Fake “Complaint Center” / “INTERPOL” Scam

Threat Analysis: Fake “Complaint Center” / “INTERPOL” Scam (Recovery & Impersonation Fraud)

This set of screenshots reveals a fraudulent website impersonating a high-level international complaint center, loosely referencing INTERPOL, the FBI, and the U.S. Department of Justice. The site is designed to appear as a legitimate security or law enforcement agency offering services such as “Fund Recovery”, “Investigation”, and “Case Review”.

How it works:
The victim is likely directed to this site after being scammed previously (e.g., via a phishing email or an ad promising help with recovering lost funds). The site features fake testimonials, stock photos, generic security service descriptions, and a “Complaint Form”. The victim is asked to enter a “Case Number” or file a complaint. In subsequent steps (not fully shown in these screenshots), the victim would be asked to provide personal identification, banking details, or upfront fees for “investigation” or “asset recovery”.

The goal:

  • Steal personal information (name, address, ID documents) for identity theft.
  • Collect banking or credit card details under the guise of “verification” or “processing fees”.
  • Perpetrate an advance fee fraud (recovery scam) – the victim pays a fee to “unlock” their non-existent refund or investigation, but never receives any service.
  • Impersonate law enforcement to intimidate victims into compliance.

Red flags to watch for:

  • Suspicious domain & IP address: The URL shows an IP address 192.142.55.73 with a path containing ~cimb2/… – not an official government or law enforcement domain (which would be .gov, .int, or similar). The use of a raw IP and a hosting subdirectory is highly unprofessional for any legitimate agency.
  • Poor design & generic content: The site mixes unrelated topics (“Bodyguard”, “Computer Security”, “Biometric”) with stock images and placeholder text. The “Latest Post” section contains generic blog titles unrelated to law enforcement.
  • Impersonation of multiple agencies: The site claims to be run by a “Secretary General” and references INTERPOL, the FBI, and the U.S. Department of Justice. No single entity combines all these. This is a common tactic to fabricate authority.
  • Fake testimonials: Generic quote from “Zenifar Lopez, Business Owner, Spain” – likely fabricated.
  • Request for case number without prior interaction: Legitimate law enforcement does not ask you to enter a case number on a public website to start a complaint. Official reporting is done through verified government portals or in person.
  • Offers of “Fund Recovery”: This is a classic recovery scam promise. No legitimate law enforcement or security agency guarantees fund recovery for a fee.

What to do if you encounter this:

  • Do not enter any case number, personal information, or financial details.
  • Do not pay any fee for “investigation” or “fund recovery”.
  • If you have already submitted information, contact your bank immediately and monitor your credit reports for identity theft.
  • Report the fraudulent website to the real INTERPOL (via their official site), the FBI’s IC3, and the hosting provider.

Protective measures:

  • Always verify the official website of any law enforcement or security agency by typing the known official URL directly (e.g., interpol.int, fbi.gov, justice.gov).
  • Never pay upfront fees to recover money from a previous scam – this is almost always a secondary scam.
  • Be suspicious of unsolicited offers to resolve complaints or investigate fraud, especially if received via email or social media.
  • Use a password manager and keep your personal information secure.

Woolworths Vendor Summit fake page

⚠️ High-Risk Alert: Corporate “Vendor Summit” Phishing Scam

This image displays a classic example of B2B (Business-to-Business) Phishing. Scammers are impersonating the Australian retail giant Woolworths to harvest corporate intelligence and employee data.

How the Scam Works:

  1. Exploiting Professional Authority: By using the Woolworths Vendor Summit 2026 branding, attackers target business partners and suppliers. They exploit the victim’s desire to maintain a good relationship with a major client.
  2. The “Registration” Hook: The page asks for “Company Name,” “Agent Name,” and “Designation.” This is Corporate Reconnaissance. Scammers use this data to perform more convincing Business Email Compromise (BEC) attacks later.
  3. The Image Upload Trap: The request to “Upload Image” is particularly dangerous. It can be used to harvest biometric data (photos) or, more maliciously, to trick users into uploading sensitive corporate ID documents.
  4. Critical Technical Red Flags:
     • Insecure Connection: The browser explicitly marks the site as “Not secure.” Legitimate corporate portals always use encrypted HTTPS.
     • Numerical URL: The website uses a raw IP address (43.225.148.223) instead of an official domain like woolworths.com.au. No major corporation hosts registration forms on an exposed IP address.
     • Non-Standard Port: The use of port :8082 is a common sign of a temporary, malicious server setup.

How to Protect Your Organization:

  • Verify the Source: Official Woolworths communications will only come from verified @woolworths.com.au email addresses and point to official domains.
  • Inspect the URL: Never enter data into a site that uses a raw IP address (numbers only) or displays a “Not secure” warning.
  • Report & Block: If you encounter this specific IP or similar “Registration Forms,” report them to your IT Security department immediately.

🚨 Quick Check: Is This Site a Scam?

Before entering any corporate or personal data, look for these 4 Red Flags identified in the recent Woolworths impersonation scam:

  • 🚩 The “Not Secure” Warning: If your browser displays a “Not secure” message in the address bar, stop immediately. Legitimate companies always use HTTPS to encrypt your data.
  • 🚩 Numbers instead of a Name: Official portals use clear domains (e.g., woolworths.com.au). If the address is just a string of numbers (like 43.225.148.223), it is almost certainly a malicious server.
  • 🚩 Unusual Data Requests: Be wary of forms asking for “Agent Names,” “Designations,” or especially those requiring you to upload images/files on an unverified site.
  • 🚩 Poor Visual Quality: Look for “copy-paste” logos, inconsistent fonts, or strange phrasing like “Add Image Like.” Real corporate sites go through strict quality control.

Rule of Thumb: If a registration link doesn’t end in the official company domain, do not click, do not type, and do not upload.

Meine AOK (a major German health insurance provider) fake page detected

This screenshot is a clear example of a polished phishing landing page.

⚠️ Phishing Alert: The “Professional Insight” Subscription Trap

This image reveals a deceptive phishing tactic used to harvest personal information under the guise of a professional newsletter subscription.

How the Scam Works:

  1. Impersonation & Trust: The page uses the branding “Meine Aok” (mimicking a major German health insurance provider) to create a false sense of security. It uses a clean, professional layout and promises “Exclusive Content” and “Expert Analysis” to lure targets.
  2. The Hook: It appeals to professionals by offering “Industry Insights” and “Weekly Updates,” claiming that thousands of others have already joined.
  3. Data Harvesting: The form asks for your Full Name and Email Address. While it looks like a standard sign-up, this information is used to build profiles for identity theft or to launch more targeted “spear-phishing” attacks.
  4. Malicious Domain: The URL in the address bar is meine-aok.digital. The official domain for AOK is aok.de. Scammers often use .digital, .info, or hyphenated names to trick users who aren’t looking closely.

Red Flags to Watch For:

  • Mismatched URL: Always check the domain. If the brand is “AOK” but the URL ends in something other than their official .de domain, it is a scam.
  • Generic Language: The text “Stay Ahead with Professional Insights” is very generic and doesn’t align with the actual services a health insurance company provides.
  • Privacy Policy Links: Often, on these fake sites, the “Privacy Policy” links are either broken or lead back to the same page.

How to Stay Safe:

  • Never enter your details on a site reached via a suspicious link in an email or SMS.
  • Manually type the official website address into your browser if you need to access a service.
  • Look for the lock icon, but remember: even scam sites can have SSL certificates. The domain name is your best clue.

Fake Storage Alert – Credential / Payment Harvesting Scam

This screenshot shows a fake “storage alert” phishing page designed to scare victims into believing their device or cloud storage is nearly full. The message threatens data loss, blocked files, and backup suspension unless the user clicks an “UPGRADE NOW” button – which leads to a phishing site.


Threat Analysis: Fake Storage Alert – Credential / Payment Harvesting Scam

How it works:
The victim receives an email, pop‑up, or SMS claiming that their storage is critically low. The message uses urgent language (“URGENT REMINDER”, “Action required”, “Failure to act may result in backup suspension”) to create fear. A button labelled “UPGRADE NOW” is prominently displayed.

Clicking the button leads to a fraudulent website that:

  • Asks for cloud account login credentials (e.g., Google, Microsoft, iCloud, Dropbox)
  • Requests payment information (credit card details) for a fake storage upgrade
  • Installs malware disguised as a “cleanup tool” or “upgrade utility”

The goal:
The attacker aims to:

  • Steal login credentials for cloud or email accounts
  • Capture credit card details for fraudulent transactions
  • Trick the victim into downloading malware

Red flags to watch for:

  • Unsolicited storage alert: Legitimate storage notifications come from within the app or operating system – not via random emails or pop‑ups with a clickable “UPGRADE NOW” button.
  • Threats of immediate data loss: “New files and emails will be blocked”, “Backups will fail silently”, “Important data may be lost permanently” – these are classic fear tactics.
  • Vague system references: The message does not specify which service or device is affected (e.g., no mention of Google Drive, iCloud, Windows, etc.).
  • Generic branding: No company logo or official header is shown.
  • Urgency and pressure: Phrases like “URGENT REMINDER” and “Failure to act” are designed to bypass critical thinking.

What to do if you encounter this:

  • Do not click the “UPGRADE NOW” button or any links.
  • Check your actual storage status through your device’s settings or the official app of your cloud provider.
  • If you have already clicked and entered credentials, change your password immediately and enable two‑factor authentication.
  • If you entered payment details, contact your bank immediately to block your card.
  • Report the phishing page to the legitimate service being impersonated (if identifiable).

Protective measures:

  • Never click links in unsolicited storage alerts. Always check storage directly through official system settings.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on all cloud and email accounts.
  • Be suspicious of any message that creates urgency and threatens data loss.

Poshmark Phishing – Fake Account Restriction & Card Harvesting

This set of screenshots shows a phishing campaign impersonating Poshmark, a popular online marketplace for second‑hand goods. The scam uses a fake “account restricted” notification and a fake support chat to pressure victims into providing full credit/debit card details, personal information, and contact details.


Threat Analysis:

How the scam works (multi‑step flow):

  1. Fake Account Restriction Page – The victim receives a link (via email, SMS, or social media) claiming their Poshmark account is restricted. The page shows a countdown or threat that the account will be deactivated within 24 hours. A “Verify” button is prominently displayed. A fake live chat window appears, with a “support agent” (e.g., “Amelia”) explaining that the victim must provide card details for verification.
  2. Card Details Harvesting Page – The victim is asked to enter card details and billing information, padded with fake assurances about encryption and GDPR compliance.
  3. Fake Order Summary & Submit Page – A final page shows an order summary (often with a small amount or zero) and a “Submit” button. The victim is told that completing this will “validate” their card and restore the account.

The goal:
The attacker collects:

  • Full credit/debit card details (number, expiry, CVV)
  • Personal information (full name, address, email, phone number)

With this data, the attacker can:

  • Make fraudulent online purchases
  • Clone the card or sell the information on criminal markets
  • Use the personal details for identity theft

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain like check0925.sbs, not poshmark.com. Legitimate Poshmark pages are only on official domains.
  • Request for CVV and full card details for “account verification”: Poshmark never asks for your card security code to verify or unblock an account.
  • Fake live chat support: The chat window is not a real support function – it is a scripted message designed to pressure victims. Legitimate customer support does not ask for card details via chat.
  • Threat of account restriction / 24‑hour deadline: Classic urgency and fear tactics.
  • Fake order summary and “Submit” button: There is no actual purchase; this is designed to mimic a checkout process and make the victim believe they are completing a legitimate transaction.
  • Copied branding: The pages use Poshmark’s logos, categories, and footer links, but these are stolen from the real site.
  • Warnings about scams on the page itself: Ironically, the page includes a generic warning about scams – this is copied text and does not make the page legitimate.

What to do if you encounter this:

  • Do not enter any personal or card information.
  • Do not interact with the fake chat or click any buttons.
  • If you are a Poshmark user, always log in directly by typing poshmark.com into your browser. Check your account status from the official dashboard.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Poshmark’s security team and to the hosting provider.

Protective measures:

  • Never click links in unsolicited messages claiming your account is restricted.
  • Always type the official website URL directly into your browser.
  • Never provide your card CVV or expiration date for “account verification” – legitimate businesses do not need this information to confirm your identity.
  • Enable two‑factor authentication on your Poshmark account and email.
  • Be suspicious of any page with a live chat that immediately asks for card details – this is almost always a scam.
  • Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains (.sbs, .top, .xyz).
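The URL checks recommended in this alert and in the Woolworths and Meine AOK alerts above (raw IP host, non-standard port, missing HTTPS, unusual top-level domains, a brand name on a lookalike domain, and, from the GitHub Pages alert further down, free developer hosting such as github.io) can be folded into a single triage function. The Python below is an added example and is not code from this page or from any vendor named on it; the official-domain table and the sample URLs are constructed from details quoted in these alerts, and the verdict thresholds are an assumption of the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators taken from the alerts on this page (constructed lists, not a feed).
SUSPICIOUS_TLDS = {"sbs", "top", "xyz", "tv", "th", "digital", "info"}
FREE_HOSTING_SUFFIXES = ("github.io", "vercel.app", "atoms.dev")
# brand token -> official registrable domain(s) as stated in the alerts
OFFICIAL_DOMAINS = {
    "aok": ("aok.de",),
    "poshmark": ("poshmark.com",),
    "woolworths": ("woolworths.com.au",),
    "interpol": ("interpol.int",),
    "fbi": ("fbi.gov",),
    "bankid": ("bankid.no",),
}
# Flags that on their own justify blocking (assumed threshold).
HIGH_SEVERITY = {"raw_ip_host", "brand_lookalike", "nonstandard_port", "malformed_port"}


def _under_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage_url(url: str) -> list:
    """Return the list of red flags raised by a URL (empty list = nothing found)."""
    flags = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme != "https":            # browser would show "Not secure"
        flags.append("http_not_https")

    try:
        port = parts.port                  # None when no explicit port is given
    except ValueError:                     # e.g. non-numeric port
        port = None
        flags.append("malformed_port")
    if port not in (None, 80, 443):
        flags.append(f"nonstandard_port:{port}")

    is_ip = False
    try:
        ipaddress.ip_address(host)         # raw IPv4/IPv6 instead of a name
        is_ip = True
        flags.append("raw_ip_host")
    except ValueError:
        pass

    if host and not is_ip:
        labels = host.split(".")
        if labels[-1] in SUSPICIOUS_TLDS:
            flags.append(f"suspicious_tld:{labels[-1]}")
        if any(_under_domain(host, s) for s in FREE_HOSTING_SUFFIXES):
            flags.append("free_hosting")
        # Brand token appearing as a label (meine-aok.digital -> "aok") while the
        # host is not under the brand's official domain.
        tokens = set(host.replace("-", ".").split("."))
        for brand, official in OFFICIAL_DOMAINS.items():
            if brand in tokens and not any(_under_domain(host, d) for d in official):
                flags.append(f"brand_lookalike:{brand}")
    return flags


def verdict(flags: list) -> str:
    """Collapse the flag list into low / medium / high."""
    if any(f.split(":")[0] in HIGH_SEVERITY for f in flags):
        return "high"
    return "medium" if flags else "low"


if __name__ == "__main__":
    # Constructed sample URLs built from the alerts on this page.
    for sample in (
        "http://43.225.148.223:8082/register",
        "http://192.142.55.73/~cimb2/",
        "https://meine-aok.digital/subscribe",
        "https://check0925.sbs/verify",
        "https://lumialous.github.io/matrice_reclamations_agences/",
        "https://www.aok.de/",
    ):
        f = triage_url(sample)
        print(f"{verdict(f):6} {sample}  {f}")
```

The lookalike check only catches brands listed in the table, so a fresh domain such as the myntro-gebyr.com used in the BankID alert below comes out as "low"; the decisive control remains matching the host against the official domain you typed in yourself, which is exactly the advice every alert on this page gives.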

dao (Danish Parcel Service) Phishing – Fake Delivery Failure & Address Update Scam

This phishing campaign impersonates dao, a Danish parcel delivery service. The scam uses a fake “delivery failed” notification to trick victims into providing personal information, which can later be used for identity theft or to redirect victims to a payment page where credit card details are stolen.

How it works:

  1. Fake Tracking Page – The victim receives an SMS or email with a link to a fake tracking page. The page displays a fake tracking number and a false status (e.g., “Delivery attempt failed”).
  2. Delivery Failure Notice – The victim is informed that the package could not be delivered because the address was unclear. A button or link (e.g., “Update Address”) is presented.
  3. Address Update Form – The victim is taken to a page that asks for personal details: first name, last name, street address, city, postal code, email, and phone number (with Danish country code +45 pre‑filled).
  4. Potential Next Step (not fully shown) – After submitting the address, the victim may be redirected to a payment page requesting card details (e.g., a small “redelivery fee”). This is a common pattern.

The goal:
The attacker collects:

  • Full name, address, postal code, city
  • Email address and phone number

With this information, the attacker can:

  • Sell the data to other criminals
  • Use it for identity theft
  • Target the victim with follow‑up scams (e.g., fake bank calls)
  • If a payment page follows, also steal credit card details

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not dao.dk or the official dao website. The visible fragments (e.g., 135.2.tv, 135.1.tv) suggest a subdomain or odd URL structure.
  • Unsolicited delivery failure notification: dao does not send links to update addresses via SMS or email. Legitimate delivery issues are handled through the official tracking system or by contacting customer service directly.
  • Fake tracking number: The tracking number (CP318587863DK) is fabricated and cannot be verified on the real dao website.
  • Request for personal information before delivery: A legitimate courier already has your address. They will not ask you to re‑enter it via a link in a message.
  • Generic design / copied content: The pages use dao’s branding, navigation menus, and help section links, but these are copied from the real site. The domain is the giveaway.

What to do if you encounter this:

  • Do not enter any personal information (name, address, email, phone).
  • If you have already entered such information, be aware that it may be used for identity theft or follow‑up scams.
  • If you were redirected to a card payment page and entered card details, contact your bank immediately to block your card.
  • Always track packages by typing the official courier URL directly (e.g., dao.dk) and entering your real tracking number.
  • Report the phishing page to dao’s customer service.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never provide your address, email, or phone number in response to a delivery notification link.
  • Check the URL carefully: Official dao domains end with dao.dk. Look for misspellings, extra words, or unusual top‑level domains (e.g., .tv, .th).
  • Enable two‑factor authentication on your email and banking accounts.

🇩🇿 🇫🇷 Cross-Border B2B Fraud: The “Atoms.dev” Phishing Wave

HIGH RISK / SCAM

A sophisticated phishing campaign originated in Algeria, targeting the French business sector. Scammers used Google Share links to bypass email security filters, redirecting victims to a temporary Atoms.dev deployment. The site impersonated a fake Spanish trade entity, “Pro Lite Stock,” offering fraudulent import/export services for premium Algerian products.

Technical Breakdown

  • Vector: Google Share Redirects (share.google)
  • Hosting: Atoms.dev (Serverless Phishing)
  • Identity Theft: Fake Spanish entity “Pro Lite Stock” (Non-existent in Spanish Mercantil Registry).
  • Goal: B2B Credential Harvesting and Invoice Fraud.

Key Facts Table

  • Attacker Origin: Algeria (DZ)
  • Traffic Target: France (FR)
  • Infrastructure: Obfuscated deployment on atoms.dev
  • Status: Neutralized (Domain and IP Cluster Blacklisted)


🛡️ Expert Advice for French Businesses (Conseil aux Entreprises)

Scammers often impersonate European entities to gain trust. Before interacting with any “Trade Offer” or “Logistics Portal,” take these three steps:

  1. Verify NIF/CIF (Spain) or SIRET/SIREN (France): Any legitimate European company must display its official registration number. The “Pro Lite Stock” entity failed to provide a valid CIF (Código de Identificación Fiscal). You can verify Spanish companies for free via the Registro Mercantil Central.
  2. Inspect the Hosting Infrastructure: No established international trade firm hosts its official portal on developer subdomains like *.atoms.dev or *.vercel.app. These are red flags for temporary, throwaway infrastructure.
  3. Cross-Check the Domain History: Use tools like WHOIS to check the domain age. If a company claims to be a “Trusted Global Partner” but their website was created 14 days ago, it is 100% a scam.
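The French SIREN/SIRET numbers named in step 1 can be screened before anyone consults a registry: both carry a Luhn check digit, so a number that fails the check was never issued and the "company" can be discarded on the spot. The Python below is an added example, not code from this alert or its author; the sample values are constructed (123456782 is a Luhn-valid digit string, not a real company), the Spanish CIF uses a different control scheme and is not implemented here, and passing this check only proves the number is well-formed, never that the entity exists or is the one on the website.

```python
import re

# Accept numbers with the spacing/punctuation businesses commonly print (e.g. "123 456 782").
_SEPARATORS = re.compile(r"[\s.\-]")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_siren(value: str) -> bool:
    """SIREN: 9 digits, Luhn-valid (company-level identifier)."""
    s = _SEPARATORS.sub("", value)
    return len(s) == 9 and s.isdigit() and luhn_valid(s)


def check_siret(value: str) -> bool:
    """SIRET: 14 digits = SIREN + 5-digit NIC, Luhn-valid over all 14 digits.
    Known exception not handled here: establishments of La Poste (SIREN 356000000)
    use a different control rule for their SIRETs."""
    s = _SEPARATORS.sub("", value)
    return len(s) == 14 and s.isdigit() and luhn_valid(s) and check_siren(s[:9])


def screen_registration_number(value: str) -> str:
    """Classify a number as printed on a trade portal: 'siren', 'siret' or 'invalid'.
    'invalid' means the number is malformed and the offer should be treated as
    unverified; a valid result still requires a registry lookup."""
    if check_siret(value):
        return "siret"
    if check_siren(value):
        return "siren"
    return "invalid"


if __name__ == "__main__":
    # Constructed samples: a Luhn-valid SIREN, its SIRET with a constructed NIC,
    # and two mistyped variants of the kind a fake "trade entity" might display.
    for sample in ("123 456 782", "12345678200010", "123456789", "12345678200011", "ABC123"):
        print(f"{sample!r:20} -> {screen_registration_number(sample)}")
```

A portal that shows no registration number at all, as the “Pro Lite Stock” site did, fails before this check even runs; a number that passes should still be looked up in the registry named above, because fraudsters can copy a real number from a genuine company.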


Case Study: Intercontinental Crypto-Scam Uncovered

Our system just neutralized a sophisticated Pump & Dump scheme targeting the Singaporean market using North African infrastructure.
The Technical Anatomy of the Attack:

  • Target Audience: Users in Singapore 🇸🇬.
  • Traffic Vector: Paid advertisements on TikTok.
  • Infrastructure: Managed from Morocco 🇲🇦 (IP cluster 154.144.253.x).

Deep Dive into TikTok Ads Metadata:
Our engine intercepted the link containing specific tracking parameters used by professional fraud-arbitrageurs:

  • utm_source=tiktok & utm_medium=paid: Confirmed high-budget bypass of organic content filters.
  • utm_id=CAMPAIGN_ID: A dynamic macro used in TikTok Ads Manager, indicating a template-based, scalable attack.
  • utm_campaign=CAMPAIGN_NAME: Evidence of an automated “industrial” approach to scam distribution.
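As an added example (not Antiphishing.biz's engine or any code from this post), the following Python extracts the same signals from a landing-page link: it classifies the traffic source from utm_source and utm_medium, and it detects unexpanded ad-manager macros such as CAMPAIGN_ID, which show that the link was pasted out of a template rather than generated by the platform. The sample URLs are constructed, and the macro shapes the pattern recognises are an assumption of the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Placeholder shapes an ad platform would normally expand before serving the link:
# ALL_CAPS identifiers with an underscore (CAMPAIGN_ID), __X__ macros and {x} macros.
# The underscore requirement avoids flagging ordinary codes like "SPRING2026".
# Treating these shapes as macros is an assumption of this example.
MACRO_RE = re.compile(r"^(?:[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+|__[A-Za-z0-9_]+__|\{[^}]*\})$")

# Source/medium values that indicate paid social traffic (assumed list).
SOCIAL_SOURCES = {"tiktok", "facebook", "instagram", "snapchat"}
PAID_MEDIUMS = {"paid", "cpc", "ppc", "paid_social", "paidsocial"}


def analyse_tracking_params(url: str) -> dict:
    """Summarise the UTM metadata carried by a landing-page link."""
    query = urlsplit(url).query
    # parse_qs returns lists; keep the first value of each parameter.
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    utm = {k: v for k, v in params.items() if k.startswith("utm_")}
    source = utm.get("utm_source", "").lower()
    medium = utm.get("utm_medium", "").lower()
    macros = sorted(k for k, v in utm.items() if MACRO_RE.match(v))
    return {
        "utm": utm,
        "source": source,
        "medium": medium,
        "paid_social": source in SOCIAL_SOURCES and medium in PAID_MEDIUMS,
        "unexpanded_macros": macros,   # parameters still holding template placeholders
        "templated_link": bool(macros),
    }


def risk_notes(summary: dict) -> list:
    """Human-readable findings an analyst would attach to the link."""
    notes = []
    if summary["paid_social"]:
        notes.append(f"paid social traffic via {summary['source']}")
    if summary["templated_link"]:
        notes.append("unexpanded ad macros in " + ", ".join(summary["unexpanded_macros"])
                     + " (link copied from a campaign template)")
    return notes


if __name__ == "__main__":
    # Constructed sample resembling the intercepted link described above.
    sample = ("https://landing.example.invalid/offer?utm_source=tiktok&utm_medium=paid"
              "&utm_id=CAMPAIGN_ID&utm_campaign=CAMPAIGN_NAME")
    summary = analyse_tracking_params(sample)
    for note in risk_notes(summary):
        print("-", note)
```

On its own a templated link is not proof of fraud (a careless marketer produces the same artefact), which is why the analysis above combines it with the geographic mismatch before reaching a verdict.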

The Fraud Mechanism:
Scammers use paid TikTok ads to target affluent regions (Singapore) with “get-rich-quick” narratives. The traffic is funneled to a private Telegram channel “Better Call Ton”, where organizers manipulate TON-based memecoins. Our Covariance Matrix flagged the 10/10 risk score due to the extreme geographical mismatch and the use of automated advertising macros to promote market manipulation.
The Verdict:
The link is Permanently Blocked. The author’s IP is Blacklisted.
By analyzing metadata patterns, Antiphishing.biz stops fraudulent campaigns before they reach their peak.

#CyberSecurity #TikTokAds #MarTech #CryptoScam #TON #Antiphishing

GitHub Pages Abused for French Banking Fraud

🛡️ Phishing Alert: The “Agency Complaint Matrix” Trap

Target: Customers and Employees of French Banking Groups (Crédit Agricole)

Our AI-engine, Miniban, has detected a highly sophisticated spear-phishing campaign hosted on GitHub Pages. This attack mimics internal banking tools to bypass standard security filters and steal sensitive financial data.

1. The “Trusted Host” Camouflage

Scammers are using the domain github.io to host their landing pages.

  • The Deception: Because GitHub is a legitimate platform used by developers worldwide, many corporate firewalls do not block these links by default.
  • The Tactic: The URL lumialous.github.io/matrice_reclamations_agences/ is designed to look like a professional internal resource for handling “Agency Complaints” (Réclamations Agences).

2. How the Attack Works (The “Complaint” Hook)

Unlike common phishing that offers “prizes,” this campaign uses negative social engineering.

  • The Hook: Victims are contacted via SMS or Email regarding a “filed complaint” or a “security issue” with their account.
  • The Trap: Users are directed to this fake “Matrix” page to “verify” their identity or “cancel” a fraudulent transaction.
  • The Theft: The page features a perfect clone of the bank’s login interface. Once you enter your credentials, attackers gain full access to your online banking, including the ability to intercept 3-D Secure codes.

3. Why it is Sophisticated

This is part of a Multi-Stage Attack. We have linked this specific GitHub page to recent fraudulent activity involving high-risk 3DS relay intercepts. By using terms like “Matrice” and “Réclamations,” scammers target the victim’s sense of urgency and professional duty.

🚩 How to Protect Yourself:

  • Check the Domain: A real bank will never host its login or complaint forms on github.io, vercel.app, or other free hosting providers. Official banking services only operate on their verified private domains (e.g., credit-agricole.fr).
  • Verify the Source: If you receive a link about a “complaint” you didn’t file, do not click it. Log in to your bank’s official app or website directly.
  • Look for SSL Details: While the site may have a green lock (HTTPS), clicking it will show the certificate belongs to “GitHub, Inc.,” not your bank.

Technical Analysis for Pros:

  • Incident ID: PH-FR-8842
  • Threat Type: Credential Harvesting / Spear Phishing
  • Platform Abuse: GitHub Pages
  • Miniban Risk Score: 10/10 (Critical)


Norwegian BankID phishing revealed

Below is a description of the Norwegian BankID phishing campaign shown in the screenshots. The attack attempts to harvest multiple layers of authentication data.


Threat Analysis: BankID Phishing – Full Credential & 2FA Harvesting (Norwegian Variant)

This multi‑step phishing campaign impersonates BankID, the common Norwegian electronic identification system used by most banks. The attacker’s goal is to collect enough information to log into the victim’s online bank and authorise fraudulent transactions.

How the attack works (six‑step flow):

  1. Fødselsnummer (national ID) – The victim’s 11‑digit personal identification number is requested.
  2. Phone number – The victim is asked to enter their phone number (linked to BankID).
  3. Choice of BankID method – The victim selects between using the BankID app or a kodebrikke (physical code generator).
  4. If “app” is chosen – The victim sees a page stating “Godkjenn med din BankID‑app” (Approve with your BankID app). This is a waiting step, while the attacker uses the previously collected data to trigger a real push notification in the official app.
  5. If “kodebrikke” is chosen – The victim is asked for their BankID password (the one used with the physical code generator).
  6. Additional steps – Depending on the variant, the attacker may also ask for a response from the code generator or for an SMS‑code, all captured in real time.

The goal:
The attacker collects:

  • Phone number (used to identify the victim in the banking system)
  • National ID number (fødselsnummer)
  • BankID password (if the code generator method is used)
  • In the case of the app method, the attacker will also capture the push‑notification approval (by tricking the victim into approving a fraudulent login or transaction).

With this information, the attacker can:

  • Log into the victim’s bank account
  • Authorise payments or money transfers
  • Commit identity theft or sell the data

Red flags to watch for:

  • Suspicious URL: The pages are hosted on myntro-gebyr.com (and subdomains), not on any official Norwegian bank or BankID domain (e.g., bankid.no).
  • Unsolicited request: You should never receive a link to enter your BankID credentials. Real BankID authentication always starts from the bank’s official website or app, not from an external link in a message.
  • Multiple steps with increasing sensitivity: A legitimate BankID login asks for either a single push notification or a one‑time code, not for phone number, national ID, password, and choice of method all in one session.
  • Mixed Norwegian / English wording: Official BankID pages are consistently in Norwegian (Bokmål or Nynorsk). The page’s reference to “ID‑porten” (the real national authentication portal) lends it credibility, but the URL gives it away.
  • No personalisation: Legitimate BankID steps show a partially masked name or a known device – this page does not.

What to do if you encounter this:

  • Do not enter any personal information, BankID password, or approve any request from your BankID app.
  • If you have already entered your phone number and fødselsnummer, contact your bank immediately to block your BankID.
  • If you have entered your BankID password, change it immediately (through the official bank website, not via any link).
  • If you approved a push notification from your BankID app, call your bank’s fraud department immediately – the attacker may already have authorised a transaction.
  • Always access BankID by typing your bank’s official URL directly or by using the official BankID‑app without any external link.

Protective measures:

  • Never click links in unsolicited messages claiming payment issues, package delivery, or account problems – especially if they ask for BankID.
  • Use a password manager – it will not autofill on fake domains.
  • Enable BankID with push notifications (app) – and never approve a request unless you have just initiated a login yourself.
  • Check the URL carefully – legitimate BankID pages are on bankid.no or your bank’s domain.
  • If in doubt, contact your bank directly using a phone number from your bank card or official website – never use numbers from a suspicious message.