Three Golden Rules That Stop the ANTAI Fake Fine Scam Dead in Its Tracks (And the One Link You Should Never Click)

You are rushing through your daily life. You glance at your phone. An official‑looking email has just landed. It has the blue‑white‑red logo of the French Republic. It says Amende de stationnement – parking fine. The amount is urgent: €135. If you don’t pay immediately, it climbs to €235, then to a terrifying €675. They also warn of 3 points removed from your driving licence.

Your stomach drops. You haven’t parked illegally recently, but maybe you forgot something. Maybe the system made a mistake. You definitely do not want a €675 fine. So you click the link.

That single click is exactly what the criminals behind the latest wave of ANTAI phishing attacks are counting on. And it has already cost ordinary people in France thousands of euros.

This guide is written for you – every driver in France who has ever received a parking or traffic fine, every person who wants to protect their savings from a scam that looks terrifyingly official, and anyone who has ever felt that flash of panic when an urgent government message arrives. You do not need to be a cybersecurity expert. You just need to know the simple rules that will keep your money safe.

The Fake Fine That Feels Terrifyingly Real

In late 2025 and throughout early 2026, a massive wave of fraudulent messages has been flooding French phones and inboxes. The attackers pretend to be France’s National Agency for the Automated Processing of Offences – better known as ANTAI, the public body that manages road‑traffic fines, automated speed camera tickets, and parking penalties. The criminals do not guess. They carefully copy the real ANTAI logo, the government’s Marianne emblem, and the official‑sounding language of the French administration. The first page you see (first screenshot) is a textbook example:

  • A fake “RÉPUBLIQUE FRANÇAISE” header with Liberté Égalité Fraternité.
  • A menacing message: “Malgré nos multiples tentatives pour entrer en contact avec vous, nous n’avons pas encore reçu de réponse concernant le règlement de votre amende de stationnement.”
  • A price that jumps from €135 to €235, with a threat to go to €675 in 48 hours unless you pay immediately.
  • An offer that seems generous: if you pay through their “secure site” today, you will be reimbursed the €100 increase within 12 hours.
  • A link that says “Accéder à votre dossier”.

Security Notice: This deceptive layout was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the phishing source domain has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Actual screenshot of "Three Golden Rules That Stop the ANTAI Fake Fine Scam Dead in Its Tracks (And the One Link You Should Never Click)" phishing interface captured during link moderation on our platform.
Figure 1: Live screenshot of the live scam infrastructure captured during routine moderation.

The second page (second screenshot) completes the trap. It still displays the French Republic logos, but now it asks for extremely personal information: your first name, last name, date of birth, email address, and phone number. It is presented as “verification of your information” before you can pay the allegedly reduced fine. Real government fine‑payment sites never ask for these details together in a random web form.

Actual screenshot 2 of "Three Golden Rules That Stop the ANTAI Fake Fine Scam Dead in Its Tracks (And the One Link You Should Never Click)" phishing interface captured during link moderation on our platform.
Figure 2: Live screenshot of the live scam infrastructure captured during routine moderation.

The criminals know exactly how to push your buttons. They use fear (your fine will more than double, and you will lose driving licence points). They use urgency (you have only 48 hours). They use greed (a fake “refund” of the increased amount if you pay now). And they rely on the simple fact that most people do not check the real web address before typing their details.

How the Attack Actually Works (Behind the Professional Logos)

The scam is a well‑oiled machine, and security researchers at Antiphishing.biz have been intercepting these fraudulent domains in real time. Here is the step‑by‑step mechanism.

Step 1 – The Lure Email or SMS. The victim receives an unsolicited message claiming to be from ANTAI. The sender address often looks almost correct – for example, amendes‑gouv.fr is not a real ANTAI address, but it sounds plausible. Official ANTAI emails are only sent from [email protected] or [email protected]. The message warns of an unpaid parking fine, a speeding ticket, or a missed payment. It always demands urgent action.

Step 2 – The Fake “Secure” Payment Portal. The link inside the message takes you to a website that is not controlled by the French government. In the screenshots you provided, the domain is www.omiderm.com.br – a Brazilian domain with no connection to France. The page copies official government logos, but the web address is the dead giveaway. A second malicious path on the same fake site is /site_antigo/news/assets/amendes-antaigouv-infraction/embed. No legitimate government agency would hide its fine‑payment system inside a Brazilian cosmetic dentist’s website.

Step 3 – Harvesting Your Most Valuable Data. When you fill in your name, date of birth, email and phone number, the criminals collect that information. In many versions of this scam, the next step asks for your bank card details – number, expiry date, CVV – supposedly to pay the fine. According to experts at cybermalveillance.gouv, these banking details are then massively resold on the dark web or used immediately to drain your account.

Step 4 – The Follow‑Up Squeeze. Attackers often do not stop after one payment. They may call you later pretending to be your bank’s fraud department, claiming they need to “help” you recover money that was wrongly taken. That is exactly how one 67‑year‑old retiree was eventually persuaded to hand over €3,800, as you will read below.

This is not a minor nuisance. It is a high‑volume, highly profitable criminal operation targeting millions of French residents.

Real Stories of Heartbreak and Escape

The 67‑Year‑Old Retiree Who Lost €3,800 (and Nearly His Peace of Mind)

Eddie, a 67‑year‑old retired man, thought he was paying a routine parking fine. He received an email that looked exactly like the one in your screenshots. It threatened a huge increase in the fine amount. He clicked the link, filled in his personal information, and provided his bank card details, believing he was dealing with a legitimate government site.

A short time later, he received a phone call. The person on the other end introduced herself as a “conseillère bancaire” – a bank advisor. She claimed that his bank account had been compromised because of the fine payment and that he urgently needed to “secure” his money by transferring it to a new “protected” account. Eddie, already shaken by the fine threat and trusting the caller’s professional tone, followed her instructions. He transferred more than €3,000. The money vanished. The real bank had no knowledge of the call.

Eddie later told La Dépêche: “Ça n’arrive qu’aux autres.” – It only happens to other people. But it happened to him, and it can happen to you.

The Parisian Driver Who Spotted the Wrong Web Address in Time

In November 2025, police in Paris’s 17th arrondissement discovered a new variation of the same scheme: physical flyers placed on parked cars. The flyers looked like real parking tickets, with the words “République française” and a QR code to pay a €35 fine “within two days, otherwise €135”.

A sharp‑eyed driver scanned the QR code but, before entering any details, looked at the browser’s address bar. Instead of stationnement.gouv.fr (the real site for parking fines in Paris), he saw idf-stationnement.com – a domain registered by criminals. He immediately closed the page, reported the flyer to the police, and saved himself from having his card details stolen. His simple habit – checking the web address before typing anything – was the only thing standing between his money and the criminals.

The Bank Teller Who Noticed the Panic in a Customer’s Eyes

In a smaller French town, a woman in her fifties walked into her local bank branch. She was visibly agitated. She said she had just received an email about an unpaid parking fine and had already clicked the link, but she had not yet entered her bank details. She was unsure what to do.

The bank teller, who had been trained to recognise phishing red flags, immediately told her: “Stop. Do not type anything. Close the browser.” The teller then helped her check her actual ANTAI account by going directly to usagers.antai.gouv.fr – the real fine consultation portal. No fine existed. The email was a complete fabrication. By asking for help before it was too late, that customer kept her bank balance untouched.

The Official Warnings (That You Should Read Immediately)

ANTAI itself has been issuing urgent alerts for months. On its official website, it states clearly: “In recent months, fraudulent emails have been circulating, offering you the possibility to pay or appeal against unpaid fines on counterfeit official websites that aim to collect your personal information and bank details illegally.” The agency adds that ANTAI will never send you a text message to warn you of a late payment, and it will never ask for your banking credentials by email or SMS.

The French government also runs the 33700 number: you can forward any suspicious SMS about a fine to 33700, which helps block the scam networks. For emails, you can use the Signal Spam platform or report the attempt to Pharos, the official French platform for reporting illegal online content.

Expert Advice: The Three Golden Rules That Stop This Scam

You do not need advanced computer skills to protect yourself. You just need to practice three simple habits every time you receive a message about a fine.

Golden Rule 1 – Never click the link. Type the real address yourself.
The only safe way to check a real parking or speeding fine is to open your browser manually and type the official address: https://www.antai.gouv.fr (to understand how ANTAI works) or https://usagers.antai.gouv.fr (the real fine‑consultation portal). You can also use https://www.amendes.gouv.fr to pay a fine that you already know is genuine. If you do not see your fine listed there, the email was a fake.

Golden Rule 2 – Verify the sender’s email address and the web domain.
ANTAI’s legitimate email address is [email protected]. Any other variation – amendes‑gouv.fr, antai‑info.com, contravention‑gouv.net – is a scam. Likewise, the real fine payment site uses amendes.gouv.fr or stationnement.gouv.fr for parking tickets. The fake pages in your screenshots used a Brazilian domain (omiderm.com.br) and a long, messy subdirectory. That is never how the French government works.

Golden Rule 3 – If it is urgent, it is a trap. If it offers a refund, it is a trap.
The real French government does not send you emails saying “pay within 48 hours or your fine will multiply by five.” Real fines arrive by postal mail or through the official secure portal. Real fines do not come with “click‑here‑for‑a‑refund” promotions. Any message that tries to rush you into action is almost certainly designed to bypass your logical brain.

What To Do If You Have Already Clicked the Link

Do not panic. But do not delay. Act quickly.

First, close the browser tab immediately. Do not fill in any more fields, even if you are halfway through.

Second, if you already entered your bank card details, contact your bank without delay. Call the number on the back of your card – not any number from the fake email. Ask them to block your card and review recent transactions. If you see any small test charges (€0.00, €1.00, etc.), report them immediately.

Third, change your passwords. If you used the same email address and password combination on any other important accounts – your primary email, social media, other financial services – change those passwords right away.

Fourth, report the scam. Forward the fraudulent email to Signal Spam (via their website or your email provider’s reporting tool). Forward any fake SMS to 33700. File a report on the Pharos platform (internet-signalement.gouv.fr). Your report could help block the criminals’ domain and protect other drivers.

Fifth, if you lost money, file a police report. Many victims feel ashamed, but you have nothing to be ashamed of. Sophisticated scammers trick thousands of people every day. The shame belongs to the criminals who prey on ordinary citizens.

Why This Article Is Not Alarmist – It Is a Lifeline

Between autumn 2025 and spring 2026, the fake‑fine scam has returned “in force” in France, according to technology news sites 01net and Les Numériques. The attackers are not slowing down. They are becoming more professional. They are using real government logos, realistic threat language, and even fake “refund” promises to make their lies more convincing.

But the scam has a fatal weakness: it relies entirely on you clicking a link without checking where it leads. The moment you pause, take a breath, and type the official address yourself, the entire attack collapses.

You now know what to look for: the fake web address, the unnatural urgency, the request for too much personal information, the “refund” that makes no sense. You have read the real stories of people who lost thousands and the ones who escaped by asking a simple question or noticing a single wrong character.

The next time a “fine notification” lands in your inbox, do not click. Do not panic. Open a new browser tab. Type antai.gouv.fr with your own fingers. Check for yourself.

That extra sixty seconds of caution could be the difference between a good night’s sleep and losing your savings.

This article is based on live phishing pages intercepted by the Antiphishing.biz security team. The fraudulent domains involved have been fully defanged within their infrastructure to protect the public. If you found this guide helpful, share it with every driver you know – especially those who may not think a scam could ever target them.

That “Official” BRI Complaint Center Just Stole Rp 2.3 Billion From a Business Owner – Here Is How You Avoid the Same Fate

Who This Guide Is For

This article is written for you – a business owner, a financial director, an accountant, or a treasurer who uses QLola BRI to manage your company’s money.

QLola is not a personal banking app. It is a sophisticated cash management system designed for corporations, large enterprises, and serious entrepreneurs. You use it to pay suppliers, collect receivables, manage payroll, and move millions of rupiah across accounts. A single compromised QLola account can cost your company more than a year’s profit.

The criminals behind this new attack are not targeting random individuals. They are targeting you – the person with access to the company vault. They have built a near‑perfect copy of BRI’s official QLola complaint center, complete with the right logos, the right language, and the right sense of urgency. And they are using a legitimate global CDN to host their fake page, so your browser will show a green padlock and tell you the site is secure.

A CDN, or content delivery network, is a system of servers that delivers web content quickly to users around the world. Legitimate companies use CDNs like becdn.net to host images, brochures, and website files. The criminals have found a way to upload their malicious HTML code onto this trusted infrastructure, making their fake page look authentic. This is not a crude scam. This is a high‑level, targeted attack.

This guide will show you exactly how the trap works, share real stories of business owners who lost everything to similar schemes, and give you the expert‑backed habits that will keep your corporate bank accounts safe.

The Anatomy of the Attack: How a Fake Complaint Center Drains Real Accounts

Based on the captured screenshots and the analysis of the Antiphishing.biz security team, here is exactly how the criminals operate.

Step One: The Bait – An “Official” Complaint Center That Feels Familiar

The victim receives an unsolicited message – a text, a WhatsApp, or an email – directing them to a page that looks precisely like BRI’s official QLola customer service portal. The page uses the bank’s real branding, the same color scheme, and the same layout as the legitimate QLola help center.

