Banco Agromercantil phishing pages detected


Threat Analysis: Bam (Banco Agrícola) Phishing – Username Harvesting (First Stage)

This phishing campaign targets customers of Bam – Banco Agrícola, a major bank in Central America (particularly El Salvador). The page mimics the bank’s “Bamvirtual Personas” login interface. It only asks for a username at this stage, but the captured username will be used in subsequent fake pages to request the password and potentially a second factor (such as a token or SMS code).

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to this fake Bamvirtual login page. After entering their username and clicking “CONTINUAR”, the victim is taken to a second fake page (not shown in these screenshots) that asks for their password. In many such kits, a third page then captures a two‑factor authentication code, giving the attacker full access.

The goal:
The attacker aims to steal the victim’s online banking credentials (username and password) and, if applicable, any two‑factor authentication codes. With these, they can log into the victim’s real bank account, view balances, transfer funds, and commit fraud.

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not the official bank domain. The legitimate Bamvirtual login is accessed through the bank’s official website (e.g., bancoagricola.com). Always check the address bar.
  • Unsolicited login request: Banco Agrícola does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the official URL directly or using the official mobile app.
  • Inconsistent design elements: While the pages use the bank’s logo and color scheme, the layout and text contain small inconsistencies (e.g., the repeated headers, slightly different phrasing in each screenshot) that are not present on the legitimate site.
  • Multi‑page flow with only username first: Legitimate banking portals often combine username and password on a single page or use a security image after username entry. This separate, sequential flow is a common phishing‑kit pattern.
  • “Grupo Bancolombia” copyright: The footer mentions Grupo Bancolombia, which is correct for Banco Agrícola, but the presence of this copied text does not make the page legitimate.

What to do if you encounter this:

  • Do not enter your username on this page. If you have already done so, do not proceed to enter your password on any subsequent page.
  • If you are a Banco Agrícola customer, always access online banking by typing the official bank URL directly into your browser (e.g., bancoagricola.com) or by using the official mobile app.
  • If you have already entered your username and suspect you may have been phished, contact Banco Agrícola immediately through their official customer service to change your password and secure your account.
  • Report the phishing pages to the bank’s fraud department.

Why this scam is effective:
Banco Agrícola (Bam) is a well‑known bank in Central America, and “Bamvirtual” is its standard online banking platform. The page uses the bank’s logo and familiar branding, and the two‑stage process (username first, then password) mirrors the real login flow used by many banks. The footer with “Grupo Bancolombia” adds an extra layer of perceived legitimacy. Victims who are not paying close attention to the URL may enter their username without suspicion.

Protective measures:

  • Bookmark the official Bamvirtual login page and use that bookmark to access online banking—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate bank domains, not on phishing sites.
  • Enable two‑factor authentication (2FA) on your bank account if available, to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
  • Check the URL carefully: Legitimate Banco Agrícola domains end with bancoagricola.com (or country‑specific variations). Look for misspellings, extra words, or unusual top‑level domains.
  • If in doubt, contact Banco Agrícola directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.
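
The URL check described above can be automated, for example when triaging links from reported messages. The following is an added example, not code from the original analysis; it assumes bancoagricola.com (the domain named on this page) is the only official domain, and the function names, brand tokens and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Official domain as named on this page; add country-specific domains only
# from the bank's own published list (none are assumed here).
OFFICIAL_DOMAINS = ("bancoagricola.com",)
BRAND_TOKENS = ("bancoagricola", "bamvirtual")  # strings a lookalike reuses


def hostname_of(url: str) -> str:
    """Return the lowercased host part of a URL, without userinfo or port."""
    url = url.strip().replace("\\", "/")  # browsers read "\" as "/" in http(s)
    if "://" not in url:
        url = "//" + url                  # parse a bare host as the netloc
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:                    # malformed netloc: never official
        return ""
    return host.rstrip(".").lower()


def is_official(url: str) -> bool:
    """True only for an official domain or a subdomain on a dot boundary."""
    host = hostname_of(url)
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify(url: str) -> str:
    """Label a URL as official, a lookalike, or unrelated to the brand."""
    host = hostname_of(url)
    if is_official(url):
        return "official"
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return "lookalike: internationalized host"
    if any(token in url.lower() for token in BRAND_TOKENS):
        return "lookalike: brand string outside official domain"
    return "unrelated"


# Constructed sample URLs (not taken from the campaign).
SAMPLES = [
    "https://www.bancoagricola.com/login",
    "https://bancoagricola.com.secure-check.example/login",  # official name as prefix
    "https://bancoagricola.com@phish.example/login",         # official name as userinfo
    "http://fakebancoagricola.com/",                         # no dot boundary
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):48} {sample}")
```

Only the first sample is classified as official; the others place the bank's name in the URL without being on the bank's domain.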
