Posti Phishing – Fake “Key Number” Authentication Scam

Below is a description of this phishing campaign targeting Posti (the Finnish postal service) and using a fake bank authentication page to steal avainluku (key number) credentials.

Threat Analysis: Posti Phishing – Fake “Key Number” Authentication Scam (Finnish Bank Credential Theft)

This phishing campaign impersonates Posti, the Finnish postal service. The scam uses a fake “key number list” (avainlukulista) authentication page – a method commonly used by Finnish banks – to steal the victim’s online banking credentials.

How it works:

Step 1 – Fake Key Number Request Page (First Screenshot)


The victim receives a phishing email, SMS, or other message claiming a package is waiting, a delivery fee is required, or a payment needs to be confirmed. The link leads to a page that mimics the Posti website. The page asks the victim to enter a specific key number from their bank’s key number list – in this case, “208. avainluku” (key number 208). This is a direct attempt to capture one of the one‑time codes used to authenticate banking transactions.

Step 2 – Fake “Processing” Waiting Page (Second Screenshot)


After the victim submits the key number, they are taken to a page claiming that their information is being processed and that they should not leave the page. A waiting time of up to 15 minutes is displayed. This page is designed to:

  • Buy time for the attacker to use the stolen key number to log into the victim’s real bank account
  • Reduce suspicion – the victim believes the process is legitimate and ongoing

The goal:
The attacker aims to:

  • Steal a specific key number (one‑time code) from the victim’s bank key number list
  • Use that code, together with other information (possibly captured in earlier steps not shown), to log into the victim’s bank account
  • Transfer funds or commit fraud

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not posti.fi – the official Posti domain.
  • Request for bank key number on a postal service page: Posti does not ask for your bank’s avainluku numbers. This is a clear sign of a phishing page trying to harvest banking credentials.
  • Unsolicited request: Posti does not send links requiring customers to enter bank authentication codes to release a package or confirm a payment.
  • Generic waiting page with a timer: A legitimate postal service does not display such a page after you submit a code. This is a classic stalling tactic used by phishing kits.
  • Copied content: The pages use Posti’s logos, navigation menus, and social media links, but these are stolen from the real site.

What to do if you encounter this:

  • Do not enter any key numbers or other banking codes.
  • If you have already entered a key number, contact your bank immediately – the code may have already been used to authorise a fraudulent transaction.
  • Always access Posti services by typing posti.fi directly into your browser.
  • Never enter bank authentication codes on a site that is not your bank’s official website.

Protective measures:

  • Bookmark the official Posti website and use that bookmark.
  • Never enter your bank’s key numbers (avainluku) on any third‑party site – not even if the site looks like a familiar postal service.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication through your bank’s official mobile app instead of relying solely on key number lists if possible.
  • Be suspicious of any unsolicited message that asks you to log in or enter a key number via a link.

Matkahuolto Phishing – Fake Payment Release Scam detected

Threat Analysis: Matkahuolto Phishing – Fake Payment Release Scam (Finnish Variant)

This phishing campaign impersonates Matkahuolto, a well-known Finnish logistics and transport company. The scam targets sellers on classified or marketplace platforms, creating a fake payment confirmation process. The victim is led to believe that a buyer has already paid for an item, and the seller must “receive” the funds by providing bank card or online banking details.

How it works:
The victim (a seller) receives a message (e.g., via SMS, email, or messaging app) from a supposed buyer claiming that the item has been paid for and the funds are being held by Matkahuolto. The message includes a link to a fake Matkahuolto-branded page.

Step 1 – Fake Payment Confirmation & Recipient Info


The page displays:

A product (e.g., “Riihimäen lasi r”) and a price (e.g., 15.00 EUR)

Fake buyer details (name, address in Turku, Finland)

A message stating the buyer has paid for the item and shipping

Instructions that the seller must confirm the payment to receive the funds to their card or bank account

A button to “Hyväksy maksu” (Approve payment)

The page includes a fake online support chat section to add credibility.