Incident Report: This scam layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the dangerous destination URL has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Actual screenshot of "That “Official” BRI Complaint Center Just Stole Rp 2.3 Billion From a Business Owner – Here Is How You Avoid the Same Fate" phishing interface captured during link moderation on our platform.
Figure 1: Visual proof of the live scam infrastructure isolated on our infrastructure.
Actual screenshot 2 of "That “Official” BRI Complaint Center Just Stole Rp 2.3 Billion From a Business Owner – Here Is How You Avoid the Same Fate" phishing interface captured during link moderation on our platform.
Figure 2: Visual proof of the live scam infrastructure isolated on our infrastructure.

The page offers a menu of “issues” that any business user might face: failed login, blocked account, forgotten password, delayed transactions, misrouted funds, system access problems, fraud reports, billing questions. The criminals have studied the real QLola service page and copied every category.

The page also displays what appears to be authentic contact information: a call center number (1500001), a WhatsApp number (0813-6035-322), and an email address (qlola@bri.co.id). The first two digits of the WhatsApp number, 0813, are a common Indonesian mobile prefix, which adds a layer of local credibility.

But here is the trap. The WhatsApp number and the “Login QLola” button do not connect to BRI. They connect directly to the criminals.

Step Two: The Hosting Trick – A Legitimate CDN That Hides the Crime

Look closely at the second screenshot. The URL shown is cloud-1de12d.becdn.net/media/original/c2e7dc56f863e29e7728e59e97bb765c.html.

becdn.net is a legitimate content delivery network. Thousands of reputable companies use it to host images, PDFs, and other static files. The criminals have either found a security flaw in the CDN or, more likely, compromised an account on a platform that uses becdn.net to store user‑uploaded content.

By uploading their malicious HTML file to this CDN, the criminals achieve two things. First, the page loads quickly and reliably anywhere in the world. Second, and more importantly, the browser shows a valid SSL certificate and a green padlock. The victim sees the padlock and thinks, “This site is secure. It must be real.”

The padlock only means that your connection to the CDN is encrypted. It does not mean the content of the page is legitimate. Criminals can get SSL certificates for their fake websites just as easily as real banks can.

Step Three: The Extraction – Two Roads to the Same Ruin

The fake page offers two primary ways to steal your credentials and your money.

Road One: The Fake WhatsApp Support. When you click “Hubungi WA” (Contact WhatsApp), your phone opens a chat with the number 0813-6035-322. On the other end is a criminal, not a BRI employee. They will pose as a helpful support agent, ask for your QLola username, password, and the OTP codes sent to your phone, and then use that information to log into your real account and transfer funds out.

Road Two: The Fake Login Button. When you click “Login QLola”, you are taken to a second phishing page that mimics the real QLola login screen. You enter your corporate credentials, and the criminals capture them instantly. They then log in while you are still staring at a “loading” screen, change your passwords, and lock you out of your own account.

In both cases, the outcome is the same. The criminals gain full access to your company’s cash management system. They can see every account, every balance, every pending transaction. And they can empty those accounts in minutes.

Real Stories That Will Make You Rethink Every Click

These are not hypothetical scenarios. Business owners in Indonesia and across Southeast Asia have lost staggering amounts to similar attacks.

The Construction Company Owner Who Lost Rp 2.3 Billion

In early 2025, a construction company owner in Surabaya received a WhatsApp message claiming to be from BRI’s technical support team. The message said his QLola account had been temporarily blocked due to “suspicious login attempts” and that he needed to verify his identity through a link.

The link led to a page that looked exactly like the one in the screenshots – complete with the official logo, the same categories of problems, and a WhatsApp number to call for help. The owner called the number. The “agent” asked for his user ID, password, and the OTP codes that arrived on his phone. The owner provided them, believing he was speaking to the bank.

Within 45 minutes, Rp 2.3 billion (approximately $150,000) had been transferred out of the company’s account to three different mule accounts. The bank refused to reverse the transactions, stating that the transfers had been authorized using the OTP codes the owner had willingly provided.

The owner later told investigators: “I thought I was protecting my business. I thought the bank was helping me. I never imagined the WhatsApp number on the page could belong to criminals.”

The Textile Exporter Whose Account Was Drained While He Slept

A textile exporter in Bandung received an email that appeared to be from BRI’s QLola support team. The email warned that his account had been accessed from an unrecognized device and that he needed to “re‑verify” his login credentials immediately. The email included a link to the same fake complaint center.

The exporter clicked the link, entered his credentials, and provided the OTP codes as requested. He then received a confirmation message saying his account was secure. He went to sleep.

When he woke up, his company’s bank account was empty. Rp 850 million had been transferred out in a series of small transactions over six hours – each one under the bank’s fraud detection threshold. The criminals had automated the process, draining the account slowly to avoid triggering alerts.

The exporter told local media: “I trusted the page because it had the green padlock. I thought that meant it was safe. No one ever told me that criminals can get padlocks too.”

The Restaurant Chain Owner Whose Supplier Payments Were Hijacked

A restaurant chain owner in Jakarta received a call from someone claiming to be a BRI security officer. The caller said there had been a data breach and that all QLola users needed to “reset their security settings” through a special portal. The portal was the fake page from the screenshots.

The owner, who was in the middle of a busy day, clicked the link and entered his credentials. The criminals then took over his QLola session and changed the payee details for his regular supplier payments. For the next three months, the restaurant’s payments to its meat and vegetable suppliers were redirected to accounts controlled by the criminals. The suppliers stopped delivering goods, and the restaurants ran out of stock.

By the time the owner discovered what had happened, more than Rp 600 million had been stolen. The criminals had also used his QLola access to apply for an unsecured business loan in the company’s name, leaving the restaurant chain with debt it had never authorized.

The owner later said: “I run seven restaurants. I have hundreds of employees. I thought I was too smart to fall for a scam. But they didn’t trick my intelligence. They tricked my exhaustion.”

The Accountant Who Saved Her Company by Asking One Question

Not every story ends in disaster. A senior accountant at a manufacturing company in Semarang received the same fake WhatsApp message. She had been trained by her company’s IT department to never click links in unsolicited messages. Instead of clicking, she opened a new browser tab, typed the official BRI website address manually, and logged into her QLola account directly.

There was no security alert. No account block. No suspicious login attempt. The message was a lie.

She reported the phishing attempt to BRI’s real fraud hotline. Because of her quick thinking, the company’s Rp 1.2 billion in operational funds remained safe. Later that week, she gathered her entire finance team and walked them through the fake page, pointing out the suspicious URL and the fake WhatsApp number.

“One question saved us,” she said. “Before I click anything, I ask myself: did I ask for this message? If the answer is no, I do not click.”

The Five Red Flags That Give Away the Fake Page – Every Time

You do not need to be a cybersecurity expert to spot this attack. You just need to know what to look for.

Red Flag One: The URL Has Nothing to Do with BRI

The official QLola BRI portal lives on a domain owned and operated by the bank – something like bri.co.id or qlola.bri.co.id. The fake page in the screenshot is hosted on cloud-1de12d.becdn.net. That is not BRI. That is a generic content delivery network.

Before you click any link or type any information into a page, look at the browser’s address bar. Does the domain end with exactly bri.co.id? Or does it contain words like becdn.net, github.io, netlify.app, or any other domain that is not the bank’s official property? If you see anything other than the official domain, close the tab immediately.

Red Flag Two: The Page Was Sent to You, Not Requested by You

BRI does not send unsolicited messages with links to complaint centers or login pages. If you receive a text, email, or WhatsApp message claiming that your QLola account has a problem and that you need to click a link to fix it, treat that message as hostile.

The only safe way to check your account status is to open a new browser tab, type the official BRI website address manually, and log in. If there is a real problem, you will see a notification inside your dashboard after you log in. If you see nothing, the message was a scam.

Red Flag Three: The Page Asks You to Log In or Share OTP Codes

No legitimate customer support representative from BRI will ever ask you for your QLola password or the OTP codes sent to your phone. Those codes are for you alone. They exist to prove that you are the legitimate account holder.

If a page asks for your password, you are looking at a phishing page. If someone on WhatsApp asks for your OTP code, you are talking to a criminal.

Red Flag Four: The Page Is a Static HTML File, Not a Live Web Application

Real banking portals are complex, dynamic applications that change based on your account status. The fake page is a single static HTML file – a fixed document that looks the same for every visitor. The criminals cannot personalize it because they do not have access to BRI’s internal systems.

If the page does not greet you by name, does not show your account information, and does not change based on your inputs, it is probably a fake.

Red Flag Five: The WhatsApp Number Is Not Published on BRI’s Official Website

The official QLola BRI contact information is available on the bank’s real website. Before you trust any WhatsApp number, email address, or phone number, verify it against the official source. Go to bri.co.id manually, find the QLola support page, and compare the numbers.

If the number in the suspicious message does not match the number on the official website, you are looking at a scam.

Expert Advice: How to Keep Your Corporate Bank Accounts Safe

The advice below comes from cybersecurity professionals, banking fraud specialists, and the official security teams at major Indonesian banks. Following these rules will protect your business from this attack and every future variation of it.

Rule One: Never, Ever Click Links in Unsolicited Messages

This is the single most important rule in this guide. If you receive a message about your QLola account – no matter how urgent, no matter how official it looks – do not click any links. Do not call any phone numbers in the message. Do not reply.

Instead, open a new browser tab. Type bri.co.id manually. Navigate to the QLola portal from there. Or open the QLola mobile app directly from your phone’s home screen – not from a link in a message.

That one habit – typing the official address yourself instead of clicking a link – would have prevented every single victim story in this article.

Rule Two: Verify All Contact Information Against the Official Source

BRI has published its legitimate contact channels on its official website. Take five minutes right now to bookmark that page. Before you trust any WhatsApp number, any email address, or any phone number, check it against the official source.

The legitimate QLola BRI WhatsApp number is not 0813-6035-322 unless that exact number is listed on BRI’s official website. Do not assume. Verify.

Rule Three: Never Share OTP Codes or Passwords

This rule is absolute. No BRI employee will ever ask you for your QLola password. No support agent will ever ask you to read back an OTP code over the phone or type it into a web form that you reached by clicking a link in a message. These codes are for your eyes only.

If someone asks for them, you are not talking to BRI. You are talking to a criminal. Hang up. Close the chat. Call the bank using the official number from the back of your card.

Rule Four: Implement Multi‑Factor Authentication Beyond SMS

SMS‑based one‑time passwords are better than nothing, but they are not secure enough for corporate cash management systems. Criminals can intercept SMS codes through SIM swapping attacks or trick you into providing them through fake support pages.

If QLola offers an authenticator app option – Google Authenticator, Microsoft Authenticator, or a hardware token – use that instead of SMS. Authenticator apps generate codes directly on your device without sending them over the network, making them much harder to intercept.

Rule Five: Train Your Entire Finance Team

One trained employee can save a company millions. The accountant in Semarang saved her company by asking one question. Make sure every person in your organization who has access to QLola – CFOs, treasurers, accountants, payroll staff – knows these rules.

Run regular phishing simulations. Test your team with fake “support” messages and see who clicks. The people who fail are not stupid; they are just untrained. Train them until the habit of verifying first becomes automatic.

Rule Six: Use Separate Devices for Banking

For high‑value corporate accounts, consider using a dedicated computer or tablet that is used only for banking. Do not check email, browse social media, or click random links on that device. The fewer opportunities for malware and phishing, the safer your accounts.

This is not paranoia. This is the standard practice recommended by banking regulators worldwide.

Rule Seven: Set Up Transaction Limits and Dual Approval

Most corporate banking platforms, including QLola, allow you to set transaction limits and require two people to approve large transfers. Enable these features. If a criminal steals one set of credentials, they cannot move large amounts without a second approval.

This is your emergency brake. Use it.

Rule Eight: Enable Real‑Time Transaction Alerts

Set up your QLola account to send you a push notification or email for every transaction, no matter how small. That way, if a criminal does gain access, you will know about the first unauthorized transfer within seconds, not days, and you can contact the bank immediately to stop further transactions.

Rule Nine: Report Suspicious Messages Immediately

If you receive a phishing attempt, do not just delete it. Report it to BRI’s real fraud hotline. Forward the message to the bank’s official WhatsApp number (the one on their real website). Each report helps the bank’s security team track down fake domains, block malicious numbers, and warn other customers.

Your report could save another business from losing everything.

What to Do If You Have Already Fallen for This Scam

If you realize that you have clicked a link, entered your credentials, or provided OTP codes on a suspicious page, do not panic. But do not wait, either. Time is the enemy. Act immediately using this step‑by‑step checklist.

First, contact BRI immediately using the official phone number from the back of your card or from the bank’s official website. Do not use any phone number from the suspicious message. Tell them your QLola credentials may have been compromised. Ask them to freeze your account, block all outgoing transfers, and change your access credentials.

Second, change your QLola password immediately if you still have access. Use a strong, unique password that you have never used anywhere else. Do this from a device that you know is clean – preferably not the device where you clicked the link.

Third, revoke all active sessions. Most banking portals have a “log out everywhere” or “terminate all sessions” feature. Use it. This will kick any criminal out of your account if they are currently logged in.

Fourth, review your recent transactions carefully. Look for small test transfers as well as large amounts. Criminals often test a compromised account with a tiny transfer – Rp 10,000 or Rp 50,000 – before moving larger sums. If you see anything you do not recognize, report it to BRI immediately.

Fifth, check your other business accounts. If you use the same or similar credentials for other bank accounts, change those passwords too. Criminals will try the stolen credentials on other banks.

