Sahibinden phishing page detected

Fake Shipment Tracking Scam – “Receive Funds” Card Harvesting

This phishing campaign is designed to steal credit card details from users selling items online (likely on classified ad platforms such as Sahibinden, Letgo, or Facebook Marketplace). The scam creates a fake shipment tracking interface and pressures the seller to “receive funds” by entering their card information.

How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item and that the payment is being held by a shipping or escrow service. The buyer sends a link to this fake tracking page.

Step 1 – Fake Shipment Tracking Page (First Screenshot)
The page uses Turkish lira and location details to appear legitimate.

Step 2 – Credit Card Harvesting Page (Second Screenshot)

The goal:
The attacker aims to steal the victim’s credit card details. There is no actual payment of 3000 TRY waiting to be received—the entire transaction is fabricated. If the victim enters their card details, the attacker can make unauthorized purchases or sell the information.

Red flags to watch for:

  • Illogical request for card details: To receive money (funds), you never need to enter your credit card details. Receiving funds typically requires providing a bank account number or using a payment service (e.g., PayPal, IBAN), not a credit card number, expiry date, and CVC.
  • Fake tracking status: The status timeline claims “the package is paid” and “funds are waiting to be received,” but the seller is being asked to pay—this is contradictory.
  • Suspicious URL: Both pages are hosted on domains that are not legitimate shipping or payment services. The URLs visible in the first screenshot (dpd cz.info orders... from previous examples) indicate a pattern of phishing domains.
  • Generic payment page: The second page lacks any recognizable payment processor branding (e.g., Stripe, Iyzico, PayPal) and does not use a secure payment gateway.
  • No actual buyer or order context: The seller has no way to verify the shipment or the buyer’s identity through legitimate channels.
  • Poor design consistency: The first page mixes shipment tracking elements with a “receive funds” button, which is not how legitimate shipping or payment services operate.

What to do if you encounter this:

  • Do not click “RECEIVE FUNDS” or enter any credit card details.
  • Do not enter your card number, expiry date, or CVC on this page.
  • If you are selling items online, never click links sent by buyers claiming payment is waiting. Legitimate buyers pay through official platform mechanisms or in cash upon pickup.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the classified platform where the scam originated.

Why this scam is effective:
In Turkey, classified ad platforms are widely used, and sellers often ship items after receiving payment. This scam exploits the seller’s expectation of a legitimate transaction by providing a fake tracking number and shipment status. The “funds are waiting to be received” message creates excitement and urgency, overriding the suspicion that receiving money should never require entering credit card details.

Protective measures:

  • Always complete transactions through the official payment system of the platform you are using (e.g., Sahibinden’s “Güvenli Ödeme” system).
  • Never accept payment through links sent by buyers—insist on in-person cash or official platform transactions.
  • Remember: receiving money never requires your credit card information.
  • If a buyer claims they have paid through a shipping company or escrow service, verify directly with the official website of that service using a URL you type yourself—never click links in messages.

DIE Post (Swiss Post) phishing page detected

Fake Package Tracking Scam – “Receive Funds” Card Harvesting (Swiss/German Variant)

This phishing campaign is designed to steal credit card details from users selling items online (likely on classified ad platforms such as Ricardo, Tutti, or Facebook Marketplace) in Switzerland and German-speaking Europe. The scam creates a fake shipment tracking interface and pressures the seller to “receive funds” by entering their card information.

How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item and that the payment is being held by a shipping or escrow service. The buyer sends a link to this fake tracking page.

Step 1 – Fake Tracking Status Page (First Screenshot)
The page instructs the seller to ship the item after “receiving” funds.

Step 2 – Fake Package Details Page (Second Screenshot)
Step 3 – Credit Card Harvesting Page (Third Screenshot)
The goal:
The attacker steals the victim’s credit card details. There is no actual payment of 105 CHF waiting to be received—the entire transaction is fabricated. If the victim enters their card details, the attacker can make unauthorized purchases or sell the information.

Red flags to watch for:

  • Illogical request for card details: To receive money, you never need to enter your credit card details. Receiving funds typically requires providing a bank account number (IBAN) or using a payment service (e.g., Twint, PayPal)—not a credit card number, expiry date, and CVC.
  • Suspicious URL: The pages are hosted on domains that are not legitimate shipping or payment services. (From the visible URL bar in the first screenshot, the domain appears unrelated to any known Swiss shipping company.)
  • Fake tracking status: The status text is poorly written (“Empfangen von Vergnugen” is not a standard DHL, Swiss Post, or other carrier status message).
  • Copied footer content: The second page contains a footer about “traditional hutters of the land” (likely copied from an unrelated website), which has nothing to do with package delivery.
  • No login or verification: Legitimate payment processes do not ask for full credit card details on a page reached via an unsolicited link.
  • Price in CHF, but tracking in German: While Swiss shipping uses German, the overall design and errors suggest the page was not created by a professional Swiss company.
  • Generic card form: The payment page lacks any recognizable payment processor branding (e.g., Stripe, Datatrans, PayPal) and does not use a secure payment gateway.