Step 2 – Bank Selection Page


After clicking the approval button, the victim is taken to a page asking them to select their bank from a list of major Finnish banks (Nordea, Handelsbanken, OP Bank, POP Pankki, Aktia, etc.). Fake security badges (3-D Secure, HTTPS, PCI DSS Level 1) are displayed to appear trustworthy.

Step 3 – Fake Processing Page

The victim is being redirected to a fake banking login page.


Then the victim sees a waiting page claiming that their information is being processed and they should not leave the page.

The goal:
The attacker aims to:

Direct the victim to a fake online banking login page for their selected bank

Steal the victim’s online banking credentials (username, password, and possibly 2FA codes)

Alternatively, capture credit/debit card details if the fake flow asks for them directly

There is no actual buyer or payment – the entire transaction is fabricated. The promised funds (e.g., 15 EUR) are used as a lure.

Red flags to watch for:

Suspicious URL: The pages are hosted on domains that are not matkahuolto.fi. Legitimate Matkahuolto services are accessed through their official domain.

Illogical request for payment to receive funds: The seller is asked to “approve” or “confirm” payment to receive money – this is not how legitimate transactions work. Receiving funds does not require the seller to take action on a payment page.

Bank selection page after a shipping company page: Matkahuolto is a logistics company, not a payment intermediary. They do not handle payment processing between buyers and sellers.

Fake security badges and support chat: These are copied from legitimate sites to create false trust.

Urgency and pressure: The pages imply that the seller must act quickly to receive the funds, a common tactic to bypass critical thinking.

No login or tracking number provided: The victim cannot verify the supposed transaction through official Matkahuolto channels.

What to do if you encounter this:

Do not click any buttons or select your bank on these pages.

Do not enter any online banking credentials or card details.

If you are expecting a payment from a buyer, always verify directly through the platform where the item was sold (e.g., Facebook Marketplace, Tori, Huuto.net) – never through external links.

If you have already entered your banking credentials, contact your bank immediately to secure your account.

Report the phishing page to Matkahuolto (e.g., via their official customer service) and to the relevant authorities.

Protective measures:

Never click links in unsolicited messages claiming a buyer has paid through a shipping company.

Always type the official website URL directly into your browser.

Never provide your online banking credentials or card details to “receive” a payment.

Enable two‑factor authentication on your bank accounts.

Be suspicious of any message that creates urgency and asks you to log in to a bank via a link.

Bank Negara Malaysia & Google Credential Harvesting revealed

Below is an analysis of the phishing campaign based on the three screenshots. The attack impersonates Bank Negara Malaysia (the central bank) and then Google, using a fake login flow to steal credentials for both.

Threat Analysis: Multi‑Step Phishing – Bank Negara Malaysia & Google Credential Harvesting

This campaign targets users in Malaysia and Indonesia (based on the language mix: Malay/Indonesian and English). It is designed to steal online banking credentials (User ID, password, phone number, and bank selection) first, and then capture the victim’s Google account credentials in a second step.

How it works:

Step 1 – Fake Bank Negara Malaysia Login Page (First Screenshot)
The victim receives a phishing link (e.g., via SMS, email, or social media) claiming a financial service issue or the need to log in. The link leads to a page hosted on taplink.ws (a link‑in‑bio service often abused for phishing). The page mimics the official Bank Negara Malaysia portal. It asks for:

  • Telephone number (with a Dutch prefix +31 as an example)
  • Bank selection (from a dropdown)
  • User ID / Username
  • Password
  • A checkbox to agree to “Terma & Syarat” (Terms & Conditions)

After the victim submits this data, they are redirected to the next step.

Step 2 – Fake Google Login Pages (Second and Third Screenshots)
The victim is then taken to a page that mimics the Google login interface (in Indonesian). It asks for:

  • Email address
  • Password

The language (“Gunakan Akun Google Anda” – Use your Google account) and the note about adding the account to the device are copied from legitimate Google screens.

