Fake Google Play gift card

This set of screenshots shows a PSN (PlayStation Network) Gift Card generator scam, using the same template as the previous Xbox, Amazon, and other “free gift card” scams. The victim is lured with promises of free PSN vouchers ($15, $25, $50, or $100) and then forced to complete surveys or offers – with no code ever delivered.

Threat Analysis: PSN Gift Card Generator Scam – Survey / Offer Fraud

How the scam works:

  1. The Lure – The victim sees an ad or link promising a free PSN gift card. The page displays PlayStation gift card images and fake “Recent Activity” messages (e.g., “User with IP: 65.2.36.1 is verifying for 350 Gift Card Code…”).
  2. Choosing the Value – The victim selects a card amount ($15, $25, $50, or $100). This creates a false sense of personalization.
  3. Fake Technical Progress – The page shows fake “connecting to server” messages (# Connecting to PSN Server…, # Server is up, # Meterpreter session, etc.) and displays a partial fake code (e.g., “E62U 4GMF 2FPF”). These are designed to mimic a real code generator.
  4. “Complete 2 Offers” / Survey Wall – After the fake progress, the victim is told “Complete 2 Offers down below, and your Prize will unlock automatically” or “Take a FREE Survey to Become a Millionaire Now!” This redirects to paid offers, subscription forms, or lead generation pages.
  5. “Complete A Sponsor Activity” – The final step always requires the victim to complete a “sponsor activity” (survey, app download, or registration). The scammer earns affiliate commissions for each completed action.

The goal:
The attacker earns money through:

  • Affiliate commissions – each time a victim signs up for a paid offer, service, or subscription
  • Lead generation – collecting personal data (name, email, phone, etc.) to sell
  • Credit card harvesting – if any offers ask for payment details

No PSN gift card code is ever generated or delivered. Any displayed codes are fake and invalid.

Red flags to watch for:

  • Free PSN gift card promise: Sony / PlayStation does not give away codes through online generators.
  • Fake technical messages: Legitimate code generation does not exist. The “Meterpreter” and “port 445” references are copied from hacking tools to look impressive but are completely unrelated.
  • “Complete offers to unlock”: A real gift card never requires surveys or offers.
  • Suspicious domain: unlock3r.net is not an official PlayStation domain.
  • Fake “Recent Activity”: The IP address and verification messages are fabricated.

What to do if you encounter this:

  • Do not click any buttons, complete offers, or provide personal information.
  • Close the page immediately.
  • If you have already entered payment details, contact your bank.

Protective measures:

  • Only obtain PSN gift cards from PlayStation Store, official retailers, or authorized resellers.
  • Never complete “human verification” or “sponsor activity” offers – these are always scams.
  • Use an ad blocker to avoid such scam ads.

Fake Fortnite gift

These screenshots show a Fortnite V-Bucks generator scam, targeting players of the popular game. The victim is promised free V-Bucks (2,500) in exchange for entering their username and completing “human verification” – which leads to surveys and paid offers. No V-Bucks are ever delivered.

Threat Analysis: Fortnite V-Bucks Generator Scam – Survey / Offer Fraud

How the scam works:

  1. The Lure – The victim sees an ad or link promising a free V-Bucks generator. The page asks for the victim’s GamingID/Username and Platform (e.g., PC, Xbox, PlayStation).
  2. Fake Generation – After entering a username, the page shows fake progress messages (“Successfully connected to username Htya354”, “2500 V-Bucks”, “Generate”, etc.) to create the illusion that the generator is working.
  3. “Manual Verification Required” – The victim is told that human verification is needed to complete the process.
  4. “Complete Human Verification” – The victim is asked to click “Verify Now” and is then redirected to an offer wall or survey page, often labeled “Take a FREE Survey to Become a Millionaire Now!” A countdown timer (e.g., “5 minutes 36 seconds Left”) creates urgency.
  5. Survey / Offer Wall – The victim must complete paid offers, sign up for services, or provide personal information. The scammer earns affiliate commissions for each completed action.

