Peer-to-peer (P2P) marketplaces have revolutionized how we buy and sell online, but their popularity has also attracted highly sophisticated cybercriminals. Today, scammers no longer operate manually; they use automated scripts and fake brand interfaces to target victims’ bank accounts.
Our security team recently discovered and analyzed an active automated campaign targeting P2P platform users. Below, we break down how this sophisticated lookalike fraud works and how you can safeguard your financial data.
Who This Guide Is For
This article is written specifically for one group of people: regular buyers and sellers on peer-to-peer marketplaces like Jimoty, Mercari, and similar platforms. If you have ever listed an item for sale, replied to a classified ad, or entered your payment details on a website that connects strangers to buy and sell things, this guide is for you.
You are not a cybersecurity expert. You probably do not think about phishing attacks when you are trying to sell an old bicycle or buy a second-hand smartphone. That is exactly why the criminals behind this new scam have chosen to target people like you.
In Japan alone, phishing reports reached approximately 2.45 million cases in 2025, shattering all previous records. The Financial Services Agency of Japan has issued repeated warnings about impersonation scams targeting financial accounts, and the attack we are about to dissect represents the newest, most dangerous evolution of these threats. It is not a theory. It is not a distant possibility. It is happening right now to people using the same platforms you use every day.
The Scam That Knows How Much Money You Have
Let me paint a picture for you.
You are selling something on Jimoty, one of Japan’s largest classifieds platforms. You have been chatting with a potential buyer. Everything feels normal. Then you receive a message that looks like it came directly from the platform itself. It says your account has been restricted. It mentions the Financial Services Agency of Japan. It says you need to verify your identity immediately or you will lose access to your account.
There is a link. You click it. The page that opens looks exactly like the official Jimoty interface. Same colors. Same logos. Same layout. It even shows that your email and phone number have already been partially verified – a clever trick to make you trust the page.
Analysis Memo: This malicious interface was detected, analyzed, and contained firsthand by the
Antiphishing.bizsecurity team during our daily link moderation procedures. To protect the public, the dangerous destination URL has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.
You breathe a sigh of relief. This must be real. They already have some of your information.
Then the page asks for your credit card details. Not just the number and expiration date. Not just the CVV code. It asks for something no legitimate website has ever asked you before: the exact current available balance on your card.
This is not a mistake. This is not a glitch. This is the core feature of a new type of automated financial fraud.
How this scam actually works
Let me explain what is happening behind the scenes in plain language.
A traditional phishing attack simply steals your card details. The criminals then try to use those details to make purchases or withdraw money. They are guessing how much money you have. They are hoping your bank does not block the transaction.
This scam is different. It is smarter. It is more efficient. And it is far more destructive.
When you enter your card balance into the fake verification page, you are not just providing information. You are giving the criminals a precise target number. Their automated system reads that number and immediately calculates the largest possible transaction that can be approved without triggering your bank’s fraud alerts.
Here is what happens next, step by step.
First, you enter your full card number, expiration date, CVV, and your current balance. The page looks legitimate. It might even display logos of well-known payment processors to put you at ease.
Second, once you submit the form, the criminals’ system processes your information in real time. It knows exactly how much money to take. Not a small test transaction. Not a random amount. The exact amount that will drain your available balance completely.
Third – and this is the part that terrifies even experienced security professionals – the system is designed to bypass the two-factor authentication that is supposed to protect you. It captures the one-time password sent to your phone via SMS. It tricks you into approving push notifications from your banking app. It might even attempt to activate your device’s camera under the false pretense of biometric verification.
By the time you realize something is wrong, your money is already gone. The entire process takes seconds.
The Three Tricks That Make This Scam So Dangerous
The criminals behind this operation are not amateurs. They have studied how regular people think and behave online. They have built their attack around three psychological tricks that are almost impossible to resist unless you know what to look for.
Trick One: The Manufactured Emergency
The fake account restriction notice is designed to create panic. It cites real regulations from the Financial Services Agency of Japan. It uses official-sounding language. It tells you that you have limited time to fix the problem before your account is permanently locked.
When people panic, they stop thinking clearly. They stop checking URLs. They stop asking questions. They just want to solve the problem as quickly as possible. The criminals are counting on exactly that reaction.
Trick Two: The False Baseline Of Trust
The fake page does something very clever. It displays your email address and phone number as already verified. It shows checkmarks next to completed steps. This creates the illusion that you are continuing a process that has already started, not starting a new one from scratch.
Your brain interprets those pre-filled fields as evidence that the page is legitimate. After all, how would a fake website know your contact information? The answer is that the criminals collected it earlier, perhaps from a previous data breach or from the initial message they sent you. But in the moment, most people do not make that connection.
Trick Three: The Balance Question That Should Never Be Asked
This is the most revealing part of the entire scam. No legitimate business has any reason to ask for your current card balance. Not your bank. Not your credit card company. Not any online marketplace. Ever.
When you see a page asking for your available balance, you are looking at a definitive sign of fraud. There is no innocent explanation. There is no legitimate use case. The only reason to ask for that information is to calculate how much money can be stolen from you in a single transaction.
