Week 14: Classifieds phishing – fivefold increase in reports in a year

08.04.2025 - The National Cyber Security Centre (NCSC) regularly warns about classifieds scams. Classifieds offer scammers a wide range of opportunities: typical examples of scams include selling non-existent goods or failing to pay for goods that have already been shipped. In recent weeks, there has been a sharp increase in reports of classifieds phishing – a type of scam that targets credit card details, Twint and even e-banking accounts.

We regularly warn about classifieds scams, as classifieds websites offer many opportunities for scammers. In recent weeks, there has been a worrying increase in reports of classifieds phishing, from less than 50 reported cases a year ago to over 250 in February 2025.

Graph showing the increase in classifieds phishing scams since January 2024.

One type of classifieds scam targets sellers: typically, an interested party will contact you shortly after you post your ad on the classifieds website. You quickly come to an agreement and discuss payment methods on WhatsApp. The buyer suggests using a well-known company, usually Swiss Post. They then claim to have made the payment and send you a genuine-looking link with the company’s name in it, where you can supposedly collect the money. The pages that open when you click on the link look deceptively real and so do not arouse suspicion – but are actually designed by the scammer to steal sensitive information, such as your bank account details.

In order to appear credible, scammers adapt the pages you are linked to. For example, you may see the correct price and sometimes even a photo of the item being sold.

Scam website that looks like the real Swiss Post website, where you can supposedly collect money.

The next step is to choose whether you want to transfer the money to your credit card or to your Twint account. If you choose credit card, you will be asked to enter your credit card details – in this case it is simple credit card phishing. If you choose the Twint option, however, you will be taken to a page with the Twint logos of various banks, as is the case with many online shops.

Page where you can supposedly select Twint applications for different financial institutions.

Clicking on your bank’s Twint icon opens an exact copy of their login page. After entering your contract number, login and password, a window appears telling you to wait and not to close the window, otherwise the process will be stopped. This is a trick used by the scammers to stall you: at this very moment, they are secretly trying to log in to your real e-banking account. To do this successfully, they will soon need you to provide the two-factor authentication code – a security feature used for all e-banking accounts.

After entering your e-banking login data, a window appears asking you to wait three minutes.

After a while, a help window appears asking if you have an access card reader. The scammers then give you a code to enter – the same code that they received from the real e-banking portal when they secretly entered your login and password. When you enter this code into your access card reader and then give the newly generated code to the scammers, you are giving them access to your e-banking account. They can use this access to make a direct debit or link your Twint account to their own number.

Once you have entered your bank details, the scammer asks for your preferred two-factor authentication method – in this case, the code displayed on your card reader.

Direct attacks on prepaid Twint accounts

Scammers posing as buyers may claim they’ve already made the agreed payment and instruct you, the seller, to transfer the money to your prepaid Twint account. Their real aim is to steal your account. They start by asking for your login details – your phone number and Twint PIN – to initiate the takeover. Next, they trick you into providing the verification code that you automatically receive via text message. With your phone number, your six-digit Twint PIN, and the two-factor authentication code, the scammers can transfer your account to their device and gain full access.

Phishing site designed to take over victims’ Twint accounts.

Stealing credit card details as a fallback

But that’s not all. If something goes wrong or the scammers aren't online, they have another trap built in: their victims are redirected to another phishing site that asks for their credit card details. This way, at the very least, the scammers get their hands on your credit card details.

Credit card phishing page that is displayed if the scammers’ attack on e-banking account fails.

Recommendations

As a seller, you should never give out your credit card details or a Twint PIN. The buyer does not need this information to send you money.
Never pass on codes you receive by text message.
Never click on links in suspicious emails or text messages, and if you do, never enter any personal information on the website you are directed to.
Wait for the full payment to be credited to your account before shipping the product, or arrange for the buyer to pay cash when collecting the product. Do not accept cheques.
Do not rely on email payment confirmations. They can be faked. Check your account directly to confirm that you have received the full payment.
Be suspicious if the buyer wants to pay more than originally agreed.
If you are selling an item, do not pay any supposed shipping or transaction fees.

Current statistics

Last week's reports by category:

Current figures