
Blocket “Safe Payment / Shipping” Phishing
Target: Buyers and Sellers on Blocket (Sweden)
Threat Level: Critical (Bank Account Takeover & BankID Hijacking)
Phishing Method Description
This attack targets users of the Swedish marketplace Blocket. Scammers usually contact a seller or buyer via WhatsApp or SMS, claiming they want to use “Blocket Paket” (shipping service) or a fake “Direct Payment” system to complete the deal.
The link leads to a high-fidelity clone of the Blocket or BankID verification page. The phishing kit is specifically designed to harvest:
Personal Identity Number (Personnummer)
Credit/Debit Card Details (Number, Expiry, CVV)
BankID Authentication: The fake site never talks to BankID itself. The attacker takes the personnummer the victim has just typed and starts a real BankID or Mobile BankID login at the victim’s bank, so a genuine BankID request appears on the victim’s phone. Thinking they are “verifying the payment,” the victim enters their security code, which actually signs the attacker into their real bank account or approves a fraudulent transaction.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is blocket.se. Phishing sites use lookalikes such as blocket-betalning.online, verifera-blocket.net, frakt-blocket.com, or free subdomains like blocket-portal.web.app.
Off-Platform Communication: If a buyer or seller insists on moving the conversation from Blocket’s internal chat to WhatsApp or SMS, it is a major warning sign.
Urgent Payment Links: Blocket will never send you a link via SMS or WhatsApp asking you to “enter your card details to receive money.”
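The “Deceptive Domain” flag above can be checked mechanically before anyone taps a link. The following is an added example (not Blocket’s code) that classifies a URL as official, lookalike or unrelated. It assumes blocket.se is the only legitimate registrable domain and that any other host containing the brand string is a lookalike; the sample URLs in the test are constructed from the patterns listed above plus one userinfo trick (`blocket.se@evil-host`) that naive string matching would miss.

```python
from urllib.parse import urlsplit

# Added example, not part of the original advisory. Assumption: blocket.se
# (and its subdomains) is the only official domain; anything else that merely
# contains the brand string is treated as a lookalike.
LEGIT_DOMAIN = "blocket.se"
BRAND = "blocket"


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL.

    SMS and WhatsApp links often arrive without a scheme
    ('blocket-betalning.online/betala'), so one is added before parsing.
    urlsplit().hostname discards userinfo, which defeats the
    'https://blocket.se@evil-host/' trick.
    """
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_official(host: str) -> bool:
    """True only for blocket.se itself or a subdomain of it.

    A plain prefix/substring test would accept 'blocket.se.evil.example',
    so the check is anchored on the label boundary.
    """
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def classify(url: str) -> str:
    """Classify a link as 'official', 'lookalike' or 'unrelated'.

    'lookalike' covers the shapes seen in this campaign: the brand with a
    hyphenated suffix or prefix on a foreign TLD (blocket-betalning.online,
    frakt-blocket.com), the brand as a free-hosting subdomain
    (blocket-portal.web.app) and the official name used as a decoy prefix
    (blocket.se.evil.example).
    """
    host = hostname_of(url)
    if is_official(host):
        return "official"
    if any(BRAND in label for label in host.split(".")):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, mirroring the patterns named in the advisory.
    for link in ("https://www.blocket.se/annons/1",
                 "blocket-betalning.online/betala",
                 "https://blocket-portal.web.app",
                 "https://blocket.se@blocket-betalning.online/pay"):
        print(f"{link:50} -> {classify(link)}")
```

The check only catches lookalikes that spell the brand in ASCII; a homoglyph or punycode variant would need IDNA decoding first, and a domain that does not mention Blocket at all still lands in “unrelated,” which is a reason to treat any off-platform payment link as suspect rather than relying on the classifier alone.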
🛡️ How to Protect Yourself
Stay on the Platform: Use only the official Blocket Paket and payment systems integrated directly into the Blocket app or website.
The “No Link” Rule: Never click on links sent by other users to “confirm a payment” or “track a package.” If the payment is real, it will show up in your official Blocket account.
Verify BankID Context: Before entering your PIN in the BankID app, always check the “Requester” (Mottagare) and the action. If you are selling an item, you should not be “signing” or “authenticating” a login to your bank.
Zero Trust for Card Requests: You do not need to provide your CVV code to receive money. If a site asks for it to “verify your account for a payout,” it is a scam.
💡 Expert Security Tip: The “BankID Relay” Attack
The Method:
This case is a real-time authentication relay: the scammers act as a “live bridge” between the victim and the victim’s own bank.
The Trap:
When you enter your Personnummer on the fake Blocket site, the attacker enters it on the real bank website. You receive a BankID notification. If you sign it, you aren’t “confirming a sale”—you are signing the attacker into your bank account.
How to Protect Yourself:
Check the app carefully: the BankID app shows who is requesting the identification (e.g., “Logga in på [Din Bank]”). If you see your bank’s name while you are supposedly on “Blocket,” cancel immediately.
Never trust “Verification” links: Blocket and banks in Sweden will never ask you to identify yourself via BankID through a link sent in a private message.
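To make the relay described in “The Trap” and the defence in “Check the app carefully” concrete, here is an added simulation (not Blocket’s, BankID’s or any bank’s real code). The class names, the bank name and the personnummer are invented. The point it demonstrates: the phishing page never touches the BankID app; it only feeds the harvested personnummer into a genuine login at the bank, so the display text the app shows is written by the bank and is the one signal the attacker cannot rewrite.

```python
from dataclasses import dataclass
import itertools

# Added simulation of the relay; not real BankID, Blocket or bank code.
# Bank, BankIDService, PhishingSite and the personnummer are invented.


@dataclass
class AuthOrder:
    order_ref: str
    personnummer: str
    display_text: str        # the text the victim's BankID app shows
    completed: bool = False


class BankIDService:
    """Stand-in for the BankID infrastructure: routes an order to the app
    registered for that personnummer. The attacker never talks to this."""

    def __init__(self):
        self._apps = {}

    def register(self, app):
        self._apps[app.personnummer] = app

    def deliver(self, order):
        app = self._apps.get(order.personnummer)
        if app is not None:
            app.handle(order)


class Bank:
    """Simplified relying party. The display text is set by the bank itself,
    so it names the bank whatever site the victim believes they are on."""

    name = "Din Bank"

    def __init__(self, bankid):
        self.bankid = bankid
        self._orders = {}
        self._refs = itertools.count(1)

    def start_auth(self, personnummer):
        order = AuthOrder(f"order-{next(self._refs)}", personnummer,
                          f"Logga in på {self.name}")
        self._orders[order.order_ref] = order
        self.bankid.deliver(order)           # the victim's phone gets the prompt
        return order.order_ref

    def collect(self, order_ref):
        """Return a session token once the order has been approved, else None."""
        order = self._orders[order_ref]
        return f"session:{order.personnummer}" if order.completed else None


class BankIDApp:
    """The victim's app. `decide` plays the human: given the display text,
    approve (enter the security code) or cancel."""

    def __init__(self, personnummer, decide):
        self.personnummer = personnummer
        self.decide = decide

    def handle(self, order):
        if self.decide(order.display_text):
            order.completed = True


class PhishingSite:
    """The fake Blocket page: it relays the harvested personnummer into a
    real login at the bank and then collects the resulting session."""

    def __init__(self, bank):
        self.bank = bank

    def submit(self, personnummer):
        ref = self.bank.start_auth(personnummer)   # attacker starts a real login
        return self.bank.collect(ref)              # session lands with the attacker


def careless_user(display_text):
    """Approves anything, believing it is 'verifying the payment'."""
    return True


def vigilant_user(expected_context="Blocket"):
    """Approves only if the display text names the site actually being used."""
    def decide(display_text):
        return expected_context.lower() in display_text.lower()
    return decide


def run_scenario(decide, personnummer="19900101-1234"):
    """Return the session the attacker obtains, or None if the victim cancelled."""
    bankid = BankIDService()
    bankid.register(BankIDApp(personnummer, decide))
    return PhishingSite(Bank(bankid)).submit(personnummer)


if __name__ == "__main__":
    print("careless user:", run_scenario(careless_user))    # attacker gets a session
    print("vigilant user:", run_scenario(vigilant_user()))  # None
```

The careless branch approves “Logga in på Din Bank” while looking at a Blocket-branded page and hands the attacker a bank session; the vigilant branch refuses because the display text does not mention the site the victim is using. Nothing in the attacker’s page can change that text, which is why the advisory’s advice to read the requester before entering the security code is the effective control.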