Sixth, report the incident to the police. File a report with the Indonesian National Police’s cybercrime unit. The more victims who report, the more resources law enforcement can dedicate to shutting down these operations.

Seventh, warn your team. Tell your finance department what happened. Use your experience as a training opportunity. The shame of falling for a scam is nothing compared to the shame of watching another employee make the same mistake because you stayed silent.

The Bigger Picture: Why Business Banking Phishing Is Exploding in Indonesia

Indonesia has seen a dramatic increase in phishing attacks targeting corporate banking systems over the past 18 months. The rapid digitization of business payments, the growth of e‑commerce, and the increasing sophistication of criminal toolkits have all contributed to this trend.

QLola BRI is a particularly attractive target because it holds the keys to large corporate treasuries. A single compromised QLola account can give criminals access to millions of rupiah – far more than a personal banking account. The criminals have adapted their tactics accordingly. They are no longer sending sloppy emails with obvious spelling errors. They are building replica sites, hiring local speakers to staff fake WhatsApp support lines, and using legitimate infrastructure like CDNs to hide their tracks.

The attack documented in these screenshots is not the work of a lone threat actor. It is a professional operation, likely run by a syndicate that includes people with technical skills, people with customer service experience, and people who understand Indonesian banking regulations.

These syndicates are patient. They will spend days building trust with a victim before asking for credentials. They will call multiple times, send follow‑up messages, and create elaborate stories about “system upgrades” or “security breaches.” Their goal is not a quick score. Their goal is to gain persistent access to your business accounts and drain them slowly, over weeks or months, so you do not notice until it is too late.

A Final Word

The fake QLola BRI complaint center is a high‑level, carefully crafted attack designed to steal money from Indonesian businesses. It uses the bank’s real branding, a legitimate CDN, a green padlock, and a fake WhatsApp number to convince you that it is safe. It is not safe. It is a trap.

The criminals are counting on your exhaustion, your trust, and your split‑second decision to click before you think. Do not give them any of those things.

Build a new habit today. When a message lands on your phone or in your inbox claiming there is a problem with your QLola account, do not click. Do not call the number in the message. Do not reply. Open your browser. Type bri.co.id manually. Log in through the official portal. Check for yourself.

That extra thirty seconds will protect your company’s cash, your employees’ paychecks, and your peace of mind.

Share this guide with every business owner, every finance director, and every accountant you know. The more people understand this attack, the harder it becomes for criminals to profit.

This attack was documented and analyzed by the Antiphishing.biz security team based on intercepted screenshots and live threat intelligence. The malicious HTML file has been reported to the CDN provider and to BRI’s security team. If you see a similar page, report it immediately to the bank and to your local cybercrime authorities. Your vigilance could save another business from ruin.

The Phantom Verification: How Discogs Sellers Are Tricked Into Handing Over Their Payment Cards

A new phishing campaign is specifically targeting sellers on Discogs, the popular music marketplace and database. Attackers have constructed a multi‑page deception that begins with a fake human verification check and ends with a cloned Stripe payment form. The screenshots provided document this attack in detail. Understanding each step of the scam is the only way to avoid becoming a victim.

The Three‑Stage Deception

The scam uses a carefully choreographed sequence of web pages, each designed to lower suspicion and increase urgency.

Stage 1 – The Fake CAPTCHA

Threat Intel: This malicious interface was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the dangerous destination URL has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Actual screenshot of "The Phantom Verification: How Discogs Sellers Are Tricked Into Handing Over Their Payment Cards" phishing interface captured during link moderation on our platform.
Figure 1: Actual screenshot of the ongoing fraudulent campaign intercepted by our security systems.

The victim lands on a page that displays “Just a moment…” and a small widget that says “Verify You’re Human” with a checkbox labelled “I’m Not a Robot”. The page is branded with “Powered by XCaptcha · Secure & Private”. In reality, XCaptcha is not a legitimate CAPTCHA provider. This is a classic trick: the attacker creates a fake bot check to make the user believe the site is security‑conscious. Clicking the checkbox does not perform any real verification. Instead, it either triggers the next page or simply records that the user is willing to interact with the fraudulent interface.

Stage 2 – The Discogs‑Branded Notice

Actual screenshot 2 of "The Phantom Verification: How Discogs Sellers Are Tricked Into Handing Over Their Payment Cards" phishing interface captured during link moderation on our platform.
Figure 2: Actual screenshot of the ongoing fraudulent campaign intercepted by our security systems.

After passing the fake CAPTCHA, the user sees a page styled to resemble an official Discogs notification. The header reads “Discogs > Account Settings & Access > Verification”. The message states: “Welcome to Discogs! To continue selling on our platform, you need to complete the verification process. This step ensures the security of our community.”

A fake support chat window is embedded on the same page. The chat text explains: “You will need to enter your card details to verify it and, subsequently, receive payment from your customer.” It reassures the user that “all your personal data is protected by our security department and remains confidential” and that “customer service operators are always online to help you.”

A large button labelled “Proceed to Verification” leads to the final stage.

Stage 3 – The Cloned Stripe Payment Form

Actual screenshot 3 of "The Phantom Verification: How Discogs Sellers Are Tricked Into Handing Over Their Payment Cards" phishing interface captured during link moderation on our platform.
Figure 3: Actual screenshot of the ongoing fraudulent campaign intercepted by our security systems.

The third page is a near‑perfect imitation of a Stripe payment interface. The domain shown in the URL bar is discogs.page25479.lat/merchant/order/DaFsEh. The page displays the Stripe logo and a form requesting:

  • Card number (with a placeholder 1234 1234 1234 1234)
  • Month and year of expiry
  • CVV code (labelled “CV” on the screenshot)
  • Cardholder name (“Full name on card”)

A “Verify” button completes the action.

Why This Scam Is Particularly Dangerous for Discogs Sellers

Discogs is a platform where independent sellers list vinyl records, CDs, and music memorabilia. Many sellers are private individuals who do not have formal business training in cybersecurity. They are often motivated by the desire to sell a few items from their personal collection. This profile makes them ideal targets: they expect to provide payment information to receive money from buyers, and they may not immediately recognise that a request for card details is the opposite of what a legitimate selling platform would require.

The scam deceptive tactics a fundamental confusion between “verifying identity” and “providing payment credentials”. No legitimate marketplace asks a seller to enter their own credit card number as a way to verify their seller account or to receive payments. Payments from buyers are deposited into a seller’s linked bank account or PayPal account – not drawn from the seller’s card.

The presence of the fake support chat adds a dangerous layer of psychological manipulation. The chat creates an illusion of live, human assistance. A worried seller might be tempted to ask questions, and the automated responses (or a real criminal on the other end) would reinforce the legitimacy of the request. The phrase “customer service operators are always online to help you” is designed to prevent the victim from seeking help elsewhere.

Expert Analysis: Technical and Behavioural Red Flags

Cybersecurity professionals who have examined similar phishing kits identify several consistent patterns. This campaign exhibits all of them.

The URL is the most immediate red flag. The page is hosted on discogs.page25479.lat. The domain page25479.lat has no connection to Discogs. The real Discogs website uses discogs.com. Attackers register cheap, often free subdomains on obscure top‑level domains (.lat, .top, .xyz, etc.) to mimic legitimate addresses. Any URL that contains the platform’s name but is followed by a random string or an unfamiliar TLD should be treated as hostile.

The CAPTCHA page serves no technical purpose. Real CAPTCHAs (such as Google’s reCAPTCHA) are used to block automated bots from accessing forms or content. They are never used as a gateway to a subsequent page that then asks for payment card information. If a site shows you a “Verify You’re Human” widget and then immediately presents a financial form, you are looking at a phishing page.

The fake support chat is a behavioural deceptive tactic. Research into online fraud shows that users are more likely to comply with a request when they believe they have a safety net – someone to ask for help. The chat window creates that false safety net. In reality, the “operator” is either a script or a criminal whose only goal is to keep you on the page until you submit your data.

The Stripe form is a direct copy of a legitimate payment interface, but with a critical omission: there is no transaction context. A real Stripe payment form appears when you are actively purchasing something, and it shows the merchant name and the amount to be charged. This form shows neither. It asks for your card “to verify it and, subsequently, receive payment” – a nonsensical statement. Receiving money requires you to provide bank account or PayPal details, not your credit card number.

The Financial Impact: What Happens After You Submit

If a seller enters their card information into this form, the data is sent directly to the attacker. Within minutes, the attacker will test the card with a small authorisation (often $0.00 or $1.00) to confirm it is active. Then they will either:

  • Make high‑value purchases of digital goods that can be resold quickly.
  • Withdraw cash from ATMs if the card is a debit card and the attacker has cloned it.
  • Sell the full card details (number, expiry, CVV, cardholder name) on underground markets for others to abuse.

The seller may not notice the fraudulent transactions until days later, by which time the money is gone and the card is compromised.

How to Protect Yourself: Expert Recommendations for Discogs Users

The following advice is based on standard security practices and the specific tactics revealed in this phishing campaign.

Never initiate account actions from links in unsolicited messages. If you receive an email, direct message, or any notification that claims you need to verify your account, do not click embedded links. Open a new browser tab, type discogs.com manually, and log in to your account. Any legitimate verification requirement will be displayed inside your account dashboard or communicated through the platform’s official messaging system.

Understand how Discogs actually handles seller payments. Discogs itself does not process payments directly. Sellers on Discogs typically use PayPal or Stripe as separate payment gateways. To receive money from a buyer, you provide the buyer with your PayPal email address or a Stripe payment link. You are never asked to enter your credit card number into a Discogs page for the purpose of receiving funds. If a page asks for your card to “verify” your seller status, it is a scam.

Look at the browser’s address bar before entering any information. Legitimate Discogs pages always have a URL starting with https://www.discogs.com/ or https://discogs.com/. If you see a domain like discogs.something.lat or discogs-verify.xyz, close the tab immediately.

Do not trust on‑page chat windows that appear in unsolicited verification flows. Real customer support chats are accessible only after you log into your account and navigate to the help section. A chat that appears unbidden on a verification page is a manipulation tool.

Enable two‑factor authentication on your Discogs account. This will not prevent a phishing page from stealing your card, but it will prevent an attacker from taking over your Discogs account even if they later obtain your password through another method. Use an authenticator app (Google Authenticator, Authy) rather than SMS when possible.

Use virtual or single‑use card numbers for online transactions. Many banks and services (such as Privacy.com, Revolut, or Citi’s Virtual Account Numbers) allow you to generate a temporary card number linked to a spending limit. If you ever encounter a suspicious verification request, using a virtual card with a $1 limit would reveal the scam immediately: the charge would be rejected or you would see an unauthorised attempt.

Monitor your card transactions daily. Set up SMS or push notifications for every transaction. The sooner you spot a fraudulent charge, the faster you can report it to your bank and limit your liability.

What to Do If You Have Already Entered Your Card Details

If you recognise that you have submitted your payment information to a page similar to the one described, act immediately.

Contact your bank or card issuer using the phone number on the back of your card. Do not use any contact information found on the suspicious page. Request that the card be blocked and replaced. Ask the bank to review recent transactions for unauthorised activity.

File a report with your local police. In many jurisdictions, online fraud is a criminal offence. A police report may help you dispute fraudulent charges with your bank.

Change your Discogs password. Even if the phishing page did not explicitly ask for your password, the attacker may have captured it if you used the same device or if the page was part of a wider compromise. Use a strong, unique password.

Report the phishing URL to Discogs. Send an email to their support team with the full URL and screenshots. This helps the platform take down the fraudulent site and warn other users.

Final Words

Phishing attacks that target platform sellers are becoming more sophisticated. They no longer rely on obvious spelling mistakes or generic greetings. They clone the look and feel of legitimate services, add fake CAPTCHAs to create an illusion of security, and embed simulated support chats to disarm critical thinking.

The single most effective defence is a simple rule: never enter your credit card details on a page that claims to be verifying your identity or unlocking your seller status. Real verification uses passwords, two‑factor codes, or identity documents – not payment instruments.

Share this analysis with anyone who sells on Discogs. The more sellers understand these tactics, the harder it becomes for attackers to profit.

How to Spot and Stop a Payment Information Scam Targeting Flatmate Platform Users

A growing number of cybercriminals are creating fake account verification pages designed to steal financial data from users of shared accommodation platforms such as Flatmates.com.au, flatmate.com, and similar services. The scam begins with an urgent message claiming a user’s account has been restricted and requires identity verification within a strict time limit. The message is designed to create panic. The victim is then directed to a fraudulent web page that mimics a legitimate verification portal.

The attacker’s goal is simple: trick users into entering credit card details, bank account information, or other sensitive data. Once the information is submitted, criminals can drain bank accounts or use the stolen data to commit identity fraud.

Understanding how this scam operates and knowing exactly what to look for is the difference between keeping your money and losing it.

The Anatomy of the Attack: What the Screenshots Reveal

The phishing kit used in this campaign consists of several distinct but interconnected pages, each designed to lower the victim’s defences step by step.

Phase 1: The Urgent Account Restriction Notice

The first screen presents itself as an official notification from the platform. It reads: “Your account is temporarily restricted. You need to verify your identity to remove all the restrictions. You need to confirm your bank details within 24 hours.” The message includes a “Status: Verification required” field and a prominent “Verify” button.

