The Scotiabank phishing campaign observed in early 2026 utilizes fake account verification alerts, leveraging fraudulent emails or SMS to direct users to a professionally designed, deceptive login page. Attackers aim to capture ScotiaCard numbers, passwords, and secondary verification data to gain unauthorized access to accounts.
Target: ING Bank Customers (Europe/Romania/Poland)
Threat Level: Critical (Session Hijacking)

Phishing Method Description
This method focuses on Device Authorization Theft. The phishing page mimics the ING “HomeBank” interface, often using a “Synchronize your security device” or “Update HomeBank app” pretext. The attacker’s goal is not just your password, but the Authorization Code (token) generated by your mobile app. By entering this code into the fake site, you are actually authorizing the hacker’s device to access your bank account.

⚠️ Red Flags to Watch For
- Suspicious Domain: The URL might look like ing-homebank-update.com or authorization-ing.net. ING only uses its official national domains (e.g., ing.ro, ing.pl, ing.com).
- Unusual Requests: Banks will never ask you to “synchronize” or “re-verify” your device through a link sent via SMS or Email.
- Language Errors: Often, these pages contain subtle grammatical mistakes or incorrect font rendering that differs from the official app.

🛡️ How to Protect Yourself
- App Notifications: Trust only the notifications that appear inside your official ING mobile app.
- Never Share Codes: Never enter a 2FA or authorization code on a website you reached via a link. Codes should only be entered in the official app or the bank’s main website that you opened yourself.
- Enable Push-Alerts: Set up instant notifications for any login or transaction so you can react immediately if your account is compromised.
A sophisticated phishing campaign targeting Banco de Bogotá in Colombia uses deceptive “security update” messages to steal user credentials, including identification numbers and full credit card details. This fraudulent site imitates the official banking portal to bypass security checks and solicit sensitive information through high-pressure tactics.
Target: Customers of Banco de Bogotá (Colombia)
Threat Level: High (Credit Card & Identity Theft)

Phishing Method Description
This attack uses Visual Impersonation to mimic the “Banca Virtual” (Virtual Banking) portal of Banco de Bogotá. Scammers typically distribute these links via SMS (Smishing) or Email, claiming that the user’s digital key has expired or that an “unusual transaction” requires immediate verification. The fake site is designed to harvest:
- Customer ID / Username (Documento de Identidad)
- Online Banking Password
- Token / OTP Codes (One-Time Passwords)
- Full Debit/Credit Card Details (Number, Expiration Date, and CVV)

⚠️ Red Flags to Watch For
- The URL Trap: The official domain is bancodebogota.com. Phishing links often use strange subdomains or lookalike addresses like bancodebogota-seguro.com, validar-bogota.net, or free hosting platforms.
- Requesting the CVV: Real banking login pages never ask for your 3-digit CVV code (on the back of your card) just to log into your account. This is a clear sign of a credit card “skimmer.”
- Mixed Languages/Broken Links: Often, the “Help” or “Contact Us” buttons on these fake pages lead nowhere or return a 404 error, as only the login form is functional.

🛡️ How to Protect Yourself
- Type, Don’t Click: Always manually type bancodebogota.com into your browser address bar. Never click on links in SMS messages.
- Verify the SMS Sender: Banco de Bogotá sends alerts from official short codes. If you receive a security alert from a regular 10-digit mobile number, it is 100% a scam.
- Use the Official App: Perform all sensitive operations and balance checks through the official “Banca Móvil” app downloaded from the App Store or Google Play.
- Identify Verification: If the site asks you to enter multiple codes from your Token one after another, close the page immediately. Scammers do this to perform unauthorized transfers in real-time.
A phishing campaign targeting Lead Bank business customers uses fraudulent “unauthorized login” alerts to drive victims to a spoofed portal designed to steal credentials, personal information, and 2FA codes. The attack creates a sense of urgency to trick users into entering sensitive data on a site with a misleading domain. To protect against this threat, users should only navigate to the official Lead Bank site via secure, known channels and never enter MFA codes on suspicious sites.
Target: Business Clients and Fintech Partners of Lead Bank (USA)
Threat Level: High (Corporate & Business Email Compromise)

Phishing Method Description
This attack targets corporate users of Lead Bank, a Kansas City-based institution known for its focus on business banking and financial technology. Scammers use a Clean Page Design strategy, creating a minimalist and professional-looking imitation of the bank’s corporate login portal. Victims are typically reached via Spear Phishing (targeted emails) or LinkedIn messages claiming that a “Corporate Account Statement” is ready or that a “Secure Message” is waiting to be read. The malicious page is specifically designed to harvest:
- Corporate Email / Username
- Business Banking Passwords
- MFA / 2FA Tokens (Multi-Factor Authentication)

⚠️ Red Flags to Watch For
- Subtle URL Alterations: The official domain is lead.bank. Phishing sites often use common extensions like leadbank-login.com, leadbank.net, or secure-leadbank.org.
- Generic Salutations: Official business banks usually address clients by their full name or company name. Phishing emails often use “Dear Client” or “Valued Business Partner.”
- Inconsistent Branding: Look closely at the logo and fonts. Scammers often use low-resolution images or slightly different font weights that deviate from Lead Bank’s official corporate identity.

🛡️ How to Protect Yourself
- Verify the Domain Extension: Remember that Lead Bank uses the unique .bank top-level domain. This extension is restricted only to verified financial institutions. If the site ends in .com, .net, or anything else, it is a fraud.
- Use Hardware Keys: For business banking, hardware security keys (like Yubikey) are much safer than SMS-based codes, as they cannot be easily phished by fake websites.
- The “Slow Down” Rule: Corporate phishing often relies on a “Friday afternoon” rush. Always double-check the sender’s email address and the website URL before entering corporate credentials.
- IT Reporting: If you encounter a suspicious Lead Bank login page, immediately report it to your company’s IT security department to prevent a broader Business Email Compromise (BEC) attack.
A phishing campaign targeting National Bank of Canada (Banque Nationale) clients uses fake “Interac e-Transfer” notifications to steal login credentials, security questions, and OTPs. The fraudulent pages, often mimicking the official BNC portal, are designed to capture data from users in Canada and Quebec. To protect against this threat, users are advised to enable Interac Autodeposit and verify the URL for signs of a scam.
Target: Customers of National Bank of Canada (Banque Nationale du Canada)
Threat Level: Critical (Banking Access & Funds Theft)

Phishing Method Description
This attack leverages the popularity of Interac e-Transfer in Canada. Scammers send a text message (SMS) or email stating that a “Refund,” “Government Rebate,” or “Payment” is waiting to be deposited. The link leads to a sophisticated Brand Impersonation page that mimics the National Bank’s “Telnat” or “EasyPay” login interface. The fake site is designed to capture:
- Access ID / Username
- Password / Secret Question Answers
- Direct Deposit Information
- Card Number and Expiration Date

⚠️ Red Flags to Watch For
- Lookalike URL: The official domain is nbc.ca (or bnc.ca). Phishing sites use deceptive addresses like nbc-verification-login.com, nbc-interac.online, or client-bnc.net.
- Unexpected Money: Be suspicious of any notification for an e-transfer you weren’t expecting. If you didn’t sell anything or aren’t expecting a specific rebate, it’s likely a scam.
- The “Deposit” Trap: Real Interac e-Transfers allow you to choose your bank from a list. Phishing pages often take you directly to a pre-selected fake login page for one specific bank.

🛡️ How to Protect Yourself
- Set Up Autodeposit: This is the best defense. If you have Interac Autodeposit enabled, any legitimate transfer will go straight into your account without you needing to click any links or answer security questions.
- The SMS Sender Check: Official alerts from National Bank usually come from short codes, not standard 10-digit mobile numbers. If the sender looks like a personal cell phone, delete the message.
- Access via Official App: If you receive a notification, don’t click the link. Open your official National Bank (BNC) mobile app directly to check for any pending transfers or messages.
- Report Phishing: You can forward suspicious SMS messages to the short code 7726 (SPAM) to help carriers block the sender.
The fake DitchIt card verification scam is a high-level phishing threat targeting users on classified marketplaces, utilizing fake, secure-looking checkout pages to steal full credit card details and cardholder information. This fraud technique often involves directing users off-platform, requesting balance verification, and harvesting data to drain user accounts.
Target: Users of DitchIt (Marketplace & Resale App)
Threat Level: High (Credit Card Skimming)

Phishing Method Description
This attack uses a “Payment Verification” pretext. Scammers often contact sellers on the DitchIt app, pretending to be interested buyers. They claim they have already paid for the item and send a link to “verify your card” or “receive your funds.” The link leads to a professional-looking clone of a DitchIt-branded page. Instead of a login, the page features a Card Data Entry Form designed to harvest:
- Full Name
- Credit/Debit Card Number
- Expiration Date
- CVV Code (Security code on the back)
- Account Balance (Scammers ask for this to know how much they can steal immediately).

⚠️ Red Flags to Watch For
- Third-Party Links: DitchIt processes payments within the app. If a “buyer” sends you an external link to ditchit-payout.com or verification-ditchit.net, it is 100% a scam.
- The “Balance” Request: Legitimate payment processors never ask you to type in your current card balance to receive money. This is a common tactic in Eastern European and North American marketplace scams.
- Urgent Tone: The page often says, “You must verify your card within 10 minutes to receive the payment,” forcing the victim to act without thinking.

🛡️ How to Protect Yourself
- Stay In-App: Never leave the official DitchIt application to complete a transaction or “verify” your identity. All legitimate prompts will happen inside the app’s secure environment.
- The “Receiving Money” Logic: To receive money, you usually only need to provide an email (for Interac) or a bank account number. You never need to provide your CVV or your card’s expiration date to get paid.
- Check the URL: DitchIt’s official domain is ditchit.ca. Any other variation, especially those ending in .xyz, .top, or .info, should be closed immediately.
- Zero Trust for SMS/Chat Links: If someone you don’t know sends you a link via the in-app chat or SMS claiming to be “Support,” treat it as a threat.
A sophisticated Bank of America phishing campaign is active, using fake “account lock” alerts to steal online credentials, Social Security numbers, and OTP codes. The attack utilizes pixel-perfect clones of the Bank of America portal, often combined with telephone spoofing, to harvest full financial access. Users should avoid clicking links in alerts and instead navigate directly to bankofamerica.com to verify account status.
Target: Customers of Bank of America (USA)
Threat Level: Critical (Full Account & Identity Takeover)

Phishing Method Description
In this attack, scammers use Advanced Credential Harvesting. The victim typically receives an urgent SMS or email stating that their account has been “locked due to suspicious activity.” The link leads to a pixel-perfect clone of the Bank of America Online Banking login page. This multi-step phishing kit is designed to steal:
- Online ID and Passcode
- Social Security Number (SSN) (last 4 digits or full)
- Email Address and Email Password (Claiming it’s for “identity verification”)
- One-Time Passwords (OTP) intercepted in real-time.

⚠️ Red Flags to Watch For
- The Lookalike URL: The official domain is bankofamerica.com. Phishing sites often use deceptive addresses like bofa-online-security.com, bankofamerica-verification.net, or short links like bit.ly or t.co in the initial message.
- Requesting Email Credentials: A legitimate bank will never ask for the password to your personal email account (Gmail, Yahoo, Outlook) to “verify” your identity.
- Sensitive Personal Info: While banks may ask for a part of your SSN on their official site, a sudden request for your full SSN and card PIN on a page you reached via a link is a major red flag.

🛡️ How to Protect Yourself
- Use the Mobile App: Always use the official Bank of America Mobile Banking app for any alerts. If there is a real issue, you will see a notification inside the secure app environment.
- “Sign-In ID” Check: Bank of America uses a “SiteKey” or persistent recognition features. If the login page looks “generic” and doesn’t recognize your browser/device as it usually does, close it immediately.
- Protect Your Email: Enable Two-Factor Authentication (2FA) on your email account. Even if scammers steal your bank password, they won’t be able to access your email to reset it if your email is properly secured.
- Reporting: You can report Bank of America phishing directly by forwarding suspicious emails to [email protected].
A phishing campaign targeting First Investment Bank (Fibank) in Bulgaria uses a fake “digital certificate update” to steal user credentials and one-time passwords (OTP). Scammers employ a “security scare” tactic, directing victims to a lookalike login portal that harvests login IDs, passwords, and OTPs for real-time account takeover.
Target: Customers of First Investment Bank (Fibank / ПИБ) in Bulgaria
Threat Level: High (Online Banking & SMS OTP Theft)

Phishing Method Description
This attack targets users of the “My Fibank” online portal. Scammers distribute links via Phishing Emails or SMS (Smishing) that look like official bank alerts. Common pretexts include “Security Update Required,” “Mandatory Account Synchronization,” or “Your Digital Certificate is Expiring.” The fraudulent page is a pixel-perfect copy of the Bulgarian/English login interface. It is designed to capture:
- Customer ID / Username (Потребителско име)
- Login Password (Парола)
- Mobile Phone Number
- One-Time Password (OTP): The fake site often asks for the SMS code in real-time, allowing hackers to authorize a fraudulent transaction immediately.

⚠️ Red Flags to Watch For
- The URL Discrepancy: The official domain is my.fibank.bg. Phishing sites often use deceptive addresses like fibank-bg.online, pib-login.net, or free hosting subdomains like my-fibank.github.io.
- Requests for SMS Codes during Login: While some banks use SMS for login, be extremely wary if the site asks for multiple codes or a “Confirmation Code” just to view your balance.
- SSL Certificate Check: Even if the site has a “lock” icon (HTTPS), clicking on it will often reveal a generic certificate or one issued to an unrelated entity, rather than “First Investment Bank AD.”

🛡️ How to Protect Yourself
- Use the Token/App: Fibank’s official Token or the My Fibank Mobile App are much more secure than SMS-based authorization. Always prefer biometric (FaceID/Fingerprint) login through the official app.
- Check the Language: Many phishing kits for Bulgaria contain subtle translation errors or use Russian/English characters where Bulgarian (Cyrillic) should be.
- Bookmark the Login: Save the official https://fibank.bg as a bookmark and only use that link to access your finances.
- Suspicious Sender: If you receive a banking alert from a standard mobile number (+359 8…) instead of the “Fibank” sender ID, delete it immediately.
TymeBank phishing campaigns target South African customers through SMS and email alerts claiming account suspension, directing victims to a fake portal designed to steal ID numbers, PINs, and real-time OTPs. These attacks exploit the bank’s digital-only model, urging users to use official applications and ignore suspicious links.
Target: Customers of TymeBank (South Africa)
Threat Level: High (Digital Banking Access & Identity Theft)

Phishing Method Description
This attack targets users of TymeBank, a leading digital-only bank in South Africa. Scammers exploit the bank’s paperless nature by sending SMS (Smishing) or emails claiming that the user’s “Smart ID” verification has failed or that their “Everyday Account” requires an urgent security update. The fraudulent page is a sophisticated clone of the TymeBank web login. It is specifically designed to harvest:
- South African ID Number
- Mobile Phone Number (linked to the account)
- Internet Banking Password / PIN
- OTP (One-Time PIN): The fake site intercepts the SMS code in real-time to authorize fraudulent transfers or link a new device to the account.

⚠️ Red Flags to Watch For
- Deceptive Domain: The official domain is tymebank.co.za. Phishing sites often use variations like tymebank-login.com, secure-tyme.net, or free hosting URLs like tyme-portal.web.app.
- Unexpected OTP Prompts: If the website asks for an OTP (One-Time PIN) immediately after you enter your password — without you performing a transaction — it is a sign that a hacker is trying to log in simultaneously.
- Insecure Connection: While many phishing sites use HTTPS, always check if the certificate is actually issued to “Tyme Bank Limited.” If it’s a generic “Let’s Encrypt” certificate for a random domain, it’s a scam.

🛡️ How to Protect Yourself
- Use the TymeBank App: Always perform banking through the official TymeBank App from the Google Play Store, Huawei AppGallery, or Apple App Store. The app uses secure device binding which is much harder to phish.
- Never Share Your PIN: TymeBank will never ask for your secret PIN or OTP over the phone, via SMS, or through a link in an email.
- The “Official Channel” Rule: If you receive a suspicious alert, log out and call the official TymeBank support line at 0860 TymeBank (896 3226) to verify the status of your account.
- Public Kiosks: Be extra cautious if you recently used a TymeBank kiosk in a retail store (like Pick n Pay or Boxer). Scammers sometimes time their attacks to coincide with physical interactions.
A phishing campaign targeting Intesa Sanpaolo users employs fraudulent pages mimicking the “MyKey” security system to steal user codes, PINs, and real-time OTPs. These phishing sites, often distributed via SMS or email, impersonate the bank to authorize fraudulent SEPA transfers.
Target: Customers of Intesa Sanpaolo (Italy)
Threat Level: Critical (Mobile Banking & O-Key Smart Theft)

Phishing Method Description
This attack targets users of the “MyKey” security system used by Intesa Sanpaolo. Scammers distribute fraudulent links via Smishing (SMS) or Phishing Emails, often using an alarming tone: “Your account has been restricted for security reasons” or “An unauthorized login was detected from a new device.” The link leads to a high-fidelity clone of the Italian login portal. The phishing kit is specifically designed to harvest:
- Codice Titolare (Owner Code)
- PIN Code
- Mobile Phone Number
- O-Key Smart / SMS OTP: The fake page intercepts the security code in real-time, allowing the attacker to authorize a fraudulent transfer or change the associated phone number.

⚠️ Red Flags to Watch For
- The Deceptive URL: The official domain is intesasanpaolo.com. Phishing sites often use lookalike addresses such as secure-intesasanpaolo.com, mykey-is.net, is-assistenza.online, or free subdomains like intesa-login.web.app.
- Urgent Call-to-Action: Messages like “Action Required within 24 hours” or “Click here to avoid permanent block” are designed to bypass your critical thinking.
- Direct Link to Login: Intesa Sanpaolo officially states they will never include a direct link to the login page in an SMS or email.

🛡️ How to Protect Yourself
- Use the “O-Key Smart” App: Always authorize transactions and logins directly through the official Intesa Sanpaolo Mobile app. Never enter the generated codes on a website you reached via a link.
- Type the Address: If you receive an alert, ignore the link. Manually type intesasanpaolo.com into your browser or use the official app to check your notifications.
- Check the Language: While the phishing pages are often well-translated, look for subtle errors in the Italian text or fonts that look different from the official corporate style.
- Reporting: You can report suspicious activity directly to the bank at [email protected] or call the official toll-free number 800.303.303 (from Italy).
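The lookalike-URL red flag that recurs in every advisory above can be checked mechanically, for example in a mail or SMS gateway. The following is an added example, not code from the original page or from any of the banks: the official domains are the ones the advisories state, while the brand tokens are an assumption derived from the lookalike names the page quotes, and `classify` is a hypothetical helper.

```python
import re
from urllib.parse import urlsplit

# brand -> (official domains stated in the advisories,
#           brand tokens: an ASSUMPTION drawn from the lookalike names quoted there)
BRANDS = {
    "ING": (["ing.ro", "ing.pl", "ing.com"], ["ing", "homebank"]),
    "Banco de Bogotá": (["bancodebogota.com"], ["bancodebogota", "bogota"]),
    "Lead Bank": (["lead.bank"], ["leadbank"]),
    "National Bank of Canada": (["nbc.ca", "bnc.ca"], ["nbc", "bnc"]),
    "DitchIt": (["ditchit.ca"], ["ditchit"]),
    "Bank of America": (["bankofamerica.com"], ["bankofamerica", "bofa"]),
    "Fibank": (["fibank.bg"], ["fibank", "pib"]),
    "TymeBank": (["tymebank.co.za"], ["tymebank", "tyme"]),
    "Intesa Sanpaolo": (["intesasanpaolo.com"], ["intesasanpaolo", "intesa", "mykey"]),
}

def classify(url):
    """Return (verdict, brand): 'official', 'lookalike' or 'unrelated'."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as the network location
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ("unrelated", None)

    # Official only if the host IS the domain or a dot-separated subdomain of it.
    # The leading "." matters: "authorization-ing.net" must not match "ing.*".
    for brand, (domains, _) in BRANDS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return ("official", brand)

    # Otherwise compare whole hyphen/dot-delimited tokens, so a host such as
    # "login.example.org" is not flagged just because "login" contains "ing".
    tokens = set(re.split(r"[.-]", host))
    for brand, (_, brand_tokens) in BRANDS.items():
        if tokens & set(brand_tokens):
            return ("lookalike", brand)
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed sample URLs built from host names quoted in the advisories.
    samples = [
        "https://my.fibank.bg/login",
        "http://my-fibank.github.io/",
        "https://secure-intesasanpaolo.com/mykey",
        "authorization-ing.net",
        "https://lead.bank/",
        "https://leadbank.net/signin",
        "https://tyme-portal.web.app",
        "https://login.example.org",
    ]
    for s in samples:
        print(f"{s:45} -> {classify(s)}")
```

A "lookalike" verdict means the host carries a brand name without belonging to that brand's domain; it is a triage signal for review, not proof that the page is malicious.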