The goal:
The attacker earns money through:

  • Affiliate commissions – each time a victim signs up for a paid offer, subscription, or service
  • Lead generation – collecting personal data (username, email, etc.) to sell
  • Credit card harvesting – if any offers ask for payment details

No V-Bucks are ever generated or added to the victim’s Fortnite account.

Red flags to watch for:

  • Free V-Bucks promise: Epic Games does not give away V-Bucks through online generators.
  • Fake technical messages: Real game currency cannot be “generated” by a website.
  • “Human Verification” redirecting to surveys: Legitimate verification does not require completing paid offers.
  • Countdown timer and urgency tactics: Designed to pressure victims into acting without thinking.
  • Suspicious domain: realxyz.xyz is not an official Epic Games domain.

What to do if you encounter this:

  • Do not enter your Fortnite username, click any buttons, or complete any offers.
  • Close the page immediately.
  • If you have already entered payment information, contact your bank.

Protective measures:

  • Remember: there are no legitimate V-Bucks generators. Any such site is a scam.
  • Only obtain V-Bucks through the official Fortnite store or authorized retailers.
  • Never complete “human verification” offers – these are always scams.
  • Use an ad blocker to avoid such scam ads.

Fake Roblox gift

This series of screenshots shows a Robux generator scam targeting Roblox players. The victim is promised free Robux (in-game currency) in exchange for entering their username and completing “human verification” – which leads to surveys and paid offers. No Robux are ever delivered.

Threat Analysis: Roblox Robux Generator Scam – Survey / Offer Fraud

How the scam works:

  1. The Lure – The victim sees an ad or link promising “UNLIMITED Robux.” The page claims to be an online generator and includes fake testimonials and a “START NOW!” button.
  2. Platform Selection – The victim is asked to select their platform (PC, mobile, etc.) to make the scam feel personalized.
  3. Username & Amount Selection – The victim enters their Roblox username and selects how many Robux they want (e.g., 1000). This information is captured but never used to actually add Robux.
  4. Fake “Processing” Messages – The page shows fake technical messages like “Obtaining a service manager handle…” and a countdown timer (e.g., “0d13h23m27s”) to create urgency and simulate a real generator.
  5. “Human Verification Required” – The victim is told that due to “unusually high traffic” or “processing your request,” they must complete a human verification step. A “Verify Now!” button appears.
  6. Offer / Survey Wall – The victim is redirected to a page that says “Complete an Offer down below” or “Take a FREE Survey to Become a Millionaire Now!” A timer and “Waiting for completion” message pressure the victim to complete paid offers, sign up for subscriptions, or provide personal information.

The goal:
The attacker earns money through:

  • Affiliate commissions – each time a victim signs up for a paid offer, service, or subscription
  • Lead generation – collecting Roblox usernames and other personal data to sell
  • Credit card harvesting – if any offers ask for payment details

No Robux are ever generated or added to the victim’s Roblox account.

Red flags to watch for:

  • Free Robux promise: Roblox does not give away Robux through online generators.
  • Fake technical messages and countdown timers: These are designed to look impressive but have no real function.
  • “Human Verification” leading to surveys: Legitimate verification never requires completing paid offers.
  • Suspicious domain: realxyz.xyz is not an official Roblox domain.
  • Fake “Unusually high traffic” message: A common tactic to justify the verification step.

What to do if you encounter this:

  • Do not enter your Roblox username, click any buttons, or complete any offers.
  • Close the page immediately.
  • If you have already entered payment information, contact your bank.

Protective measures:

  • Remember: there are no legitimate Robux generators. Any such site is a scam.
  • Only obtain Robux through the official Roblox website or authorized retailers.
  • Never complete “human verification” offers – these are always scams.
  • Use an ad blocker to avoid such scam ads.

Social media phishing with fake Freefire gift card detected

These screenshots show a phishing campaign that uses fake Free Fire gift cards as a lure to steal login credentials for various platforms (game accounts, social media, or Google). The victim is promised a free gift card (210, 530, 1080, or 2200 units) and then asked to log in, handing over their phone number/email and password.