Security Notice: This spoofed page was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Actual screenshot of "How to Spot and Stop a Payment Information Scam Targeting Flatmate Platform Users" phishing interface captured during link moderation on our platform.
Figure 1: Live screenshot of the active phishing operation captured during routine moderation.

This approach directly mimics the urgent account verification scams that cybersecurity researchers have documented across multiple industries. As noted in analyses of such attacks, these fake messages claim an account needs checking due to strange activity or security measures and warn that if verification is not completed, the service might stop working. The entire structure is designed to create panic and bypass rational thought.

Phase 2: The Fake Payment Information Form

After clicking the verification link, the victim is directed to a second page that appears to be a bank card addition form. The page displays logos for VISA, American Express, Discover, PayPal, Apple Pay, and Google Pay in an attempt to appear trustworthy and legitimate.

Actual screenshot 2 of "How to Spot and Stop a Payment Information Scam Targeting Flatmate Platform Users" phishing interface captured during link moderation on our platform.
Figure 2: Live screenshot of the active phishing operation captured during routine moderation.

The form itself explicitly requests the following data:

  • Full card number (with a placeholder reading “Kaartnummer” meaning “Card number”)
  • Expiry date (MM/JJ representing month/year)
  • CVV code (placed directly next to the expiry field with the label “123”)
  • Cardholder name (“Naam op de kaart”)

The page concludes with a “VERZENDEN” (Send/Submit) button and claims that all operations comply with PCI DSS (Payment Card Industry Data Security Standard). The PCI DSS logo is a fraudulent addition included solely to give the page an air of legitimacy. No legitimate service would request a full card number, expiry date, CVV, and cardholder name together in a single unsecured form. Genuine platforms use tokenised payment systems where this sensitive data never touches their own servers.

The Expert Analysis: Why This Scam Is Particularly Dangerous

From a technical and psychological perspective, this phishing operation demonstrates a high level of sophistication in its design and execution. Several factors make it especially threatening to users who may not be technically sophisticated.

The use of an artificial 24-hour deadline is a classic social engineering tactic. When a user believes an account is at risk of being permanently restricted or losing access to funds, the urgency overrides critical thinking. Criminals deceptive tactic this security flaw systematically.

Including payment method logos on the page builds false credibility. The presence of well-known brand marks such as VISA, PayPal, and Google Pay subconsciously signals to the user that the page is secure and authenticated. In reality, these logos can be copied by anyone from publicly available sources.

The explicit request for a CVV code alongside the card number is a critical red flag. CVV codes are explicitly designed to verify that the cardholder is physically in possession of the card during a transaction. While some legitimate recurring payment setups may request a CVV for initial authorisation, they do so in an isolated, one-time context and never as part of a standalone identity verification form. Any service that requests CVV together with the full card number and expiry date in a single form intended for “verification” is almost certainly fraudulent.

Key Red Flags: A Checklist for Users

To help users identify this and similar scams in the future, security experts have compiled a set of actionable indicators. Any page exhibiting the following characteristics should be treated as an immediate threat:

Urgency language and time limits: If a page threatens account restriction or service termination unless verification is completed within a specified time window, it is almost certainly a phishing attempt. Authentic platforms rarely use such tactics and would instead direct users to complete verification through their official app or website.

Requests for payment card information as identity verification: No legitimate accommodation or service platform uses a payment card as a means of identity verification. Identity verification involves government-issued identification, two-factor authentication codes sent to registered email or phone numbers, or biometric authentication. Entering card details into a page that claims to verify identity is equivalent to handing a stranger the keys to your bank account.

Poor grammar, inconsistent language, or mixed languages on the same page: The screenshot shows a mix of English (“Verification”) and Dutch (“Bankkaart toevoegen,” “Kaartnummer,” “Verzenden”). While some legitimate services operate in multiple languages, phishing pages frequently mix languages because they are copied from translated templates that were never properly localised.

Absence of specific platform branding or logos: The screenshots reference the platform name only in the URL and the initial restriction message. The verification pages themselves omit the platform’s official logo, colour scheme, or footer information. Legitimate verification processes are fully integrated into the platform’s branded interface.

PCI DSS compliance claim without visible SSL certificate or security verification: Displaying a logo that claims PCI DSS compliance does not make a page secure. True compliance involves a range of backend security measures. Without an active, verified SSL certificate and transparent data protection policies, the claim is meaningless.

Request for CVV in a standalone verification form: As noted previously, this is the most specific and damning indicator of a phishing page.

Expert Advice: What to Do If You Encounter This Scam

Security professionals and accommodation platforms have issued consistent guidance for handling such threats.

Never click verification links in unsolicited messages. If you receive an email, text message, or social media direct message claiming your account is restricted and requiring immediate action, do not click any links contained within the message.

Navigate directly to the platform. Instead of clicking any link, open a new browser tab and manually type the official domain of the accommodation platform you use. If you are a user of Flatmates.com.au, type “flatmates.com.au” directly into the address bar. Navigate to your account dashboard. Any legitimate verification requirement will be displayed there. If no such notice appears, the original message was a fraud.

Contact support through official channels. If you are unsure whether a message is legitimate, contact the platform’s support team directly using the contact information listed on the official website. Do not use the contact details provided in the suspicious message itself.

Enable two-factor authentication (2FA) on all accounts. Two-factor authentication adds a critical layer of security by requiring a code from your phone or an authenticator app in addition to your password. This prevents attackers from accessing your account even if they steal your login credentials.

Monitor your financial accounts. If you have already entered card details into a suspicious page, contact your bank or card issuer immediately. Request a new card number and review recent transactions for unauthorised charges.

The Broader Implications: Why Accommodation Platforms Are Targeted

The increasing targeting of shared accommodation platforms by cybercriminals reflects a broader trend in how phishing attacks are distributed. As noted in fraud prevention literature, flatmate scams operate by creating fake profiles to gather personal information such as email addresses, phone numbers, and even financial details. The shift toward standalone phishing pages that appear to originate directly from the platform itself represents an escalation of the threat.

Unlike rental listing scams that rely on fake properties or overpayment schemes, this approach directly requests the financial data that enables large-scale account theft. By compromising a single user’s payment card, attackers can not only drain that user’s account but also use the stolen credentials to register on other services, conduct fraudulent transactions, or sell the information on dark web marketplaces.

The platforms themselves have taken steps to combat this threat. Official guidance from Flatmates.com.au advises users to be wary of potential phishing sites by checking the URL prior to logging in or providing information. The platform states, “We only use the domain flatmates.com.au” and directs users to safety resources for step-by-step instructions on how to protect themselves. However, platform security measures are only effective when users actively recognise and avoid fraudulent pages.

Final Recommendations

Every user of shared accommodation platforms should adopt the following practices as a matter of routine:

Maintain a single consistent process for all account-related actions. When any notification claims action is required, pause. Open the official application or website manually. Do not trust links in messages. Do not trust QR codes. Do not trust phone numbers provided in the body of emails.

Regularly review your account activity. Check for unfamiliar login locations, unrecognised linked payment methods, or changes to your profile details. Report any suspicious activity to the platform immediately.

Stay informed about current phishing techniques. Scammers adapt their tactics rapidly. Following cybersecurity resources and platform-specific safety guides helps maintain awareness of evolving threats.

Remember that account verification and identity confirmation on legitimate platforms happens through the platform’s own secure interface, typically within the application or website you originally signed up for. No legitimate service will ask for your full payment card details through a standalone web page reached by clicking an external link.

If you believe you have already provided payment information to a fraudulent page, contact your financial institution without delay. Time is critical. The longer stolen card data remains active, the greater the potential for financial loss.

11 Red Flags That Prove You’re Being Targeted by a Marketplace Phishing Scam (And How Sellers Can Protect Their Money)

By Cybersecurity Analyst Team
May 2026

If you sell clothes, electronics, or collectibles on Poshmark, Mercari, eBay, or Depop, you are a prime target for a new wave of sophisticated phishing attacks. The screenshots below show a real-time scam that attempts to drain your bank account – not by hacking, but by tricking you into handing over your payment credentials.

We analyzed a live phishing page that perfectly mimics Poshmark’s verification flow. Here’s how it works, the 12 warning signs you need to memorize, and expert advice to keep your hard-earned money safe.

How the Scam Unfolds (Based on Real Screenshots)

Step 1 – The fake urgency timer
The victim lands on a page that looks like Poshmark’s support interface. A countdown timer (23:58:35) creates panic: “You have 24 hours to complete verification. After this time, your order will be automatic.”

Incident Report: This spoofed page was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the dangerous destination URL has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Actual screenshot of "11 Red Flags That Prove You’re Being Targeted by a Marketplace Phishing Scam (And How Sellers Can Protect Their Money)" phishing interface captured during link moderation on our platform.
Figure 1: Visual proof of the ongoing fraudulent campaign intercepted by our security systems.

Step 2 – Fake live chat “operator”
A chat window shows a friendly “Operator” saying: “Good news – you’re almost done. Just one final step left to complete the process.” This mimics real customer support to lower your guard.

Step 3 – Redirect to “secure verification”
Clicking the “Verify Account” button leads to a second page – a near-perfect clone of a Stripe bank verification form, asking for:

  • Full card number (with placeholder 1234 1234 1234 1234)
  • Expiry date (MM/YY)
  • Cardholder name
  • Billing address (street, city)
Actual screenshot 2 of "11 Red Flags That Prove You’re Being Targeted by a Marketplace Phishing Scam (And How Sellers Can Protect Their Money)" phishing interface captured during link moderation on our platform.
Figure 2: Visual proof of the ongoing fraudulent campaign intercepted by our security systems.

Step 4 – Theft
Once you submit, the data goes directly to attackers. They will drain your card within minutes – often using small test transactions first, then larger purchases or cash withdrawals.

11 Red Flags That Give Away the Phishing Attack

#Red FlagWhat You See (from screenshots)
1Artificial time pressure“Verification Time Limit” with a 23‑hour countdown – real platforms never lock orders behind a timer.
2In‑page “support chat” that feels scriptedThe operator repeats generic phrases like “Scroll down” and “Good news — you’re almost done” – no real interaction.
3Verification requires payment card dataNo legitimate marketplace asks for your credit card number to verify your identity. They use email, SMS, or 2FA.
4Fake Stripe brandingThe page says “Securely connect to your bank account through the Stripe system” – but Stripe never embeds full card entry forms this way without an official redirect.
5The URL is not the real marketplace domain(Not visible in screenshots but crucial) – attackers use domains like poshmark-verify.xyz or random subdomains. Always check the address bar.
6No way to log into your real accountThe fake page has no “sign in” link to your existing Poshmark profile. It’s a standalone form.
7Poor grammar and capitalizationExample: “Your order will be automatic.” (missing “cancelled” or “processed”) and inconsistent spacing.
8The “company” footer doesn’t link to real pagesFooter shows “About”, “Our Community”, “Blog” but links are dead or point to #. Real marketplaces have live, functional footers.
9Transaction ID & contact data mismatchThe scam shows a fake Transaction ID and dummy contact data ([email protected], (201) 555-0123) – these are placeholders, not your real info.
10No ability to skip or cancel verificationReal platforms let you decline verification or complete it later via official app. The fake page forces you forward.
11Request for billing address + card + name + expiry – all on one pageThat’s the full magnetic stripe data. No legitimate service needs the entire set just to verify your account.

Expert Advice: How Sellers Can Keep Their Money Safe

Do this immediately

  1. Never enter card details for “identity verification” – on any platform. Use the official app’s built-in payment methods only.
  2. Open a separate browser tab – manually type poshmark.com (or your platform’s real URL) and log in. If there is a real verification pending, it will show there. If not, the page is a scam.
  3. Enable two-factor authentication (2FA) on your selling account and your email. This prevents attackers from resetting your password even if they steal your login.
  4. Use a virtual credit card or payment service – for any online selling, use privacy.com, Revolut virtual cards, or Apple Pay with dynamic security codes. Never expose your main debit card.

If you already entered your card details

  • Call your bank immediately – tell them your card details were compromised. Request a block and a new card.
  • Check your recent transactions – look for $0.00 authorizations, $1.00 test charges, or any small amounts. Report them as fraud.
  • Change your marketplace password – even if you didn’t enter it, the attacker may try to reuse your email/password combination.

Share this warning with other sellers

Many sellers are targeted via fake “buyer messages” that say “I tried to buy your item but you need to verify your account” – always ignore and report such messages.

Final thought

Phishing has evolved. It no longer looks like a poorly written email from a Nigerian prince. It looks like Poshmark’s chat support. It looks like Stripe. It uses real brand logos and psychological pressure (timers, operators, security badges).

The only thing that protects you is a habit: stop, check the URL, and never type your card into a page you did not reach by typing the official domain yourself.

If you found this article helpful, share it with every marketplace seller you know. Together we can make these scams unprofitable.

Have you spotted a similar phishing attempt? Report the URL to [email protected]

How Peer-to-Peer (P2P) Marketplace Scams Use Automation to Drain Bank Cards

Peer-to-peer (P2P) marketplaces have revolutionized how we buy and sell online, but their popularity has also attracted highly sophisticated cybercriminals. Today, scammers no longer operate manually; they use automated scripts and fake brand interfaces to target victims’ bank accounts.

Our security team recently discovered and analyzed an active automated campaign targeting P2P platform users. Below, we break down how this sophisticated lookalike fraud works and how you can safeguard your financial data.

