// Guides
Kleinanzeigen phishing: a real-world case — detect, analyse, report
An email in the name of “Kleinanzeigen” threatened account suspension and demanded “profile verification”. The link led via a legitimate-looking Google redirector (share.google) to a fake page — a deliberate technique to bypass spam and reputation filters. Using this real case we show how such an attack is built, how it is analysed safely, and what to do if you are hit.
Updated: 2026-07-11
Immediate steps
- 1Inspect the email instead of clicking: sender address, display name and technical headers (incl. DKIM/SPF) expose the brand abuse — here a free webmail account instead of a real Kleinanzeigen address.
- 2Do not open the link in your everyday browser: first only the destination is examined — the path ran via share.google (Google redirector) to a foreign domain.
- 3Analyse the page in isolation: in a sealed environment, never via your own device or IP, so no data is exposed.
- 4Recognise cloaking: the page showed analysis systems a harmless decoy and only real mobile victims in Germany the fake login form.
- 5Attribute the infrastructure: registration date, registrar, hosting fronting and TLS certificates proved a few-weeks-old throwaway domain with a single purpose.
- 6Trigger reporting chains: notify the hosting/proxy provider, registrar, browser protection (Safe Browsing) and reporting networks (incl. consumer phishing radars, APWG).
- 7Secure your own mailbox: block the sender and phishing domain at the mail gateway and document the incident.
What not to do
- Do not click links in suspension or “verification” emails — reputable providers do not threaten immediate deletion.
- Do not enter credentials on a page you reached via an email link.
- Do not be fooled by a known brand in the display name — the real sender address is what counts.
- Do not blindly trust shortened or redirector links (even seemingly from major providers).
- Do not simply delete suspicious emails — the full headers are valuable for a report.
When professional help makes sense
SKOPION verifies suspicious messages, analyses phishing infrastructure in isolation and without risk to your devices, attributes the attacker infrastructure and triggers the appropriate reporting chains for takedown — documented and traceable. We work exclusively passively and from externally accessible sources; we do not scan or alter your systems.
Get in touchCommon questions
- How do I spot a fake Kleinanzeigen email?
- By the real sender address (often a free webmail account instead of an @kleinanzeigen.de address), by threat and time pressure, and by links that lead via redirectors to foreign domains.
- Why does the link look like it is from Google?
- Attackers abuse redirectors of major providers (here share.google) so the link looks trustworthy and passes filters. The destination is still a foreign phishing domain.
- What does “cloaking” mean?
- The phishing page shows analysis systems a harmless decoy and only the real targets the fraudulent login form — which hampers detection and prolongs the page's lifetime.
- I clicked — what now?
- Do not enter anything and close the page. If you did enter credentials: immediately change the affected password from a clean device and enable two-factor authentication. Document the incident.