capture covers where it came from. Together they make it far harder for the opposing party to argue the content was built or manipulated later. And the timestamp is not generated by the capture tool itself: it is issued by an accredited trust service provider under eIDAS, which is what gives it independent legal weight.
A documented chain of custody (ISO/IEC 27037)
The third requirement is the chain of custody: the traced account of how the evidence was captured, from what source, with what tools and what happened to it after capture. It is what lets an independent third party retrace the whole process and trust the result.
ISO/IEC 27037 is the international standard that defines guidelines for identifying, collecting, acquiring and preserving potential digital evidence. It rests on three principles: auditability, meaning every step must be documented and reconstructable by an independent third party; repeatability, meaning the same procedures must lead to the same results; and justifiability, meaning technical choices must be based on recognized methodologies. The standard calls for cryptographic hashing, timestamping, preservation of metadata and a documented chain of custody. A manual screenshot satisfies none of these requirements: it is not repeatable, it preserves no verifiable metadata and it leaves no trail. It is the difference between an improvised capture and a compliant acquisition, which bears directly on whether digital evidence can be relied upon in proceedings.
To document a marketplace fraud with probative weight, the route is forensic acquisition: evidence with a trusted date that is already defensible, rather than a pile of images you have to defend after the fact.
What evidence to collect in a marketplace fraud
Three kinds of evidence carry weight in a marketplace fraud, each with a different role and all sharing the same flaw: they vanish fast. The listing and profile tell the deceptive offer, the conversation tells the agreements, the payment data traces the money. Capturing them together, at the source, reconstructs the whole dynamic of the scam.
| Evidence type | What it proves | Why it vanishes / risk if not certified |
|---|---|---|
| Listing and seller profile | The deceptive offer: price, photos, description, apparent identity | Listing removed and profile deactivated within hours; an uncertified screenshot is contestable on origin and date |
| Conversation and agreements | The promises and conditions agreed, the deceptive tactics | Chat deletable by seller or platform; messages editable, authorship and date unproven |
| Payment data and money trail | The financial loss and where the funds went | Receipts and references scattered across apps and email; without a trusted date, hard to link to the listing |
The listing and the seller profile
The listing is the heart of the deception: a price out of line with the market, photos lifted from other ads, a description written to reassure. The profile fills in the rest, often a fake identity or a recently opened account run with synthetic data. Capturing them means fixing the offer as it appeared to the victim, before the fraudster makes it disappear.
The conversation and the agreements
The chat is where the deceptive tactics take shape: the reassurances, the excuses to move payment off the platform, the shipments promised and never sent. It reconstructs the seller's behavior and intent, yet it can be wiped in minutes, and a copy-paste of the text does not prove who wrote what and when.
Payment data and the money trail
Then there is the money: bank transfer, top-up, payment via app or, more and more often, cryptocurrency. The FTC reports that bank transfers and cryptocurrency account for the largest losses by payment method, which makes this data decisive (FTC Consumer Sentinel, 2025). These records prove the loss and point to where the funds went, which matters for a chargeback or an investigation. Capturing the receipt together with the listing and the chat ties the money to that specific scam, not to some unrelated transaction.
How to certify evidence of online fraud before it disappears
To certify evidence of online fraud before it disappears, you have to capture it at the source while it exists, applying integrity and a trusted date in the same instant as the capture, not afterward. This is what TrueScreen does: it captures the listing, the conversation and the payment data at the source, applying a hash fingerprint and a qualified timestamp at the moment it captures them. The evidence is born already intact and defensible, because the proof of origin and timing is inside the file from the start, not added later to an image that already exists. The seal comes from a qualified third-party QTSP, and the qualified timestamp is always issued through a QTSP integrated into TrueScreen, while the chain of custody, aligned with the principles of ISO/IEC 27037, is built automatically. Companies and legal teams use TrueScreen to capture clone listings and fraudulent chats before they are removed.
Source-level capture with legal value
Source-level capture takes the content directly from where it is published, recording its origin, technical context and geographic coordinates at the instant of capture. With the TrueScreen App and the Forensic Browser you can document a suspicious listing while it is still online, with a hash fingerprint and a qualified timestamp already applied. The Chrome Extension and the Web Portal bring the same process to volume, and the API and SDK embed it into existing workflows. The result is the same either way: certified content, tamper-proof and bound to a trusted date, not an image to explain later.
From capture to complaint: report and litigation
Certified evidence closes the loop between the fact and its protection. Showing up with the listing, chat and payment already captured speeds up the report to the authorities and gives weight to any civil action to recover the funds. A lawyer who receives evidence with a trusted date and a documented chain of custody works on an established fact, not on a screenshot to defend. It is the basis for a credible complaint or for supporting a chargeback with the bank, where the records of payment and offer document the loss in a way that is hard to contest.