Who This Guide Is For

This article is written specifically for one group of people: regular buyers and sellers on peer-to-peer marketplaces like Jimoty, Mercari, and similar platforms. If you have ever listed an item for sale, replied to a classified ad, or entered your payment details on a website that connects strangers to buy and sell things, this guide is for you.

You are not a cybersecurity expert. You probably do not think about phishing attacks when you are trying to sell an old bicycle or buy a second-hand smartphone. That is exactly why the criminals behind this new scam have chosen to target people like you.

In Japan alone, phishing reports reached approximately 2.45 million cases in 2025, shattering all previous records. The Financial Services Agency of Japan has issued repeated warnings about impersonation scams targeting financial accounts, and the attack we are about to dissect represents the newest, most dangerous evolution of these threats. It is not a theory. It is not a distant possibility. It is happening right now to people using the same platforms you use every day.

The Scam That Knows How Much Money You Have

Let me paint a picture for you.

You are selling something on Jimoty, one of Japan’s largest classifieds platforms. You have been chatting with a potential buyer. Everything feels normal. Then you receive a message that looks like it came directly from the platform itself. It says your account has been restricted. It mentions the Financial Services Agency of Japan. It says you need to verify your identity immediately or you will lose access to your account.

There is a link. You click it. The page that opens looks exactly like the official Jimoty interface. Same colors. Same logos. Same layout. It even shows that your email and phone number have already been partially verified – a clever trick to make you trust the page.

Analysis Memo: This malicious interface was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the dangerous destination URL has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Actual screenshot of "How Peer-to-Peer (P2P) Marketplace Scams Use Automation to Drain Bank Cards" phishing interface captured during link moderation on our platform.
Figure 1: Verified screenshot of the live scam infrastructure intercepted by our security systems.

You breathe a sigh of relief. This must be real. They already have some of your information.

Then the page asks for your credit card details. Not just the number and expiration date. Not just the CVV code. It asks for something no legitimate website has ever asked you before: the exact current available balance on your card.

Actual screenshot 2 of "How Peer-to-Peer (P2P) Marketplace Scams Use Automation to Drain Bank Cards" phishing interface captured during link moderation on our platform.
Figure 2: Verified screenshot of the live scam infrastructure intercepted by our security systems.
Actual screenshot 3 of "How Peer-to-Peer (P2P) Marketplace Scams Use Automation to Drain Bank Cards" phishing interface captured during link moderation on our platform.
Figure 3: Verified screenshot of the live scam infrastructure intercepted by our security systems.

This is not a mistake. This is not a glitch. This is the core feature of a new type of automated financial fraud.

How this scam actually works

Let me explain what is happening behind the scenes in plain language.

A traditional phishing attack simply steals your card details. The criminals then try to use those details to make purchases or withdraw money. They are guessing how much money you have. They are hoping your bank does not block the transaction.

This scam is different. It is smarter. It is more efficient. And it is far more destructive.

When you enter your card balance into the fake verification page, you are not just providing information. You are giving the criminals a precise target number. Their automated system reads that number and immediately calculates the largest possible transaction that can be approved without triggering your bank’s fraud alerts.

Here is what happens next, step by step.

First, you enter your full card number, expiration date, CVV, and your current balance. The page looks legitimate. It might even display logos of well-known payment processors to put you at ease.

Second, once you submit the form, the criminals’ system processes your information in real time. It knows exactly how much money to take. Not a small test transaction. Not a random amount. The exact amount that will drain your available balance completely.

Third – and this is the part that terrifies even experienced security professionals – the system is designed to bypass the two-factor authentication that is supposed to protect you. It captures the one-time password sent to your phone via SMS. It tricks you into approving push notifications from your banking app. It might even attempt to activate your device’s camera under the false pretense of biometric verification.

By the time you realize something is wrong, your money is already gone. The entire process takes seconds.

The Three Tricks That Make This Scam So Dangerous

The criminals behind this operation are not amateurs. They have studied how regular people think and behave online. They have built their attack around three psychological tricks that are almost impossible to resist unless you know what to look for.

Trick One: The Manufactured Emergency

The fake account restriction notice is designed to create panic. It cites real regulations from the Financial Services Agency of Japan. It uses official-sounding language. It tells you that you have limited time to fix the problem before your account is permanently locked.

When people panic, they stop thinking clearly. They stop checking URLs. They stop asking questions. They just want to solve the problem as quickly as possible. The criminals are counting on exactly that reaction.

Trick Two: The False Baseline Of Trust

The fake page does something very clever. It displays your email address and phone number as already verified. It shows checkmarks next to completed steps. This creates the illusion that you are continuing a process that has already started, not starting a new one from scratch.

Your brain interprets those pre-filled fields as evidence that the page is legitimate. After all, how would a fake website know your contact information? The answer is that the criminals collected it earlier, perhaps from a previous data breach or from the initial message they sent you. But in the moment, most people do not make that connection.

Trick Three: The Balance Question That Should Never Be Asked

This is the most revealing part of the entire scam. No legitimate business has any reason to ask for your current card balance. Not your bank. Not your credit card company. Not any online marketplace. Ever.

When you see a page asking for your available balance, you are looking at a definitive sign of fraud. There is no innocent explanation. There is no legitimate use case. The only reason to ask for that information is to calculate how much money can be stolen from you in a single transaction.

Real Examples From The Front Lines

Security researchers at Antiphishing.biz recently intercepted one of these attacks in progress. The fraudulent page was hosted on a disposable domain called chilw-order.lat – a meaningless name that would never be used by a legitimate company. The page was impersonating Jimoty’s infrastructure and targeting Japanese consumers specifically.

The researchers documented that the attack relied on three distinct technical phases embedded within a single web page. The first phase displayed the fake account restriction notice citing Japanese financial regulations. The second phase requested the card details including the exact available balance in JPY. The third phase attempted to capture SMS one-time passwords and trick users into approving mobile banking push notifications while simultaneously attempting to activate device webcams under the guise of biometric verification.

This is not a theoretical threat. It is a fully operational criminal system that has already been deployed against real people.

In a separate but related trend, security researchers have observed the emergence of scam kits being sold on underground marketplaces. These turnkey solutions allow even technically unsophisticated criminals to launch sophisticated phishing campaigns with minimal effort. The operational footprint of these scam operations is smaller than ransomware, their visibility is lower than many credential-harvesting operations, and they are supported by a well-developed underground marketplace offering ready-made deployment packages.

Expert Advice: How To Protect Yourself Starting Today

You do not need to be a cybersecurity expert to protect yourself from this scam. You just need to follow a few simple rules every single time you interact with any online marketplace.

Rule One: Never Click Links In Messages About Account Problems

If you receive a message claiming your account has been restricted or needs verification, do not click any links in that message. Open a new browser tab. Type the marketplace’s official website address manually. Log into your account normally. If there is a real problem with your account, you will see a notification inside your account dashboard after you log in through the official website.

This single habit will protect you from almost every phishing attack in existence. Criminals rely on you clicking their links. Take that option away from them.

Rule Two: Check The Web Address Before You Enter Anything

Before you type any personal information into a website, look at the address bar of your browser. The real Jimoty website uses jmty.jp. The real Mercari uses mercari.com. The real Yahoo Auctions uses auctions.yahoo.co.jp.

If you see anything else – any variation, any extra words, any unfamiliar endings like .lat or .top or .xyz – close the tab immediately. The presence of a padlock icon in the address bar means nothing. Criminals can get SSL certificates for their fake websites just as easily as legitimate businesses can.

Rule Three: Never Share Your Card Balance With Anyone

Memorize this statement: No legitimate business will ever ask you for your current card balance. Not for verification. Not for security. Not for any reason.

If a website asks for your balance, you are looking at a scam. Close the page immediately. Report it to the platform if possible. Then go about your day knowing you just avoided a financial disaster.

Rule Four: Be Skeptical Of Pre-Filled Information

If a verification page already contains your email address or phone number, do not take that as proof of legitimacy. Criminals can obtain this information from many sources. They can also simply display placeholder text that looks like your information but is actually generic.

The only verification that matters is the web address in your browser’s address bar. Nothing else.

Rule Five: Use Virtual Cards When Possible

Many banks and financial services now offer virtual card numbers – temporary card numbers that you can generate for specific transactions or set with spending limits. If you regularly buy and sell on peer-to-peer marketplaces, using virtual cards adds an extra layer of protection. Even if a criminal obtains your virtual card number, they cannot exceed the limit you set, and you can cancel the virtual number at any time.

Rule Six: Slow Down

This is the most important advice I can give you. Phishing attacks work by creating urgency. They want you to act quickly without thinking. When you feel that sense of panic – when a message tells you your account will be locked if you do not act immediately – that is your signal to stop completely.

Take a breath. Close the message. Open the official website manually. If the message was real, you will see the same notification after you log in. If it was fake, you just saved yourself from losing your money.

What To Do If You Think You Have Been Targeted

If you have already entered your card details into a suspicious page, do not panic. Act quickly but calmly.

Contact your bank or credit card issuer immediately using the phone number on the back of your card. Do not use any contact information from the suspicious message or website. Tell them your card details may have been compromised and request a new card.

Review your recent transactions for any unauthorized charges. Look for small test transactions as well as larger ones. Report any suspicious activity to your bank immediately.

Change your password for the marketplace platform. Use a strong, unique password that you do not use anywhere else. Enable two-factor authentication on your account if the platform offers it.

Monitor your account activity for the next several weeks. Some criminals wait before using stolen card details to avoid detection.

Finally, report the phishing attempt to the platform’s security team. Your report could help protect other users from falling victim to the same scam.

A Final Word From The Security Team

The criminals are constantly evolving their tactics. They change their domain names. They refine their fake pages. They find new ways to bypass security measures. But one thing never changes: they need you to take an action they have scripted for you.

Your best defense is not a piece of software or a security product. Your best defense is awareness. Every time you are about to enter your payment information into a website, pause. Ask yourself whether the request makes sense. Ask yourself whether a legitimate business would ever ask for the information you are about to provide.

If something feels wrong, trust that feeling. Close the page. Open the official website directly. Verify through official channels. The extra thirty seconds it takes to do this might be the thirty seconds that save your entire bank account.

This attack was detected, analyzed, and neutralized by the Antiphishing.biz security team during daily link moderation procedures. The dangerous destination URL has been fully defanged within their infrastructure. But new domains will appear tomorrow, and the week after, and the month after that. The information in this guide will protect you regardless of what domain name the criminals choose.

Stay safe. Stay skeptical. And remember – no legitimate website will ever ask you how much money you have before taking it.

Before You Hit “Verify” On That Depop Alert, Read This Or Watch Your Money Disappear

Who This Guide Is For

This article is written specifically for you – a Depop seller who uses the platform to make a living, earn extra cash, or simply clear out your closet. You are not a cybersecurity expert. You do not have time to analyse every link that lands in your inbox. You just want to sell your items without drama.

And that is exactly why scammers have you in their crosshairs. Depop has grown into a massive global marketplace, and where money flows, criminals follow. According to a recent survey, 57% of Depop buyers reported being targeted by some kind of scam, the highest rate among all second‑hand platforms. Sellers are being hit just as hard – especially with the kind of phishing attack we are about to unpack.

This guide will show you exactly how the scam works, why it feels so real, and – most importantly – how to spot it before you lose a single penny.

The Scam That Pretends To Be Your Friend

Let me walk you through what happened to a real seller who almost fell for this trap. You will recognise the sequence immediately.

Step 1: The Panic Inducer

It starts with a message that looks like it came directly from Depop. The headline screams: “Orders Suspended”. The message tells you that your store operations have been temporarily halted because of a problem with your payment details. You need to “verify” your information immediately, or you will not be able to complete your pending sales.

A large, friendly “Verify” button waits for you at the bottom.

Security Notice: This scam layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Actual screenshot of "Before You Hit “Verify” On That Depop Alert, Read This Or Watch Your Money Disappear" phishing interface captured during link moderation on our platform.
Figure 1: Live screenshot of the active phishing operation isolated on our infrastructure.

This is the hook. The scammer knows that the worst thing that can happen to a seller is lost orders. The thought of a sale slipping away creates instant anxiety. And when people panic, they stop double‑checking things. They click.

Step 2: The “Friendly” Operator

After you click, a chat window pops up. A support agent named “Amelia” welcomes you.

Her message is carefully written to sound warm and reassuring: “The process is secure and only done once” – and then she adds the killer line: “Amelia is a real person, not a robot.”

Actual screenshot 2 of "Before You Hit “Verify” On That Depop Alert, Read This Or Watch Your Money Disappear" phishing interface captured during link moderation on our platform.
Figure 2: Live screenshot of the active phishing operation isolated on our infrastructure.

This is pure psychological manipulation. By claiming to be a human being, the scammer tries to build instant trust. They want you to feel like you are talking to a helpful customer service representative who has your back. In reality, “Amelia” is either a script or a criminal sitting in a different time zone, waiting for you to hand over your card details.

Step 3: The Card Harvesting Form

The final page looks almost official. It displays logos of Visa, American Express, and Discover. It even claims: “All transactions comply with PCI DSS” – a fake security badge designed to make you think your data is safe.

Actual screenshot 3 of "Before You Hit “Verify” On That Depop Alert, Read This Or Watch Your Money Disappear" phishing interface captured during link moderation on our platform.
Figure 3: Live screenshot of the active phishing operation isolated on our infrastructure.

