Trendyol & Hepsiburada Phishing: How to Spot Fake Shopping Scams in Turkey
Protect yourself from phishing attacks targeting Trendyol and Hepsiburada shoppers. Learn to identify fake delivery SMS, counterfeit checkout pages, and fake customer service scams.
Trendyol & Hepsiburada Phishing: How to Spot Fake Shopping Scams in Turkey
Turkey's e-commerce market has exploded in recent years, with Trendyol and Hepsiburada processing millions of orders daily. This massive transaction volume has created a fertile hunting ground for phishing scammers who impersonate these platforms to steal payment information, credentials, and personal data.
If you shop online in Turkey, you are a target. Here is how these scams work and how to protect yourself.
The Top E-Commerce Phishing Tactics
1. Fake Delivery SMS (Sahte Kargo SMS)
The most common attack vector. You receive an SMS like: "Trendyol siparisininiz kargoya verildi. Takip icin tiklayin: [malicious-link]." The link leads to a fake tracking page that asks for your credit card details to pay a "customs fee" or "delivery surcharge."
These messages spike during major shopping events like 11.11 (Singles' Day), Black Friday, and Efsane Cuma promotions.
2. Counterfeit Checkout Pages
Scammers create pixel-perfect replicas of Trendyol and Hepsiburada checkout pages. Victims reach these pages through:
- Social media ads offering deals "too good to be true"
- Google Ads that appear above legitimate search results
- Phishing emails with "order confirmation" links
3. Fake Customer Service Accounts
When shoppers post complaints on social media, scammers respond from accounts mimicking official support. They offer to "resolve" the issue by requesting order numbers, personal details, and even card information.
4. Fake Seller Storefronts
On marketplace platforms, scammers create stores with stolen product images and rock-bottom prices. Once you pay, the "seller" disappears. Some even send empty boxes or random items to generate a valid tracking number.
How to Identify Legitimate vs. Fake URLs
This is the single most important skill for avoiding e-commerce phishing:
| Check | Legitimate | Suspicious |
|---|---|---|
| Domain | trendyol.com, hepsiburada.com | trendyol-siparis.com, hepsiburada-kargo.net |
| Protocol | Always HTTPS | May lack HTTPS or have certificate warnings |
| URL path | Clean paths like /orders/detail | Random strings, excessive parameters |
| Redirects | Direct navigation | Multiple redirects before landing |
| Certificate | Valid, issued to the company | Self-signed or issued to unknown entity |
Quick URL Verification Steps
- Do not click links in SMS or email. Open the Trendyol or Hepsiburada app directly.
- Check the domain carefully. Scammers use tricks like trendyo1.com (number "1" instead of letter "l") or hepsiiburada.com (double "i").
- Look for Turkish characters. Some fake domains use characters like "ı" or "ö" in ways that look similar to the real domain in a browser bar.
- Use the official app. If you receive a notification about an order, verify it through the official app, not through any link.
Anatomy of a Phishing Attack
Here is a step-by-step breakdown of how a typical Trendyol phishing attack unfolds:
- Bait: Victim receives SMS about a "failed delivery" during a period when they actually have pending orders
- Click: The link opens a convincing Trendyol-branded page
- Harvest: The page asks for login credentials to "check order status"
- Escalate: After login, it requests credit card details for a "redelivery fee" of 9.99 TL
- Drain: Scammers use the stolen credentials and card info to make purchases or sell the data
Seasonal Scam Calendar
Phishing attempts follow Turkey's shopping calendar:
| Period | Event | Common Scam Type |
|---|---|---|
| January | Winter sales (Kis Indirimleri) | Fake discount links |
| March | Women's Day campaigns | Fake gift card offers |
| June-July | Summer sale (Yaz Indirimleri) | Counterfeit checkout pages |
| August | Back to school | Fake delivery notifications |
| November | Black Friday / Efsane Cuma | All types intensify 3-5x |
| December | New Year shopping | Fake order confirmations |
Protecting Your Account and Payment Info
Enable All Security Features
- Trendyol: Enable two-factor authentication, set up login alerts, use the in-app wallet for payments
- Hepsiburada: Activate Premium security features, use Hepsiburada's own payment system (HepsiPay), enable notification preferences
Use Virtual Credit Cards
Many Turkish banks (Garanti BBVA, Isbank, Yapi Kredi) offer virtual credit card services. Generate a temporary card number with a spending limit for online purchases. Even if the number is stolen, the damage is limited.
Review Your Saved Payment Methods
Periodically check and remove unused payment methods from your e-commerce accounts. The fewer cards stored, the smaller the attack surface.
What to Do If You Clicked a Phishing Link
If you suspect you have entered your credentials on a fake site:
- Change your password immediately on the real Trendyol/Hepsiburada site
- Contact your bank to block your credit card if you entered payment details
- Enable 2FA if you have not already
- Check your order history for unauthorized purchases
- Report the phishing URL to Trendyol/Hepsiburada support and to USOM (National Cyber Incident Response Center)
- File a police report (e-Devlet or local police station)
Sharing Order and Payment Information Safely
Many Turkish users share order details, tracking numbers, and payment confirmations through WhatsApp or SMS when coordinating purchases for friends or family. This creates a trail of sensitive information that can be exploited.
When you need to share order credentials, tracking details, or payment confirmations, use LOCK.PUB to create a password-protected memo. The recipient enters the password to view the information, and you can set it to automatically expire after they have seen it. No sensitive data lingers in chat histories.
Building a Scam-Resistant Shopping Habit
The best defense is a consistent routine:
- Bookmark the real Trendyol and Hepsiburada URLs and always navigate from bookmarks
- Install the official apps only from Google Play Store or Apple App Store
- Never enter payment information on a page you reached via a link in an SMS or email
- Verify all deals through the official app before acting on any promotional message
- Use password-protected sharing tools like LOCK.PUB instead of plain text when sending sensitive information to others
Phishing scammers count on you being in a hurry. Slow down, verify, and protect your digital shopping life.
Shop smart, stay safe. When in doubt about a link, do not click — go directly to the app instead.
Keywords
You might also like
How to Spot Fake Amazon Phishing Emails and Texts in 2026
Learn to identify Amazon phishing scams, fake delivery notifications, and fraudulent order confirmations with our complete detection guide.
Pinterest Fake Shop Scams — How to Spot Fraudulent Shopping Pins in 2026
Learn how to identify fake shopping pins on Pinterest, avoid fraudulent online stores, and protect your payment information from scam sellers.
Amazon & E-Commerce Phishing Scams — How to Spot Fake Shopping Platform Emails
Learn to identify phishing emails and texts from fake Amazon, eBay, and Walmart notifications, and protect your online shopping accounts.
Create your password-protected link now
Create password-protected links, secret memos, and encrypted chats for free.
Get Started Free