The goal:
The attacker collects:

  • The victim’s bank login credentials (including which bank they use, their user ID, password, and phone number)
  • The victim’s Google account credentials (email and password)

With this combination, the attacker can:

  • Log into the victim’s bank account to transfer funds
  • Access the victim’s Google account to intercept password reset emails, steal personal data, and compromise other linked services
  • Use the phone number for SIM swapping or to bypass two‑factor authentication

Red flags to watch for:

  • Suspicious URL: The pages are hosted on taplink.ws, not on bnm.gov.my (Bank Negara Malaysia’s official domain) or google.com.
  • Unusual combination of requests: A central bank would never ask for your bank selection, user ID, password, and phone number in a single form – and certainly not redirect you to a Google login afterwards.
  • Language inconsistency: The Bank Negara page mixes English and Malay/Indonesian, but the domain and design are clearly not official.
  • Google login page on a third‑party domain: Legitimate Google login pages are only on google.com domains. The URL in the second screenshot is not shown fully, but the context makes it clear it is a phishing copy.
  • Unsolicited login request: Neither Bank Negara Malaysia nor Google sends links requiring you to log in via external sites to resolve “service” issues.

What to do if you encounter this:

  • Do not enter any information on these pages.
  • If you have already entered your bank credentials, contact your bank immediately to change your password and secure your account.
  • If you have entered your Google credentials, change your Google password immediately, enable two‑factor authentication (2FA), and review recent activity for any unauthorized logins.
  • Always access your bank and Google accounts by typing the official URLs directly (bnm.gov.my, google.com) – never through links.

Protective measures:

  • Bookmark the official login pages for your bank and Google.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on all important accounts.
  • Be suspicious of any unsolicited message that asks you to log in via a link, especially when it involves multiple steps or different services.
  • Check the URL carefully – look for unusual top‑level domains (.ws, .top, .xyz) and free hosting services.

Touch ‘n Go eWallet Hijack detected

🛡️ Phishing Alert: The “eWallet Hijack” Scam

This screenshot shows a sophisticated phishing page that impersonates the Touch ‘n Go eWallet login interface. While the URL suggests a gaming theme (sangepoints), the actual goal is to drain your digital wallet.

1. Brand Impersonation (Spoofing)

The attackers use the official colors, fonts, and the Touch ‘n Go eWallet logo at the top of the page.

  • The Tactic: This is a “Double Trap.” The user might come for gaming points but is told they need to log in with their wallet to “pay a small fee” or “verify their identity” to receive the reward.
  • The Reality: Any legitimate login for Touch ‘n Go would occur on their official domain (touchngo.com.my) or within the app, never on a Taplink page.

2. High-Value Data Theft: Mobile Number & PIN

The form asks for two critical pieces of information:

  • Mobile Number: Used as the account ID for most eWallets.
  • 6-digit PIN: This is the master key to your funds.
  • The Theft: Once a victim enters these details, the scammer can instantly log into the real app, change the password, and transfer all the money to another account.

3. False Sense of Security

At the bottom, there is a reassuring message: “Don’t worry, rest assured that your data are kept secure and confidential.”

  • Social Engineering: This is a psychological trick designed to lower the victim’s guard at the most critical moment. Scammers often use professional-sounding legal or security disclaimers to appear legitimate.

How to Stay Safe:

  • Check the URL twice: If you see a banking or eWallet login form on a domain like taplink.ws, it is 100% a scam.
  • Never enter your PIN on a website: Payment apps are designed to be used inside the app. Your eWallet will never ask for your PIN via a browser link sent by a stranger.
  • Enable Biometrics: Using FaceID or Fingerprint for your wallet makes it much harder for scammers to use a stolen PIN.

🛡️ Phishing Alert: The “Push Notification” Hijack

This screenshot captures the final step of an account takeover. After stealing your credentials, the scammer is now tricking you into authorizing their fraudulent login.

1. The “Check Your Phone” Trap

The page displays a convincing message: “We sent a notification to your device. Tap ‘Yes’ to complete the process.”

  • The Tactic: This is timed perfectly. While you are looking at this fake page, a real notification from the actual Touch ‘n Go eWallet app pops up on your phone.
  • The Reality: The notification you see on your phone is not to “receive points” or “verify a reward.” It is a request to authorize a new device (the scammer’s phone) to access your wallet.