What to do if you encounter this:

  • Do not enter any credit card details, expiry date, or CVC.
  • Do not click “Submit” or any buttons on these pages.
  • If you are selling items online, never click links sent by buyers claiming payment is waiting. Legitimate buyers pay through official platform mechanisms (e.g., Ricardo’s payment system, Twint, or cash on pickup).
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the classified platform where the scam originated.

Why this scam is effective:
High-value items like the “Tripp Trapp” child’s chair are frequently sold on second-hand platforms in Switzerland and Germany. Sellers are eager to complete the sale and may not question a buyer who claims to have paid via an escrow or shipping service. The use of Swiss francs (CHF) and a real address in St. Moritz makes the scam appear locally relevant. The multi-step process with a tracking number and package details gives the illusion of a legitimate transaction.

Protective measures:

  • Always complete transactions through the official payment system of the platform you are using.
  • Never accept payment through links sent by buyers—insist on in-person cash, Twint, or platform-integrated payments.
  • Remember: receiving money never requires your credit card information.
  • If a buyer claims they have paid through a shipping company or escrow service, verify directly with the official website of that service using a URL you type yourself—never click links in messages.
  • Be suspicious of any page that asks for your full credit card details outside of a well-known, trusted payment provider.

Econt phishing page in Bulgarian revealed

Fake Payment Receipt Scam – “Receive Funds” Card Harvesting (Bulgarian Variant)

This phishing campaign is designed to steal credit card details from users selling items online (likely on classified ad platforms such as OLX.bg, Bazar.bg, or Facebook Marketplace) in Bulgaria. The scam creates a fake payment confirmation interface and pressures the seller to “receive funds” by entering their card information.

How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item and that the payment is being held by a shipping or escrow service. The buyer sends a link to this fake payment page.

Step 1 – Fake Payment Confirmation Page (First Screenshot)
Step 2 – Credit Card Harvesting Page (Second Screenshot)
The goal:
The attacker steals the victim’s credit card details. There is no actual payment of 10,999 leva waiting to be received—the entire transaction is fabricated. If the victim enters their card details, the attacker can make unauthorized purchases or sell the information.

Red flags to watch for:

  • Illogical request for card details: To receive money, you never need to enter your credit card details. Receiving funds typically requires providing a bank account number (IBAN) or using a payment service (e.g., PayPal, ePay)—not a credit card number, expiry date, and CVC.
  • Suspicious URL: The pages are hosted on domains that are not legitimate shipping, escrow, or payment services. Always check the address bar.
  • High-value item: Luxury watches like Ulysse Nardin are commonly used in scams because they command high prices, making the “payment” amount large enough to excite the seller.
  • Fake buyer information: The name “…” and the Sofia address may be real or plausible, but they are not verifiable through the platform.
  • Currency typo: The second page shows “10999 JB” instead of “10999 лв,” indicating the page was poorly translated or copied.
  • No platform integration: Legitimate classified platforms in Bulgaria (OLX, Bazar) do not use external “Secure Offer” pages for payments. Buyers and sellers typically arrange payment directly or through platform-integrated options.
  • Generic card form: The payment page lacks any recognizable Bulgarian payment processor branding (e.g., ePay, Borica) and does not use a secure, trusted payment gateway.

What to do if you encounter this:

  • Do not click “ВЗЕМИ ПАРИТЕ” or enter any credit card details.
  • Do not enter your card number, expiry date, or CVC on this page.
  • If you are selling items online, never click links sent by buyers claiming payment is waiting. Legitimate buyers pay through official platform mechanisms, bank transfer, or cash on pickup.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the classified platform where the scam originated.

Why this scam is effective:
Bulgaria has a thriving second-hand market for luxury watches and other high-value items. Sellers are often eager to close a sale and may not question a buyer who claims to have paid through a “secure” escrow service. The use of Bulgarian language, a real Sofia address, and a plausible buyer name makes the scam locally convincing. The large amount (10,999 leva) creates excitement and urgency, overriding suspicion.

