Originally Posted by Takamorisan:
Like the mirror is the same as the forum UI, it shows as if you didn't log in yet to the forums and had that upper button in the top right telling you to log in. I didn't click it because I had just logged in to the official forums, then I paid attention to the URL and I was like oh a f* scammer. I was really distracted, could have prevented it by just not entering the link at all; at least I wasn't scammed, but I still had to run Anti Virus, Spybot, check registry alterations and so on. Changed my password and set up my one pass app finally...
What Avatre means is that the scam pages put the login/password and OTP fields on the same page; the real web login flow has the login/password (which is validated) and then puts the OTP entry on a second page after that login, and only does so if you have a security token registered to the account.

Since the scam pages can't do that first part of the login and present the OTP conditionally, they do it all on one page; when the user/password/OTP is entered, they can automatically log you in to the game (thus booting you as a 'dead connection', like when you get disconnected and try to immediately reconnect) via what's basically a highway robbery bot. Since you can log back in quickly (and the OTP will expire so they can't get back into your account a second time without phishing the OTP from you again) they have to work very quickly to strip you of what resources they can in a seemingly wholly-automated manner. (As in, your gil can potentially be gone in under 20 seconds, sometimes even less.)

As a side note, this is an excellent reason to use password managers. Yes, you probably know your FFXIV login/password by heart from entering it in the launcher, but if you hit 'fill from password manager' when you go to the forum login page... on the real site, it'll fill the username/password. On a phishing site... well, the password manager just sees that it's a domain you don't have a password saved for, and will go "Nope, don't have a password for here." Which can be enough to make you look at the address bar more closely and see that oh, you aren't on the real site.
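
The domain check described in the last paragraph, as an added example that is not part of the original post: a simplified exact-origin fill decision of the kind a password manager makes. The vault, the `decide` function and every `.example` hostname are constructed placeholders; real password managers apply their own matching rules.

```javascript
// Constructed vault keyed by origin (scheme + host + port). Placeholder names only.
const vault = new Map([
  ["https://forum.game.example", { username: "player1", password: "constructed-secret" }],
]);

// Decide whether to offer autofill for the page the user is on.
// Fill only on an exact origin match; otherwise say why not.
function decide(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { fill: false, reason: "invalid URL" };
  }
  const entry = vault.get(url.origin);
  if (entry) return { fill: true, reason: "exact origin match", entry };

  for (const origin of vault.keys()) {
    const savedHost = new URL(origin).hostname;
    if (url.hostname === savedHost) {
      return { fill: false, reason: "saved host, but wrong scheme or port" };
    }
    // The saved name shows up somewhere in the URL text, yet the browser
    // is actually talking to a different host: the classic lookalike.
    if (pageUrl.includes(savedHost)) {
      return { fill: false, reason: `URL mentions "${savedHost}" but the host is "${url.hostname}"` };
    }
  }
  return { fill: false, reason: `no entry for "${url.hostname}"` };
}

// Constructed page URLs: the saved site first, then ways a mirror can imitate it.
const samples = [
  "https://forum.game.example/login",
  "https://forum.game.example.account-check.example/login", // saved name as a subdomain label
  "https://forum.game.example@mirror.example/login",        // saved name in the userinfo part
  "https://forum-game.example/login",                       // one character swapped
  "http://forum.game.example/login",                        // right host, no TLS
];
for (const s of samples) {
  const d = decide(s);
  console.log(d.fill ? "FILL   " : "NO FILL", "|", d.reason, "|", s);
}
```
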