2. Social Engineering: The “Continue” Button

The large “Continue” button at the bottom does nothing technical—it is purely psychological.

  • The Goal: It keeps the victim engaged and waiting on the site while the scammer waits for the victim to tap “Yes” on their mobile device.
  • The Deception: By creating a professional-looking “Processing” screen, the scammer makes the illegal login attempt feel like a legitimate part of the “Get Money” or “Get Points” flow.

3. Exploiting 2FA (Two-Factor Authentication)

  • The Breach: Scammers know that most people trust their app’s notifications. They rely on the victim’s confusion: the victim thinks they are confirming a “Safe Receipt of Funds,” but they are actually handing over the keys to their account.
  • The Result: If you tap “Yes” or enter an OTP code on this site, the scammer gains full control of your eWallet. They can immediately drain your balance and any linked bank accounts or credit cards.

How to Stay Safe:

  • Never “Authorize” via a Link: If you receive a push notification to log in while you are on a third-party website (like Taplink), always tap “No” or “Reject”.
  • Read the Notification Carefully: Real security alerts will say “Are you trying to log in from a new device?” or “Authorize this transaction?”. If you didn’t initiate it yourself inside the official app, it’s a scam.
  • Close the Browser: If a site asks you to “wait for a notification” to receive a prize, it is 100% a scam. Official rewards never require 2FA authorization.

🛡️ Phishing Alert: The “Google Login” Account Takeover

This screenshot reveals a fake Google login page hosted on Taplink. Scammers use the familiarity of Google to gain full access to your emails, photos, cloud storage, and saved passwords.

1. The Visual Deception (Impersonation)

The page uses the official Google logo and mimics the layout of a real login screen.

  • The Tactic: The text is in Indonesian (“Gunakan Akun Google Anda…”), which suggests this specific campaign is targeting users in Southeast Asia.
  • The Red Flag: A real Google login will always be hosted on ://google.com. If you see a Google login form on taplink.ws or any other domain, it is 100% a fake.

2. High-Stake Theft: Email and Password

The form asks for your Email and Password.

  • The Goal: Once the victim enters these, the scammer gains access to the victim’s primary email. From there, they can reset passwords for other services (banking, social media, crypto exchanges) and steal sensitive personal data from Google Drive and Photos.

3. Exploiting “Safe” Domains

By using sangepoints.taplink.ws, the attackers hope that the “safe” reputation of Taplink will prevent the browser from showing a “Dangerous Site” warning. They often lure victims to this page by promising “Premium Game Features” or “Early Access” that supposedly requires a Google login to “sync progress.”

How to Stay Safe:

  • Check the URL Bar: This is the most important rule. If the URL doesn’t end in google.com, do not type anything.
  • Use a Password Manager: Professional password managers (like 1Password or Bitwarden) will refuse to autofill your password on a phishing site because they recognize the domain is wrong.
  • Enable 2-Step Verification (2FA): Always use a physical security key (like YubiKey) or an Authenticator App. Never trust a login request that pops up while you are on a suspicious website.

🛡️ Phishing Alert: The “Success” Deception

This screenshot captures the moment after a victim has already submitted their Google credentials. It is a critical psychological tactic used to buy time for the attacker.

1. The Fake Success Message

The popup says: “Terima kasih atas aplikasi Anda” (“Thank you for your application”) with a green checkmark.

  • The Tactic: By showing a “Success” screen, the scammer makes the victim feel that the process is over and everything is fine.
  • The Reality: At this very second, the victim’s email and password have already been sent to the scammer’s server.

2. Psychological “Cooling Off”

  • Why it works: If the page just crashed or showed an error, the victim might realize they were scammed and immediately try to change their password or enable 2FA.
  • The Goal: The “Tutup” (“Close”) button encourages the user to simply close the tab and move on, giving the scammer minutes or hours of uninterrupted access to the stolen account.