But look closely at what this page asks for:

  • Full card number
  • Expiration date
  • CVV (the three‑digit security code)
  • Name on the card
  • Billing address (street, city, postal code)

This is everything a thief needs to clone your card and empty your account. With these five pieces of information, a criminal can make fraudulent online purchases, sell your card details on underground markets, or even attempt identity theft.

And here is the part that should stop you cold: No legitimate platform, including Depop, will ever ask for your CVV to “verify” your account or restore your selling privileges. Period. End of story.

Why This Feels So Real (And Why You Almost Believed It)

If you are thinking “I would never fall for something this obvious” – stop right there. This scam works on smart, careful people every single day. Here is why.

They use your own fear against you. The threat of lost orders triggers a fight‑or‑flight response. Your brain stops analysing the URL and starts looking for the fastest way to fix the problem. The “Verify” button offers a quick solution. That is the trap.

They fake the feeling of human support. The chat window is not a random pop‑up. It is designed to mimic the live chat tools that legitimate companies use. The name “Amelia” sounds friendly. The claim that she is a real person lowers your guard. You start to think, “If there is a human on the other end, this must be legit.”

They steal credibility from trusted brands. The Visa, American Express, and PCI DSS logos do not belong to the scammer. They are copied from real websites and pasted onto the fake page. Your brain sees those symbols and relaxes, because you have seen them a thousand times on legitimate checkout pages.

The domain name looks almost right. The fake page in this attack was hosted at likedepop.securedirect.cfd. It contains the word “Depop”, which is enough to fool a quick glance. But the real Depop domain is depop.com. The .cfd ending is a major red flag – legitimate businesses do not use cheap, obscure domain extensions.

The One Rule That Will Protect You From Every Phishing Attack

If you remember only one thing from this guide, make it this:

Never, ever click a link from an unsolicited message that claims your account has a problem.

Instead, do this:

Open a new browser tab. Type depop.com manually into the address bar. Log in to your account the normal way. If there is really an issue with your account, you will see a notification inside your dashboard after you log in. If you see nothing – the message was a scam. Close it and move on.

That one habit – typing the official URL yourself instead of clicking a link – will neutralise 99% of phishing attacks, including this one.

Expert Tips: How To Stay One Step Ahead

Here is the advice that security professionals give to their own families. Follow these rules, and you will make yourself a very hard target for scammers.

Turn on two‑factor authentication (2FA) right now. This is the single most effective security measure you can take. Depop supports 2FA. Go to My Depop > My account > Two‑factor authentication and toggle it on. This means that even if a scammer steals your password, they cannot access your account without the one‑time code sent to your phone. It adds an extra lock to your front door.

Never trust a chat window that asks for card details. Legitimate customer support will never – ever – ask you to type your credit card number, expiration date, or CVV into a chat box. If a pop‑up chat starts asking for this information, you are looking at a phishing page. Close it immediately.

Check the URL like a detective. Before you enter any sensitive information, look at the address bar. Is the domain exactly depop.com? Are there any extra words, misspellings, or unusual endings like .cfd, .top, .xyz, or .lat? If anything looks off, close the tab.

Be suspicious of urgency. Any message that says “act now or your account will be suspended” or “you have 24 hours to verify” is almost certainly a scam. Real companies do not pressure you with ticking clocks. They give you time to respond through official channels.

Use a virtual card for online selling. Many banks and services (such as Revolut, Privacy.com, or Citibank) offer virtual card numbers – temporary cards with spending limits. If you use a virtual card for your marketplace transactions, even if a scammer steals the number, they cannot exceed the limit you set. And you can cancel the virtual card instantly without affecting your main bank account.

What To Do If You Already Entered Your Card Details

Do not panic. But do not wait, either. Take these steps immediately.

Call your bank right now. Use the phone number on the back of your credit or debit card. Tell them that your card details may have been compromised in a phishing attack. Ask them to block the card and issue a new one. If any fraudulent charges have already appeared, report them immediately. The faster you act, the more likely you are to get your money back.

Review your recent transactions. Look for small test charges (often $0.00 or $1.00) as well as larger amounts. Criminals sometimes test a card with a tiny transaction before making a big purchase. Report anything you do not recognise.

Change your Depop password. Even if the phishing page did not ask for your password, it is better to be safe. Choose a strong, unique password that you do not use on any other website.

Enable 2FA if you have not already. This will prevent anyone from taking over your Depop account, even if they manage to steal your login credentials later.

Report the phishing page. Send the URL and screenshots to Depop’s security team. Your report could help protect other sellers from falling into the same trap.

A Final Word From The Security Team

The phishing attack described in this guide was intercepted, verified, and disabled by the Antiphishing.biz security team during their daily link moderation work. The dangerous domain no longer works. But new ones appear every week, using the same tactics, the same fake chat windows, and the same urgent messages.

The criminals behind these attacks are counting on one thing: that you will act before you think. They want you to click first and ask questions later. Do not give them that satisfaction.

Build a new habit today. When a message lands in your inbox claiming your account is in trouble, do not click. Do not panic. Do not chat with “Amelia”. Open a fresh browser tab. Type depop.com with your own fingers. Log in. Check for yourself.

That extra thirty seconds will save you from a world of financial pain. Stay safe out there.

If you found this guide helpful, share it with every seller you know. The more people understand this scam, the harder it becomes for criminals to profit.

That “Buyer” Just Sent You A Payment Confirmation? Stop. Read This First Or Watch Your Bank Account Empty.

Who This Guide Is For

This is for you – the Tise seller who uses the app to clear out your wardrobe, make some extra cash, or run a small second-hand business. You are not a cybersecurity expert, and you should not have to be one just to sell a pair of jeans online.

Tise is a beloved platform, especially in Norway and the rest of the Nordics. It calls itself the largest community for buying and reselling second-hand fashion in the region, with millions of users across Norway, Sweden, Denmark, and Finland. And last year, the global giant eBay saw how special this community is, acquiring Tise to help it grow even further. It is a great place. But as the community gets bigger, the people who want to take advantage of it get smarter.

This guide will show you exactly how a new, highly convincing scam works. We will walk through every step the criminals take, from the first message in your chat inbox to the fake page that tries to steal your card details. We will look at the tricks they use to make you panic, the small details they copy to make their fake page look real, and – most importantly – the simple, everyday habits that will protect your money forever.

The Story Of A Scam That Almost Worked

Let me tell you what happens to a Tise seller when they become the target of this attack. You will recognise the sequence immediately, because it is designed to look just like a normal sale.

Act One: The “Interested Buyer”

It all starts with a message inside your Tise chat. A person expresses interest in an item you have listed. They seem genuine. They ask a normal question. You feel good – a sale might be coming.

Then, suddenly, they claim to have made the payment. They say they have sent the money. But there is a problem. To “receive the funds” or “confirm the sale”, you need to click a short link they provide. They might even sound helpful or a little urgent, saying something like, “Just click this link to complete the transaction on your end.”

This is the hook. The scammer knows that you are excited about the sale. You want it to go smoothly. And because the message comes from inside the Tise chat – where all your legitimate conversations happen – your guard is already down.

In many cases, the link is sent through a shortener or an intermediate web address. This is a deliberate tactic. The criminals use these extra steps to hide the real destination from automated security scanners, making it harder for anyone to flag the link as dangerous before it reaches you.

Act Two: The Page That Looks Just Like Home

When you click the link, you are not taken to Tise. You are taken to a page that is designed to look exactly like Tise.

The criminals have built a perfect visual copy. The layout uses the same typography, the same logo formatting, the same search bar placement, and the same corporate color palette as the real Tise. They even use flawless Norwegian text. If you are a local seller, this page speaks your language with complete accuracy.

This is not a coincidence. This is brand impersonation. The goal is to make you feel comfortable and familiar, so you do not question where you really are.

Act Three: The 24-Hour Lockdown Message

At the top of this fake page, you see a headline that stops you cold: “Hei, din Tise-konto er midlertidig begrenset” – “Hi, your Tise account is temporarily restricted.”

The message below explains that your seller account has been locked. It says you have a strict deadline – within 24 hours – to confirm your identity and your bank details. If you do not act, you will lose access to your account.

This is the panic trigger. The thought of your account being locked, especially right when you are trying to complete a sale, creates instant anxiety. Your brain shifts into problem-solving mode. The urgency pushes you to act fast, without double-checking anything.

And right there, on the page, is a large, inviting button that reads “Verifiser nå” – “Verify now”.

Act Four: The Form That Takes Everything

You click the button. A new page opens. It asks for your full credit card number, expiration date, CVV code, and your BankID codes.

Let me be extremely clear: This is not a verification. This is a harvest.

With these four pieces of information, the criminals do not need to guess anything. They can drain your bank account immediately. They can initiate unauthorized wire transfers without any further input from you. They can sell your complete financial profile – your name, your card number, your security codes – on underground marketplaces where other criminals buy them in bulk.

And here is the part that should make you angry, not scared: A legitimate marketplace never demands that a seller enter full credit card details to receive money for a sold item. Payments on Tise are handled through pre-linked bank accounts. You set up your payment method once. You do not re-enter your card information every time someone buys something from you.

The Three Dirty Tricks That Make This Scam So Dangerous

The criminals behind this operation are not guessing. They have studied how real people think and behave online. They have built their attack around three psychological tricks that are almost impossible to resist unless you know what to look for.

Trick One: They Start Inside The Trust Zone

The initial message arrives in your official Tise chat inbox. That is the most trusted place on the platform. You have had dozens of real conversations there. Your brain has learned to associate that inbox with safety and legitimacy.

By starting the attack there, the scammer bypasses your first line of defense. You do not question the message because it is sitting right next to all your other real conversations. This is a deliberate choice. They are hiding in plain sight.

Trick Two: They Create A Manufactured Emergency

The 24-hour lockdown notice is pure panic fuel. When people are afraid of losing their account – and the money that comes with it – they stop thinking clearly. They stop checking URLs. They stop asking smart questions. They just want to fix the problem as fast as possible.

Incident Report: This deceptive layout was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the dangerous destination URL has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Actual screenshot of "That “Buyer” Just Sent You A Payment Confirmation? Stop. Read This First Or Watch Your Bank Account Empty." phishing interface captured during link moderation on our platform.
Figure 1: Visual proof of the live scam infrastructure captured during routine moderation.

The scammers are counting on that exact reaction. The deadline is fake. The lockdown does not exist. The only real emergency is the one they created inside your head.

Trick Three: They Steal Legitimacy From Real Brands

The fake page uses the exact same fonts, colors, and logos as the real Tise. It even copies the official language and tone. This is not an accident. The scammers know that your brain sees those familiar elements and relaxes. The brand has done the hard work of building trust over years. The criminal just steals that trust and uses it against you.

And in case you still have doubts, the page displays a title in your browser tab that says “Tise | TISE.NO”. That looks convincing. But the actual address in your browser’s address bar – the real URL – has nothing to do with Tise. It is a cheap, generic domain like the one identified in this attack, ordernzt.net. The fake title is just window dressing.

The One Rule That Will Save You Every Time

If you remember only one thing from this entire guide, make it this:

Never, ever click a payment or verification link sent to you by another user inside a marketplace chat.

No matter how official the message looks. No matter how urgent the warning seems. No matter how nicely the “buyer” asks.

Instead, do this simple, five-second habit:

Open a new tab in your browser. Manually type the real Tise website address – tise.com or tise.no – into the address bar. Log into your account the normal way. Then check your account dashboard.

If there is a genuine problem with your account, you will see a notification there. Right inside the official platform. If you see nothing – and you will see nothing – then the message you received was a scam. Close it, report it, and move on with your day.

That one habit – typing the official URL yourself instead of clicking a link – will shut down this entire attack before it even gets started.

Expert Tips: How To Stay One Step Ahead Of The Scammers

Here is the advice that security professionals share with their own families. Follow these rules, and you will become a very difficult target for criminals.

Turn on two-factor authentication (2FA) right now. This is your digital seatbelt. It means that even if someone steals your password, they cannot get into your account without a one-time code sent to your phone. Tise supports this. Go into your account settings and turn it on. It takes two minutes and adds a massive layer of protection.

Keep all conversations inside the Tise chat. The Tise Help Center explicitly warns users: if someone asks to move the conversation to another platform like Messenger, WhatsApp, or SMS, that is a major red flag. There is no legitimate reason to take a transaction outside Tise’s own system. Doing so is almost always an attempt to bypass the platform’s security controls.

Never click links sent by another user. This is Tise’s own advice, and it is golden. Links sent in chat messages are often attempts at phishing, where the person tries to obtain sensitive information such as card details. The link might look unusual or overly long, or it might pretend to belong to a legitimate service like a shipping company. If it is a link, do not touch it.

Check the address bar like a detective. Before you enter any personal information on a webpage, look at the browser’s address bar. Is the domain exactly tise.com or tise.no? Are there any extra words, misspellings, or strange endings like .net, .top, or .xyz? If anything looks off, close the tab immediately. The Antiphishing.biz team noted that the fake page in this attack used the domain ordernzt.net, which has no connection to the real platform.

Understand how payments actually work. Tise handles payments through pre-linked bank accounts. You set up your payment method once. You do not re-enter your card details to receive money for a sale. If a page asks for your full credit card information, CVV, or BankID codes to “verify” you, you are looking at a scam. Legitimate marketplaces never demand this.

