MARKETPLACE SCAMS

Allegro Lokalnie fake-buyer scam: the "I'll pay by courier" link that empties your account

Q: Is the Allegro Lokalnie courier payment link a scam?

Yes. If a buyer wants to pay through Allegro courier or delivery and sends you a link to enter card details or your bank login to receive the money, it is phishing. Receiving a payment is passive and never requires your card number, CVV, or banking password. Real Allegro payment and delivery happen only inside the app or on the official site.

Q: The buyer sent a PDF invoice, not a link. Is that safer?

No. CERT Polska warned about exactly this variant. The PDF faktura itself is usually not infected, which is why it slips past suspicion, but it contains a Confirm or Potwierdz button that leads to the same fake Allegro page asking for your card or e-banking login. A clean PDF is not proof of safety. Never tap a button inside an invoice sent by a buyer.

You listed something on Allegro Lokalnie. A "buyer" messages you, says they will pay through courier delivery, and sends a link to confirm the payment. That link is the whole attack, and it targets sellers, not buyers.

SafeBrowz Threat Research Security ResearchJune 18, 20268 min read

Bottom line first

Verdict: scam. If a buyer on Allegro Lokalnie wants to "pay through courier" and sends you a link to enter your card number, CVV, or online-banking login to receive the money, it is phishing. Here is the rule that ends the whole scam in one sentence: you never enter card details or bank login to RECEIVE money. Receiving a payment is passive and automatic. Anyone who sends a seller a link to "confirm" or "collect" a payment is a scammer. Real Allegro payment and delivery only ever happen inside the app or on the official site.

What Allegro Lokalnie is, and why the scam targets sellers

Allegro is Poland's biggest e-commerce marketplace. Allegro Lokalnie is its free classifieds platform, the local-listings sibling that works like OLX or Facebook Marketplace. The important detail is this: on Allegro Lokalnie a listing has no built-in payment. You post an item, a buyer contacts you, and the two of you arrange handover and money between yourselves. That gap, the missing payment rail, is exactly the hole the scam crawls through.

Because there is no native checkout, a scammer can pretend that one exists. They pose as an eager buyer, claim they will "pay through Allegro delivery" or "the courier service", and then send the seller a link to a page that looks like an official Allegro Lokalnie payment screen. The seller, who genuinely wants the sale to go through, is the target. The buyer is the bait.

This is the Polish member of a scam family you may already know. It is the same mechanic as the OLX, Vinted, and Wallapop fake-buyer scams across Europe. If you have read our breakdown of the Vinted and Leboncoin fake-buyer scam in France, the Allegro Lokalnie version will feel like a translation of the same script.

Variant one: the "pay by delivery" phishing link

The first variant is fast and direct. Shortly after you post a listing, a message arrives. The wording rotates, but the structure is stable:

"Hi, I want to buy this. Let's do it through Allegro courier so it is safe for both of us. I have already paid, just confirm here to receive the money: [link]"
"I cannot pick it up myself, so I will send a courier. Allegro delivery has reserved the payment. Click to collect it: [link]"
"Payment is on hold in the Allegro system. To release it to your card, confirm your details on this page: [link]"

The link points to a page that mimics Allegro Lokalnie down to the logo and colours. It tells the seller to enter a card number plus CVV, or an online-banking login, "to receive the payment". That is the trap. Entering a card and CVV does not pull money toward you. It hands your card to the scammer, who charges it or registers it for fraudulent payments. Entering your bank login hands over your account, and the next thing that moves is your balance, out.

The pages live on throwaway lookalike domains. They cram "allegrolokalnie" into the address and then append a string of junk on a cheap top-level domain. Real Allegro never does this. The examples below are illustrative lookalikes of the kind reported in the wild. Click any of them to drop it into the live checker further down and watch SafeBrowz flag it:

allegrolokalnie.ioferta.shop
allegrolokalnie.lokalna-oferta38473.cfd
allegrolokalnie-platnosc.vercel.app

Notice the pattern. The real brand name appears in the string, but never as the actual registrable domain. The true domain is the part right before the first single slash. On allegrolokalnie.ioferta.shop the real domain is ioferta.shop, not Allegro at all. The same goes for endless throwaway variants on .shop, .cfd, .me, .net, .top, and .icu. Reported examples include allegrolokalnie.me and allegrolokalnie.net. None of them is Allegro.