Pay attention to the domain of the website.

Spoofing Freefire gift card

An authorization request appears on the phishing page.

Google phishing with fake Freefire gift.

Twitter phishing with spoofing Freefire gift.

Facebook phishing with fraud Freefire gift.

Threat Analysis: Free Fire Gift Card Phishing – Credential Harvesting

How the scam works:

  1. The Lure – The victim sees an ad, social media post, or direct message promising a free Free Fire gift card. The page displays gift card options with different values (e.g., 210, 530, 1080, 2200) and instructs the victim to “Choose your Card!”
  2. Login Page – After selecting a card, the victim is taken to a page that says “Log in to the game account” and asks for:
  • Phone number or email address
  • Password The same login form appears across multiple variants (Twitter, Google, generic game account).
  1. Credential Theft – When the victim enters their credentials and clicks “Login,” the information is sent to the attacker. The victim may then be redirected to the real game or social media site, making the scam less noticeable.

The goal:
The attacker steals login credentials to:

  • Take over the victim’s Free Fire (Garena) account linked to Facebook or Google
  • Access the victim’s social media or email account (depending on which platform’s login was mimicked)
  • Use compromised accounts to spread the scam further
  • Sell accounts or credentials on criminal markets

Red flags to watch for:

  • Free gift card promise: Garena / Free Fire does not give away in-game currency through external websites.
  • Login page on a suspicious domain: The URL contains edutexme.xyz, not an official Free Fire, Facebook, or Google domain.
  • Login form after selecting a gift card: A legitimate giveaway would not ask for your password to claim a prize.
  • Generic design: The pages lack official Free Fire branding and security indicators.

What to do if you encounter this:

  • Do not enter your phone number, email, or password.
  • If you have already entered credentials, change your password immediately on the real platform (e.g., Free Fire, Facebook, Google) and enable two‑factor authentication.
  • Always access official giveaways through the game’s official website or social media channels – never through random links.

Protective measures:

  • Remember: no legitimate giveaway requires your password.
  • Check the URL carefully – official Free Fire domains end with garena.com or freefire.com.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on all gaming and social media accounts.

Amazon spoofing pages detected

These two screenshots show a two‑step Amazon phishing campaign. The first page steals the victim’s email and password, while the second page harvests personal information (full name, address, phone number, date of birth) – enough data for identity theft or to answer security questions.

Threat Analysis: Amazon Phishing – Credential & Personal Data Harvesting

How the scam works:

Step 1 – Fake Sign‑In Page (First Screenshot)
The victim receives a phishing email or message claiming an account issue, order problem, or the need to verify their information. The link leads to this page, which mimics the Amazon login interface. The victim is asked to enter their email/phone and password. The page shows a static email address (“[email protected]”) as a placeholder – a clear sign of a phishing template.

Step 2 – Billing Address Verification Page (Second Screenshot)
After submitting credentials, the victim is taken to a second page that claims “Verification needed” and asks for:

  • Full name
  • Address (street, city, state, ZIP)
  • Phone number
  • Date of birth

A fake URL containing “amazoon” (a misspelling of Amazon) and a suspicious domain (cloudns.ph) is visible.

The goal:
The attacker collects:

  • Amazon account credentials (email and password)
  • Personal identity information (full name, address, phone, DOB)

With this data, the attacker can:

  • Log into the victim’s Amazon account to make fraudulent purchases
  • Use the personal information for identity theft
  • Answer common security questions (“What is your date of birth?” “What is your address?”) to take over other accounts
  • Sell the complete profile on criminal markets

Red flags to watch for:

  • Suspicious URL: The second page shows ap-webappsaamaazoonsign-in0.cloudns.ph – this is not amazon.com. The misspelling “aamaazoon” and the .cloudns.ph domain are clear giveaways.
  • Fake placeholder email: The first page displays a nonsensical email ([email protected]) – Amazon would never pre‑fill your sign‑in page with someone else’s email.
  • Request for date of birth and full address after login: Amazon does not ask for this information again during a normal “verification” flow.
  • Outdated copyright: The footer shows “© 1996-2021” – a phishing page often copies an old year.
  • Unsolicited verification request: Amazon does not send links requiring customers to log in and then enter their full address and DOB to verify an account.

