AI quick answer: what is the Vinted and Leboncoin fake-buyer scam?
The Vinted and Leboncoin fake-buyer scam is a phishing campaign targeting sellers on France's two largest secondhand marketplaces. A scammer posing as a buyer accepts the seller's price within minutes, then claims payment will be processed through "Vinted Pro," "Vinted Securite," or "Leboncoin Securite" and pushes the conversation to WhatsApp or SMS. The scammer sends a lookalike payment-confirmation link such as vinted-paiement[.]com or leboncoin-secure[.]fr. The seller enters their bank card or RIB to "receive" the funds, and the card is charged instead. Vinted does not have a product called "Vinted Pro" for consumer-to-consumer payments. Leboncoin does not send external payment links over WhatsApp. Cybermalveillance.gouv.fr (telephone 0805 805 817, free from France) is the national reporting line.
How the Vinted and Leboncoin fake-buyer scam works in 2026
You list a designer handbag on Vinted for 80 euros, or a road bike on Leboncoin for 450 euros. Within twenty minutes a friendly message arrives. The buyer says they want it, they accept the asking price, and they are very keen to lock in the deal. They ask a single innocent question: "can we continue on WhatsApp, the Vinted chat is slow today" or "could you give me your number, the Leboncoin app keeps logging me out."
Once the conversation moves off platform, the script begins. The "buyer" explains that they will pay through "Vinted Pro" or "Leboncoin Securite," a "new secure transfer service." They send a screenshot that looks like a payment confirmation, then a link. The page is a near-perfect clone of the real Vinted or Leboncoin checkout. Logo, fonts, colour scheme, language, even a fake live chat in the corner. There is a green banner that says the funds are "en attente de votre validation" (waiting for your validation) and a form asking for your bank card number, expiry, CVV, and sometimes your RIB (bank-account details) and identity document.
The fake page tells you the form is needed "to receive the payment." This is the exact moment of fraud. The card details you enter are not used to credit your account. They are sent straight to the attacker, who immediately runs a payment to themselves or a money-mule wallet, or saves the card to make 3-D Secure attempts overnight. Some advanced variants then send a fake 3-D Secure prompt to your phone asking you to "confirm the incoming transfer" by entering the bank's one-time code. Confirming that code authorises an outbound payment from your account, not an inbound one.
By the time you realise nothing was deposited, the scammer has either drained the available balance on the card, made one or two large purchases at electronics resellers, or sold the card details on a carding market. The buyer profile disappears, the WhatsApp number stops responding, and your card statement shows charges that look like nothing you authorised.
The three most common templates in 2026
The script rotates across a small set of variants. Every French marketplace seller should know all three.
Template 1: the fake "Vinted Pro" product
The buyer says they want to pay through "Vinted Pro" because "the normal Vinted fee is too high" or because "I am a professional reseller and I have Vinted Pro." This is the most successful template because Vinted does run real B2B services in some markets, so the brand name sounds plausible. Vinted does not offer a consumer-to-consumer payment redirect called "Vinted Pro" or "Vinted Securite." All legitimate Vinted payments go through the in-app checkout, the integrated buyer-protection fee is paid by the buyer, and the seller receives funds directly into the Vinted wallet without ever clicking an external link. If a "buyer" mentions Vinted Pro, the deal is a scam.
Template 2: the Leboncoin Securite shield
The buyer says they will pay through "Leboncoin Securite" or "Paiement Securise Leboncoin," sometimes accompanied by a screenshot of a green shield icon with the Leboncoin logo. Leboncoin does offer a real secure payment-and-shipping product called Paiement Securise, which is run entirely inside the Leboncoin app or website. It never requires the seller to enter card or banking details to "receive" money. The seller is paid into their Leboncoin balance and can request a transfer to their bank using only a RIB pre-saved in the account, not by clicking a link in an SMS or email. Any payment-confirmation link sent outside the Leboncoin app is a phishing page.
Template 3: the "I am abroad, I will send DPD" variant
The buyer claims to be travelling or living in another country, often Belgium, Spain, Portugal, or French overseas territories. They cannot collect the item in person and offer to "send a DPD courier" or "arrange Chronopost pickup" at their expense, but only if you accept payment through their "preferred secure transfer service." A link follows. This variant adds two psychological levers: pity for the inconvenient logistics and gratitude that the buyer is covering shipping costs. The seller is more inclined to forgive small inconsistencies because the buyer seems generous. The link is still a phishing page. Real Vinted shipping is handled inside the app with prepaid labels from Mondial Relay, Colissimo, or Inpost. Real Leboncoin Paiement Securise generates a Mondial Relay label inside the app. A buyer "arranging" their own courier is a red flag on both platforms.
Why sellers are the perfect target
Most phishing copy tells you to be suspicious of unexpected messages claiming you owe money. Vinted and Leboncoin sellers are in the opposite frame of mind. They listed something. They want to sell it. When a buyer appears, the natural emotion is relief and a small dose of excitement. The seller is not on guard; they are happy.
Both platforms have also built strong consumer reputations around buyer protection. Vinted's whole brand is buyer-side safety. Leboncoin's Paiement Securise is heavily advertised. Sellers feel covered by association even though almost all real protections sit on the buyer side. When the "buyer" mentions a "secure payment service" with the platform's name attached, it slots straight into the seller's existing trust model.
The script also exploits the language asymmetry around technical banking terms. Many French sellers, especially on Vinted, are first-time online sellers, students, or casual users clearing out a closet. Terms like "3-D Secure," "RIB validation," "IBAN authentication," and "verification du beneficiaire" sound like real banking processes because banks do send messages with similar wording. When the fake page asks for a CVV "for security," it feels procedural rather than predatory.
Finally, the messaging move from in-app chat to WhatsApp is so common in French e-commerce now that it does not register as suspicious. Buyers do legitimately ask for WhatsApp on Leboncoin for local pickup logistics. The scammer is hiding inside a normal pattern.
Lookalike Vinted and Leboncoin domains in active rotation in 2026
The phishing kits behind the scam rotate domains roughly weekly because Cloudflare, OVH abuse desks, and AFNIC takedowns are reasonably responsive. The pattern is consistent. Below is a non-exhaustive sample of domain families observed in active campaigns in early 2026.
- vinted-paiement[.]com
- vinted-securite[.]com
- vinted-pro[.]online
- vinted-pro[.]fr (typosquat, not owned by Vinted)
- vinted-validation[.]com
- vinted-livraison[.]net
- my-vinted[.]com
- vinted-paiement-securise[.]fr
- leboncoin-secure[.]fr
- leboncoin-securite[.]com
- leboncoin-paiement[.]com
- leboncoin-validation[.]net
- leboncoin-pro[.]online
- paiement-leboncoin[.]com
- boncoin-secure[.]fr
- leboncoin-livraison[.]com
The real Vinted domain is vinted.fr (and country variants such as vinted.com, vinted.de, vinted.es). The real Leboncoin domain is leboncoin.fr. Anything else with the brand name plus a hyphen plus a banking word is a scam. The same kits also use Punycode homograph tricks (for example, a Cyrillic 'a' that looks like a Latin 'a'), so a visually identical domain may resolve to malicious infrastructure. A browser-layer scanner that compares the rendered domain against a brand database catches both the hyphenated lookalikes and the Punycode visual tricks before the page loads.
How to verify a legitimate Vinted or Leboncoin transaction
The verification rules are simple and absolute. If a buyer asks you to step outside these rules, the deal is fraudulent.
- Vinted payments only happen inside the Vinted app or on vinted.fr. You will never click an external link to receive money. Funds appear in your Vinted wallet automatically when the buyer pays. You request a transfer to your bank from inside the wallet by entering an IBAN once, on Vinted's own pages, behind your normal Vinted login.
- Leboncoin Paiement Securise lives only inside the Leboncoin app or website. You confirm the sale, generate a Mondial Relay label, drop the parcel, and the funds release to your Leboncoin balance after delivery. You will never enter card or banking details on an external page to "validate a payment."
- Vinted does not have a product called Vinted Pro for consumer-to-consumer payments. Anyone using that phrase is running a script.
- Both platforms refuse to communicate payment instructions over WhatsApp or SMS. All payment messaging stays inside the in-app messaging system.
- Neither platform sends links by email asking the seller to enter card details to receive money. Seller payouts are pull-based: you initiate a withdrawal to a pre-saved bank account.
- Real Vinted help is at vinted.fr/help and the in-app support chat. Real Leboncoin help is at leboncoin.fr/aide and the in-app contact form. Anything else claiming to be official customer support is impersonation.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns and 550+ brand-specific signatures, including Vinted and Leboncoin, plus Cyrillic and Punycode homograph variants and community whitelist/blacklist, all running directly in the extension before the page renders. Catches the brand-plus-hyphen-plus-banking-keyword pattern (vinted-paiement, leboncoin-secure, vinted-pro typosquats) instantly, with no network call needed for known domain families.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, and URLhaus for known malicious domains. Many of the rotating Vinted and Leboncoin lookalike domains are reported within hours of going live, and SafeBrowz picks them up through these feeds.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel variants in seconds, including French-language phishing pages that copy the Vinted or Leboncoin checkout layout pixel-for-pixel. The AI reads the page content and recognises that a Vinted-branded payment page is hosted on a non-Vinted domain, triggering a DANGER verdict before any form input is sent.
Detection signatures come from threat-intelligence research and our brand database, not from user browsing data. SafeBrowz does not store per-user URL history.
What to do if you have already entered your card details
If you have already typed your card number, CVV, or RIB into a fake Vinted or Leboncoin page, treat the next sixty minutes as critical. The longer the card stays active, the more transactions the attacker can attempt before fraud detection at your bank catches up.
- Block the card immediately. Use your bank app's instant card-blocking feature (almost every French retail bank supports this: BNP Paribas, Societe Generale, Credit Agricole, La Banque Postale, Boursorama, Revolut, N26, all have one-tap freeze). Do not wait to call. The app is faster than the phone line.
- Then call your bank's 24-hour fraud line using the number printed on the back of your card. Open a dispute (faire opposition) and request a full chargeback under the European Payment Services Directive (DSP2/PSD2) on the basis of unauthorised payment following phishing. Ask the agent to write "phishing" in the dispute notes; this is the keyword that activates the unauthorised-payment chargeback flow.
- If you confirmed a 3-D Secure code, tell the bank explicitly. Many banks initially reject chargebacks where 3-D Secure was confirmed, but the European Banking Authority's 2024 guidance on PSD2 strong customer authentication confirms that strong-authentication confirmation under social-engineering manipulation does not eliminate the bank's liability when phishing is documented. Insist and reference this.
- Report to Cybermalveillance.gouv.fr. Use the online portal at cybermalveillance.gouv.fr or call 0805 805 817 (free from France, weekdays 9h to 18h30, Saturdays 9h to 12h). The platform will document the case and route it to the right authorities. It also provides certified service providers for follow-up technical assistance.
- File a complaint at Pharos (internet-signalement.gouv.fr), the national online-content reporting platform run by the French Ministry of the Interior. Pharos is the right channel for reporting the phishing URL itself, the WhatsApp number, and the fake buyer's marketplace profile.
- Report the email or SMS at Signal-Spam.fr if the lure arrived by mail or text. Signal-Spam routes the report to French ISPs and email providers, helping shut down the sending infrastructure.
- Notify DGCCRF (Direction Generale de la Concurrence, de la Consommation et de la Repression des Fraudes) via the SignalConso platform at signal.conso.gouv.fr. DGCCRF tracks consumer-fraud trends and can pursue platforms that fail to take down repeat-offender accounts.
- Report inside Vinted or Leboncoin. On Vinted, use Help Centre then Report a Problem, and flag the buyer profile. On Leboncoin, use leboncoin.fr/aide/securite to report the suspicious account and message thread. Both platforms remove offending accounts within 24 to 72 hours when reports are clear.
- File a police report (plainte) at your local commissariat or gendarmerie if losses exceed roughly 100 to 200 euros. You can also pre-file online through the pre-plainte-en-ligne.gouv.fr portal and complete the deposition in person. The receipt number you get from this step is required by some banks as supporting evidence for chargebacks.
- Change any passwords that share themes with information you entered on the fake page. If you typed your date of birth, full address, or identity-card number, treat those as exposed for identity-fraud monitoring purposes. Subscribe to the French CERT-FR alerts for follow-up phishing campaigns that may target you using leaked data.
The seller's protection checklist before responding to any buyer
- Keep all messages inside the Vinted or Leboncoin app. The moment a buyer suggests WhatsApp, SMS, or email, treat that as the first red flag. Refuse and continue in-app.
- Do not click any payment link a buyer sends you. Legitimate payouts on both platforms never start with a seller clicking a link. They start with you initiating a withdrawal from your wallet.
- Do not enter card details to "receive" money. Receiving money never requires a card number, CVV, or 3-D Secure code. Those are outbound-payment fields.
- Be suspicious of any buyer who agrees to the asking price within minutes without negotiation. Normal buyers haggle. Scammers want to lock in the script and move you off platform fast.
- Check the profile age. Both Vinted and Leboncoin show account creation date. A days-old profile with no listings and no rating is high-risk.
- Reject all "I will arrange my own courier" offers. Real Vinted shipping is prepaid through the app. Real Leboncoin Paiement Securise generates the label inside the app. A buyer arranging an external DPD or Chronopost pickup is running the abroad-buyer template.
- If the buyer says Vinted Pro, the deal is a scam. Vinted does not run a Vinted Pro product for consumer-to-consumer purchases. Block the user and report.
- Install a browser-layer scanner that blocks lookalike Vinted and Leboncoin domains before the page renders, so even if the script almost succeeds, the final phishing URL does not load. SafeBrowz is free for Chrome, Firefox, and Edge.
What Vinted and Leboncoin officially say
Vinted's help centre (vinted.fr/help) explicitly warns that all payments and conversations must stay inside the Vinted app, and that any external link claiming to be Vinted is a scam. Vinted's safety pages list "fake payment confirmations" and "buyers asking for personal information" as the top two seller-facing fraud patterns and recommend reporting through the in-app Help Centre.
Leboncoin's security page at leboncoin.fr/aide/securite states that Paiement Securise runs only inside Leboncoin and that the platform will never ask the seller to confirm card or banking details outside the app. Leboncoin recommends reporting suspicious activity directly through the contact form on the help centre and forwarding suspicious emails or SMS to cybermalveillance.gouv.fr.
Cybermalveillance.gouv.fr's 2024 annual report ranked secondhand-marketplace impersonation as the most-reported consumer-assistance category on the national platform. The agency's recommended response remains: block the card, file with the bank, report on cybermalveillance.gouv.fr, file at Pharos, and lodge a police complaint for losses above a few hundred euros.
Why this scam succeeds even against experienced sellers
- Frame mismatch. The seller's brain is in "I have an incoming payment" mode, not in "I am about to lose money" mode. Phishing-awareness training is almost always written from the victim-of-an-outflow frame.
- Brand trust transfer. Both Vinted and Leboncoin have invested heavily in advertising their own safety features. Sellers carry that trust into the fake page even though the page is not hosted on the platform.
- Plausible French banking ritual. French retail banks routinely send messages that involve confirming a code, validating a beneficiary, or authenticating a transfer. The fake flow mirrors this ritual perfectly.
- Friendly opening. The buyer is polite, eager, and pays the asking price. There is no aggression, no urgency, no obvious red flag in the message tone.
- Visual fidelity of the lookalike pages. Modern phishing kits clone the entire Vinted or Leboncoin checkout, including animation timings and fake live-chat widgets. Without a domain check the page is indistinguishable from the real one.
- 3-D Secure inversion. The most painful variant uses real bank 3-D Secure prompts, manipulated by the attacker pushing a fake "incoming-transfer" framing. The seller authorises an outbound payment thinking they are confirming an inbound one.
Frequently asked questions
Is Vinted Pro a real product?
Not for consumer-to-consumer payments. Vinted has tested some B2B and merchant-facing services in certain markets, but it does not offer a "Vinted Pro" payment redirect that buyers use to pay sellers and that requires the seller to enter card details on an external page. If a "buyer" mentions Vinted Pro in a private message, treat it as a scam, block the user, and report through the Vinted Help Centre.
I entered my card number and CVV on a fake Vinted page but nothing has been charged yet. Am I still at risk?
Yes. Attackers often stockpile card details and run authorisations hours or days later, sometimes overnight when fraud-monitoring teams are at reduced staffing. Block the card now through your bank app, even if no transactions have appeared. Replacing a card is a few minutes of inconvenience compared with the recovery work after fraudulent transactions clear.
I confirmed a 3-D Secure code thinking it was for the buyer's incoming transfer. Will my bank refund me?
Push for the chargeback. Document the phishing context with screenshots of the buyer's messages, the WhatsApp number, and the fake URL. Reference PSD2 and the European Banking Authority's 2024 guidance, which clarifies that strong-customer-authentication confirmation under documented social-engineering manipulation does not extinguish the bank's liability. File a Cybermalveillance.gouv.fr case and a Pharos report, and bring those reference numbers to the bank dispute. Outcomes vary by bank, but several major French banks have refunded in similar cases when documentation is thorough.
How can I tell a real Vinted or Leboncoin payment-confirmation page from a fake one?
The simplest rule: real Vinted and Leboncoin payment pages live only inside the Vinted or Leboncoin app, or on vinted.fr and leboncoin.fr accessed through your normal login. They never arrive as an external link in a WhatsApp message or SMS. Check the domain in the address bar character by character. Anything that contains "vinted-" or "leboncoin-" with a hyphen and a banking keyword (paiement, securite, secure, validation, livraison, pro) is a phishing site.
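The domain rule in this answer, together with the Punycode point made in the section on lookalike domains, can be turned into a small host check. This is an added example, not part of the original article and not SafeBrowz's code; the function names, verdict labels, fuzzy-match threshold and the confusables subset are assumptions, while the official domains and keywords are the ones listed on this page.

```javascript
// Added example: brand-lookalike host check (not any vendor's real code).
// Official domains and keywords come from the article; the confusables map
// is a small constructed subset of Cyrillic letters that render like Latin.
const OFFICIAL = ["vinted.fr", "vinted.com", "vinted.de", "vinted.es", "leboncoin.fr"];
const BRANDS = ["vinted", "leboncoin"];
const KEYWORDS = ["paiement", "securite", "secure", "validation", "livraison", "pro"];
const CONFUSABLES = {
  "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c",
  "\u0456": "i", "\u0440": "p", "\u0501": "d",
};

// Reduce pasted text (defanged, with scheme, userinfo, port or path) to a host.
function extractHost(input) {
  return input.trim().toLowerCase()
    .replace(/\[\.\]/g, ".")                 // refang vinted-paiement[.]com
    .replace(/^[a-z][a-z0-9+.-]*:\/\//, "")  // scheme
    .replace(/[\/?#].*$/, "")                // path, query, fragment
    .replace(/^.*@/, "")                     // userinfo before the real host
    .replace(/:\d+$/, "")                    // port
    .replace(/\.$/, "");                     // trailing root dot
}

// Map visually confusable characters to their Latin look-alikes.
function fold(host) {
  return Array.from(host, (ch) => CONFUSABLES[ch] || ch).join("");
}

// Plain Levenshtein distance, used to catch clipped brands such as "boncoin".
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

function classifyHost(input) {
  const host = extractHost(input);
  // Exact match on the raw host: a folded homograph must never pass as official.
  if (OFFICIAL.some((d) => host === d || host.endsWith("." + d))) {
    return { host, verdict: "official", reasons: [] };
  }
  const reasons = [];
  const folded = fold(host);
  if (folded !== host) reasons.push("confusable-characters");
  if (/(^|\.)xn--/.test(host)) reasons.push("punycode-label");
  const tokens = folded.split(/[.-]/).filter(Boolean);
  const hasKeyword = tokens.some((t) => KEYWORDS.includes(t));
  const exact = BRANDS.find((b) => tokens.includes(b));
  // Fuzzy brand match only counts next to a banking keyword, to limit noise.
  const near = hasKeyword && BRANDS.find((b) =>
    tokens.some((t) => t.length >= 5 && editDistance(t, b) <= 2));
  const brand = exact || near;
  if (brand) reasons.push("brand:" + brand);
  if (brand && hasKeyword) reasons.push("brand-plus-keyword");
  const verdict = brand ? "lookalike" : reasons.length ? "review" : "unknown";
  return { host, verdict, reasons };
}

// Sample inputs: lookalikes quoted in the article plus constructed cases.
const samples = ["https://www.vinted.fr/help", "vinted-paiement[.]com",
  "boncoin-secure[.]fr", "v\u0456nted.fr", "example.org"];
for (const s of samples) console.log(s, "->", classifyHost(s).verdict);
```

A host that is already in ASCII-compatible form (an `xn--` label) is only marked for review here; decoding it to Unicode before folding would let the same brand comparison apply.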
Can I report the scammer's WhatsApp number?
Yes. Inside WhatsApp open the chat, tap the contact name, scroll down, and use Report Contact. Then file at Pharos (internet-signalement.gouv.fr) including the number and screenshots. WhatsApp acts on patterns of reports; one report has little effect, but the same number reported by multiple victims often gets banned within days.
I am an expat living in France using Vinted or Leboncoin in English. Am I more vulnerable?
Slightly. Many scam messages are written in French and rely on French banking-ritual phrases that an expat may not immediately recognise as suspect or as oddly worded. The same rules still apply: never click an external payment link, never enter card details to "receive" money, and keep all communication inside the app. If the in-app language is set to English, the official help links you should bookmark are vinted.fr/help and leboncoin.fr/aide.
Does Cybermalveillance.gouv.fr actually do anything when I report?
Yes. Cybermalveillance.gouv.fr is the official French national platform for cybercrime assistance, coordinated across several ministries. Reporting builds the case file that feeds takedowns, AFNIC abuse complaints, and law-enforcement action against repeat-offender networks. It also matches you with certified local service providers if you need technical follow-up. The phone line is 0805 805 817, free from France.
Does SafeBrowz work on French marketplace scams?
Yes. SafeBrowz's brand database covers Vinted and Leboncoin and flags hyphenated lookalikes such as vinted-paiement, leboncoin-secure, and vinted-pro typosquats before the phishing page loads. The Premium AI deep scan reads French-language page content and detects when a Vinted-branded or Leboncoin-branded checkout is hosted on a non-official domain, triggering a DANGER verdict instantly. Install free at safebrowz.com for Chrome, Firefox, and Edge.
Bottom line: Vinted does not have a "Vinted Pro" payment product for consumer-to-consumer sales. Leboncoin Paiement Securise never sends external links to sellers. Receiving money never requires a CVV or a 3-D Secure confirmation. Any buyer who moves the conversation to WhatsApp and sends a payment link is running France's most-reported consumer fraud of 2026. Block, report at Cybermalveillance.gouv.fr (0805 805 817) and Pharos, and add a browser-layer scanner like SafeBrowz so the fake checkout never loads.