OLX and Vinted: fake payment gateways, explained
Impersonations of OLX and Vinted are among the most reported scams in Poland. We explain the 'safe payment' mechanism that actually robs the seller.
Classifieds platforms are today the most common front for scammers in Poland. In its 2025 report, CERT Polska named OLX the most-impersonated brand in phishing — 28,462 incidents (Allegro: 22,513). The mechanism is clever because it reverses the roles: it’s the seller, not the buyer, who gets robbed.
The classic “buyer” scenario
You list an item on OLX or Vinted. A “buyer” shows up, very keen, wanting to pay immediately via “safe payment” or “buyer protection”. They move the conversation to WhatsApp and send a link — supposedly to collect the money. The page looks like the platform’s panel or a real payment gateway.
There, you’re asked for your card details and a BLIK code, or to log into your banking “to receive the transfer”. It’s a trap: you’re not receiving money — you’re authorising a withdrawal from your own account or handing over your login details.
Why it works even on careful people
- A genuine context — you really are selling something, so the message fits the situation.
- Perfect fakes — the pages copy the logos, colours and layout of real gateways.
- The chat moves off-platform — shifting to WhatsApp disables the site’s protection and moderation.
- Apparent logic — “you need to enter your card details to accept the payment” sounds plausible to someone who doesn’t do this every day.
The key truth that’s easy to forget: to RECEIVE money, you never give out a BLIK code or card details. BLIK codes and card details are only for paying. Any request for them “to collect” money is a scam.
Red flags
- The buyer wants to pay immediately via an external link and moves the chat off the platform.
- The link doesn’t go to the official OLX/Vinted domain (check the full address).
- Someone asks for your BLIK code, card details or bank login so you can “receive” money.
- Excessive urgency and ready-made excuses (“I’m at work”, “it’s a new system”).
How to protect yourself
Keep the whole transaction inside the platform — payments, chat, buyer protection. Don’t move to WhatsApp with a stranger. Never give a BLIK code or card details to “receive” anything. For online payments, use virtual cards and turn on push notifications.
If you’ve already clicked and entered details — block the card, change your banking password and report it to your bank and the police. Send the fake domain to CERT Polska. It’s the same “first minutes” principle we describe in our piece on incident response.
Running an e-commerce platform or marketplace? Penetration tests and web application audits find the weaknesses before fraudsters exploit them — let’s talk.
Sources and further reading: Niebezpiecznik — BLIK scams on OLX, CERT Polska, Sekurak.