What to do if you encounter this:

  • Do not enter your email, password, address, or date of birth.
  • If you have already entered your Amazon credentials, change your password immediately and enable two‑factor authentication. Also check your Amazon account for unauthorized orders.
  • If you entered personal information (address, DOB), monitor your credit reports and consider placing a fraud alert.
  • Always access Amazon by typing amazon.com directly into your browser.

Protective measures:

  • Bookmark the official Amazon login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate amazon.com domains.
  • Enable two‑factor authentication on your Amazon account.
  • Never provide your date of birth or full address on a page you reached via a link – Amazon already has this information on file.
  • Check the URL carefully: Look for misspellings (amazoon instead of amazon) and unusual top‑level domains (.ph, .cloudns.ph, etc.).

Preparation for Laposte phishing revealed

This screenshot shows a phishing page impersonating La Poste (laposte.net) , the French postal service’s email platform. The page asks for the victim’s email address and password – the classic login credentials for a webmail account.

Threat Analysis: La Poste Phishing – Email Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their mailbox. The link leads to this page, which mimics the official laposte.net login interface. The victim is asked to enter their email address and password and click “Se connecter” (Sign in). The credentials are captured and sent to the attacker.

The goal:
The attacker steals the victim’s laposte.net email credentials to:

  • Access private messages and personal information
  • Reset passwords for other online accounts (banking, social media, etc.) linked to that email
  • Send further phishing messages to the victim’s contacts
  • Sell the credentials on criminal markets

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not laposte.net. Official La Poste login pages are only on laposte.net or labanquepostale.fr domains.
  • Minimal design / missing security features: The page lacks the full branding, security notices, and two‑factor authentication options that appear on the real laposte.net login page.
  • Unsolicited login request: La Poste does not send links requiring users to log in to resolve account issues.
  • No personalization: A legitimate login page may show a security image or personalized message after entering the email address – this page does not.

What to do if you encounter this:

  • Do not enter your email address or password.
  • If you are a laposte.net user, always access your mailbox by typing laposte.net directly into your browser.
  • If you have already entered your credentials, change your laposte.net password immediately and enable two‑factor authentication if available.
  • Report the phishing page to La Poste’s security team.

Protective measures:

  • Bookmark the official laposte.net login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate laposte.net domains.
  • Enable two‑factor authentication on your email account.
  • Be suspicious of any unsolicited message that asks you to log in via a link.

SFR mail phishing detected

This screenshot shows a phishing page impersonating SFR Mail, a French email and internet service provider. The page is hosted on a free Wix.com website and mimics the SFR login interface to steal identifiants (identifier) and mot de passe (password) .

Threat Analysis: SFR Mail Phishing – Credential Harvesting on Wix

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their mailbox. The link leads to this page, which is built on a free Wix subdomain (visible in the URL noreplay10.wixsite.com/fm-site). The page copies SFR’s branding, including promotional banners, navigation menus, and footer links. The victim is asked to enter their identifiant (mobile number, email, or NeufID) and password, then click “Me connecter.” A CAPTCHA (“Je ne suis pas un robot”) is added to make the page appear more legitimate. The credentials are captured and sent to the attacker.

The goal:
The attacker steals SFR account credentials to:

  • Access the victim’s email and personal information
  • Reset passwords for other online accounts linked to that email
  • Use the account to send further phishing messages
  • Potentially compromise the victim’s internet and mobile services

Red flags to watch for:

  • Suspicious URL: The page is on noreplay10.wixsite.com/fm-site – not sfr.fr. Wix is a free website builder, not used by legitimate telecom providers for login pages.
  • Visible Wix banner: The blue banner at the top (“Ce site a été conçu sur la plateforme WIX.com”) is a clear indicator that this is not an official SFR page.
  • Copied content: The promotional banners, menu items, and footer links are copied from the real SFR website. Attackers use this to make the page look authentic, but the domain gives it away.
  • Unsolicited login request: SFR does not send links requiring users to log in to resolve account issues.
  • Generic “I’m not a robot” CAPTCHA: While SFR may use CAPTCHAs, its presence on a Wix page is not a guarantee of safety – it is copied to appear legitimate.

