
Phishing attacks have become increasingly clever, blending AI technology with subtle psychological tricks to deceive even the most vigilant. Recently, I found myself at the receiving end of one such attempt—an elaborate social engineering ploy that nearly caught me off guard.
In this article, I’ll explain exactly how the attack worked, the underlying simple yet convincing tech, and, most importantly, practical tips to help you recognize and avoid falling for these traps.
Social Engineering and Phishing
According to CyberArk, my workplace and a leading cybersecurity company, social engineering is:
a manipulation technique aimed at tricking individuals into revealing sensitive information, carrying out actions they wouldn’t normally perform, or making decisions contrary to their usual behavior. Social engineering attacks are strategies used by malicious individuals to take advantage of human psychology and persuade people to compromise their security or privacy.
This is precisely what happened to me. The attacker did his best to gain my trust and trick me into visiting a fake website where I'd enter my bank credentials. In other words, a standard phishing attack. A 2021 Ponemon Institute report revealed that large U.S. companies lose an average of $14.8 million a year to phishing.
A phishing attack is a social engineering tactic commonly used to steal confidential data or deliver ransomware or some other form of malware. The term is a play on the word fishing, meaning the attacker throws out a baited hook and waits for the victim to bite.
You usually hear about phishing attacks when it comes to big "whales" and companies.
However, apparently, bad people lurk around the corners of Facebook Marketplace, hunting down average "joes" such as myself.
Let me tell you the story about that one time I wanted to make a few dollars on Facebook Marketplace.
Nowhere Online is Safe, Not Even Facebook Marketplace
It all started with my Apple Magic trackpad sale attempt on Facebook...
I wanted to sell an older lightning connector version, so I placed an ad on Facebook Marketplace. In Israel, Facebook Marketplace is a hit. Most people use it to sell all sorts of things, and the attackers knew it, too.

I placed the ad and anxiously waited. An hour later, a profile with the Hebrew female name Zimra Jacobson approached me.
Her Facebook image? A serene sunset—perhaps the symbolic sunset of my better judgment. Her profile was locked, but she had 1400 friends. The skeptic in me began to stir, yet I answered her request anyway, unable to shake off the nagging thought that this might just be legitimate.
She didn't haggle over the price, which immediately felt off—haggling is practically a national pastime here in Israel. Then she asked if sending a "PostIL" courier to pick up the trackpad was okay. In hindsight, the phrase struck me as odd; we call it "the post." Also, in a country as small as Israel, it's not a common request; we usually get by without it.
Curious, I asked where she was from. She replied, "Avigdor, Ashkelon." That answer raised a red flag. I'd never heard of Avigdor, but a quick search revealed it's a tiny village of about 800 people, 21 kilometers from Ashkelon. Google Maps showcases the place with images of cows and orchards, not a simple paved road (no wonder she needs a courier service, I thought). However, the critical fact was that she was far enough from my location (which was mentioned in the ad) to justify a courier service.
But then I noticed something else.
I noticed she was answering like a man. For those unfamiliar with Hebrew, verbs and pronouns are gendered, and it's easy to tell if someone speaks as male or female. While I addressed her as a woman due to her feminine name, her responses were grammatically masculine, and she didn't bother to correct me. Now, maybe it was nothing—it's 2025 - I didn't want to assume anything, and perhaps she was new to Hebrew and wasn't a native speaker. Still, my spidey senses told me something wasn't right.
I turned to my wife for a second opinion. "Do you think this is a scam? She seems... off." My wife brushed it off with a laugh. "You're being paranoid. It's fine." Wanting to trust her judgment—and be a good husband—I let my doubts simmer down.
At this point, "Zimra" wanted to finalize the deal. She asked for my email address, explaining that I'd get an email from the post office to enter the final details. She claimed the payment would be sent directly to my bank account through the post office. Importantly, she didn't ask for my bank details, so I figured, worst case, she'd have one of my email addresses—hardly a big deal.
But then something odd happened yet again. The email she promised took twenty minutes to arrive. Normally, in Israel, these systems are automated, and emails come through in seconds.
Let's Scam Me!
The long-awaited email has arrived.

In case you are wondering, it says that one of the post office's users has sent me a request to deliver "stuff", and that they need my consent and approval. Please click on the button.
The Hebrew text in the email is okay but imperfect. However, given our postal services' reputation here, I assumed it was just regular old government work.
The visuals, the logo, the colors—everything looks just like the real deal. It even says IsraelPost in the subject. Again, nothing about a bank account or money, teasing me into clicking. Nice work, scammers.
But I missed the sender's address in a big way. It's obviously a fake, but Gmail missed it and didn't mark it as spam, and I missed it, too.
Onto clicking then. I'm getting scammed and happily clicking away.
I was greeted by this website:

It's an order tracking page with the complete and correct order information. The item name at the top is exactly what I wrote in the marketplace ad. The price is what we agreed to. Then, you have Zimra's name and address (without a street address though). By the way, they got the zip code right, too. Nice job, guys!
The button in red reads "Get payment." -> Let's click it and get $$$!
To the unsuspecting eye, it looks okay. I was intrigued at this point. Maybe they would just ask for my account number so they can send the money and schedule the order. That's okay, right?
Also, looking at the whole page, all the links point to the actual post office site and are 100% accurate. Somebody took the actual HTML and CSS and played with them to make it look real.
Let's get paid then, yes?
To my dismay, they showed a list of icons of Israeli banks on the next page. I knew it wasn't right, but I clicked one of them anyway, and the page moved to another page that looked similar to the bank's login page, where you were asked to insert your username and password. At this point, I was like, "Oh, hell no!" Why would the post office require me to log in to the bank?
Knowing now this was a scam, I looked at the domain section in Chrome and saw this:

Notice how the actual domain is "sliperfile.com" and not israelpost? It's not even under the Israeli domain suffix ".co.il".
I wanted to be 100% sure and checked out the domain details:

Not only is it not a post office domain, but there are no owner details, and it was registered just TWO HOURS before Zimra's message. I could have been their first victim!
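The two checks that exposed the scam, reading the real registrable domain behind a brand-looking hostname and looking at how recently that domain was registered, as an added example (my own code, not from the post). It assumes israelpost.co.il is the legitimate site, uses a constructed offline stand-in for the WHOIS record, and the URL and timestamps are made up.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed moment at which the bait link was clicked (not the article's real timestamp).
CONTACT_TIME = datetime(2025, 1, 10, 11, 0, tzinfo=timezone.utc)

# Constructed, offline stand-in for a WHOIS lookup: registrable domain -> creation time.
# "sliperfile.com" is the scam domain from the article; its creation time is made up to
# match the "registered two hours earlier" observation. israelpost.co.il is assumed legit.
WHOIS_CREATED = {
    "sliperfile.com": CONTACT_TIME - timedelta(hours=2),
    "israelpost.co.il": datetime(2000, 1, 1, tzinfo=timezone.utc),
}

# Second-level public suffixes this example understands; a real implementation
# should consult the Public Suffix List instead of a hard-coded set.
SECOND_LEVEL_SUFFIXES = {"co.il", "org.il", "ac.il", "gov.il", "co.uk"}

def registrable_domain(host: str) -> str:
    """Reduce a hostname to the part a registrant actually owns:
    israelpost.sliperfile.com -> sliperfile.com, www.israelpost.co.il -> israelpost.co.il."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def check_link(url: str, expected: str, now: datetime, max_age_days: int = 30) -> list:
    """Return the red flags for a link that claims to belong to `expected`."""
    flags = []
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    brand = expected.split(".")[0]
    if domain != expected:
        flags.append(f"registrable domain is {domain!r}, not {expected!r}")
        if brand in host:  # brand name pushed into a subdomain to look legitimate
            flags.append(f"{brand!r} appears only as a subdomain of {domain!r}")
    created = WHOIS_CREATED.get(domain)
    if created is None:
        flags.append(f"no registration record for {domain!r}")
    elif now - created < timedelta(days=max_age_days):
        hours = int((now - created).total_seconds() // 3600)
        flags.append(f"{domain!r} was registered only {hours} hour(s) before contact")
    return flags

if __name__ == "__main__":
    # Constructed URL shaped like the article's bait: the brand sits in the subdomain.
    for flag in check_link("https://israelpost.sliperfile.com/track", "israelpost.co.il", CONTACT_TIME):
        print("RED FLAG:", flag)
```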
That's it; the curtain has been lifted, and the scam has been confirmed.
I closed the browser tab, blocked Zimra on Facebook, and reported her (although I doubt it matters).
Man, I couldn't believe what had just happened!
Summary - What Did I Learn
Reflecting on this experience from a technical perspective (putting my engineer hat on here for a second), I see that these scammers are not tech-savvy and haven't implemented proper automation. For example, I can think of a few serverless architectures that could dynamically generate a web page on demand and send an email within a few seconds.
Other than that, I did learn a few lessons. Evil people are lurking around closer than I'd thought. This was a wake-up call. Here are my takeaways:
Always listen to your InfoSec and IT people—they know best! Also, always look at email sender addresses and complete domains of websites, especially when money is on the line.
Evil people don't just go after big "whales"; we are all potential targets.
Always be skeptical when dealing with people online. With GenAI, it's becoming harder to understand what is real and what is fake. I probably spoke to a GenAI bot. Bad people got smarter; we must also step up our game.
Websites will not require you to log in to your bank account directly, so don't ever provide your credentials through an intermediary.
Stop clicking on links when you doubt the integrity of the website. Always inspect links you're about to click and URLs of the websites you open in your browser. Curiosity isn't worth it, even though I got a blog post out of it.
This is universally true - always listen to your wife - at all costs!
Stay safe out there!
P.S. - in case you are wondering, I *did* manage to sell the trackpad on Facebook Marketplace to a real person a week later.
Thank you Anton Aleksandrov and Bill Tarr for the review and feedback!