A phishing campaign targeting Grove Bank & Trust in Florida uses “system upgrade” pretexting to steal business and personal online banking credentials and MFA codes. The attack directs users to a high-fidelity clone of the real login portal to harvest sensitive data for unauthorized account access.
Analysis Memo: This malicious interface was detected, analyzed, and contained firsthand by the
Antiphishing.bizsecurity team during our daily link moderation procedures. To protect the public, the phishing source domain has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.
Grove Bank & Trust “Secure Access” Phishing
Target: Clients and Business Partners of Grove Bank & Trust (USA / Florida)
Threat Level: High (Business & Personal Account Hijacking)
Phishing Method Description
This attack targets the Online Banking users of Grove Bank & Trust. Scammers use a Security Compliance pretext, sending out “Urgent Security Alerts” or “Account Verification” emails. They claim that due to a “System Upgrade” or “Unusual Activity,” the user must log in through a provided “Secure Link” to confirm their identity.
The link leads to a high-fidelity clone of the bank’s official portal. The phishing kit is specifically designed to harvest:
Access IDs / Usernames
Passwords
Multi-Factor Authentication (MFA) Codes: The fake site prompts the victim for their SMS or Email code in real-time. The attacker immediately uses this code on the actual bank site to perform unauthorized transfers or change account settings.
Identity Data: Fragments of personal information used for security challenge questions.
Red Flags to Watch For
The URL Discrepancy: The official domain is
grovebanktrust.com. Phishing sites often use lookalike addresses such as grovebank-secure.online, login-grovebanktrust.net, or free hosting subdomains like grovebank.web.app.Aggressive Urgency: Phrases like “Immediate action required to avoid account suspension” or “New security protocol must be accepted” are used to induce panic.
Requests for MFA during Login: If a site asks for an MFA code immediately after you enter your password on a page you reached via a link, it is a sign of a real-time interception (MitM) attack.
How to Protect Yourself
The “Manual Entry” Rule: Always access your banking by typing ://
grovebanktrust.com manually into your browser’s address bar. Never use links from unexpected emails or text messages.Verify the Sender: Check the sender’s email address carefully. Official bank communications come from the bank’s own domain. Be wary of addresses like support@
secure-banking-alert.xyz.Use the Mobile App: Manage your accounts through the official Grove Bank & Trust Mobile Banking app. Authentic security alerts will be delivered inside the secure app environment.
Protect Your MFA: Never share your One-Time Passcode (OTP) with anyone. A bank will never ask you to “verify” your identity by providing an SMS code on a page reached through a link.
Expert Security Tip:
This is a Corporate Credential Harvesting attempt. Scammers are acting as a “middleman” between you and the bank. Your MFA code is the final line of defense; if you enter it on a fake site, the threat actors gain full access to your funds in seconds. Never trust a login page that appears after clicking a link in an email.