Free transport, stolen data: the scammers travel first class
It is yet another Facebook scam, but one that works far too well. For several weeks now, hundreds of French people have been falling for a tempting promise: a free or heavily discounted pass for public transport. And the catch?

As the holidays approach, between fake Christmas deals and a Black Friday that now stretches into a full cyber-month, a well-honed scam is gaining ground on social media: the promise of a free, or nearly free, pass for public transport.
A gift from heaven? No. A well-oiled trap.
For several weeks now, hundreds of French people have been taken in by fake Facebook pages impersonating local transport operators: STGA in Angoulême, TAN in Nantes, RTM in Marseille, RATP in Paris, and so on.
The scam is simple, but diabolically effective:
🎁 "Get your free pass for 2025 - Limited offer!"
✅ "Head over to our platform to validate your entitlement!"
One click later, you land on a page that imitates an official site perfectly. The logo, the colors, the administrative tone... It is all there. And you are asked for:
- your name,
- your address,
- your phone number,
- and your bank card details, "to validate the offer".
And that is it, game over.
Your data is gone. Either resold to other cybercriminal groups, or used directly to charge you amounts ranging from 1 euro to several hundred, often delayed, to avoid triggering your bank's alerts.
Why it works (too) well
Because the scammers have figured out the weak point: local trust.
When an ad appears on Facebook with your operator's logo, administrative language and the promise of a discount, you let your guard down. Especially in a time of crisis, when every bit of saving counts. And especially when:
- the page is recent, but sponsored (and therefore perceived as "reliable");
- the comments under the post are themselves fake ("thanks STGA, just signed up!");
- and nobody takes the time to check whether the offer actually exists.
This is what I call, in my book Être en cybersécurité, the illusion of legitimacy through familiarity: the more an attack resembles something familiar, the more dangerous it is.
The "too good to be fake" trap
Many people tell themselves "but you can tell it's fake". Maybe. But you can mostly tell after the fact.
And that is exactly the problem. The emotion, the thrill of a good deal, short-circuits common sense. Yet in cybersecurity, what matters is not what you know, but what you do under pressure, in the moment.
I go into this at length in my book, with a simple rule:
👉 The more generous an offer looks, the more it deserves to be checked.

How to protect yourself
Here are a few simple tips, drawn straight from Être en cybersécurité, to avoid falling for this kind of scam:
1. Never take a Facebook link at face value.
Type the site's URL yourself or go through Google. RATP, STGA and TAN do not need paid ads to give you gifts. If an offer is real, it is displayed prominently on their official site.
2. No operator will ever ask for your bank card for a "free" pass.
That is an immediate red flag. If you have to validate an entitlement, it will be through a secure portal, often with your user ID, not with your card.
3. Check the official pages.
A real RATP or STGA page has thousands of followers, years of history, sometimes a "verified blue" badge, and above all, no mistakes in the graphics.
4. Use a virtual card or a secondary account for online purchases.
Even if you fall into a trap, you limit the damage. It is one of the pillars of a smart defense strategy. I detail this method in Être en cybersécurité, in the chapter "Online financial hygiene".
5. Report the fake pages.
To Facebook. To the transport operator. To consumer associations. Every report counts toward getting these pages shut down quickly.
A problem wider than it looks
This scam is not an isolated case. It is part of a heavy trend: localized phishing, which rests on the impersonation of institutional identities. We have already seen the same mechanism with:
- fake CAF emails;
- fake CPAM or Pôle Emploi campaigns;
- bogus préfecture "fines"...
By playing on the authority of a public service, cybercriminals switch off your natural defenses. This is no longer a dodgy email from a Nigerian prince. It is a well-presented message, in your language, with the name of your city.
Knowing is not enough, you have to act
Digital security is not a diploma. It is a discipline.
And faced with these increasingly targeted attacks, it is the least vigilant users who become the point of entry. Do not be that weak link.
👉 Take the time to train yourself, to equip yourself, to understand.
That is exactly why I wrote Être en cybersécurité: to give you simple reflexes, concrete scenarios, and the tools to stop being at the mercy of the next trap.
The book is available online, in all good bookshops and on etrecyber.fr.
In this holiday season, the best gift you can give yourself is perhaps that of vigilance.
And of clear-sightedness.
Questions fréquentes
How do you spot this fake transport pass offer?
It spreads through Facebook pages that are recent but sponsored, imitating the logo and tone of a local operator, and redirects to a page asking for your personal and bank details. A genuine offer would be posted on the official website, without paid advertising.
Can a transport operator ask for my bank card for a free pass?
No. No operator asks for a bank card for a pass presented as free. Any request for card details in this context is an immediate red flag.
What is the risk of entering your information on these pages?
Your data can be resold to other cybercriminal groups or used to make charges, often delayed and ranging from 1 euro to several hundred euros, to avoid triggering your bank's alerts.
How do you protect yourself from this kind of scam?
Type the official URL yourself or go through a search engine, never use your real card on these pages (prefer a virtual card or a secondary account), check how old and how authentic the pages are, and report the fake ones to Facebook, to the operator and to consumer associations.
Why do we talk about localized phishing?
Because the attack relies on impersonating institutional identities the victim knows (local transport operator, CAF, CPAM, préfecture). By playing on the authority of a public service and on familiarity, it switches off your natural defenses.

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