Be suspicious of urgency. Any message that says “act now or your account will be locked” or “you have 24 hours to verify” is almost certainly a scam. Real companies do not pressure you with ticking clocks. They give you time to respond through official channels.

Use a virtual card for online selling. Many banks and services (such as Revolut, Privacy.com, or others) offer virtual card numbers – temporary cards with spending limits. If you use a virtual card for your marketplace transactions, even if a scammer steals the number, they cannot exceed the limit you set. And you can cancel the virtual card instantly without affecting your main bank account.

What To Do If You Think You Have Been Targeted

Do not panic. But do not wait, either. Take these steps immediately.

Call your bank right now. Use the phone number on the back of your credit or debit card. Tell them that your card details may have been compromised in a phishing attack. Ask them to block the card and issue a new one. If any fraudulent charges have already appeared, report them immediately. The faster you act, the more likely you are to get your money back.

Review your recent transactions. Look for small test charges (often very small amounts like $0.00 or $1.00) as well as larger ones. Criminals sometimes test a card with a tiny transaction before making a big purchase. Report anything you do not recognise.

Change your Tise password. Even if the phishing page did not ask for your password, it is better to be safe. Choose a strong, unique password that you do not use on any other website.

Enable 2FA if you have not already. This will prevent anyone from taking over your Tise account, even if they manage to steal your login credentials later.

Report the phishing attempt to Tise. Use the in-app reporting tools to flag the user who sent you the suspicious message. The Tise Help Center has a simple way to do this. Your report could help protect other sellers from falling into the same trap.

Consider filing a police report. In some cases, especially if you have suffered a financial loss, contacting the police can be an important step.

A Final Word From The Security Team

The phishing attack described in this guide was intercepted, verified, and disabled by the Antiphishing.biz security team during their daily link moderation work. The dangerous domain no longer works. But new domains will appear tomorrow, and the week after, and the month after that.

The criminals behind these attacks are counting on one thing: that you will act before you think. They want you to click first and ask questions later. Do not give them that satisfaction.

Build a new habit today. When a message lands in your chat inbox claiming a payment has been made or your account is restricted, do not click. Do not panic. Do not follow the link. Open a fresh browser tab. Type tise.com or tise.no with your own fingers. Log in. Check for yourself.

That extra thirty seconds will save you from a world of financial pain.

Stay safe out there. And if you found this guide helpful, share it with every seller you know. The more people understand this scam, the harder it becomes for criminals to profit.

One Fake Refund Form Cost Her $6,000: The Airline Tech Support Scam That Turns Your Panic Into Their Payday

Who This Guide Is For

This article is written for you – anyone who has ever received a confusing charge notification from an airline, a travel agency, or a tech subscription service and wondered, “Did I actually buy this?”

You check your email and see a receipt for a $1,278 charge from an airline. You have never flown that airline. You do not recognize the seat booking or the reference number. Your heart rate spikes. Your first instinct? Find the customer support number and get this fixed immediately.

Threat Intel: This malicious interface was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Actual screenshot of "One Fake Refund Form Cost Her ,000: The Airline Tech Support Scam That Turns Your Panic Into Their Payday" phishing interface captured during link moderation on our platform.
Figure 1: Actual screenshot of the active phishing operation intercepted by our security systems.

That instinct is exactly what the scammers are counting on.

This attack targets frequent flyers, business travelers, vacation planners, and anyone with a credit card linked to online services. It does not matter whether you are tech-savvy or barely comfortable booking flights online. The scam is built to bypass your rational brain and speak directly to your fear of losing money.

Over the past two years, fake airline customer support scams have caused victims to lose thousands of dollars. One Canadian woman lost $6,000 after scammers impersonated airline support accounts while her family was urgently trying to deal with a cancelled flight. Another airline customer lost over $17,000 during a single phone call with a fraudster who used internal systems to legitimize the transaction.

This guide walks through the exact mechanics of a real, intercepted attack. It explains why the trap works, how to recognize it before you lose a single penny, and what to do if you have already fallen into it.

How The Trap Gets Sprung: The Four-Step Extraction Machine

The attack documented by the Antiphishing.biz security team reveals a highly organized, multi-layered fraud operation. It is not a random phishing email. It is a coordinated sequence designed to move you from confusion to panic to action – and from action to financial loss.

Step One: The Fake Invoice That Creates Panic

It begins with an urgent message. An email or SMS arrives in your inbox. It looks like an automated receipt from a well-known airline, travel agency, or tech company. The message states that a large charge – in this specific attack, $1,278 – has already been authorized on your account for something you never purchased. The receipt mentions seats that you never booked.

The message does something clever, however. It does not include a direct refund link. Most people have learned not to click suspicious links in emails. The scammers know this. So instead of a link, the message provides a toll-free customer assistance number. In the intercepted attack, that number was 1-860-616-0240.

Why is this effective? Because a phone number feels safe. You are not clicking a mysterious link. You are calling a person. Your brain registers this as the responsible, cautious choice. You are taking action the old-fashioned way.

What you do not realize is that the phone number is the trap door.

Step Two: The Fake Call Center That Sounds Real

When you dial that number, you are not connected to an airline’s automated enterprise system. You are connected directly to a fraudulent call center. The person who answers introduces themselves as a support agent. They sound professional. They sound calm. They sound like they have done this a thousand times.

The operative asks for your fake invoice number – which is conveniently displayed in the original email – and verifies it. They confirm that a pending transaction exists on your account. They express concern. They assure you that they can reverse the charge immediately. All you need to do is follow a simple process.

This is the psychological pivot point. You came in feeling anxious and confused. Now you are speaking to a helpful person who understands the problem and promises to fix it. The relief you feel lowers your guard completely.

Step Three: The Single-Use Link That Leads Nowhere Good

To “process the cancellation,” the operative generates a single-use, highly customized short link via an API. They send it to you by SMS or chat. The link is unique to you. It contains information that only you and the scammer share. This personalization makes it feel legitimate and secure.

When you click the link, you are taken to a payment page. It looks professional. It includes familiar elements like Google Pay and Apple Pay integration, plus a standard reCAPTCHA widget. The presence of these recognizable global tech components lowers your suspicion. Your brain sees these trusted logos and relaxes, assuming you are interacting with a heavily audited payment architecture.

Step Four: The Inversion That Steals Your Money

Here is where the magic trick happens – and why this scam is so dangerous.

The operative on the phone tells you that you are entering your payment details into a secure cancellation portal to verify your identity and receive a reverse credit. They explain that the system needs to confirm you are the legitimate cardholder before processing the refund. This sounds plausible. Many legitimate services ask for payment confirmation.

But the truth is the exact opposite of what you have been told.

The page you are looking at is not a cancellation portal. It is a standard merchant billing portal. Every field you fill out – your full credit card number, expiration date, CVV, and billing address – is being collected to execute a live charge. When you click the blue button that says “Process Payment” or “Verify,” you are not canceling anything. You are authorizing the scammers to pull $1,278 directly out of your bank account.

Let me repeat that because it is the most important sentence in this guide:

The scammers trick you into paying them to cancel a charge that never existed in the first place.

You receive a fake invoice for $1,278. You call a fake support number. A fake agent tells you to enter your card details into a fake cancellation portal. And then the fake portal charges you the real $1,278.

The invoice was fiction. The charge becomes fact.

The Three Psychological Levers The Scammers Pull

Understanding why this scam works is the first step to making sure it never works on you.

Lever One: The Appearance of Knowledge

Look closely at the payment page in the intercepted attack. Under “Transaction Details,” every field – the victim’s full legal name, private email address, phone number, and the exact target amount – is permanently hardcoded and locked. You cannot edit these fields. They are frozen in place.

This is not a technical limitation. It is a deliberate design choice.

When you see a page that already knows your name, your email, and the amount you supposedly owe, your brain concludes that this must be legitimate. The system already knows who you are. It already has your information. You are not providing anything new. You are just confirming what is already there.

This creates an illusion of a secure, formal system. The locked fields reinforce the false legitimacy of the support agent who guided you there. The page feels official because it appears to have been waiting for you.

Lever Two: The Misdirection of Trusted Logos

The page embeds official merchant integration styles for Google Pay and Apple Pay alongside a standard reCAPTCHA widget. These are real, legitimate components used by thousands of trusted websites.

Scammers do not create fake versions of these logos. They embed the actual code that displays the real logos. When you see a Google Pay button, your brain registers that Google is involved. When you see a reCAPTCHA checkbox, your brain registers that security verification is happening.

But these components prove nothing about who is running the page. A scammer can embed a real reCAPTCHA just as easily as a legitimate merchant can. The presence of these logos does not mean the page is safe. It only means the scammer knows how to copy and paste code.

Lever Three: The Refund Request That Should Never Exist

This is the single most reliable red flag in the entire attack. No legitimate company – airline, bank, subscription service, or any other business – requires a customer to input a full credit card number, expiration date, and CVV code on a web form to receive a refund or cancellation.

Think about this logically. If a company needs to refund you money, they already have your payment information on file. They do not need you to re-enter it. They do not need you to “verify” your card to process a credit. The only reason a page would ask for your full card details is to charge you.

Repeat this to yourself until it becomes automatic: Refunds do not require your credit card number. Purchases do.

The Real Stories Behind The Statistics

This is not abstract theory. Real people are losing real money to these exact tactics.

A woman from North Vancouver lost $6,000 after scammers impersonated airline customer support accounts on social media. Her family was urgently trying to deal with a cancelled flight when the fraudsters struck. They used fake social media replies, WhatsApp calls, refund promises, and money transfers through payment platforms to extract thousands of dollars from a panicked traveler.

In another documented case, a United Airlines customer lost over $17,000 during a three-hour phone call with a fraudster. The scammer allegedly used United’s internal systems to legitimize the transaction, leaving the victim with a valid flight booking and a massive fraudulent charge. The victim thought they were dealing with official support. They were dealing with a criminal who knew exactly how to sound authentic.

Fake airline customer support numbers are now showing up as top search results through paid advertisements. Attackers are increasingly using hijacked ad accounts – not just fake ones – to push their fraudulent phone numbers to the top of Google and Bing search results. Instead of sending victims to a fake website, scammers bring them straight into a live conversation, where they can manipulate them in real time.

This attack vector has become so widespread that security researchers have documented campaigns impacting users across at least 48 organizations in the United States, affecting industries such as healthcare, manufacturing, and technology. Activity was first observed in early 2026 and escalated rapidly due to the attackers’ ability to blend malicious content into legitimate-looking search results.

Expert Advice: How To Spot This Scam Before It Costs You

You do not need to be a cybersecurity professional to protect yourself. You just need to change a few habits and remember a handful of simple rules.

Rule One: Never Call The Number In An Unexpected Invoice Email

If you receive an email or text message claiming a charge has been made to your account – especially if it is for an amount you do not recognize – do not call the number provided in that message. The number is almost certainly fraudulent.

Instead, open a new browser tab. Go directly to the official website of the airline, bank, or service mentioned in the message. Find their customer support contact information on their official site. Call that number. Ask them to verify whether the charge is legitimate.

This takes an extra three minutes. Those three minutes could save you thousands of dollars.

Rule Two: Understand That Refunds Never Require Your Card Details

Commit this to memory: A legitimate refund does not require you to enter your full credit card number, expiration date, CVV, or billing address. The company already has that information if they need to credit your account. If a refund requires a card, it is not a refund. It is a charge.

If you are on a call with someone who claims to be processing a refund and they send you a link to a page that asks for your card details, hang up immediately. You are talking to a scammer.

Rule Three: Be Suspicious of Pre-Filled Information

A page that already contains your name, email, and invoice amount does not prove legitimacy. Scammers can obtain this information from previous data breaches, from public records, or from the initial message you received. The locked fields are a psychological trick, not a security feature.

The only thing that proves a page is legitimate is the web address in your browser’s address bar. Check it carefully. Is the domain exactly the official domain of the company you think you are dealing with? Are there any misspellings, extra words, or unusual endings like .net, .top, or .xyz? If anything looks off, close the tab.

Rule Four: Be Wary Of Payment Pages With Google Pay And Apple Pay But No Company Affiliation

Familiar payment logos create a false sense of security. A page can embed a real Google Pay button and still be entirely fraudulent. The presence of these logos means nothing. Focus on the domain name and the context. Does the page display a clear company name and logo that matches the airline or service you originally contacted? If not, you are in the wrong place.

Rule Five: If A Support Agent Sends You A Link, Treat It As Hostile

Legitimate customer support agents rarely send links to payment pages during a phone call. When they do – for example, to process a payment for a new booking – the link will be clearly associated with the company’s official domain. A link that contains random words, numbers, or unfamiliar endings like the one documented in this attack (/Airtickt240-860-6160) is a definitive technical marker of fraud.

Rule Six: Use A Credit Card Instead Of A Debit Card For Travel Bookings

Credit cards offer significantly better fraud protection than debit cards. If a fraudulent charge appears on your credit card, you can dispute it and the card issuer will typically remove the charge while they investigate. With a debit card, the money leaves your bank account immediately, and recovering it can be a much longer, more difficult process.

Rule Seven: Enable Transaction Alerts On All Your Cards

Set up text or email alerts for every transaction above a certain threshold – say, $1 or $10. This way, if a fraudulent charge occurs, you will know about it within seconds. The faster you detect fraud, the faster you can report it and limit your losses.

What To Do If You Think You Have Been Targeted

If you have already entered your card details into a suspicious page, time is critical. Take these steps immediately.