Protective measures:

  • Always complete transactions through the official payment system of the platform you are using, or use cash on pickup.
  • Never accept payment through links sent by buyers—insist on bank transfer to your IBAN, or use trusted services like ePay or PayPal directly (by logging into your account, not through a link).
  • Remember: receiving money never requires your credit card information.
  • If a buyer claims they have paid through an escrow or shipping service, verify directly with the official website of that service using a URL you type yourself—never click links in messages.
  • Be suspicious of any page that asks for your full credit card details outside of a well-known, trusted payment provider.

Leo Express phishing page in Bulgarian detected

Fake Order Confirmation Scam – “Receive Funds” Card Harvesting (Bulgarian Variant – Lower Value Item)

This phishing campaign is designed to steal credit card details from users selling items online (likely on classified ad platforms such as OLX.bg, Bazar.bg, or Facebook Marketplace) in Bulgaria. The scam creates a fake “order confirmation” page and pressures the seller to “receive funds” by entering their card information.

How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item. The buyer sends a link to this fake order confirmation page.

Step 1 – Fake Order Confirmation Page (First Screenshot)
Step 2 – Credit Card Harvesting Page (Second Screenshot)
After clicking “Продължи,” the victim is taken to this page.

The goal:
The attacker steals the victim’s credit card details. There is no actual payment of 399 BGN waiting to be received—the entire transaction is fabricated. If the victim enters their card details, the attacker can make unauthorized purchases or sell the information.

Red flags to watch for:

  • Illogical request for card details: To receive money, you never need to enter your credit card details. Receiving funds typically requires providing a bank account number (IBAN) or using a payment service (e.g., PayPal, ePay)—not a credit card number, expiry date, and CVC.
  • Suspicious URL: The pages are hosted on domains that are not legitimate classified or payment platforms. Always check the address bar.
  • “Frozen funds” pretext: The phrase “средствата са замразени” (funds are frozen) is a common phishing tactic to create urgency and legitimacy, but no real platform freezes funds waiting for card details.
  • Fake delivery options: The page claims “Доставка от наш куриер” (Delivery by our courier) and “Доставката се заплаща от купувача” (Delivery is paid by the buyer), but these are just text elements—not interactive or verifiable services.
  • Product description inconsistencies: The second page has a typo (“Koxxeno axe” instead of “Кожено яке”), indicating poor translation or copying.
  • Same address as previous scam: The delivery address (бул. „Македония“ 2, Sofia) appears in multiple Bulgarian phishing campaigns, suggesting a template being reused by attackers.
  • Generic card form: The payment page lacks any recognizable Bulgarian payment processor branding (e.g., ePay, Borica) and does not use a secure, trusted payment gateway.

What to do if you encounter this:

  • Do not click “Продължи” or enter any credit card details.
  • Do not enter your card number, expiry date, or CVC on this page.
  • If you are selling items online, never click links sent by buyers claiming payment is waiting. Legitimate buyers pay through official platform mechanisms, bank transfer, or cash on pickup.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the classified platform where the scam originated.

Why this scam is effective:
This scam uses a moderately priced item (399 BGN) rather than an expensive luxury watch, making it more relatable to average sellers. The “frozen funds” language creates a sense of urgency and false legitimacy. The use of a real Sofia address, Bulgarian language, and detailed product description (SuperDry jacket with size details) makes the transaction appear genuine. Sellers who are eager to complete the sale may overlook the critical red flag: entering credit card details to receive money.

Protective measures:

  • Always complete transactions through the official payment system of the platform you are using, or use cash on pickup.
  • Never accept payment through links sent by buyers—insist on bank transfer to your IBAN, or use trusted services like ePay or PayPal directly (by logging into your account, not through a link).
  • Remember: receiving money never requires your credit card information.
  • If a buyer claims they have paid through an escrow or shipping service, verify directly with the official website of that service using a URL you type yourself—never click links in messages.
  • Be suspicious of any page that asks for your full credit card details outside of a well-known, trusted payment provider.

Grailed fake page detected

Grailed Marketplace Phishing – Fake “Item Sold” & Card Harvesting

This phishing campaign impersonates Grailed, a popular peer-to-peer marketplace for men’s clothing and vintage items. The scam targets sellers by creating a fake “item sold” confirmation page and then requesting credit card details under the guise of “receiving funds.”

How it works:
The victim (a seller) receives a message—likely through Grailed’s messaging system, email, or social media—claiming that their item has been purchased. The message includes a link to this fake Grailed-branded payment page.