3. Language Targeting

The Indonesian text confirms that this specific campaign (sangepoints.taplink.ws) is a localized attack. Scammers often use the victim’s native language to increase the conversion rate and build trust.

How to Stay Safe:

  • Check your Activity: If you ever realize you’ve entered data into a suspicious site, go to google.com immediately.
  • Sign out of all devices: Use the “Sign out of all sessions” feature to kick any intruders out of your account.
  • Change your password instantly: Every second counts before the scammer sets up their own recovery info.

Fake Carousell”Safe Payment” Receipt

🛡️ Phishing Alert: The “Fake Buyer” Marketplace Scam

This screenshot demonstrates a common and dangerous phishing tactic used on classifieds and marketplace platforms (like Carousell, Olx, or Avito).

Here is a breakdown of how this scam works to steal your banking information:

1. The Domain Deception

Look closely at the URL: carousell.83774920.sale/….

  • The Trap: Scammers use a subdomain that includes the brand name (carousell) to create a false sense of security.
  • The Reality: The actual domain is 83774920.sale. Official Carousell transactions will never happen on a random numeric domain or a .sale extension. They always stay within carousell.ph or the official app.

2. The Emotional Hook: “Receipt of Funds”

The page is designed to look like a legitimate “Safe Receipt of Money” portal.

  • The Tactic: The scammer contacts a seller and claims they have already paid for the item. They send this link to the seller, claiming it’s the only way to “accept” or “receive” the money.
  • The Red Flag: Legitimate marketplaces do not require you to enter your full card details or address on a third-party link to receive a payment.

3. Psychological Manipulation

  • Urgency: The text states the item “must be shipped within 3 days,” pushing the victim to act quickly.
  • False Protection: Using terms like “Protection Carousell” and “Dedicated team” is a social engineering trick to make the victim lower their guard.
  • The “Get Money” Button: The bright red button “Stage 2/2: Get Money” is the final trap. Clicking it will typically lead to a fake bank login page or a form asking for your card number, CVV, and SMS OTP.

How to Stay Safe:

  • Stay on the App: Never follow links sent by buyers in external messengers (WhatsApp, Viber, Telegram).
  • Verify the URL: Always check the main domain. If it’s not the official platform address, it’s a scam.
  • No Card Info for Receiving: You do not need to provide your CVV or a one-time password (OTP) to receive money. These are only for sending money.

Phishing Scheme: Fake “Safe Payment” Receipt
How the scam works:
The Approach: A scammer contacts a seller on a marketplace (Carousell), posing as a legitimate buyer. They claim to have already made the payment through the platform’s internal “safe deal” system.
The Link: The scammer sends a generated link (like the one above) via an external messenger (WhatsApp/Viber), claiming it’s the official “Receipt of Funds” page.
The Trap: The page looks identical to the official marketplace design. It displays a “Stage 1/2: Receipt of Funds” form, asking the seller to confirm their details.
The Theft: When the seller clicks “Get Money,” they are redirected to a fake payment gateway that asks for Full Card Number, Expiry Date, CVV, and even an SMS OTP (One-Time Password). Instead of receiving funds, the victim’s account is drained.
Warning Signs:
External Links: Official platforms never send payment links via third-party messengers.
Fake Domain: Always check the root domain. In this case, it is 83774920.sale, which has nothing to do with the official carousell.ph.
Receiving Money Doesn’t Require CVV: You never need to provide your card’s CVV or an SMS confirmation code to receive a payment.

Pinkoi Fake Suspension Notice detected

These screenshots show a phishing campaign impersonating Pinkoi (a popular e‑commerce platform for designers and handmade goods) and an associated seller named “Amberlithuania”. The scam uses a fake account suspension notice to trick victims into providing full bank card details and personal information.