What to do if you encounter this:

  • Do not enter your identifier or password.
  • If you are an SFR customer, always access your mailbox by typing sfr.fr directly into your browser or using the official SFR app.
  • If you have already entered your credentials, change your SFR password immediately and enable two‑factor authentication if available.
  • Report the phishing page to SFR’s fraud team (e.g., via [email protected] or their official reporting form).

Protective measures:

  • Bookmark the official SFR login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Never log in on a page hosted on a free website builder (Wix, Weebly, Strikingly, etc.) – legitimate services use their own domains.
  • Enable two‑factor authentication on your email and telecom accounts.
  • Be suspicious of any unsolicited message that asks you to log in via a link.

Orange phishing

These screenshots show multiple phishing pages impersonating Orange, a major French telecommunications provider. The pages are designed to steal customers’ login credentials (email/mobile number and password). Several of them are hosted on free website builders (Wix), which is a clear red flag.

Threat Analysis: Orange Phishing – Fake Login Pages (French Telecom Scam)

This phishing campaign targets Orange customers in France. The scam uses various fake login pages that mimic the official Orange authentication portal. The goal is to trick victims into entering their Orange account identifier (email address or mobile number) and password.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, unpaid bill, or the need to verify their information. The message includes a link to a fraudulent login page. The page looks similar to the real Orange login interface, often including copied branding, menu items, and even fake CAPTCHA or “reCAPTCHA” badges to appear legitimate. Once the victim enters their credentials and clicks a button (e.g., “Continuer” or “S’identifier”), the information is sent to the attacker.

The goal:
The attacker steals Orange account credentials to:

  • Access the victim’s personal information, billing details, and mobile/internet services
  • Perform SIM swapping (porting the victim’s phone number) to bypass SMS‑based two‑factor authentication for banking or other accounts
  • Use the compromised account to send further phishing messages to contacts
  • Sell the credentials on criminal markets

Red flags to watch for (across all variants):

  • Suspicious URL: The pages are hosted on domains that are not orange.fr. Some are on free website builders like wixsite.com. Legitimate Orange login pages are only on official Orange domains.
  • Visible “Wix.com” or other free‑hosting banners: These banners appear on several screenshots (“This site was designed with the WIX.com website builder”) – a clear sign of a fake page.
  • Unsolicited login request: Orange does not send links requiring customers to log in to resolve account issues. Always type orange.fr directly.
  • Generic or missing security features: Real Orange login pages may display a security phrase or personalized greeting. These fake pages lack such personalization.
  • Fake reCAPTCHA / CAPTCHA badges: Some pages include a “I am not a robot” checkbox or reCAPTCHA label to appear more trustworthy, but this does not guarantee legitimacy.

What to do if you encounter this:

  • Do not enter your Orange identifier or password.
  • If you are an Orange customer, always access your account by typing orange.fr directly into your browser or using the official Orange app.
  • If you have already entered your credentials, change your Orange password immediately and contact Orange customer service to watch for SIM swapping attempts.
  • Report the phishing page to Orange’s fraud team (e.g., via [email protected] or their official reporting form).

Protective measures:

  • Bookmark the official Orange login page and use that bookmark exclusively.
  • Use a password manager – it will only autofill on legitimate orange.fr domains.
  • Enable two‑factor authentication on your Orange account if available.
  • Never log in via a link in an unsolicited message – always type the address manually.
  • Avoid entering credentials on pages hosted on free platforms (Wix, Weebly, Strikingly, etc.) – legitimate telecom providers do not use these for login portals.

Facebook phishing with PUBG Mobile spoofing page

A phishing campaign targeting PUBG Mobile players uses fake “Lucky Spin” pages to steal Facebook credentials by promising free, exclusive in-game rewards. These deceptive websites mimic official branding and capture user data via fraudulent login forms, leading to account theft and potential sale on the dark web. To protect your account, only trust promotions from official PUBG Mobile channels and enable two-factor authentication.