Step 1 – Fake Grailed Item Sold Page (First Screenshot)
The page is designed to look like Grailed’s official checkout or payment confirmation interface.

Step 2 – Credit Card Harvesting Page (Second Screenshot)
After clicking “Take it now,” the victim is taken to this page.

The goal:
The attacker steals the victim’s credit card details. There is no actual sale of the jacket—the entire transaction is fabricated. If the victim enters their card details, the attacker can make unauthorized purchases or sell the information.

Red flags to watch for:

  • Illogical request for card details: On a legitimate marketplace like Grailed, sellers do not enter credit card details to receive payment. Sellers provide payout information (bank account or PayPal) once, during account setup. Payments are automatically processed.
  • Suspicious URL: The pages are hosted on domains that are not grailed.com. Always check the address bar before entering any information.
  • Mismatched payment method: The first page offers PayPal or card, but the second page only asks for card details—even if the seller selected PayPal, the scam would still present the card form.
  • Fake buyer address: The address in Milan may be real, but Grailed does not display the buyer’s full address to the seller before payment is completed. Sellers only receive shipping addresses after a legitimate sale is confirmed through the platform.
  • “Take it now” button: Grailed’s legitimate interface uses “Buy Now” or “Make an Offer,” not “Take it now.”
  • Fake authentication badges: While Grailed does offer authentication for certain items, the badges on this page are copied and used out of context to build false trust.
  • No login required: Legitimate Grailed sales require the seller to be logged into their account. This page does not ask for Grailed credentials—it jumps straight to payment details, which is not how the platform works.
  • Generic card form: The payment page lacks Grailed’s actual payment processor branding (Grailed uses PayPal and Stripe) and does not have the expected secure checkout interface.

What to do if you encounter this:

  • Do not click “Take it now” or enter any credit card details.
  • Do not enter your card number, expiry date, or CVC on this page.
  • If you are a Grailed seller, always log into your Grailed account directly (type grailed.com into your browser) to check for real sales. Legitimate sales will appear in your “Sales” dashboard.
  • Never click links in messages claiming someone has purchased your item—always verify through the official platform.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Grailed’s support team ([email protected]) so they can take action.

Why this scam is effective:
Grailed has a dedicated community of sellers who frequently list high-value streetwear and vintage items. Sellers are eager to make a sale and may click a link in a message without thinking. The page closely mimics Grailed’s design, uses correct terminology (“Authenticated,” “Buyer Protection”), and includes realistic-looking buyer details. The $75 price point is modest enough to be believable but high enough to motivate the seller to act quickly.

Protective measures:

  • Always log into the platform (Grailed, eBay, etc.) directly to confirm sales—never rely on links in messages.
  • Never enter credit card details to receive payment. Receiving money requires your payout information (bank account or PayPal), which is set once in account settings, not entered per transaction.
  • Enable two-factor authentication (2FA) on your Grailed account and associated email.
  • Be suspicious of any message that directs you to an external page to “complete” a transaction.
  • If a buyer claims they have purchased your item but you don’t see it in your official account dashboard, it is a scam.

FedEx phishing page in Slovak revealed

A two-step classified ads/phishing scam targeting users in Slovakia. The scam combines fake branding from FedEx and Slovenská pošta (Posta.sk) with a fake payment confirmation page to steal credit card details.

FedEx & Posta.sk Phishing Scam – Fake “Funds Received” & Card Harvesting (Slovak Variant)

This phishing campaign targets sellers on Slovak classified platforms (such as Bazar.sk) by impersonating both FedEx and Slovenská pošta (Posta.sk) . The scam creates a fake “funds received” page and then pressures the seller to “link a card” to receive payment.

How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item and that the payment is being held by a shipping service. The buyer sends a link to this fake FedEx/Posta.sk payment page. The scam also includes a fake chat support window to add credibility.

Step 1 – Fake FedEx & Posta.sk “Funds Received” Page (First Screenshot)
Step 2 – Credit Card Harvesting Page & Fake Chat Support (Second Screenshot)
After clicking the “Received” button, the victim is taken to this page.

The goal:
The attacker steals the victim’s credit card details. There is no actual payment of 50 €—the entire transaction is fabricated. The fake chat support window is designed to add legitimacy and answer any questions the victim might have, guiding them to complete the card form.

