

Fake Order Confirmation Scam – “Receive Funds” Card Harvesting (Bulgarian Variant – Lower Value Item)
This phishing campaign is designed to steal credit card details from users selling items online (likely on classified ad platforms such as OLX.bg, Bazar.bg, or Facebook Marketplace) in Bulgaria. The scam creates a fake “order confirmation” page and pressures the seller to “receive funds” by entering their card information.
How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item. The buyer sends a link to this fake order confirmation page.
Step 1 – Fake Order Confirmation Page (First Screenshot)
Step 2 – Credit Card Harvesting Page (Second Screenshot)
After clicking “Продължи,” the victim is taken to this page.
The goal:
The attacker steals the victim’s credit card details. There is no actual payment of 399 BGN waiting to be received—the entire transaction is fabricated. If the victim enters their card details, the attacker can make unauthorized purchases or sell the information.
Red flags to watch for:
- Illogical request for card details: To receive money, you never need to enter your credit card details. Receiving funds typically requires providing a bank account number (IBAN) or using a payment service (e.g., PayPal, ePay)—not a credit card number, expiry date, and CVC.
- Suspicious URL: The pages are hosted on domains that are not legitimate classified or payment platforms. Always check the address bar.
- “Frozen funds” pretext: The phrase “средствата са замразени” (funds are frozen) is a common phishing tactic to create urgency and legitimacy, but no real platform freezes funds waiting for card details.
- Fake delivery options: The page claims “Доставка от наш куриер” (Delivery by our courier) and “Доставката се заплаща от купувача” (Delivery is paid by the buyer), but these are just text elements—not interactive or verifiable services.
- Product description inconsistencies: The second page has a typo (“Koxxeno axe” instead of “Кожено яке”), indicating poor translation or copying.
- Same address as previous scam: The delivery address (бул. „Македония“ 2, Sofia) appears in multiple Bulgarian phishing campaigns, suggesting a template being reused by attackers.
- Generic card form: The payment page lacks any recognizable Bulgarian payment processor branding (e.g., ePay, Borica) and does not use a secure, trusted payment gateway.
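A triage sketch for reported links that checks three of the red flags above: a full card form, the “frozen funds” wording, and a host outside known platforms. It is an added example, not part of the original advisory; the trusted-host list, field-name hints, function names and sample page are assumptions or constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts of the platforms and payment services this page names.
TRUSTED_HOSTS = {"olx.bg", "bazar.bg", "epay.bg", "paypal.com", "borica.bg"}
# Lure phrases quoted in the red flags above (compared in lower case).
LURES = ("средствата са замразени", "доставка от наш куриер")
# Standard autocomplete tokens plus assumed field-name fragments (heuristic).
CARD_HINTS = {
    "number": ("cc-number", "cardnumber", "card-number", "card_number"),
    "expiry": ("cc-exp", "expiry", "expdate"),
    "cvc": ("cc-csc", "cvc", "cvv"),
}

class PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fields, self.text = set(), []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        blob = " ".join(v.lower() for k, v in attrs
                        if k in ("name", "id", "autocomplete", "placeholder") and v)
        self.fields |= {kind for kind, hints in CARD_HINTS.items()
                        if any(h in blob for h in hints)}

    def handle_data(self, data):
        self.text.append(data.lower())

def host_trusted(url):
    # Exact host or true subdomain only, so lookalike prefixes fail.
    host = (urlsplit(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def red_flags(url, html):
    scan = PageScan()
    scan.feed(html)
    text = " ".join(scan.text)
    checks = {
        "full-card-form": scan.fields == set(CARD_HINTS),
        "frozen-funds-lure": any(p in text for p in LURES),
        "untrusted-host": not host_trusted(url),
    }
    return [name for name, hit in checks.items() if hit]

# Constructed sample, not the real phishing page.
SAMPLE_URL = "https://olx-bg.pay-confirm.example/order/123"
SAMPLE_HTML = ('<p>Средствата са замразени</p><form><input name="cardnumber">'
               '<input autocomplete="cc-exp"><input name="cvc"></form>')
```

A page that raises all three flags matches the pattern described here; any single flag on its own is only a prompt for manual review.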
What to do if you encounter this:
- Do not click “Продължи” or enter your card number, expiry date, or CVC on this page.
- If you are selling items online, never click links sent by buyers claiming payment is waiting. Legitimate buyers pay through official platform mechanisms, bank transfer, or cash on pickup.
- If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
- Report the phishing page to the classified platform where the scam originated.
Why this scam is effective:
This scam uses a moderately priced item (399 BGN) rather than an expensive luxury watch, making it more relatable to average sellers. The “frozen funds” language creates a sense of urgency and false legitimacy. The use of a real Sofia address, Bulgarian language, and detailed product description (SuperDry jacket with size details) makes the transaction appear genuine. Sellers who are eager to complete the sale may overlook the critical red flag: entering credit card details to receive money.
Protective measures:
- Always complete transactions through the official payment system of the platform you are using, or use cash on pickup.
- Never accept payment through links sent by buyers—insist on bank transfer to your IBAN, or use trusted services like ePay or PayPal directly (by logging into your account, not through a link).
- Remember: receiving money never requires your credit card information.
- If a buyer claims they have paid through an escrow or shipping service, verify directly with the official website of that service using a URL you type yourself—never click links in messages.
- Be suspicious of any page that asks for your full credit card details outside of a well-known, trusted payment provider.
