Online marketplace fake overpayment (payment hold) scam
Take action: Never pay any "fees" or "processing charges" to receive money from a buyer - legitimate payments don't work that way. If a buyer creates complex payment scenarios, overpays, or pressures you with deadlines, walk away immediately. Also, be very suspicious of foreign buyers for simple products that are available everywhere.
An active Fake Overpayment Scam (a.k.a. Payment Hold Scam) has been detected targeting sellers on multiple online marketplaces, both local and global, such as Craigslist, Facebook Marketplace, eBay, and other platforms.
The attack aims to steal personal data, to steal money via "fee payment" and even to steal payment card information.
This specific variant uses sophisticated banking impersonation and cryptocurrency collection methods.
The target who reported this attack had published an item for sale (a violin) on an online marketplace. They were approached by a scammer identity that acted as a motivated buyer. The scammer built trust by agreeing to the asking price without negotiation. This initial step created the expectation of an easy, profitable sale for the target.
The scammer asked the target for personal information, documents and bank details to "provide payment". This is the initial theft of personal data, which can later be abused for this or other scams, used for identity theft, or sold for profit.
The scammer informed the target that they have paid and that they will also cover all transport fees.
The target received a series of three emails in quick succession from citibank@intle-payment.com. Naturally, Citibank will not send an email from such an account. Moreover, the domain intle-payment.com is just 66 days old. A bank that's over 200 years old will not be using a fresh two-month-old domain for email notifications about financial payments.

The first one impersonates Citibank with a fabricated transaction notification indicating that the money is "received by the bank" and will be released as soon as some transport fees are paid.

Immediately after this email, two more emails followed: one providing "payment instructions" for the target to pay 50 euro via cryptocurrency, and a threatening one implying that the target had only 12 hours to pay and mentioning "legal action".
The intention is to scare the victim into rushing a payment without thinking too much, especially since they received a "proof" from the "bank" that the same money will be refunded.
The link "Citi-Bank Transfer" leads to https://buy.chainbits.com which may be a valid crypto purchasing platform, but may be another scam to collect the payment card data. We can't confirm either way, but stealing payment card data is a logical extra step in this scam. But even if a bank works with cryptocurrency, they will direct the user to THEIR OWN branded platform, not a random website.


After these emails were sent, the target got multiple calls and messages from the phone number +18597561701 demanding that the "processing fee" be paid immediately. This additional pressure is designed to push a target who is already concerned by the 12 hour deadline and the threat of legal action in the emails.
Red flags and inconsistencies
Banking process
- International SWIFT payment fees are deducted from transfer amount, not paid separately
- Banks rarely use cryptocurrency, if at all, and it is not their preferred payment instrument since it's much more volatile than fiat currency.
- Real banks never hold transfers for external "transport charges"
- Buying cryptocurrency via a bank link will lead to a bank website, not a random site on the internet.
Domains and emails
- Sent from a domain that has nothing to do with Citibank (whose primary domain is citi.com).
- Pressure tactics and threats - banks don't have deadlines for payments (unless you owe them money specifically)
Process
- If the buyer wanted to buy something and pay for logistics, they are fully able to pay the logistics company
- Persistent calling and pressure
- Phone number appears to be US based, but the fake Payment report mentions the "buyer" is from Switzerland
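The email-side red flags above can be checked mechanically when triaging a reported message. The following is an added example, not part of the original report: the allow-list, the 365-day age threshold and the keyword patterns are assumptions, the sample messages are constructed, and the domain registration date is passed in (in practice it would come from a WHOIS/RDAP lookup).

```python
import re
from datetime import date, timedelta
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: brand keyword -> domains it really sends from.
# citi.com is the primary domain named in the list above.
BRAND_DOMAINS = {"citi": {"citi.com"}}
MIN_DOMAIN_AGE_DAYS = 365  # assumed threshold, tune to your own risk appetite
PRESSURE = re.compile(r"\d+\s*hours?\b|legal action|immediately", re.I)
CRYPTO = re.compile(r"crypto(currency)?|bitcoin", re.I)

def triage(raw_message, domain_registered, today):
    """Return the red flags found in one e-mail, in a fixed order."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    body = msg.get_payload()
    flags = []
    for brand, legit in BRAND_DOMAINS.items():
        # Simple substring match; a production list would need word boundaries.
        claims_brand = brand in display.lower() or brand in local
        on_brand_domain = any(domain == d or domain.endswith("." + d) for d in legit)
        if claims_brand and not on_brand_domain:
            flags.append("brand-domain-mismatch")
    if (today - domain_registered).days < MIN_DOMAIN_AGE_DAYS:
        flags.append("young-domain")
    if PRESSURE.search(body):
        flags.append("deadline-or-threat")
    if CRYPTO.search(body):
        flags.append("crypto-fee-request")
    return flags

# Constructed samples; the first is modelled on the e-mails described above.
TODAY = date(2025, 1, 1)  # constructed reference date
SCAM_REGISTERED = TODAY - timedelta(days=66)  # domain age reported above
SCAM_MSG = (
    'From: "Citibank" <citibank@intle-payment.com>\n'
    "Subject: Transfer on hold\n\n"
    "Pay the 50 euro transport fee via cryptocurrency within 12 hours "
    "to avoid legal action.\n"
)
LEGIT_REGISTERED = date(2000, 1, 1)  # constructed, stands for a long-lived domain
LEGIT_MSG = 'From: "Citi Alerts" <alerts@citi.com>\nSubject: Statement\n\nYour statement is ready.\n'

if __name__ == "__main__":
    print(triage(SCAM_MSG, SCAM_REGISTERED, TODAY))
    print(triage(LEGIT_MSG, LEGIT_REGISTERED, TODAY))
```

A message that raises the brand-domain mismatch together with any of the other three flags matches the pattern described in this report and should be treated as fraudulent.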
There are several variants of this scam, for everyone to be aware of:
- "Cashier's check sent but needs processing fee" - they send a check that's fake and will not be processed by a bank, but verification and rejection of a check takes multiple days, and the scammers pressure the target into paying "fees" immediately.
- Fake PayPal/Zelle/Venmo "payment frozen" notifications - very similar to this scenario, but with other payment platforms.
- "Buyer protection fee" requirements - very similar to this scenario, but instead of transport fees, there are other fees to explain the need for payment by the target.
- eBay "Payment processor compliance holds" or "International customs fee" - similar to this scenario, but instead of transport fees, there are other reasons to explain the need for payment by the target.
- "Overseas buyer" overpayments - Send difference back after keeping extra - the scammer creates a fake huge payment, and messages the target to just send back the difference since it's quicker than to cancel the overpayment.
The attack is becoming very efficient because, with bitcoin/crypto, money transfers are much faster and difficult to trace. AI is used to generate fake documents and communicate in any language. AI also helps to create voice calls in any language to exert pressure on the target.
How to stay safe
- Don't rush - any deadline or pressure to do something immediately is a red flag.
- International or overseas offers for local items make little sense. Unless you are selling something unique, nobody cares to buy it globally.
- If it's too good to be true, it's false - be very careful of immediate price acceptance without negotiation
- Never trust overpayments or complex payment processes
- Never trust payment mechanisms you are not comfortable with.
- Consult with someone else