Red flags to watch for:

  • Illogical request for card details: To receive money (prijať platbu), you never need to enter your credit card details. Receiving funds typically requires providing a bank account number (IBAN) or using a payment service—not a credit card number, expiry date, and CVC.
  • Mixed branding: The page uses both FedEx and Posta.sk logos, which is unusual—these are separate companies. A legitimate transaction would not involve both.
  • Fake chat support: The chat window is not a live support feature but a scripted message designed to reassure victims. Legitimate shipping companies do not use embedded chat windows to walk users through payment receipt.
  • Suspicious URL: The pages are hosted on domains that are not fedex.com, posta.sk, or bazar.sk. Always check the address bar.
  • Reference to Bazar.sk: The chat message mentions Bazar.sk (a Slovak classified site), but the payment page is not on the Bazar.sk domain.
  • Poor grammar and formatting: The Slovak text contains some stylistic inconsistencies, and the “Secured by SSL and RSA-Protocol” badge is generic and not linked to a real security certificate.
  • No login required: Legitimate sales on Bazar.sk or payments via shipping companies do not require entering credit card details on a third-party page.

What to do if you encounter this:

  • Do not click “Prijal 50 €” or enter any credit card details.
  • Do not interact with the fake chat support or follow its instructions.
  • If you are selling items on Bazar.sk or similar platforms, always verify any sale by logging into your account directly—never click links sent by buyers.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Bazar.sk, FedEx, and Slovenská pošta.

Why this scam is effective:
This scam cleverly combines multiple trusted brands (FedEx, Posta.sk, Bazar.sk) to create a false sense of legitimacy. The fake chat support window is a particularly sophisticated touch—it mimics the “live chat” features common on e-commerce sites and provides a seemingly helpful explanation for why the card details are needed. The relatively low amount (50 €) makes the transaction feel plausible, and the 3-day deadline creates urgency.

Protective measures:

  • Always log into the platform (Bazar.sk, etc.) directly to check for sales—never rely on links in messages.
  • Never enter credit card details to receive payment. Receiving money requires your bank account or PayPal details, which are set once in your account settings, not entered per transaction.
  • Be suspicious of any page that asks for your full credit card details outside of a well-known, trusted payment provider.
  • If a buyer claims they have paid through a shipping company or escrow service, verify directly with the official website of that service using a URL you type yourself—never click links in messages.
  • Legitimate chat support will not ask you to enter card details in a separate form; they will guide you to the official website’s secure payment section.

Yad2 phishing page in Hebrew detected

This is a two-step classified ads/phishing scam targeting users in Israel, impersonating the popular Israeli classified platform Yad2. The scam is designed to steal credit card details from sellers by creating a fake “payment received” notification.

Yad2 Classifieds Phishing – Fake “Payment Received” & Card Harvesting (Israeli Variant)

This phishing campaign impersonates Yad2, a leading classified advertisements platform in Israel. The scam targets sellers by creating a fake transaction confirmation page and then requesting credit card details under the guise of “receiving funds” for a sold item.

How it works:
A seller receives a message—likely via the Yad2 messaging system, SMS, or other chat app—from a potential buyer claiming to have paid for the item. The message includes a link to a phishing page that mimics Yad2’s payment interface.

Step 1 – Fake Payment Confirmation Page
The first page displays:

  • The Yad2 logo and branding
  • A specific item (in this case, a product listed at 490 ILS, Israeli shekels)
  • Fabricated buyer details, including a name and an address in Haifa
  • A fake reference or tracking number
  • A button designed to make the seller believe they can “receive” or “claim” the payment

The page is designed to look like an official Yad2 payment confirmation, creating the impression that the buyer has already paid and the funds are waiting.

Step 2 – Credit Card Harvesting Page
After clicking the button, the seller is taken to a second page that requests:

  • Full credit card number
  • Expiration date (month and year)
  • CVC security code

This page also displays the transaction amount (490 ILS) and a reference number to maintain the illusion of a legitimate payment process.

The goal:
The attacker steals the seller’s credit card details. There is no actual buyer or payment—the entire transaction is fabricated. Once the seller submits their card information, the attacker can make unauthorized purchases or sell the data.

Red flags to watch for (without quoting specific text):

  • Illogical request for card details: A seller receiving money should never be asked to enter their credit card information. Receiving funds requires providing bank account details (such as IBAN) or linking a payout method like PayPal—not entering a full card number, expiry date, and CVC.
  • Suspicious URL: The pages are hosted on a domain that is not yad2.co.il. Always check the address bar before entering any information.
  • Fake buyer details: The scam includes plausible but unverifiable buyer information (name, address) to make the transaction seem real. On legitimate Yad2 transactions, payment details and buyer information are handled through the platform’s official system, not displayed on a third-party page.
  • No login required: A legitimate sale on Yad2 would appear in the seller’s account dashboard after logging in. This scam bypasses that entirely, asking for card details without any account authentication.
  • Generic payment form: The second page lacks integration with Yad2’s actual payment providers (such as credit card gateways or PayPal) and does not display the security indicators expected from a legitimate checkout page.

