Hotmail and Microsoft fake pages detected

Microsoft/Outlook Phishing – Fake Account Verification Scam

This phishing campaign impersonates Microsoft (specifically Hotmail/Outlook) to steal email account credentials. The scam is presented in two steps: a deceptive warning page followed by a fake login form.

How it works:
The victim receives an email, SMS, or social media message—likely in Spanish—claiming their email account requires verification or is at risk of being suspended. The link leads to the first phishing page.

Step 1 – The Fake Verification Warning (First Screenshot)
This page displays:

A heading: “HOTMAIL PREMIUM”

A message in Spanish: “VERIFIQUE SU CUENTA DE CORREO ELECTRÓNICO DE FORMA CORRECTA PARA QUE SIGA DISFRUTANDO DE NUESTROS SERVICIOS”
(Translation: “Verify your email account correctly so that you continue enjoying our services.”)

A button: “VERIFICA TU CUENTA” (Verify your account)

A footer: “© Microsoft 2023”

The page uses urgency and fear—implying that failure to verify will result in loss of service.

Step 2 – Fake Microsoft Login Page (Second Screenshot)
After clicking “VERIFICA TU CUENTA,” the victim is taken to a fake Microsoft login page. This page asks for:

Correo electrónico (Email address)

It mimics Microsoft’s branding with the official Microsoft logo and the “Iniciar Sesión” (Sign in) header.

The goal:
The attacker aims to steal Microsoft/Outlook/Hotmail email credentials. Once they have the email address and password (likely captured on a subsequent page after the email is entered), they can:

Access the victim’s emails (searching for sensitive information or password reset links)

Reset passwords for other accounts linked to that email (banking, social media, etc.)

Use the compromised email to send further phishing messages to the victim’s contacts

Red flags to watch for:

No personalization: Legitimate Microsoft security alerts address you by your name or partial email address. This page uses a generic warning.

Suspicious URL: Both pages are hosted on domains that are not microsoft.com or outlook.com.

Poor Spanish grammar: The phrasing “VERIFIQUE … PARA QUE SIGA DISFRUTANDO” is slightly awkward. Official Microsoft communications are professionally localized.

No two-factor authentication (2FA) mention: Legitimate Microsoft account verification often involves 2FA or confirmation within the authenticator app—not simply clicking a link and entering a password.

Generic footer: The footer only shows “© Microsoft 2023” and a random “CREATE A FREE BIO SITE” link, which is completely unrelated to Microsoft and a clear indicator of a fake page.

Single-field login: The second page asks only for email initially, but a subsequent page would ask for a password. Phishing pages sometimes do this to first validate if the email is active before presenting the password field.

What to do if you encounter this:

Do not click “VERIFICA TU CUENTA” or enter any email or password.

If you are concerned about your Microsoft account, go directly to outlook.com or account.microsoft.com by typing the URL into your browser—never click links in unsolicited messages.

Legitimate Microsoft account verification never requires you to click a link in an email to “verify” your account. Instead, you may receive a code via SMS or email that you enter on the official site if you initiated a change.

Report the phishing page to Microsoft using their reporting tools: forward suspicious emails to [email protected] or use the “Report Message” add-in in Outlook.

Why this scam is effective:
Email accounts are a high-value target because they serve as the “keys to the kingdom” for password resets across other services. Spanish-speaking users may be less frequently targeted with localized phishing, making this campaign particularly dangerous. The use of Microsoft branding and the fear of losing email service prompts users to act quickly without scrutinizing the URL or page details.

Protective measures:

Enable two-factor authentication (2FA) on your Microsoft account to prevent unauthorized access even if your password is stolen

Always check the URL before entering credentials—Microsoft’s login pages always end in microsoft.com or live.com

Be suspicious of any message that creates urgency and asks you to “verify” your account by clicking a link

If in doubt, contact Microsoft support through official channels rather than using links in suspicious messages

Nuevo Banco del Chaco phishing page detected

Nuevo Banco del Chaco Phishing – Fake Platform Update Scam

This phishing campaign impersonates Nuevo Banco del Chaco (NBCH), a bank serving the Chaco province in Argentina. The scam uses the pretext of a “platform update” or “security verification” to steal online banking credentials.

How it works:
The victim receives a phishing email, SMS, or social media message—likely in Spanish—claiming that the bank has updated its online banking platform (Home Banking) and that the user must verify their account to continue using services. The link leads to the first phishing page.

Step 1 – Fake Platform Update Notification (First Screenshot)
This page displays:

“VERIFIQUE SU CUENTA” (Verify your account) as a prominent heading

A message in Spanish: “TE INVITAMOS A CONOCER EL RENOVADO HOME BANKING. Mejoramos nuestra plataforma para que sea aún más fácil, ágil y cómoda para hacer tus operaciones.”
(Translation: “We invite you to get to know the renewed Home Banking. We improved our platform to make your transactions even easier, faster, and more convenient.”)

The bank’s name: “Nuevo Banco del Chaco SA”

A reference to the official website: www.nbch.com.ar

A button: “VERIFIQUE SU CUENTA”

The page mimics NBCH’s branding and uses the bank’s real website URL in the text to appear legitimate.

Step 2 – Fake Security Verification Page (Second Screenshot)
After clicking the verification button, the victim is taken to this page, which displays:

“VERIFICA TU CUENTA POR SEGURIDAD Y SIGUE DISFRUTANDO DE NUESTROS SERVICIOS”
(Translation: “Verify your account for security and continue enjoying our services”)

Another “VERIFIQUE SU CUENTA” button

Footer with a copyright notice and customer service phone numbers (which may be copied from the real bank)

The actual credential harvesting form likely appears after clicking the button on this second page (though not shown in the screenshots, such forms typically request User ID, password, or security details).

The goal:
The attacker aims to steal NBCH online banking credentials. By impersonating a legitimate “platform update” or “security verification,” the scam tricks users into entering their login details on a fake page, giving attackers direct access to their bank accounts.

Red flags to watch for:

Suspicious URL: Both pages are hosted on a domain (antiphishing.biz) that is not nbch.com.ar or any official NBCH domain.

No personalization: The messages address the user generically rather than using their name or account details.

Two-step verification process: Legitimate banks do not require clicking a link in an email to “verify” an account due to a platform update. Such updates are communicated via official app notifications or direct mail, and users are expected to log in normally (not through a provided link).

Unusual footer content: The second page includes “CREATE A FREE BIO SITE” at the bottom—a completely unrelated and suspicious addition that no legitimate bank would include.

Urgency without authentication: The page pressures the user to “verify” without requiring any prior authentication, which is a common phishing tactic.

Copy of official content: While the first page references the real NBCH website (www.nbch.com.ar), the phishing site itself is not on that domain. Attackers often copy legitimate URLs into text to mislead users.

What to do if you encounter this:

Do not click the “VERIFIQUE SU CUENTA” buttons or enter any personal information.

If you are an NBCH customer, always access your online banking by typing www.nbch.com.ar directly into your browser or by using the official NBCH mobile app.

Never log into your bank account through a link sent via email, SMS, or social media.

Report the phishing page to Nuevo Banco del Chaco using their official customer service channels (e.g., the phone numbers listed on their genuine website, not those on the phishing page).

Why this scam is effective:
Regional banks in Argentina, such as NBCH, have a strong local customer base. Phishing campaigns that use the pretext of a “platform update” exploit the fact that users may have heard about digital transformation efforts at their bank. The use of the real bank URL in the text and the familiar branding lowers suspicion. Additionally, the page is fully localized in Argentine Spanish, making it more convincing than generic phishing attempts.

Protective measures:

Always verify the URL in your browser’s address bar before entering any credentials

Bookmark the official bank website and use that bookmark to log in

Enable two-factor authentication (2FA) if offered by the bank

Be suspicious of any unsolicited message that asks you to “verify” or “update” your account

If you receive such a message, contact your bank directly using a phone number or email from your bank statement or official website—never use contact details provided in the suspicious message.

Facebook and Freefire fake pages detected

Free Fire “Skin Generator” Scam – Facebook Credential Harvesting

This phishing campaign targets players of Free Fire, a popular mobile battle royale game developed by Garena. The scam promises free in-game skins and diamonds through a fake “generator” tool. In reality, it is a multi-step scheme designed to steal victims’ Facebook login credentials (the primary method of logging into Free Fire on many devices).

How it works:
The victim encounters a link to this scam via YouTube videos, TikTok, Discord, Instagram, or other social media platforms, often with captions like “Free Fire Free Diamonds Generator 2023” or “Get Free Skins No Human Verification.”

Step 1 – Selection Page (First Screenshot)
The victim is presented with a page showing various skins (e.g., “Chocolate”) and diamonds. The interface mimics a legitimate selection menu, asking the user to choose what they want to “generate.”

Step 2 – Username & Platform Entry (Second Screenshot)
The victim is asked to enter their Free Fire username and select their platform. This is designed to make the scam feel personalized and legitimate.

Step 3 – Fake Progress Indicator (Third Screenshot)
A progress bar appears showing “Generating…” with a percentage (e.g., 15%). This builds anticipation and tricks the victim into believing the generator is working.

Step 4 – “Sponsor Activity” Requirement (Fourth Screenshot)
After the fake generation, the victim is told that to complete the process, they must complete a “sponsor activity” – typically described as a quick verification step that “helps pay for your skins.” A countdown timer (Time Left: 0442) creates urgency. The text appears in multiple languages (English and Dutch) to target a broader audience.

Step 5 – Facebook Login Phishing Page (Fifth Screenshot)
The “sponsor activity” leads to a fake Facebook login page. This page asks for:

Email or Phone

Password

Once the victim enters their Facebook credentials, the information is sent directly to the attacker.

The goal:
The attacker steals the victim’s Facebook login credentials. Since many Free Fire players log into the game using their Facebook account, gaining access to the Facebook account effectively gives the attacker control over the victim’s Free Fire account as well. Attackers can then:

Steal or sell the Free Fire account

Access personal information linked to Facebook

Use the compromised Facebook account to spread the scam further to the victim’s friends

Red flags to watch for:

“Too good to be true” offer: No legitimate service provides free in-game currency or rare skins through an external “generator.” Such items must be purchased or earned through official game events.

No official branding: The pages use generic “FREE FIRE” text but lack official Garena branding, logos, or copyright notices.

Request for credentials: The final step asks for Facebook login details. No legitimate in-game reward system ever requires entering Facebook credentials on a third-party site.

Fake “sponsor activity” concept: The “sponsor activity” is a common phishing tactic to justify why the user must complete an additional step, often involving a credential harvest or survey scam.

Multiple languages: The presence of Dutch text alongside English suggests a broad targeting but also indicates unprofessional localization—official Garena communications are consistently in one language per region.

Countdown timer: The timer creates artificial urgency to pressure the user into completing the “verification” without thinking.

Suspicious URL: All pages are hosted on domains that are not garena.com or facebook.com.

What to do if you encounter this:

Do not enter your Free Fire username, select a platform, or proceed through any steps.

Do not enter your Facebook email/phone and password on the final page.

If you have already entered your Facebook credentials, change your Facebook password immediately, enable two-factor authentication (2FA), and check for any unauthorized activity.

If you use the same password for other accounts, change those passwords as well.

Report the phishing page to Facebook and to Garena (Free Fire’s developer).

Why this scam is effective:
Free Fire is extremely popular, especially among younger audiences who may be eager for free in-game items. The multi-step process with progress bars and “sponsor activity” explanations makes the scam feel elaborate and legitimate. The use of Facebook as the final credential harvest is strategic because many Free Fire players have their game progress tied directly to their Facebook account—losing Facebook access means losing their game progress and purchases.

Protective measures:

Never trust third-party “generators” or “hacks” that promise free in-game currency or items. They are always scams.

Enable two-factor authentication (2FA) on your Facebook account to protect it even if your password is stolen.

Log into Free Fire only through the official app and official Garena methods.

Educate younger gamers about these scams, as they are frequently targeted.

Freefire fake page and Facebook phishing revealed

Free Fire “Rewards Generator” Scam – Facebook Credential Harvesting (Variant)

This phishing campaign targets Free Fire players by promising free in-game rewards (skins, diamonds, rare items) through a fake “generator” tool. The scam uses a multi-step process designed to steal victims’ Facebook login credentials, which are commonly used to access Free Fire accounts.

How it works:
The victim encounters a link to this scam via YouTube, TikTok, Discord, Instagram, or other social media platforms with enticing claims of free rewards.

Step 1 – Reward Selection Page (First Screenshot)
The victim lands on a page displaying numerous reward icons (weapons, skins, items) with “COLLECT” buttons. The page includes:

A suspicious URL: lesilesalacarte.com/… (not associated with Garena)

Text indicating “Fake MWM got a game reward” (likely a tester’s note)

Garena branding to appear legitimate

Step 2 – Username & Platform Entry (Second Screenshot)
The victim is asked to:

Enter their Player Username (Free Fire in-game name)

Select their platform

Click “START THE TRANSFER”

This step collects basic information and creates the illusion of a personalized reward delivery.

Step 3 – Reward Confirmation (Third Screenshot)
After submitting the username and platform, the victim sees another page filled with reward icons and “COLLECT” buttons. This reinforces the belief that rewards are ready to be claimed. A “Back to reward” link allows navigation, but all paths lead to the verification trap.

Step 4 – “Manual Human Verification” Requirement (Fourth Screenshot)
This page claims:

“Manual Human Verification is Required.”

Explanation: many robots try to use the generator, so to prove the user is human, they must complete a “quick task” (register a phone number or download a mobile app).

The instructions claim: “All applications are safe and must be running for 30 seconds to complete verification. You can delete apps later.”

This is a classic social engineering tactic to convince victims to complete the next step.

Step 5 – Facebook Login Phishing Page (Fifth Screenshot)
The “VERIFY NOW” button leads to a fake Facebook login page. This page asks for:

Mobile number or email address

Password

The page mimics Facebook’s mobile login interface and includes multiple language options to appear authentic.

The goal:
The attacker steals the victim’s Facebook credentials. Since Free Fire accounts are often linked to Facebook, this grants the attacker access to both the Facebook account and the associated Free Fire game account. Attackers can then:

Steal or sell the Free Fire account (including any purchased items or progress)

Access personal information on Facebook

Use the compromised Facebook account to spread the scam to the victim’s friends

Red flags to watch for:

“Too good to be true” offer: No legitimate service provides free in-game currency or rare items through an external website. Garena sells diamonds and items only through official channels.

Suspicious URL: The initial page is hosted on lesilesalacarte.com, a domain completely unrelated to Garena (garena.com) or Free Fire.

No official branding consistency: While the pages use the Free Fire and Garena names, they lack official logos, copyright notices, and professional design elements.

“Human verification” scam pattern: The requirement to “verify” by completing a task (phone registration, app download) is a classic phishing tactic. No legitimate game reward system uses such methods.

Facebook login request: The final step asks for Facebook credentials. Legitimate in-game rewards never require logging into Facebook through a third-party site.

Multiple “COLLECT” buttons: The repetitive design is meant to overwhelm the user and create a sense of abundance, but it is unprofessional and inconsistent with official Garena interfaces.

“Back to reward” loop: The navigation allows users to go back, but all paths eventually lead to the same phishing request.

What to do if you encounter this:

Do not enter your Free Fire username, select a platform, or click any “COLLECT” or “START THE TRANSFER” buttons.

Do not complete any “human verification” tasks, especially those asking for phone numbers or app downloads.

Do not enter your Facebook email/phone and password on the final page.

If you have already entered your Facebook credentials, change your Facebook password immediately, enable two-factor authentication (2FA), and check for any unauthorized activity.

Report the phishing page to Facebook and to Garena (Free Fire’s developer).

Why this scam is effective:
Free Fire has a massive global player base, especially among younger audiences who may be more susceptible to offers of free premium content. The multi-step process with multiple reward icons and the “human verification” explanation makes the scam appear legitimate and elaborate. The use of Facebook as the final credential harvest is strategic—once attackers have Facebook access, they can compromise the game account and potentially spread the scam further.

Protective measures:

Never trust third-party “generators” or “hacks” that promise free in-game currency or items. They are always scams.

Enable two-factor authentication (2FA) on your Facebook account to prevent unauthorized access even if your password is stolen.

Log into Free Fire only through the official app and official Garena methods.

Educate younger gamers about these scams, as they are frequently targeted through social media platforms.

Facebook phishing page detected

Free Fire “Anniversary Event” Scam – Facebook Credential Harvesting (Indonesian Variant)

This phishing campaign targets Free Fire players in Indonesia and other Indonesian-speaking regions by promoting a fake “anniversary event” offering free rewards. The scam uses localized language and cultural references to appear legitimate.

How it works:
The victim encounters a link to this scam via social media platforms (YouTube, TikTok, Instagram, Facebook) or messaging apps, often with captions promoting a Free Fire anniversary giveaway.

Step 1 – Fake Anniversary Promotion (First Screenshot)
The victim lands on a page with:

A suspicious URL: dangerous walkmiepaltreks.com/… (clearly not an official domain)

Indonesian text: “EXCEPT YANG DI TUNGBU-TUNGBU PARA BURNHOR DENGAN BERBABAN HADIAN KEREN JIJIN AND ELJIYY SPECIALI FREE DIFFS IN THIS ANNIVERSARY”
(Note: The text contains multiple typos and nonsensical phrases, likely machine-translated or poorly written.)

A heading: “4TH ANNIVERSARY”

A button: “AMBIL HADIAH” (Take Prize)

Step 2 – Login Request (Third Screenshot – second image failed to load)
After clicking “AMBIL HADIAH,” the victim is taken to a page that instructs:

Indonesian: “LIGHT DENGAN AKUR ANDA UNTUK MEDIAPATKAN HADIAN ANDA”
(Rough translation: “Login with your account to get your prize”)

A button: “Login dengan Facebook” (Login with Facebook)

Step 3 – Fake Facebook Login Page (Fourth Screenshot)
Clicking the login button leads to a fake Facebook login page. This page:

Asks for Nomer ponsel atau email (Mobile number or email) and Kata Sandi (Password)

Includes Facebook branding and language options (Bahasa Indonesia, English, etc.)

Is designed to steal the victim’s Facebook credentials

The goal:
The attacker steals the victim’s Facebook login credentials. Since many Free Fire players in Indonesia use Facebook to log into the game, gaining access to the Facebook account gives attackers control over the associated Free Fire account as well.

Red flags to watch for:

Suspicious URL: The initial page is hosted on a domain unrelated to Garena or Free Fire (dangerous walkmiepaltreks.com with obvious typos).

Poor Indonesian grammar: The text contains multiple misspellings and awkward phrasing (e.g., “EXCEPT YANG DI TUNGBU-TUNGBU,” “BERBABAN HADIAN,” “JIJIN AND ELJIYY”). Official Garena announcements use correct, professional Indonesian.

No official branding: The pages lack official Garena or Free Fire logos and copyright notices.

Anniversary timing: While Free Fire does have anniversary events, they are always announced and hosted on official channels (ff.garena.com), never through third-party domains.

Facebook login requirement: No legitimate Free Fire event requires logging into Facebook through a third-party link. Official events are accessed within the game app or on official Garena websites.

Multiple typos: The heading “4MWERSARY” instead of “4TH ANNIVERSARY” is a clear typo that indicates a fake page.

What to do if you encounter this:

Do not click “AMBIL HADIAH” or “Login dengan Facebook.”

Do not enter your Facebook email/phone and password on the fake login page.

If you are a Free Fire player, always check official Free Fire social media accounts and the official website (ff.garena.com) for legitimate event information.

If you have already entered your Facebook credentials, change your Facebook password immediately, enable two-factor authentication (2FA), and check for any unauthorized activity.

Report the phishing page to Facebook and to Garena.

Why this scam is effective:
Indonesia has a massive Free Fire player base, and anniversary events are highly anticipated. Scammers exploit this by creating fake “anniversary giveaway” pages that mimic the excitement of official events. The use of the Indonesian language (even with errors) makes the scam more convincing to local users than generic English phishing pages.

Protective measures:

Never click links claiming to offer free Free Fire rewards from unofficial sources.

Always access Free Fire events through the official game app or official Garena websites.

Enable two-factor authentication (2FA) on your Facebook account.

Be suspicious of any page that asks for your Facebook login credentials outside of facebook.com.

DPD phishing page in Czech detected

DPD Czech Phishing – Fake “Buyer Payment Confirmation” & Card Harvesting

This phishing campaign impersonates DPD, a legitimate international parcel delivery service, specifically targeting customers in the Czech Republic. The scam uses the pretext of a “buyer payment confirmation” to trick victims into entering credit card details on a fake payment page.

How it works:
The victim receives a phishing email or SMS claiming that a buyer has paid for a shipment or that a package requires payment confirmation. The link leads to a series of fake DPD-branded pages.

Step 1 – Fake DPD Landing Page (First Screenshot)
The page displays:

A suspicious URL: dpd cz.info orders7657 pw/… (not the official DPD domain)

DPD branding and navigation links (copied from the real DPD website)

A heading: “Potvrzení o zaplacení kupujícím” (Buyer payment confirmation)

A button or link likely leading to the next step (not fully visible in this screenshot)

The page mimics DPD’s legitimate Czech website layout to appear authentic.

Step 2 – Fake DPD Information Page (Second Screenshot)
This page displays legitimate-looking DPD content about the company’s services, corporate social responsibility, and support. Attackers often copy entire sections from real websites to make the phishing page appear credible. The page includes:

DPD’s real branding, mission statements, and navigation menus

Social media links and cookie policy information (copied from the official site)

However, the page is hosted on the fraudulent domain, not dpd.cz.

Step 3 – Bank Selection Page (Third Screenshot)
The victim is directed to a page asking them to select their bank from a list of major Czech and international banks, including:

MONETA

mBank

UniCredit

Raiffeisen BANK

Česká spořitelna

KB (Komerční banka)

Fio banka

and many others

This page is designed to make the victim believe they are about to complete a legitimate payment through their own bank’s secure portal.

Step 4 – Credit Card Harvesting Page (Fourth Screenshot)
After selecting a bank, the victim is taken to a page that requests:

Full credit card number (placeholder: XXXX XXXXX XXXXX XXXXX)

Expiry date (MM/YY)

Cardholder name and surname

The page displays a DPD logo and an amount: 2999 Kč (Czech koruna), along with a transaction number (#163962098).

The goal:
The attacker steals the victim’s credit card details (card number, expiry date, and cardholder name). With this information, they can make fraudulent online purchases, create cloned cards, or sell the data. There is no legitimate payment—the entire “buyer confirmation” and delivery context is fabricated.

Red flags to watch for:

Suspicious URL: The initial page is hosted on dpd cz.info orders7657 pw/…. The official DPD Czech domain is dpd.cz. Any deviation (extra words, misspellings, or different TLDs like .info) is a red flag.

Unusual request for card details: DPD does not process payments through a “bank selection” page that asks for full credit card details on a third-party site. Legitimate DPD payments are handled through integrated payment gateways (e.g., ComGate, GoPay) on the official website.

Context mismatch: The scam combines a “buyer payment confirmation” (suggesting the victim is receiving money) with a request for the victim’s own credit card details. This is illogical—receiving money does not require entering your card information.

Copied content: The second page contains legitimate DPD text, but it is hosted on a fake domain. Attackers often copy entire sections of real websites to make their pages look authentic.

Generic transaction details: The transaction number (#163962098) and amount (2999 Kč) are fabricated and not tied to any real shipment.

No login or tracking number: A legitimate DPD payment confirmation would require a tracking number or reference to a specific shipment. This page lacks any such identifier.

What to do if you encounter this:

Do not select your bank or enter any credit card details.

Do not enter any personal information on these pages.

If you are expecting a package from DPD, go directly to dpd.cz and enter your tracking number to check its status.

If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.

Report the phishing page to DPD Czech and to the relevant anti-phishing authorities.

Why this scam is effective:
DPD is a widely used delivery service in the Czech Republic. The scam exploits the common scenario of e-commerce transactions where buyers pay for shipments. The copied legitimate content from DPD’s real website makes the fake pages visually convincing. The bank selection list with well-known Czech banks adds to the illusion of authenticity, making victims believe they are being redirected to a secure banking portal.

Protective measures:

Always type the official URL (dpd.cz) directly into your browser to track shipments or make payments.

Never click links in unsolicited emails or SMS messages claiming delivery issues or payment confirmations.

Be suspicious of any page that asks for your credit card details outside of a well-known, secure payment gateway (e.g., ComGate, GoPay) on the official merchant site.

Check the URL carefully—phishing domains often contain the brand name but add extra words, use different TLDs (.info, .site, .xyz), or have slight misspellings.
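The “Suspicious URL” red flag in the Microsoft write-up (login pages should end in an official Microsoft domain) and the DPD one (brand name plus extra words, a different TLD, or a misspelling) can be turned into a small triage check. The script below is an added example, not code from any of the campaigns or brands described; the allow-list of official domains, the two-label suffix table and the lookalike substitutions are simplified, constructed inputs for illustration.

```python
"""Flag brand-impersonating URLs with the heuristics from the write-ups above.

A URL is suspicious when its host name contains a brand keyword (possibly with
hyphens, extra words, a different TLD or common lookalike spellings) but its
registrable domain is not one of that brand's official domains.
"""
from urllib.parse import urlsplit

# Allow-list constructed for this example: brand keyword -> official registrable
# domains. A real deployment would take this from the brand owner's own list.
OFFICIAL_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "outlook.com"},
    "nbch": {"nbch.com.ar"},
    "garena": {"garena.com"},
    "facebook": {"facebook.com"},
    "dpd": {"dpd.cz", "dpd.com"},
}

# Minimal stand-in for the Public Suffix List, so that nbch.com.ar is treated
# as one registrable domain instead of "com.ar".
TWO_LABEL_SUFFIXES = {"com.ar", "com.br", "co.uk", "com.tr", "co.id"}

# Character swaps commonly used to make a host *look* like the brand name.
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def host_of(url: str) -> str:
    """Lower-cased host name of a URL; a bare host without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """eTLD+1 of a host, using the small suffix table above."""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize_for_brand_match(host: str) -> str:
    """Strip separators and undo the lookalike substitutions before keyword search."""
    flat = host.replace("-", "").replace(".", "")
    for fake, real in LOOKALIKES:
        flat = flat.replace(fake, real)
    return flat


def classify_url(url: str) -> tuple:
    """Return (verdict, reason) with verdict 'official', 'brand-lookalike' or 'no-brand'."""
    host = host_of(url)
    if not host:
        return "no-brand", "no host name in URL"
    reg = registrable_domain(host)
    all_official = {d for domains in OFFICIAL_DOMAINS.values() for d in domains}
    # Any subdomain of an official registrable domain is official (e.g. login.live.com).
    if reg in all_official:
        return "official", f"{reg} is an official domain"
    # Brand keyword anywhere in the host (after normalisation) but on a foreign
    # registrable domain: extra words, different TLD, or a lookalike spelling.
    # Substring matching is deliberately aggressive: this is triage, not blocking.
    flat = normalize_for_brand_match(host)
    for brand in OFFICIAL_DOMAINS:
        if brand in flat:
            return "brand-lookalike", f"'{brand}' appears in host but registrable domain is {reg}"
    return "no-brand", f"{reg} references no tracked brand"


if __name__ == "__main__":
    # Constructed sample URLs modelled on the patterns described in the write-ups.
    for sample in [
        "https://login.live.com/",
        "https://www.nbch.com.ar/",
        "https://dpd-cz.info/orders7657/",
        "https://rnicros0ft-verify.xyz/",
        "https://facebook.com.verify-account.example/login",
        "http://antiphishing.biz/",
    ]:
        verdict, reason = classify_url(sample)
        print(f"{verdict:16} {sample}  ({reason})")
```

Note the limit this shows: a host that carries no brand keyword at all, such as the NBCH pages hosted on antiphishing.biz, comes back as “no-brand”, so host-name checks must be paired with what the page itself displays (brand logos, copied text, credential forms).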

Sahibinden phishing page detected

Fake Shipment Tracking Scam – “Receive Funds” Card Harvesting

This phishing campaign is designed to steal credit card details from users selling items online (likely on classified ad platforms such as Sahibinden, Letgo, or Facebook Marketplace). The scam creates a fake shipment tracking interface and pressures the seller to “receive funds” by entering their card information.

How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item and that the payment is being held by a shipping or escrow service. The buyer sends a link to this fake tracking page.

Step 1 – Fake Shipment Tracking Page (First Screenshot)
The page uses Turkish lira and location details to appear legitimate.

Step 2 – Credit Card Harvesting Page (Second Screenshot)

The goal:
The attacker aims to steal the victim’s credit card details. There is no actual payment of 3000 TRY waiting to be received—the entire transaction is fabricated. If the victim enters their card details, the attacker can make unauthorized purchases or sell the information.

Red flags to watch for:

  • Illogical request for card details: To receive money (funds), you never need to enter your credit card details. Receiving funds typically requires providing a bank account number or using a payment service (e.g., PayPal, IBAN), not a credit card number, expiry date, and CVC.
  • Fake tracking status: The status timeline claims “the package is paid” and “funds are waiting to be received,” but the seller is being asked to pay—this is contradictory.
  • Suspicious URL: Both pages are hosted on domains that are not legitimate shipping or payment services. The URLs visible in the first screenshot (dpd cz.info orders... from previous examples) indicate a pattern of phishing domains.
  • Generic payment page: The second page lacks any recognizable payment processor branding (e.g., Stripe, Iyzico, PayPal) and does not use a secure payment gateway.
  • No actual buyer or order context: The seller has no way to verify the shipment or the buyer’s identity through legitimate channels.
  • Poor design consistency: The first page mixes shipment tracking elements with a “receive funds” button, which is not how legitimate shipping or payment services operate.

What to do if you encounter this:

  • Do not click “RECEIVE FUNDS” or enter any credit card details.
  • Do not enter your card number, expiry date, or CVC on this page.
  • If you are selling items online, never click links sent by buyers claiming payment is waiting. Legitimate buyers pay through official platform mechanisms or in cash upon pickup.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the classified platform where the scam originated.

Why this scam is effective:
In Turkey, classified ad platforms are widely used, and sellers often ship items after receiving payment. This scam exploits the seller’s expectation of a legitimate transaction by providing a fake tracking number and shipment status. The “funds are waiting to be received” message creates excitement and urgency, overriding the suspicion that receiving money should never require entering credit card details.

Protective measures:

  • Always complete transactions through the official payment system of the platform you are using (e.g., Sahibinden’s “Güvenli Ödeme” system).
  • Never accept payment through links sent by buyers—insist on in-person cash or official platform transactions.
  • Remember: receiving money never requires your credit card information.
  • If a buyer claims they have paid through a shipping company or escrow service, verify directly with the official website of that service using a URL you type yourself—never click links in messages.

Die Post (Swiss Post) phishing page detected

Fake Package Tracking Scam – “Receive Funds” Card Harvesting (Swiss/German Variant)

This phishing campaign is designed to steal credit card details from users selling items online (likely on classified ad platforms such as Ricardo, Tutti, or Facebook Marketplace) in Switzerland and German-speaking Europe. The scam creates a fake shipment tracking interface and pressures the seller to “receive funds” by entering their card information.

How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item and that the payment is being held by a shipping or escrow service. The buyer sends a link to this fake tracking page.

Step 1 – Fake Tracking Status Page (First Screenshot)
The page instructs the seller to ship the item after “receiving” funds.

Step 2 – Fake Package Details Page (Second Screenshot)

Step 3 – Credit Card Harvesting Page (Third Screenshot)

The goal:
The attacker steals the victim’s credit card details. There is no actual payment of 105 CHF waiting to be received—the entire transaction is fabricated. If the victim enters their card details, the attacker can make unauthorized purchases or sell the information.

Red flags to watch for:

  • Illogical request for card details: To receive money, you never need to enter your credit card details. Receiving funds typically requires providing a bank account number (IBAN) or using a payment service (e.g., Twint, PayPal)—not a credit card number, expiry date, and CVC.
  • Suspicious URL: The pages are hosted on domains that are not legitimate shipping or payment services. (From the visible URL bar in the first screenshot, the domain appears unrelated to any known Swiss shipping company.)
  • Fake tracking status: The status text is poorly written (“Empfangen von Vergnugen” is not a standard DHL, Swiss Post, or other carrier status message).
  • Copied footer content: The second page contains a footer about “traditional hutters of the land” (likely copied from an unrelated website), which has nothing to do with package delivery.
  • No login or verification: Legitimate payment processes do not ask for full credit card details on a page reached via an unsolicited link.
  • Price in CHF, but tracking in German: Swiss carriers do use German, so the language alone is not a red flag; it is the overall design, the wording errors, and the mismatch between a carrier-style tracking page and a card-entry form that show the page was not created by a professional Swiss company.
  • Generic card form: The payment page lacks any recognizable payment processor branding (e.g., Stripe, Datatrans, PayPal) and does not use a secure payment gateway.

What to do if you encounter this:

  • Do not enter any credit card details, expiry date, or CVC.
  • Do not click “Submit” or any buttons on these pages.
  • If you are selling items online, never click links sent by buyers claiming payment is waiting. Legitimate buyers pay through official platform mechanisms (e.g., Ricardo’s payment system, Twint, or cash on pickup).
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the classified platform where the scam originated.

Why this scam is effective:
High-value items like the “Tripp Trapp” child’s chair are frequently sold on second-hand platforms in Switzerland and Germany. Sellers are eager to complete the sale and may not question a buyer who claims to have paid via an escrow or shipping service. The use of Swiss francs (CHF) and a real address in St. Moritz makes the scam appear locally relevant. The multi-step process with a tracking number and package details gives the illusion of a legitimate transaction.

Protective measures:

  • Always complete transactions through the official payment system of the platform you are using.
  • Never accept payment through links sent by buyers—insist on in-person cash, Twint, or platform-integrated payments.
  • Remember: receiving money never requires your credit card information.
  • If a buyer claims they have paid through a shipping company or escrow service, verify directly with the official website of that service using a URL you type yourself—never click links in messages.
  • Be suspicious of any page that asks for your full credit card details outside of a well-known, trusted payment provider.

Econt phishing page in Bulgarian revealed

Fake Payment Receipt Scam – “Receive Funds” Card Harvesting (Bulgarian Variant)

This phishing campaign is designed to steal credit card details from users selling items online (likely on classified ad platforms such as OLX.bg, Bazar.bg, or Facebook Marketplace) in Bulgaria. The scam creates a fake payment confirmation interface and pressures the seller to “receive funds” by entering their card information.

How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item and that the payment is being held by a shipping or escrow service. The buyer sends a link to this fake payment page.

Step 1 – Fake Payment Confirmation Page (First Screenshot)

Step 2 – Credit Card Harvesting Page (Second Screenshot)

The goal:
The attacker steals the victim’s credit card details. There is no actual payment of 10,999 leva waiting to be received—the entire transaction is fabricated. If the victim enters their card details, the attacker can make unauthorized purchases or sell the information.

Red flags to watch for:

  • Illogical request for card details: To receive money, you never need to enter your credit card details. Receiving funds typically requires providing a bank account number (IBAN) or using a payment service (e.g., PayPal, ePay)—not a credit card number, expiry date, and CVC.
  • Suspicious URL: The pages are hosted on domains that are not legitimate shipping, escrow, or payment services. Always check the address bar.
  • High-value item: Luxury watches like Ulysse Nardin are commonly used in scams because they command high prices, making the “payment” amount large enough to excite the seller.
  • Fake buyer information: The name “…” and the Sofia address may be real or plausible, but they are not verifiable through the platform.
  • Currency typo: The second page shows “10999 JB” instead of “10999 лв,” indicating the page was poorly translated or copied.
  • No platform integration: Legitimate classified platforms in Bulgaria (OLX, Bazar) do not use external “Secure Offer” pages for payments. Buyers and sellers typically arrange payment directly or through platform-integrated options.
  • Generic card form: The payment page lacks any recognizable Bulgarian payment processor branding (e.g., ePay, Borica) and does not use a secure, trusted payment gateway.

What to do if you encounter this:

  • Do not click “ВЗЕМИ ПАРИТЕ” or enter any credit card details.
  • Do not enter your card number, expiry date, or CVC on this page.
  • If you are selling items online, never click links sent by buyers claiming payment is waiting. Legitimate buyers pay through official platform mechanisms, bank transfer, or cash on pickup.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the classified platform where the scam originated.

Why this scam is effective:
Bulgaria has a thriving second-hand market for luxury watches and other high-value items. Sellers are often eager to close a sale and may not question a buyer who claims to have paid through a “secure” escrow service. The use of Bulgarian language, a real Sofia address, and a plausible buyer name makes the scam locally convincing. The large amount (10,999 leva) creates excitement and urgency, overriding suspicion.

Protective measures:

  • Always complete transactions through the official payment system of the platform you are using, or use cash on pickup.
  • Never accept payment through links sent by buyers—insist on bank transfer to your IBAN, or use trusted services like ePay or PayPal directly (by logging into your account, not through a link).
  • Remember: receiving money never requires your credit card information.
  • If a buyer claims they have paid through an escrow or shipping service, verify directly with the official website of that service using a URL you type yourself—never click links in messages.
  • Be suspicious of any page that asks for your full credit card details outside of a well-known, trusted payment provider.

Leo Express phishing page in Bulgarian detected

Fake Order Confirmation Scam – “Receive Funds” Card Harvesting (Bulgarian Variant – Lower Value Item)

This phishing campaign is designed to steal credit card details from users selling items online (likely on classified ad platforms such as OLX.bg, Bazar.bg, or Facebook Marketplace) in Bulgaria. The scam creates a fake “order confirmation” page and pressures the seller to “receive funds” by entering their card information.

How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item. The buyer sends a link to this fake order confirmation page.

Step 1 – Fake Order Confirmation Page (First Screenshot)

Step 2 – Credit Card Harvesting Page (Second Screenshot)
After clicking “Продължи,” the victim is taken to this page.

The goal:
The attacker steals the victim’s credit card details. There is no actual payment of 399 BGN waiting to be received—the entire transaction is fabricated. If the victim enters their card details, the attacker can make unauthorized purchases or sell the information.

Red flags to watch for:

  • Illogical request for card details: To receive money, you never need to enter your credit card details. Receiving funds typically requires providing a bank account number (IBAN) or using a payment service (e.g., PayPal, ePay)—not a credit card number, expiry date, and CVC.
  • Suspicious URL: The pages are hosted on domains that are not legitimate classified or payment platforms. Always check the address bar.
  • “Frozen funds” pretext: The phrase “средствата са замразени” (funds are frozen) is a common phishing tactic to create urgency and legitimacy, but no real platform freezes funds waiting for card details.
  • Fake delivery options: The page claims “Доставка от наш куриер” (Delivery by our courier) and “Доставката се заплаща от купувача” (Delivery is paid by the buyer), but these are just text elements—not interactive or verifiable services.
  • Product description inconsistencies: The second page has a typo (“Koxxeno axe” instead of “Кожено яке”), indicating poor translation or copying.
  • Same address as previous scam: The delivery address (бул. „Македония“ 2, Sofia) appears in multiple Bulgarian phishing campaigns, suggesting a template being reused by attackers.
  • Generic card form: The payment page lacks any recognizable Bulgarian payment processor branding (e.g., ePay, Borica) and does not use a secure, trusted payment gateway.
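The “Suspicious URL” red flag repeats in every variant above (the dpd-style tracking domain, the Swiss Post lookalike, the Bulgarian “Secure Offer” pages), and the advice is always the same: check the address bar and compare the registrable domain against the real carrier or payment service. The following triage helper is an added example written for this page, not code from any of the carriers or platforms mentioned; the allowlist, the brand token list, the abbreviated public-suffix table and the sample URLs are all constructed for illustration and would be replaced by a maintained list and the full Public Suffix List in practice. It shows the distinction the bullets rely on: a brand name appearing as a subdomain of an allowlisted domain (track.dpd.cz) is fine, while the same brand name appearing inside an unrelated registrable domain (dpd.cz.info) is the lookalike pattern described on this page.

```python
"""Triage helper for the 'suspicious URL' red flag on fake tracking / receive-funds pages.

Added example for this page; all lists below are constructed placeholders, not an
authoritative source of carrier or payment-provider domains.
"""
from urllib.parse import urlparse

# Constructed, illustrative allowlist of registrable domains for real carriers and
# payment services (assumption: a defender maintains and vets this list).
KNOWN_GOOD = {
    "dpd.com", "dpd.cz", "post.ch", "econt.com", "leoexpress.com",
    "paypal.com", "twint.ch", "sahibinden.com", "olx.bg", "ricardo.ch",
}

# Brand or trust words the pages on this page borrow to look legitimate.
BRAND_TOKENS = {
    "dpd", "post", "econt", "leoexpress", "paypal", "twint",
    "sahibinden", "olx", "ricardo", "secure", "escrow",
}

# Tiny stand-in for the Public Suffix List; a real deployment loads the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.tr", "com.au"}


def registrable_domain(host):
    """Return the registrable (eTLD+1) part of a hostname, e.g. shop.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url):
    """Classify a URL as ('allowlisted', domain), ('brand_lookalike', token) or ('unknown_domain', domain).

    The check mirrors the advice on this page: trust the registrable domain, not a brand
    name that merely appears somewhere in the host or path.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    if reg in KNOWN_GOOD:
        return ("allowlisted", reg)

    # Split host and path on the separators attackers use to smuggle brand names in
    # (dpd-cz, dpd.cz.info, /secure/...) and report the first borrowed brand token.
    haystack = (host + parsed.path).lower()
    for sep in ("-", "_", "/"):
        haystack = haystack.replace(sep, ".")
    tokens = [t for t in haystack.split(".") if t]
    for token in tokens:
        if token in BRAND_TOKENS:
            return ("brand_lookalike", token)
    return ("unknown_domain", reg)


if __name__ == "__main__":
    # Constructed sample URLs modelled on the patterns described above.
    samples = [
        "https://track.dpd.cz/parcel/123",        # brand as subdomain of a real carrier
        "https://dpd.cz.info/orders/987",         # brand inside an unrelated .info domain
        "https://secure-offer.example/pay",       # 'secure' trust word, unknown domain
        "https://random-tracking.example/",       # no brand borrowed, still not allowlisted
    ]
    for sample in samples:
        print(sample, "->", assess_url(sample))
```

In a mail gateway or a browser extension the same logic would run on every link in an inbound “payment is waiting” message and surface the verdict next to the link; the important design choice is that only the registrable domain can earn an allowlisted verdict, so a hyphen, subdomain or path containing a carrier name never promotes a page to trusted.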

What to do if you encounter this:

  • Do not click “Продължи” or enter any credit card details.
  • Do not enter your card number, expiry date, or CVC on this page.
  • If you are selling items online, never click links sent by buyers claiming payment is waiting. Legitimate buyers pay through official platform mechanisms, bank transfer, or cash on pickup.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the classified platform where the scam originated.

Why this scam is effective:
This scam uses a moderately priced item (399 BGN) rather than an expensive luxury watch, making it more relatable to average sellers. The “frozen funds” language creates a sense of urgency and false legitimacy. The use of a real Sofia address, Bulgarian language, and detailed product description (SuperDry jacket with size details) makes the transaction appear genuine. Sellers who are eager to complete the sale may overlook the critical red flag: entering credit card details to receive money.

Protective measures:

  • Always complete transactions through the official payment system of the platform you are using, or use cash on pickup.
  • Never accept payment through links sent by buyers—insist on bank transfer to your IBAN, or use trusted services like ePay or PayPal directly (by logging into your account, not through a link).
  • Remember: receiving money never requires your credit card information.
  • If a buyer claims they have paid through an escrow or shipping service, verify directly with the official website of that service using a URL you type yourself—never click links in messages.
  • Be suspicious of any page that asks for your full credit card details outside of a well-known, trusted payment provider.