🛡 LIVE CHECK

Paste the link a "buyer" sent you here to check it

Got a payment or "confirm to receive money" link from someone on Allegro Lokalnie? Paste it below. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis → · No URL is logged to your identity.

Variant two: the fake-invoice PDF, the one CERT Polska warned about

The second variant is quieter and, for that reason, more dangerous. CERT Polska, Poland's national Computer Emergency Response Team, publicly warned about it from October 2024 onward, and the campaign has continued into 2026. Polish outlets including dobreprogramy.pl and telepolis.pl covered it too.

Here the scammer does not send a raw link. Instead they use Allegro Lokalnie's own contact form to send the seller a PDF document styled as a "sales invoice", a faktura. The PDF carries Allegro branding and a button labelled something like "Confirm order" or "Potwierdz". The clever part is that the PDF file itself is not infected. There is no malware to scan, no obvious payload, which is why it slips past suspicion and past basic attachment filters.

The danger is the button. Tapping "Potwierdz" inside the PDF opens the same kind of fake Allegro page as variant one, asking for your card details or your e-banking login "to receive the payment for your sale". Same destination, gentler delivery. The official-looking invoice is just a longer runway to the same phishing page.

One rule defuses both variants at once, so it is worth repeating: you never enter card details or a bank login to receive money. A real incoming payment needs nothing from you but a place to land, and your bank already has that.

The red flags that give it away every time

You do not need to know Allegro's internal processes to catch this. The tells are structural, and any one of them is enough to stop.

You are the seller and you are being asked to enter card or bank details. Sellers receive money. Receiving is passive. The instant a "buyer" needs your card number, CVV, or banking login to pay you, it is a scam. Full stop.
The buyer pushes a specific off-platform "delivery" or "courier" flow. Genuine Allegro delivery is arranged inside Allegro, not through a link a stranger pastes into chat.
There is a link to "confirm" or "collect" a payment. Real incoming money is not something you confirm on an external page. The link is the attack.
The domain is not Allegro. Every legitimate Allegro address sits on allegro.pl, allegrolokalnie.pl, or help.allegro.com. Anything like allegrolokalnie-anything.shop, .cfd, .me, or .net is fake, no matter what words it contains.
Pressure and a too-smooth story. The buyer "already paid", needs you to act now, cannot meet in person, and keeps steering you to the link. Urgency plus a courier-only insistence is the signature.
A PDF "invoice" with a Confirm button. CERT Polska documented this exact dressing. A clean PDF is not proof of safety, it is the runway. The button is what bites.
Polish-language page on a foreign or random TLD. A perfectly translated Allegro Lokalnie clone served from a .cfd or a free-hosting subdomain is a textbook brand-impersonation profile.

What a real Allegro payment looks like, so you can tell the difference

On the full Allegro marketplace, buyers pay through Allegro's own checkout and you, the seller, simply get paid out. You are never asked to "confirm" an incoming payment by typing your card into an external page. On Allegro Lokalnie, where there is no built-in payment at all, money moves the old-fashioned way the two of you agree on, in person at handover, or by a normal bank transfer into your account using only details you already control. In none of these does a real flow require you to enter a card number and CVV, or your online-banking password, to receive funds. If a process is asking for that, the process is not Allegro.

What SafeBrowz sees on the network

When the SafeBrowz engine looks at one of these fake Allegro Lokalnie pages, the attack reads the same way across all three detection layers.

First, the brand is impersonated off its home turf. The page carries "allegro" or "allegrolokalnie" in the domain or content, but the registrable domain is something like ioferta.shop or a random .cfd. A known brand name on a non-official domain is one of the strongest content-free signals there is, and it fires before the page even finishes loading.

Second, the destinations are cheap and disposable. Throwaway TLDs (.shop, .cfd, .me, .top, .icu) and free-hosting subdomains (such as a Vercel app) are where these clones live, because they cost nothing and can be spun up by the hundred. No legitimate Allegro property is hosted that way.