Threat Analysis: Pinkoi Seller Phishing – Fake “Account Suspended” / Card Verification Scam

How it works:

  1. Fake Suspension Notice – The victim (likely a seller or buyer on Pinkoi) sees a page claiming that the “Amberlithuania” account is suspended and must verify a bank card within 24 hours to restore access. Logos of Visa, Mastercard, PayPal, and Google Pay are shown to create a false sense of security.
  2. Card Details Request – The victim is directed to a page that asks for card number and later cardholder name and phone number. A fake “Secure Connection” badge and SSL claim are added to appear legitimate.
  3. Urgency and False Reassurance – The message states that verification must be completed within a limited time (24 hours) and claims that all personal details are protected and not visible to anyone – a common tactic to lower suspicion.

The goal:
The attacker steals:

  • Full credit/debit card number
  • Cardholder name
  • Phone number

With this information, the attacker can make fraudulent online purchases, clone the card, or sell the data on criminal markets. There is no actual account suspension – the entire notice is fabricated.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain like pinkoi.83774920.sale, not the official Pinkoi domain (pinkoi.com).
  • Request for full card details to “verify” an account: Legitimate platforms never ask for your card number, expiration date, or CVV to reactivate a suspended account. Such verification would happen through official payment gateways or by contacting support directly.
  • Threat of immediate suspension / limited time: The 24‑hour deadline is a classic pressure tactic to prevent victims from thinking critically.
  • Fake “Secure Connection” badge and SSL claim: These are copied from legitimate sites but do not guarantee safety – the page is still a phishing site.
  • Poor design / generic layout: The pages lack the full Pinkoi branding, navigation, and security notices that would appear on the real site.

What to do if you encounter this:

  • Do not enter any card details, personal information, or phone number.
  • If you are a Pinkoi user, always access your account by typing pinkoi.com directly into your browser. Check your account status through official channels.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Pinkoi’s security team.

Protective measures:

  • Never click links in unsolicited messages claiming your account is suspended or needs verification.
  • Always type the official website URL directly into your browser.
  • Never provide your card details, CVV, or expiration date in response to an account suspension notice.
  • Enable two‑factor authentication on your e‑commerce and email accounts.
  • Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains (e.g., .sale, .xyz).

Easybank phishing page detected

A phishing campaign targeting easybank (a German direct bank), based on the two screenshots.

Threat Analysis: easybank Phishing – Fake Online Banking Login with Fake Waiting Page

This phishing campaign impersonates easybank, a German online bank. The attack is designed to steal the victim’s online banking credentials (username and password) and then use a fake “processing” page to reduce suspicion.

How it works:

Step 1 – Fake Login Page (First Screenshot)
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to log in. The link leads to this page, which mimics the easybank Online‑Banking login portal. The page asks for:

  • Benutzername (username)
  • Passwort (password)

A link for “Zugangsdaten vergessen” (forgotten credentials) is added to appear legitimate. The page also includes a “Jetzt registrieren” (register now) option and references to “Tagesgeldkonto” (overnight money account) – all copied from the real bank’s website.

Step 2 – Fake Waiting Page (Second Screenshot)
After the victim submits their credentials, they are taken to this page. It claims that the request is being processed and asks the victim not to leave the page to avoid interruption. This serves two purposes:

  • It buys time for the attacker to use the stolen credentials to log into the real easybank portal.
  • It reduces suspicion – the victim believes the login was successful and that the system is working normally.

In reality, the credentials have already been captured, and the attacker may be using them to access the victim’s real account, transfer funds, or change settings.

The goal:
The attacker steals easybank login credentials to:

  • Access the victim’s bank account
  • View balances, transfer money, and make unauthorized payments
  • Commit fraud or identity theft

Red flags to watch for:

  • Suspicious URL: The login page is hosted on a domain that is not easybank.de or the official easybank domain. The URL contains somafi-group.fr – an unrelated French domain, not the bank’s official address.
  • Unsolicited login request: easybank does not send links requiring customers to log in to resolve account issues. Always type the official URL directly.
  • Generic waiting page: A legitimate online banking system does not display a simple “please wait” page after login – the user is either logged in or shown an error. This waiting page is a classic phishing tactic to stall while the attacker works.
  • Minimal design / missing security features: The fake login page lacks the full branding, security notices, and multi‑factor authentication prompts (e.g., chipTAN, pushTAN) that would appear on the real easybank site.