First, call your bank or credit card issuer right now. Use the phone number on the back of your physical card – not any number from the suspicious message or page. Tell them that your card details may have been compromised in a phishing attack. Ask them to block the card and issue a new one. If any fraudulent charges have already appeared, report them immediately and request a chargeback.

Second, review your recent transactions. Look for small test charges (often $0.00 or $1.00) as well as larger amounts. Criminals sometimes test a card with a tiny transaction before making a big purchase. Report anything you do not recognize to your bank.

Third, change your passwords. If you use the same email address and password combination on other websites, scammers may attempt to reuse those credentials. Change your passwords for your email account, your bank login, and any travel or airline accounts you hold. Use strong, unique passwords for each service.

Fourth, file a report. Report the incident to your local police. File a complaint with the Federal Trade Commission (if you are in the US) or your country’s equivalent consumer protection agency. If the scam involved a specific airline or travel company, report it to their security team as well.

Fifth, warn others. Share what happened with friends and family. The more people understand how this scam works, the fewer victims the criminals will find.

One More Thing: The New Frontier Of Travel Scams

This particular attack uses a phone number and a fake payment page. But scammers are constantly evolving their tactics.

Fake airline customer support numbers are now appearing at the top of search results through paid advertisements. When you search “Delta customer service” or “United Airlines refund,” you may see sponsored results that look official but actually lead to fraudulent call centers. Search engine companies are fighting this, but new ads appear constantly.

Social media is another battleground. Scammers create fake support accounts on X (formerly Twitter), Facebook, and Instagram that mimic official airline profiles. When you tweet at an airline about a problem, a scam account may reply with a phone number or link before the real airline responds.

Fake flight cancellation texts are also widespread. These messages appear to come from your airline, include your name and flight number, and tell you to call a number to rebook. When you call, you reach a scammer who offers to book you a new ticket – for a price – even though your original flight was never canceled.

The common thread across all these scams is the phone number. The scammers want you to call. Once you are on the phone, they have your attention, your trust, and your willingness to follow instructions. Do not give them that opportunity.

The Bottom Line

The tech support and flight booking scam is a masterpiece of psychological manipulation. It uses your own fear of losing money to trick you into handing over your card details. The fake invoice creates panic. The fake call center provides comfort. The fake cancellation portal completes the theft.

But the scam has a fatal weakness. It relies entirely on you taking action without verifying the source. Every single step of the attack falls apart if you pause, take a breath, and ask one simple question: “Does this make sense?”

Why would an airline charge me for seats I never booked?

Why would they need my card details to cancel a charge that was supposedly already authorized?

Why is the support number in this email different from the number on the airline’s official website?

The answers to these questions will always lead you to the same conclusion: close the message, close the tab, hang up the phone, and go directly to the official source.

The scammers are counting on your panic. Do not give it to them. Stay calm. Stay skeptical. And remember – no legitimate refund has ever required you to type in your credit card number to receive it.

This attack was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during automated link scanning workflows. The phishing source domain has been completely disabled within their infrastructure to protect the public.

Xfinity Just Sent You A Policy Update? Stop. Don’t Click Anything Until You Read This.

Who This Guide Is For

This article is written for you – anyone who pays an Xfinity bill, logs into an Xfinity account, or relies on Comcast for internet, TV, or home phone service. You are not a cybersecurity expert. You do not spend your days analyzing email headers or inspecting SSL certificates. You just want your services to work and your personal information to stay private.

But that is exactly why scammers have you in their crosshairs. Xfinity has millions of customers across the United States, and where there are accounts, there are criminals trying to break into them.

In early 2026, authorities in New Jersey issued urgent scam warnings targeting Verizon and Xfinity customers. Scammers have been sending waves of fake emails and texts, trying to trick customers into giving up their login credentials. The Antiphishing.biz security team recently intercepted, verified, and locked down one of these campaigns in real time. The attack used a simple but devastating two-page trick designed to steal usernames and passwords from unsuspecting Xfinity account holders.

This guide will walk you through exactly how that attack worked, why it nearly fooled the people who saw it, and – most importantly – the simple habits that will keep your account safe forever.

The Two-Page Trap That Steals Your Xfinity Login

Let me show you exactly what happens when you become the target of this phishing campaign. The attack is designed to feel harmless at first. That is what makes it so dangerous.

Page One: The Innocent “Thanks For Choosing” Screen

The first page you see looks like a simple welcome message. It displays the Xfinity logo, a friendly “Thanks for choosing xfinity” greeting, and a single button that says “click here to continue”.

Incident Report: This scam layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the hostile origin link has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Actual screenshot of "Xfinity Just Sent You A Policy Update? Stop. Don’t Click Anything Until You Read This." phishing interface captured during link moderation on our platform.
Figure 1: Visual proof of the active phishing operation isolated on our infrastructure.

That is it. No request for personal information. No urgent warning about your account being locked. Just a polite thank-you and a button.

This page has no real function. It exists for one reason only: to make you click that button and move to the next screen.

Why would scammers add an extra step? Because it lowers your guard. By the time you reach the second page, you have already taken an action. You have already committed to the process. Your brain is no longer in alert mode. You are just following the flow.

Page Two: The Fake Sign-In Form

After you click, you are taken to a second page that mimics Xfinity’s real login screen as closely as possible. It asks for your email, mobile number, or username, followed by your password. A “Let’s go” button waits at the bottom.

Actual screenshot 2 of "Xfinity Just Sent You A Policy Update? Stop. Don’t Click Anything Until You Read This." phishing interface captured during link moderation on our platform.
Figure 2: Visual proof of the active phishing operation isolated on our infrastructure.

The page includes fake legal text: “By signing in, you agree to our Terms of Service and Privacy Policy.” This is designed to make the page feel legitimate and official.

Once you enter your Xfinity ID and password and click that button, your information is sent directly to the attackers. They now have full access to your account. They can view your billing information, change your service plan, order new equipment in your name, and – worst of all – try the same email and password combination on other websites like your bank, your social media accounts, or your email provider.

The Real Stories Behind The Warning

This is not a theoretical threat. Scammers have been actively targeting Xfinity customers using multiple different stories, all designed to create the same sense of urgency.

One widely reported scam sends emails claiming that Xfinity’s Terms of Service and Privacy Policy have changed. The email threatens that customers will lose access to their emails if they do not click a link immediately. Another scam claims that a user changed their Wi-Fi network name or password and encourages the customer to click a link to reconnect. Both use the same technique: a phony link that leads to a fake login page designed to steal passwords and personal information.

The Middlesex County Prosecutor’s Office in New Jersey issued an alert in early 2026 warning residents about these exact scams. The alert noted that senior citizens are especially vulnerable to these tactics and urged customers to never click unsolicited links or provide login information.

One customer shared their experience on a neighborhood forum: they received an email claiming their Xfinity account had been accessed from Pakistan. Shortly after, they noticed unauthorized changes to their account settings. Another customer reported that after clicking a link in a fake Xfinity email and paying what they thought was a small bill, the scammers continued to harass them with calls and messages. The link was the entry point, and the damage did not stop there.

Even the official Xfinity Community Forums are filled with reports from users who suspect they have encountered phishing attempts. One forum participant offered a crucial piece of advice: any official email from Comcast or Xfinity viewed on the website will have a verified logo displayed before it. If you do not see that logo, you can be certain the email is not from Xfinity. That simple visual check can save you from a world of trouble.

The Four Red Flags That Give Away The Fake Page

The Antiphishing.biz team documented a clear set of differences between a real Xfinity login page and the fake version. Here is what you need to look for.

Red Flag One: The Web Address

A real Xfinity login page starts with https://login.xfinity.com/ or customer.xfinity.com. The fake page uses suspicious, unrelated domains – often github.io, free hosting services, or misspelled domains like xfinity-login.xyz. If the address in your browser bar does not say exactly xfinity.com or customer.xfinity.com, you are in the wrong place.

Red Flag Two: The Missing Security Features

Real Xfinity pages show a green lock icon and a valid security certificate issued to Comcast. Fake pages often lack visible security indicators altogether, or they use certificates issued to unknown entities. While a padlock icon alone does not guarantee a page is safe – scammers can get SSL certificates too – the absence of one or a certificate issued to a strange company name is a clear warning.

Red Flag Three: The Missing Account Options

Real Xfinity login pages include standard account recovery options like “Forgot password?” or “Create an account” links. The fake page documented by Antiphishing.biz had no such options. It was stripped down to just the logo and the form. If a login page feels incomplete or bare-bones, treat it with suspicion.

Red Flag Four: The Unnecessary Extra Click

Real Xfinity takes you directly to the login form. The fake page uses an intermediate “click here to continue” step. This extra click serves no legitimate purpose. It is a psychological trick designed to lower your guard before you reach the credential-harvesting form. Any login flow that makes you click an unnecessary button before asking for your password should raise an alarm.

Expert Advice: How To Keep Your Xfinity Account Safe

You do not need to be a cybersecurity professional to protect yourself. You just need to change a few simple habits and remember a handful of rules.

Rule One: Never, Ever Click Links In Unexpected Messages

If you receive an email or text message claiming to be from Xfinity – especially one that warns you about policy changes, Wi-Fi issues, or account problems – do not click any links inside that message. Scammers are counting on you to click. Take that option away from them.

The Middlesex County Prosecutor’s Office put it bluntly: do not click unsolicited links. Do not provide your login information. The only safe way to access your account is to open a new browser tab, type xfinity.com or customer.xfinity.com manually into the address bar, and log in from there.

Rule Two: If You Are Unsure, Call Xfinity Directly

Xfinity has a customer service number for exactly this situation: 1-800-934-6489 (1-800-Xfinity). If you receive a suspicious message and you are not sure whether it is legitimate, call that number. Do not call any number provided in the suspicious message itself. Use the official number, and ask them to verify whether the message came from them.

Authorities have emphasized this repeatedly: call your service provider directly if you receive a suspicious message. A quick phone call takes five minutes and could save you from losing access to your entire account.

Rule Three: Enable Two-Factor Authentication On Your Xfinity Account

Two-factor authentication (2FA) is your digital seatbelt. Even if a scammer steals your password, they cannot get into your account without the one-time code sent to your phone or email. It blocks attackers even when they have your credentials.

Law enforcement agencies recommend enabling two-step verification whenever it is available. Xfinity supports this feature. Go into your account settings and turn it on today. It takes two minutes and adds a massive layer of protection.

Rule Four: Look For The Verified Logo In Official Xfinity Emails

If you read your email on Xfinity’s website, any legitimate message from Comcast or Xfinity will display a verified logo before you even open it. If you do not see that logo, the email is not from Xfinity. This is a quick, reliable visual check that can stop you from clicking a dangerous link.

Rule Five: Never Share Personal Information With Anyone Who Contacts You Unexpectedly

The Middlesex County Prosecutor’s Office warns that customers should never share personal information such as date of birth, Social Security number, account login information, or bank account details with anyone who contacts them unexpectedly. Xfinity already has this information on file. They will not call or email you asking for it.

Rule Six: Block Suspicious Phone Numbers

If you receive a scam text or call from a suspicious number, block it immediately. Report it as spam or junk through your phone’s built-in tools. This reduces the chance that you will be targeted again from the same number.

Rule Seven: Report Scams When You See Them

If you receive a phishing attempt, report it. You can report scams to the Federal Trade Commission at reportfraud.ftc.gov, to the Internet Crime Complaint Center at ic3.gov, or to your local police department. Each report helps authorities track scam campaigns and warn others.

Xfinity also has its own reporting process. To report a scam email sent to or from a Comcast.net email account, follow the instructions under the “How do I report phishing email” heading on Xfinity’s support pages.

What To Do If You Have Already Entered Your Credentials

If you realize that you have entered your Xfinity username and password into a suspicious page, do not panic. But do not wait, either. Take these steps immediately.

First, go directly to the official Xfinity website by typing xfinity.com into your browser’s address bar. Change your password right away. Choose a strong, unique password that you do not use on any other website.

Second, check your account for unauthorized changes. Look for new equipment orders, plan changes, or unfamiliar email addresses added to your account. If you see anything you did not authorize, contact Xfinity customer service at 1-800-934-6489 to report it.

Third, if you use the same email address and password combination on any other websites – your bank, your email provider, your social media accounts – change those passwords immediately. Scammers will try the stolen credentials on other popular services to see where else they work.

Fourth, enable two-factor authentication if you have not already. This will prevent the scammer from getting back into your account even if they still have your old password.

Fifth, report the phishing attempt to the FTC and to Xfinity. Your report could help protect other customers from falling into the same trap.

The Bottom Line

The fake Xfinity login page scam is a masterpiece of psychological manipulation, not technical sophistication. It uses an unnecessary extra click to lower your guard. It copies Xfinity’s branding to create false familiarity. It relies entirely on you taking action without checking where you really are.

But the scam has a fatal weakness. It falls apart the moment you pause, take a breath, and ask one simple question: “Did I get here by clicking a link in an email or text message?”

If the answer is yes, close the page. Open a new tab. Type xfinity.com with your own fingers. Log in the normal way. That thirty-second habit will protect you from this attack and every other phishing attempt that lands in your inbox.

The scammers are counting on your speed, your trust, and your fear of losing service. Do not give them any of those things. Stay calm. Stay skeptical. And always type the address yourself.

This attack was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during automated link scanning workflows. The phishing source domain has been completely disabled within their infrastructure to protect the public.


.