What to do if you encounter this:

  • Do not click any buttons claiming payment is ready.
  • Do not enter your credit card number, expiry date, or CVC on such pages.
  • If you are selling on Yad2, always log into your account directly (by typing yad2.co.il into your browser) to check for real sales and payment status.
  • Never trust links sent by buyers claiming they have paid—legitimate buyers use the platform’s official payment or communication channels.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Yad2’s support team so they can take action to protect other users.

Why this scam is effective:
Yad2 is one of Israel’s most widely used platforms for buying and selling second-hand goods. Sellers are accustomed to receiving messages from buyers and may not suspect a link that appears to show a legitimate-looking payment confirmation. The use of Hebrew text, local addresses, and shekel amounts makes the scam culturally and contextually convincing. The relatively modest amount (490 ILS) is realistic for a typical second-hand item, reducing suspicion.

Protective measures:

  • Always verify any sale by logging directly into your Yad2 account—never through a link sent in a message.
  • Never enter credit card details to receive payment. Payment to sellers is typically handled through bank transfer, cash on pickup, or platform-integrated payment methods that do not require re-entering card details for each transaction.
  • Be suspicious of any message that creates urgency or claims payment is already “waiting” but requires you to click an external link.
  • Enable two-factor authentication (2FA) on your email and any linked payment accounts.
  • If a buyer sends you a link to “claim” payment, treat it as a red flag and verify directly through the platform’s official app or website.

Royal Mail phishing page revealed

Gumtree Classifieds Phishing – Fake “Payment Received” Scam (UK Variant)

This phishing campaign impersonates Gumtree, a widely used classified advertisements platform in the United Kingdom. The scam targets sellers by creating a fake “payment received” page that claims a buyer has already paid for an item. The page includes a fake chat support window to add credibility and pressure the seller into entering credit card details on a following page.

How it works:
A seller receives a message—likely via Gumtree’s messaging system, SMS, email, or another chat app—from a supposed buyer claiming to have paid for the item. The message includes a link to this phishing page.

The Fake Payment Confirmation Page
This single page displays:

  • A prominent payment receipt heading
  • An item description (in this case, a boiler model) with a price in GBP (£395)
  • Fabricated buyer details, including a name and a shipping address
  • A message stating that the buyer has already paid and that the seller should ship the item or await a courier after “receiving funds”
  • Instructions implying that the seller must take action to claim the payment
  • A prominent button designed to initiate the “receipt” of funds
  • A fake chat support window that appears to show a pre-written message claiming to be from Gumtree support, explaining that the buyer paid through Gumtree and that the seller can get full payment immediately

The goal:
The attacker intends to steal the seller’s credit card details. While this screenshot does not show the card entry form, the pattern from similar scams indicates that clicking the “receive” button leads to a second page requesting full credit card number, expiry date, and CVC. There is no actual payment—the buyer, the order, and the support chat are all fabricated.

Red flags to watch for (without quoting specific text):

  • Illogical request flow: The page asks the seller to “receive” money but does so by directing them to a button that leads to a card entry form. In legitimate transactions, sellers receive money directly to their bank account or PayPal—they never need to enter card details to claim payment.
  • Fake chat support: The embedded chat window is not a live support feature but a scripted message designed to reassure the victim. Legitimate Gumtree transactions do not include a live chat pop-up that explains payment processes on third-party pages.
  • Suspicious URL: The page is hosted on a domain that is not gumtree.com. Always check the address bar before entering any information.
  • Vague buyer address: The shipping address appears nonsensical (“Pearland_45562 Garret Locks”)—a tactic to make the listing seem specific without using real identifiable information.
  • No account login required: A legitimate sale on Gumtree would appear in the seller’s account dashboard after logging in. This page bypasses account authentication entirely and asks for sensitive information directly.
  • Pressure to ship: The page instructs the seller to ship the item after “receiving funds” and within a specific timeframe, creating urgency to bypass critical thinking.
  • Mixed branding: While the page references Gumtree in the fake chat, the overall design lacks official Gumtree branding consistency and security indicators.