What to do if you encounter this:

  • Do not enter your username or password.
  • If you have already entered your credentials, contact easybank immediately to block your account and change your access data.
  • Always access online banking by typing easybank.de directly into your browser or using the official easybank app.
  • Report the phishing page to easybank’s fraud department.

Protective measures:

  • Bookmark the official easybank login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate domains.
  • Enable two‑factor authentication (chipTAN, pushTAN, or mobileTAN) – but be aware that attackers may also try to intercept these codes if they have already captured your credentials.
  • Be suspicious of any unsolicited message that asks you to log in via a link.
  • Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains.

ING Home’Bank phishing page revealed

Target: ING Bank Customers (Europe/Romania/Poland)
Threat Level: Critical (Session Hijacking)
Phishing Method Description
This method focuses on Device Authorization Theft. The phishing page mimics the ING “HomeBank” interface, often using a “Synchronize your security device” or “Update HomeBank app” pretext.
The attacker’s goal is not just your password, but the Authorization Code (token) generated by your mobile app. By entering this code into the fake site, you are actually authorizing the hacker’s device to access your bank account.
⚠️ Red Flags to Watch For
Suspicious Domain: The URL might look like ing-homebank-update.com or authorization-ing.net. ING only uses its official national domains (e.g., ing.ro, ing.pl, ing.com).
Unusual Requests: Banks will never ask you to “synchronize” or “re-verify” your device through a link sent via SMS or Email.
Language Errors: Often, these pages contain subtle grammatical mistakes or incorrect font rendering that differs from the official app.
🛡️ How to Protect Yourself
App Notifications: Trust only the notifications that appear inside your official ING mobile app.
Never Share Codes: Never enter a 2FA or authorization code on a website you reached via a link. Codes should only be entered in the official app or the bank’s main website that you opened yourself.
Enable Push-Alerts: Set up instant notifications for any login or transaction so you can react immediately if your account is compromised.

Banco de Bogota phishing page detected

A sophisticated phishing campaign targeting Banco de Bogotá in Colombia uses deceptive “security update” messages to steal user credentials, including identification numbers and full credit card details. This fraudulent site imitates the official banking portal to bypass security checks and solicit sensitive information through high-pressure tactics.

Target: Customers of Banco de Bogotá (Colombia)
Threat Level: High (Credit Card & Identity Theft)
Phishing Method Description
This attack uses Visual Impersonation to mimic the “Banca Virtual” (Virtual Banking) portal of Banco de Bogotá. Scammers typically distribute these links via SMS (Smishing) or Email, claiming that the user’s digital key has expired or that an “unusual transaction” requires immediate verification.
The fake site is designed to harvest:
Customer ID / Username (Documento de Identidad)
Online Banking Password
Token / OTP Codes (One-Time Passwords)
Full Debit/Credit Card Details (Number, Expiration Date, and CVV)
⚠️ Red Flags to Watch For
The URL Trap: The official domain is bancodebogota.com. Phishing links often use strange subdomains or lookalike addresses like bancodebogota-seguro.com, validar-bogota.net, or free hosting platforms.
Requesting the CVV: Real banking login pages never ask for your 3-digit CVV code (on the back of your card) just to log into your account. This is a clear sign of a credit card “skimmer.”
Mixed Languages/Broken Links: Often, the “Help” or “Contact Us” buttons on these fake pages lead nowhere or return a 404 error, as only the login form is functional.
🛡️ How to Protect Yourself
Type, Don’t Click: Always manually type ://bancodebogota.com into your browser address bar. Never click on links in SMS messages.
Verify the SMS Sender: Banco de Bogotá sends alerts from official short codes. If you receive a security alert from a regular 10-digit mobile number, it is 100% a scam.
Use the Official App: Perform all sensitive operations and balance checks through the official “Banca Móvil” app downloaded from the App Store or Google Play.
Identify Verification: If the site asks you to enter multiple codes from your Token one after another, close the page immediately. Scammers do this to perform unauthorized transfers in real-time.