Third, the page asks a seller for card-plus-CVV or banking credentials under a "receive your payment" headline. That combination, credential and card harvesting framed as collecting money, is a credential-phishing profile the AI layer recognises even on a brand-new lookalike that no blocklist has seen yet.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

Layer 1 - Local detection: 60+ URL patterns plus 550+ brand-specific signatures (including Allegro and Allegro Lokalnie) plus a community whitelist/blacklist, all running directly in the extension before the page renders. It catches the brand name on a non-official domain, cheap-TLD abuse, and free-host lookalikes instantly.
Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, and ScamAdviser, plus domain-age lookup (most of these clone domains are only days or weeks old) and 30+ scam TLDs.
Layer 3 - AI deep scan: content-aware brand-impersonation analysis in 100+ languages, including Polish, catches a fresh "receive your payment" clone that no blocklist has yet, and reads the fake-invoice page behind the PDF button.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

If you would rather not install anything, the same engine powers the free public URL checker. Paste any link a "buyer" sent you and get a verdict in seconds.

What to do right now

If a buyer just sent you a payment link or a PDF invoice, here is the whole correct response.

Do not enter anything. Not your card, not your CVV, not your bank login. Receiving money never requires them. The link is the entire attack surface.
Stop the conversation and keep everything on Allegro. Real buyers will handle the sale inside Allegro Lokalnie. A buyer who insists on an external "courier payment" page is the scam.
Check the link if you are unsure. Paste it into the checker above or at safebrowz.com. If it is not on allegro.pl, allegrolokalnie.pl, or help.allegro.com, it is not Allegro.
Report it. Report the scam through Allegro's in-app fraud reporting, and report the phishing to CERT Polska at incydent.cert.pl. If the lure arrived by SMS, forward the message to 8080, the Polish shortcode for reporting suspicious texts.
Then block the user and delete the message.

If you already entered card details, call your bank using the number on the back of your card, freeze or lock the card in your banking app right away, and watch your statements. If you entered your online-banking login, contact your bank immediately, change the password, and ask them to flag the account. Our full "I got scammed, what do I do now" walkthrough covers the first-hour recovery steps in detail, and if you want to harden your instinct for fakes in general, our guide on how to tell if a website is a scam walks through the checks.

Frequently asked questions

Is the Allegro Lokalnie courier payment link a scam?

Yes. If a buyer wants to pay through "Allegro courier" or "delivery" and sends you a link to enter card details or your bank login to receive the money, it is phishing. Receiving a payment is passive and never requires your card number, CVV, or banking password. Real Allegro payment and delivery happen only inside the app or on the official site.

What are the official Allegro domains?

The legitimate addresses are allegro.pl, allegrolokalnie.pl, and help.allegro.com. Any other domain that contains "allegrolokalnie" or "allegro", such as allegrolokalnie.me, allegrolokalnie.net, or allegrolokalnie.anything.shop or .cfd, is fake, even if the page looks identical to the real one.

The buyer sent a PDF invoice, not a link. Is that safer?

No. CERT Polska warned about exactly this variant. The PDF "faktura" itself is usually not infected, which is why it slips past suspicion, but it contains a "Confirm" or "Potwierdz" button that leads to the same fake Allegro page asking for your card or e-banking login. A clean PDF is not proof of safety. Never tap a button inside an invoice sent by a buyer.

Why do I have to enter my card to "receive" the payment?

You do not, and that is the giveaway. No legitimate system makes a seller enter a card number and CVV or a banking login to collect money. Receiving funds needs only an account, which you already have. Any page that asks for those details to pay you is harvesting them to drain you.

How do I report an Allegro Lokalnie scammer in Poland?

Use Allegro's in-app fraud reporting to flag the user, and report the phishing link or page to CERT Polska at incydent.cert.pl. If the lure came by SMS, forward the text to 8080. Block the user and keep a screenshot of the conversation and the link.

I entered my card or bank login. What now?

Act immediately. For a card, call your bank using the number on the back of the card and freeze or lock it in your banking app, then watch your statements. For online-banking credentials, contact your bank at once, change your password, and ask them to flag the account for fraud. Then report the incident to CERT Polska at incydent.cert.pl.

Is this the same as the OLX or Vinted fake-buyer scam?

Yes, it is the Polish sibling of the same scam family seen on OLX, Vinted, and Wallapop across Europe. A fake buyer steers a seller to an external "payment" page that steals card or banking details. The brand on the page changes from country to country, but the mechanic is identical: you are made to "confirm" an incoming payment that does not exist.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.

Add to Chrome Add to Firefox Add to Edge