What to do if you encounter this:

  • Do not click the button to “receive” funds or proceed to any next step.
  • Do not enter any credit card details, even if a subsequent page asks for them.
  • If you are selling on Gumtree, always log into your account directly (by typing gumtree.com into your browser) to check for real sales and messages. Legitimate transactions appear in your account inbox and dashboard.
  • Never trust links sent by buyers claiming they have paid—especially if they direct you to an external page.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Gumtree’s support team.

Why this scam is effective:
Gumtree is one of the UK’s most popular platforms for selling second-hand goods, especially household items like appliances. Sellers are often eager to complete a sale and may click a link in a message without suspicion. The fake chat support window is a particularly convincing touch—it mimics the “live chat” features common on e-commerce sites and provides a seemingly helpful explanation for why the seller needs to “claim” the payment. The £395 price point is realistic for a boiler, making the scam plausible.

Protective measures:

  • Always verify any sale by logging directly into your Gumtree account—never through a link sent in a message.
  • Never enter credit card details to receive payment. Sellers provide payout details (bank account) during account setup; payments are processed automatically.
  • Be suspicious of any page that includes a pop-up chat window claiming to explain a payment process—legitimate platforms do not use such tactics on external pages.
  • If a buyer sends you a link to “claim” payment, treat it as a red flag and verify directly through the platform’s official app or website.
  • Enable two-factor authentication (2FA) on your email and any linked payment accounts.

Subito phishing page detected

Subito.it Classifieds Phishing – Fake “Secure Funds Receipt” Scam (Italian Variant)

This phishing campaign impersonates Subito.it, the most widely used classified advertisements platform in Italy. The scam targets sellers by creating a fake “order” page that claims a buyer has initiated a purchase, then directs the seller to a card harvesting page under the pretext of “receiving funds securely.”

How it works:
A seller receives a message—likely via Subito’s messaging system, SMS, or other chat app—from a supposed buyer claiming to have paid for the item. The message includes a link to the first phishing page.

Step 1 – Fake Order Confirmation Page
The first page displays:

  • Subito branding and a product listing (in this case, a Samsung Galaxy Watch)
  • A price in euros (€130) plus shipping
  • Payment method logos (Visa, PayPal, etc.) to appear legitimate
  • Order details including the buyer’s name and the item
  • A prominent button implying the seller can securely receive funds

The page mimics Subito’s official interface, giving the impression that the transaction is already in progress.

Step 2 – Credit Card Harvesting Page with Fake Chat Support
After clicking the button, the seller is taken to a second page that:

  • Requests full credit card number, expiration date, and CVC
  • Displays the same transaction amount and a reference number
  • Includes a fake chat support window with a pre-written message
  • The chat message claims to be from Subito, explaining that the package has been paid for and that the seller must enter card details to verify their identity and confirm the payment. It falsely states the site is protected by end-to-end encryption.

The goal:
The attacker steals the seller’s credit card details. There is no actual buyer or payment—the entire transaction is fabricated. The fake chat window is designed to answer objections and pressure the seller into completing the card form.

Red flags to watch for:

  • Illogical request for card details: A seller receiving money should never be asked to enter their credit card number, expiry date, and CVC. Receiving funds requires bank account details (IBAN) or a linked payout method—not card credentials.
  • Fake chat support: The embedded chat window is not a live support feature but a scripted message. Legitimate Subito transactions do not include a pop-up chat that explains payment procedures on a third-party page.
  • Suspicious URL: The pages are hosted on a domain that is not subito.it. Always check the address bar before entering any information.
  • No login required: A legitimate sale on Subito would appear in the seller’s account dashboard after logging in. This scam bypasses account authentication entirely.
  • Generic payment form: The second page lacks integration with Subito’s actual payment system (Tantum) and does not display the expected security indicators of a legitimate checkout page.
  • Pressure to act: The combination of a realistic product price (€130) and the fake chat’s reassuring tone is designed to lower the seller’s guard and encourage quick action.

What to do if you encounter this:

  • Do not click any buttons promising to “receive” funds.
  • Do not enter your credit card details, expiry date, or CVC on such pages.
  • If you are selling on Subito, always log into your account directly (by typing subito.it into your browser) to check for real sales and messages.
  • Never trust links sent by buyers claiming they have paid—especially those directing you to external pages.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Subito’s support team.

Why this scam is effective:
Subito.it is Italy’s dominant classified platform, with millions of users. Sellers are accustomed to receiving messages about their listings and may not suspect a link that appears to show a legitimate order confirmation. The fake chat support window adds a layer of “customer service” that can convince hesitant victims. The €130 price point for a Samsung Galaxy Watch is realistic, making the scam plausible.