This screenshot shows a phishing page impersonating Facebook, luring victims with a promise of an “Additional Reward for Season II” for PUBG MOBILE. The page asks for the victim’s mobile number or email address and password to “connect” the game account.

Threat Analysis: Facebook / PUBG Mobile Phishing – Credential Harvesting

How it works:
The victim receives a link via social media, SMS, or messaging app promising a free reward (e.g., in‑game currency, skins, or other bonuses) for PUBG Mobile. The link leads to this page, which mimics the Facebook login interface. The victim is told they must log in with Facebook to claim the reward. When they enter their phone number/email and password and click “Log In,” the credentials are captured and sent to the attacker.

The goal:
The attacker steals Facebook credentials to:

  • Take over the victim’s Facebook account
  • Access the linked PUBG Mobile account (and any other connected games or services)
  • Post spam or malicious links from a trusted account
  • Use the same email/password combination to compromise other accounts (credential stuffing)
  • Sell the account or its data on criminal markets

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not facebook.com. Legitimate Facebook login pages are only on official Facebook domains.
  • Reward lure: Facebook does not offer “season rewards” for PUBG Mobile via a login page. This is a common gaming scam tactic.
  • No personalization or security indicators: The page lacks the security badges, privacy shortcuts, and personalized elements (e.g., profile picture, saved account) that appear on a real Facebook login page.
  • Unsolicited reward offer: Any unsolicited message promising free in‑game currency or rewards in exchange for logging in via a link is almost certainly a scam.

What to do if you encounter this:

  • Do not enter your Facebook email/phone or password.
  • If you have already entered your credentials, change your Facebook password immediately and enable two‑factor authentication (2FA). Also check for any unauthorized activity or connected apps.
  • Always access Facebook by typing facebook.com directly into your browser.
  • Claim in‑game rewards only through the official game app or store – never through external links.

Protective measures:

  • Bookmark the official Facebook login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Facebook account.
  • Be suspicious of any unsolicited message that asks you to log in to claim a reward.
  • Never log in to Facebook via a link sent in a message or posted on social media.

Instagram phishing page revealed

This screenshot shows a phishing page impersonating Instagram, designed to steal login credentials (phone number, username, email, and password). The page is hosted on a suspicious domain unrelated to Instagram.

Threat Analysis: Instagram Phishing – Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or social media message claiming a security alert, account issue, or the need to verify their information. The link leads to this page, which mimics the Instagram login interface. The victim is asked to enter their phone number, username, or email and password, then click “Log in.” The credentials are captured and sent to the attacker.

The goal:
The attacker steals Instagram account credentials to:

  • Access private messages and personal information
  • Post spam, scams, or malicious links from a trusted account
  • Use the account to send further phishing messages to the victim’s followers
  • Attempt credential reuse on other platforms (email, banking, etc.)

Red flags to watch for:

  • Suspicious URL: The page is hosted on kannage.xyz, not instagram.com. Legitimate Instagram login pages are only on official Instagram / Meta domains.
  • Generic design: While the page copies Instagram’s layout, the domain and lack of security indicators (e.g., valid SSL certificate matching Instagram) reveal its fraudulent nature.
  • Unsolicited login request: Instagram does not send links requiring users to log in to resolve account issues or claim rewards.
  • No personalization or two‑factor prompt: A real Instagram login may show a profile photo or ask for a verification code – this page does not.

What to do if you encounter this:

  • Do not enter your username, phone number, email, or password.
  • If you have already entered your credentials, change your Instagram password immediately and enable two‑factor authentication (2FA). Also check for any unauthorized activity or connected apps.
  • Always access Instagram by typing instagram.com directly into your browser or using the official app.

Protective measures:

  • Bookmark the official Instagram login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate instagram.com domains.
  • Enable two‑factor authentication on your Instagram account.
  • Be suspicious of any unsolicited message that asks you to log in via a link.