The fake DitchIt card verification scam is a high-level phishing threat targeting users on classified marketplaces, utilizing fake, secure-looking checkout pages to steal full credit card details and cardholder information. This fraud technique often involves directing users off-platform, requesting balance verification, and harvesting data to drain user accounts.
Target: Users of DitchIt (Marketplace & Resale App)
Threat Level: High (Credit Card Skimming)
Phishing Method Description
This attack uses a “Payment Verification” pretext. Scammers often contact sellers on the DitchIt app, pretending to be interested buyers. They claim they have already paid for the item and send a link to “verify your card” or “receive your funds.”
The link leads to a professional-looking clone of a DitchIt-branded page. Instead of a login, the page features a Card Data Entry Form designed to harvest:
Full Name
Credit/Debit Card Number
Expiration Date
CVV Code (Security code on the back)
Account Balance (Scammers ask for this to know how much they can steal immediately).
⚠️ Red Flags to Watch For
Third-Party Links: DitchIt processes payments within the app. If a “buyer” sends you an external link to ditchit-payout.com or verification-ditchit.net, it is 100% a scam.
The “Balance” Request: Legitimate payment processors never ask you to type in your current card balance to receive money. This is a common tactic in Eastern European and North American marketplace scams.
Urgent Tone: The page often says, “You must verify your card within 10 minutes to receive the payment,” forcing the victim to act without thinking.
🛡️ How to Protect Yourself
Stay In-App: Never leave the official DitchIt application to complete a transaction or “verify” your identity. All legitimate prompts will happen inside the app’s secure environment.
The “Receiving Money” Logic: To receive money, you usually only need to provide an email (for Interac) or a bank account number. You never need to provide your CVV or your card’s expiration date to get paid.
Check the URL: DitchIt’s official domain is ditchit.ca. Any other variation, especially those ending in .xyz, .top, or .info, should be closed immediately.
Zero Trust for SMS/Chat Links: If someone you don’t know sends you a link via the in-app chat or SMS claiming to be “Support,” treat it as a threat.