Protective measures:

  • Always verify any sale by logging directly into your Subito account—never through a link sent in a message.
  • Never enter credit card details to receive payment. Sellers provide payout details (bank account) during account setup; payments are processed automatically.
  • Be suspicious of any page that includes a pop-up chat window claiming to explain a payment process—legitimate platforms do not use such tactics on external pages.
  • If a buyer sends you a link to “claim” payment, treat it as a red flag and verify directly through the platform’s official app or website.
  • Enable two-factor authentication (2FA) on your email and any linked payment accounts.

DPD phishing page in Slovak detected

DPD & Posta.sk Phishing – Fake “Funds Receipt” Scam with PS5 Lure (Slovak Variant)

This phishing campaign impersonates DPD and Slovenská pošta (Posta.sk) to target sellers on Slovak classified platforms (such as Bazar.sk). The scam uses a PlayStation 5 (PS5) as the fake item—a high-value, frequently sought-after product—to make the transaction seem plausible and urgent. The scam includes a fake chat support window to pressure the seller into entering credit card details.

How it works:
A seller receives a message—likely via Bazar.sk’s messaging system, SMS, or other chat app—from a supposed buyer claiming to have paid for the item. The message includes a link to the first phishing page.

Step 1 – Fake DPD & Posta.sk “Funds Received” Page
The first page displays:

  • DPD logo
  • A heading suggesting receipt of funds
  • A high-value item: PlayStation 5 (PS5) with a price in euros (€500)
  • Text referencing Posta.sk as a transaction guarantor
  • A button implying the funds have been received or can be claimed
  • A generic security badge (SSL/RSA)

Step 2 – Credit Card Harvesting Page with Fake Chat Support
After clicking the button, the seller is taken to a second page that:

  • Requests full credit card number, expiration date, and CVC
  • Displays the same transaction amount (€500) and a reference number
  • Includes a fake chat support window with pre-written messages
  • The chat messages claim to be from support, explaining that the buyer paid through Bazar.sk and that the seller must “link” their card to receive the payment

The goal:
The attacker steals the seller’s credit card details. There is no actual buyer or payment—the entire transaction is fabricated. The fake chat window is designed to answer objections and pressure the seller into completing the card form.

Red flags to watch for:

  • Illogical request for card details: A seller receiving money should never be asked to enter their credit card number, expiry date, and CVC. Receiving funds requires bank account details (IBAN) or a linked payout method—not card credentials.
  • Mixed branding: The page uses both DPD and Posta.sk branding, which is unusual—these are separate companies. A legitimate transaction would not involve both.
  • Fake chat support: The embedded chat window is not a live support feature but a scripted message. Legitimate shipping companies and classified platforms do not use pop-up chats on external pages to guide users through payment receipt.
  • Suspicious URL: The pages are hosted on a domain that is not dpd.sk, posta.sk, or bazar.sk. Always check the address bar.
  • High-value lure: The PS5 is a popular, often hard-to-find item. Scammers use such products to attract sellers and create urgency.
  • No account login required: A legitimate sale would appear in the seller’s Bazar.sk account dashboard after logging in. This scam bypasses account authentication entirely.

What to do if you encounter this:

  • Do not click any buttons claiming funds are ready.
  • Do not enter your credit card details, expiry date, or CVC on such pages.
  • If you are selling on Bazar.sk or similar platforms, always log into your account directly (by typing the official URL) to check for real sales and messages.
  • Never trust links sent by buyers claiming they have paid—especially those directing you to external pages.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Bazar.sk, DPD, and Slovenská pošta.

Why this scam is effective:
This scam combines multiple trusted brands (DPD, Posta.sk, Bazar.sk) to create a false sense of legitimacy. The PS5 is a highly desirable item with a realistic second-hand price (€500), making the transaction plausible. The fake chat support window adds a layer of “customer service” that can convince hesitant victims. The pressure to “link” a card to receive payment is presented as a simple technical step, lowering suspicion.

Protective measures:

  • Always verify any sale by logging directly into your Bazar.sk or other platform account—never through a link sent in a message.
  • Never enter credit card details to receive payment. Sellers provide payout details (bank account) during account setup; payments are processed automatically.
  • Be suspicious of any page that includes a pop-up chat window claiming to explain a payment process—legitimate platforms do not use such tactics on external pages.
  • If a buyer sends you a link to “claim” payment, treat it as a red flag and verify directly through the platform’s official app or website.
  • Enable two-factor authentication (2FA) on your email and any linked payment accounts.