Fake Payment Receipt Scam – “Receive Funds” Card Harvesting (Bulgarian Variant)
This phishing campaign is designed to steal credit card details from users selling items online (likely on classified ad platforms such as OLX.bg, Bazar.bg, or Facebook Marketplace) in Bulgaria. The scam creates a fake payment confirmation interface and pressures the seller to “receive funds” by entering their card information.
How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item and that the payment is being held by a shipping or escrow service. The buyer sends a link to this fake payment page.
Step 1 – Fake Payment Confirmation Page (First Screenshot)
Step 2 – Credit Card Harvesting Page (Second Screenshot)
The goal:
The attacker steals the victim’s credit card details. There is no actual payment of 10,999 leva waiting to be received—the entire transaction is fabricated. If the victim enters their card details, the attacker can make unauthorized purchases or sell the information.
Red flags to watch for:
- Illogical request for card details: To receive money, you never need to enter your credit card details. Receiving funds typically requires providing a bank account number (IBAN) or using a payment service (e.g., PayPal, ePay)—not a credit card number, expiry date, and CVC.
- Suspicious URL: The pages are hosted on domains that are not legitimate shipping, escrow, or payment services. Always check the address bar.
- High-value item: Luxury watches like Ulysse Nardin are commonly used in scams because they command high prices, making the “payment” amount large enough to excite the seller.
- Fake buyer information: The name “…” and the Sofia address may be real or plausible, but they are not verifiable through the platform.
- Currency typo: The second page shows “10999 JB” instead of “10999 лв,” indicating the page was poorly translated or copied.
- No platform integration: Legitimate classified platforms in Bulgaria (OLX, Bazar) do not use external “Secure Offer” pages for payments. Buyers and sellers typically arrange payment directly or through platform-integrated options.
- Generic card form: The payment page lacks any recognizable Bulgarian payment processor branding (e.g., ePay, Borica) and does not use a secure, trusted payment gateway.
What to do if you encounter this:
- Do not click “ВЗЕМИ ПАРИТЕ” or enter any credit card details.
- Do not enter your card number, expiry date, or CVC on this page.
- If you are selling items online, never click links sent by buyers claiming payment is waiting. Legitimate buyers pay through official platform mechanisms, bank transfer, or cash on pickup.
- If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
- Report the phishing page to the classified platform where the scam originated.
Why this scam is effective:
Bulgaria has a thriving second-hand market for luxury watches and other high-value items. Sellers are often eager to close a sale and may not question a buyer who claims to have paid through a “secure” escrow service. The use of Bulgarian language, a real Sofia address, and a plausible buyer name makes the scam locally convincing. The large amount (10,999 leva) creates excitement and urgency, overriding suspicion.
Protective measures:
- Always complete transactions through the official payment system of the platform you are using, or use cash on pickup.
- Never accept payment through links sent by buyers—insist on bank transfer to your IBAN, or use trusted services like ePay or PayPal directly (by logging into your account, not through a link).
- Remember: receiving money never requires your credit card information.
- If a buyer claims they have paid through an escrow or shipping service, verify directly with the official website of that service using a URL you type yourself—never click links in messages.
- Be suspicious of any page that asks for your full credit card details outside of a well-known, trusted payment provider.