UK Scam Pattern · Updated 2026-04

The collection code phishing scam

Fraudsters send fake "Facebook Marketplace verification codes" to steal your login or banking credentials. Facebook has no such system — any collection code link is a phishing page.

  • 73% of UK purchase fraud starts on FB Marketplace (source: TSB)
  • 37% of Brits have been scammed on a marketplace (source: Experian)
  • 18% of victims recover their money (source: Cifas)
  • £85k APP reimbursement cap, Oct 2024 (source: PSR)


The collection code phishing scam sends you a link claiming to be a required “Facebook Marketplace collection verification” before you can complete a pickup. The page harvests your Facebook login, bank credentials, or one-time codes. Facebook Marketplace has no such collection code system. Delete any such message and report the profile. Use SilentID PIN Pickup — verification happens inside the app, face-to-face, with no external links.

What is the collection code phishing scam?

The collection code phishing scam exploits the fact that many buyers and sellers on Facebook Marketplace are unfamiliar with exactly what features the platform does and does not have. A fraudster — who may be posing as either the buyer or the seller — sends a message explaining that a “Facebook Marketplace collection verification code” is required to complete the in-person handover. They provide a link to what appears to be an official Facebook page, which in reality is a phishing site designed to capture your login credentials, one-time authentication codes, or banking details.

Facebook Marketplace does not have a verification code or collection code system for in-person transactions. This is a purely fabricated process, designed entirely to provide a plausible-sounding reason to hand over credentials.

How does the collection code phishing scam work?

  1. A transaction is arranged via Messenger

    Price is agreed, a meeting location is set. Everything proceeds normally up to this point.

  2. "Verification" link is introduced

    Shortly before the meet — often via WhatsApp after the conversation has moved off Facebook — the other party sends a link. "Facebook now requires a collection code to protect both sides. Just click and verify."

  3. Link goes to a phishing page

    The page is a convincing replica of Facebook’s login screen, or occasionally a fake bank verification page. The URL is not facebook.com.

  4. Credentials are harvested

    You enter your Facebook username and password, or a one-time code sent by your bank. The credentials are captured in real time by the fraudster.

  5. Account or bank takeover follows

    Using your credentials, the fraudster can take over your Facebook account (to run further scams from), initiate a payment via your banking app, or sell the credentials on fraud forums.

What should you do if you have been targeted by collection code phishing?

  • Do not click the link. Delete the message and report the profile on Facebook or WhatsApp.
  • If you clicked but did not enter anything, change your Facebook password immediately and enable two-factor authentication.
  • If you entered your Facebook credentials, change your password immediately, log out all other sessions (Settings → Security and Login), and report to Facebook.
  • If you entered bank details or a one-time code, call your bank’s fraud team immediately (number on the back of your card) and ask them to freeze your account.
  • Forward the phishing link to report@phishing.gov.uk — this is the NCSC Suspicious Email Reporting Service (SERS) and helps take down phishing infrastructure quickly.
  • Report to Action Fraud at 0300 123 2040 to get a crime reference number.

How does SilentID PIN Pickup prevent collection code phishing?

PIN Pickup uses a 6-digit code generated inside the SilentID app and shared verbally or visually at the physical handover — there are no external links, no third-party websites, and no credential entry at any point. Both sides use the app they have already downloaded and verified through. A phishing page has nothing to attach to because the entire verification flow is contained within a secure, authenticated app session.

7 warning signs of collection code phishing

This scam works because it mimics a legitimate-sounding verification step. These signals reveal it.

  1. A link arrives claiming to be a "Facebook Marketplace collection code"

    Facebook Marketplace does not have a verification code system for in-person collection. Any message containing such a link — regardless of how official it looks — is a phishing attempt.

  2. The link goes to a non-facebook.com domain

    Phishing URLs frequently use variations like "facebook-marketplace-verify.com", "fb-collection.co.uk" or similar. Always check the full domain before clicking anything.

  3. The page asks for your Facebook login credentials

    Genuine Facebook never asks you to log in again to verify a collection. Any page asking for your password mid-transaction is harvesting credentials.

  4. The page asks for a one-time code from your bank or authenticator app

    A common extension of the phishing page is to then present a fake "bank verification" step, harvesting your one-time code to take over your account or initiate a fraudulent payment.

  5. Seller says the buyer "must verify" before they can release the item

    The social engineering framing positions the phishing link as a required safety step. Legitimate platforms do not gate in-person handovers behind third-party verification links.

  6. The message arrives via WhatsApp after the conversation was moved off Facebook

    Phishing links are more likely to be sent via WhatsApp, where Facebook’s link scanning and scam detection do not apply.

  7. Sense of urgency — "the code expires in 10 minutes"

    Artificial time limits are a classic phishing technique to stop you pausing to check whether the process is legitimate.
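
As an added illustration (not SilentID's or Facebook's code), the sketch below shows how signs 1, 2 and 7 can be checked mechanically in a message: it compares the host each link really points at with facebook.com, rather than looking for the word "facebook" somewhere in the URL. The phrase patterns, the single trusted domain and the sample messages are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: only facebook.com counts as genuine.
TRUSTED_DOMAINS = {"facebook.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
LURE_RE = re.compile(r"collection (verification )?code|collection verification", re.I)
URGENCY_RE = re.compile(r"expires? in \d+\s*(min|minute|hour)s?", re.I)
BRAND_RE = re.compile(r"facebook|marketplace|(^|[.-])fb([.-]|$)", re.I)


def link_host(url):
    """Return the lower-cased host a link really points at ('' if unparseable)."""
    try:
        # Drop punctuation that trailed the link in the sentence before parsing.
        host = urlsplit(url.rstrip(".,;:!?)")).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def is_trusted(host):
    """True only for a trusted domain itself or a genuine subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def warning_signs(message):
    """Return the warning signs (sorted) that a message text shows."""
    signs = set()
    if LURE_RE.search(message):
        signs.add("collection-code lure")        # sign 1
    if URGENCY_RE.search(message):
        signs.add("artificial urgency")          # sign 7
    for url in URL_RE.findall(message):
        host = link_host(url)
        if not is_trusted(host):
            signs.add("link not on facebook.com")  # sign 2
            if BRAND_RE.search(host):
                signs.add("lookalike domain")      # brand word in a foreign host
    return sorted(signs)


# Constructed sample messages using the example domains quoted above.
SAMPLES = [
    "Facebook now requires a collection code. Verify here: "
    "https://facebook-marketplace-verify.com/code - the code expires in 10 minutes",
    "Listing link: https://www.facebook.com/marketplace/item/1234567890, see you at 6",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(warning_signs(text) or "no warning signs", "<-", text[:50])
```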

Frequently asked questions

A fraudster — posing as either a buyer or seller on Facebook Marketplace — sends a link claiming to be a "collection verification code" required to complete the transaction. The link leads to a phishing page that harvests Facebook login credentials, banking details, or one-time authentication codes. Facebook Marketplace has no such collection code feature for in-person handovers.

Reviewed by the SilentID editorial team. We update each guide quarterly with new UK fraud data.