Real Examples From The Front Lines
Security researchers at Antiphishing.biz recently intercepted one of these attacks in progress. The fraudulent page was hosted on a disposable domain called chilw-order.lat – a meaningless name that would never be used by a legitimate company. The page was impersonating Jimoty’s infrastructure and targeting Japanese consumers specifically.
The researchers documented that the attack relied on three distinct technical phases embedded within a single web page. The first phase displayed the fake account restriction notice citing Japanese financial regulations. The second phase requested the card details including the exact available balance in JPY. The third phase attempted to capture SMS one-time passwords and trick users into approving mobile banking push notifications while simultaneously attempting to activate device webcams under the guise of biometric verification.
This is not a theoretical threat. It is a fully operational criminal system that has already been deployed against real people.
In a separate but related trend, security researchers have observed the emergence of scam kits being sold on underground marketplaces. These turnkey solutions allow even technically unsophisticated criminals to launch sophisticated phishing campaigns with minimal effort. The operational footprint of these scam operations is smaller than ransomware, their visibility is lower than many credential-harvesting operations, and they are supported by a well-developed underground marketplace offering ready-made deployment packages.
Expert Advice: How To Protect Yourself Starting Today
You do not need to be a cybersecurity expert to protect yourself from this scam. You just need to follow a few simple rules every single time you interact with any online marketplace.
Rule One: Never Click Links In Messages About Account Problems
If you receive a message claiming your account has been restricted or needs verification, do not click any links in that message. Open a new browser tab. Type the marketplace’s official website address manually. Log into your account normally. If there is a real problem with your account, you will see a notification inside your account dashboard after you log in through the official website.
This single habit will protect you from almost every phishing attack in existence. Criminals rely on you clicking their links. Take that option away from them.
Rule Two: Check The Web Address Before You Enter Anything
Before you type any personal information into a website, look at the address bar of your browser. The real Jimoty website uses jmty.jp. The real Mercari uses mercari.com. The real Yahoo Auctions uses auctions.yahoo.co.jp.
If you see anything else – any variation, any extra words, any unfamiliar endings like .lat or .top or .xyz – close the tab immediately. The presence of a padlock icon in the address bar means nothing. Criminals can get SSL certificates for their fake websites just as easily as legitimate businesses can.
Rule Three: Never Share Your Card Balance With Anyone
Memorize this statement: No legitimate business will ever ask you for your current card balance. Not for verification. Not for security. Not for any reason.
If a website asks for your balance, you are looking at a scam. Close the page immediately. Report it to the platform if possible. Then go about your day knowing you just avoided a financial disaster.
Rule Four: Be Skeptical Of Pre-Filled Information
If a verification page already contains your email address or phone number, do not take that as proof of legitimacy. Criminals can obtain this information from many sources. They can also simply display placeholder text that looks like your information but is actually generic.
The only verification that matters is the web address in your browser’s address bar. Nothing else.
Rule Five: Use Virtual Cards When Possible
Many banks and financial services now offer virtual card numbers – temporary card numbers that you can generate for specific transactions or set with spending limits. If you regularly buy and sell on peer-to-peer marketplaces, using virtual cards adds an extra layer of protection. Even if a criminal obtains your virtual card number, they cannot exceed the limit you set, and you can cancel the virtual number at any time.
Rule Six: Slow Down
This is the most important advice I can give you. Phishing attacks work by creating urgency. They want you to act quickly without thinking. When you feel that sense of panic – when a message tells you your account will be locked if you do not act immediately – that is your signal to stop completely.
Take a breath. Close the message. Open the official website manually. If the message was real, you will see the same notification after you log in. If it was fake, you just saved yourself from losing your money.
What To Do If You Think You Have Been Targeted
If you have already entered your card details into a suspicious page, do not panic. Act quickly but calmly.
Contact your bank or credit card issuer immediately using the phone number on the back of your card. Do not use any contact information from the suspicious message or website. Tell them your card details may have been compromised and request a new card.
Review your recent transactions for any unauthorized charges. Look for small test transactions as well as larger ones. Report any suspicious activity to your bank immediately.
Change your password for the marketplace platform. Use a strong, unique password that you do not use anywhere else. Enable two-factor authentication on your account if the platform offers it.
Monitor your account activity for the next several weeks. Some criminals wait before using stolen card details to avoid detection.
Finally, report the phishing attempt to the platform’s security team. Your report could help protect other users from falling victim to the same scam.
A Final Word From The Security Team
The criminals are constantly evolving their tactics. They change their domain names. They refine their fake pages. They find new ways to bypass security measures. But one thing never changes: they need you to take an action they have scripted for you.
Your best defense is not a piece of software or a security product. Your best defense is awareness. Every time you are about to enter your payment information into a website, pause. Ask yourself whether the request makes sense. Ask yourself whether a legitimate business would ever ask for the information you are about to provide.
If something feels wrong, trust that feeling. Close the page. Open the official website directly. Verify through official channels. The extra thirty seconds it takes to do this might be the thirty seconds that save your entire bank account.
This attack was detected, analyzed, and neutralized by the Antiphishing.biz security team during daily link moderation procedures. The dangerous destination URL has been fully defanged within their infrastructure. But new domains will appear tomorrow, and the week after, and the month after that. The information in this guide will protect you regardless of what domain name the criminals choose.
Stay safe. Stay skeptical. And remember – no legitimate website will ever ask you how much money you have before taking it.