ISTANBUL – The listing looked routine enough: a smartphone, reasonably priced, posted on one of Turkey’s most popular secondhand platforms. The prospective buyer seemed enthusiastic. Then came the WhatsApp message with a payment link.
That link – mimicking the platform’s own escrow interface, pixel-for-pixel – was the trap. The seller, expecting a deposit into a secure holding account, instead handed over a one-time verification code to someone who had already staged the entire exchange to steal it. The money moved in seconds. The seller didn’t know they were a victim until the balance was gone.
What makes this particular fraud dangerous is not its technical sophistication. It is something subtler: the scam works precisely because the systems it imitates are genuinely trustworthy. Ergün Kılıç, chairman of Turkey’s Consumer Rights Association, and cybercrime attorney Dr. Ceren Küpeli warned this week that criminal networks have begun systematically impersonating the secure payment mechanisms of secondhand marketplaces – and the resulting wave of victims extends far beyond financial loss. Some of them, they said, are receiving calls from prosecutors.
The pattern is consistent enough that Kılıç now refers to it as a distinct fraud category. Criminals pose as buyers, contact sellers via WhatsApp or SMS after pulling them off the platform’s internal messaging system, and dispatch a link to a cloned version of the site’s payment interface. The fakery holds: the color scheme, the typography, the step-by-step confirmation flow. Everything except the destination of the funds.
“No legitimate secure payment system will ever ask a seller to share a verification code or transfer money for account confirmation,” Kılıç said in remarks reported by the Anadolu Agency Saturday. The statement is simple enough. The problem is that the scam architecture is designed specifically to make that rule feel irrelevant – to construct a context in which sharing a code seems not just reasonable, but necessary.
The mechanism hinges on a feature virtually every digital payment system now uses: the one-time password, or OTP. Sent to a registered mobile number to authenticate a transaction, OTPs are supposed to be unforgeable precisely because they expire in seconds and live only on the account holder’s phone. Scammers have found a way around that constraint without breaking any cryptography. They simply ask the seller for the code directly, framing it as a required step in the platform’s own onboarding process. “We’ve processed your payment – just share the code to confirm your account,” the message might read, sometimes appended with a countdown clock to manufacture urgency.
The scammers, Küpeli explained, often perform a secondary trick that experts call a circular transfer loop. After the initial funds are taken, the victim receives another message: the system, they are told, did not process the first payment correctly. If they send the same amount again, the original transaction will be automatically refunded. Some victims send twice, even three times, before the exchange goes silent.
The fraud has spread beyond the classic profile of individual shoppers. Technology products, real estate listings, short-term rentals and boutique social-media shops are all now documented vectors. The common thread is that the conversation migrates off the platform – to WhatsApp, to SMS – before any financial request is made. That migration is the first signal of danger. Küpeli was explicit: legitimate payment systems send no links from outside their own applications. The buy button in the platform’s own interface is the only sanctioned path.
AI-generated fake payment portals have dramatically lowered the barrier to entry for this kind of fraud. Sites that once took days of design work to clone can now be reconstructed in under five minutes using publicly available generative tools, and the resulting forgeries pass casual inspection. The visual mimicry – stolen logos, familiar color schemes, real product images scraped from the original listing – is no longer the hard part. The social engineering script, rehearsed across thousands of transactions, has become the primary weapon.
The legal dimension of this scam is its most underreported hazard. Criminal networks rarely move stolen funds directly into their own accounts. Instead, they route transactions through chains of intermediate IBANs – often belonging to people who have no idea their banking details have been used. Sometimes those details are purchased on dark-web markets, stripped from earlier data breaches. Sometimes they are obtained through separate scams that convince account holders they are participating in a legitimate financial service.
The result, Küpeli warned, is that money moved through these relay accounts can show up in forensic audits as part of a criminal network – even when the account holder is entirely innocent. “A transfer with an unexplained description or vague reference can be linked to the fraud chain during technical analysis,” she said. “The person may be asked to give a statement as a suspect.” Preserving every chat record, transaction receipt, and screenshot from the original listing is not optional. It is the only evidence that establishes the transfer’s commercial context and separates an innocent seller from a money mule in the eyes of investigators.
Meta, which operates WhatsApp, has acknowledged the scale of the problem. TechCrunch reported in March that the company launched new device-linking warnings on WhatsApp and began testing message-scanning in Messenger to flag suspicious payment requests before users click through. The company said it detected and disrupted roughly 8 million accounts engaged in scam operations during the first half of 2025 alone – a number that reflects the industrial scale of the operations but also suggests that detection remains reactive rather than preventive.
The proliferation of phishing tools available to low-skill actors has made individual vigilance harder to sustain. A fraudster using this escrow impersonation method does not need to hack anything. They need one seller who is distracted, one verification code shared in a moment of confusion, and a cloned URL that appears legitimate on a small phone screen. The Anti-Phishing Working Group recorded more than 892,000 phishing attacks in the third quarter of 2025 alone, with SMS-based fraud rising nearly 35 percent in that period, according to its most recent quarterly report.
The remedies Küpeli prescribed are operational rather than technical. Marketplace platforms should filter any hyperlink sent through their internal messaging systems, make identity verification via national digital ID mandatory for anyone posting a listing, and deploy AI-based real-time alerts on anomalous payment patterns. Sellers who have already been defrauded face a narrower and more urgent set of options: contact the bank within the first hour to request a transaction freeze, file a complaint with the public prosecutor’s office simultaneously, and hand over every piece of documentation that traces the original listing from start to finish.
She did not offer reassurance about recovery timelines. Investigations move slowly. The IBAN chains are long. Fake app interfaces leave traces, but tracing them takes time that money does not have.
What this fraud reveals, beyond its mechanics, is a design problem in how trust travels across digital ecosystems. Secure payment systems work because users trust them. That trust, once established, becomes transferable – and criminal networks have learned to transfer it deliberately, borrowing the credibility of one system to launder the deception of another. The escrow guarantee was supposed to be the safeguard. In this version of the scam, it is the bait.
