A phishing campaign targeting BNP Paribas customers in Europe uses a “Restricted Access” pretext to steal credentials, mobile numbers, and digital tokens for the “Mon Compte” system. Attackers use sophisticated cloned portals with fake virtual keypads, aiming to intercept real-time authorization codes and hijack online banking accounts.



BNP Paribas “Digital Key Verification” Phishing
Target: Customers of BNP Paribas (France and International)
Threat Level: Critical (Mobile Access & Digital Key Takeover)
Phishing Method Description
This attack targets the “Clé Digitale” (Digital Key) security system. Scammers distribute urgent notifications via SMS (smishing) or email, claiming that the user’s account will be restricted unless they “synchronize their security device” or “confirm their identity” due to a new security protocol.
The link leads to a high-fidelity clone of the BNP Paribas “Accès Client” portal. This sophisticated phishing kit is specifically designed to harvest:
Numéro Client (10-digit customer ID)
Personal Secret Code (Password entered via a fake interactive numeric keypad)
Mobile Phone Number
Authorization Codes: The fake site prompts the victim to enter the validation code received via SMS or generated by their app. This allows the attacker to register their own smartphone as the primary “Digital Key” for the victim’s account.
⚠️ Red Flags to Watch For
The Lookalike URL: The official domain is mabanque.bnpparibas. Phishing sites use deceptive addresses like bnpparibas-securite.online, mabanque-connexion.net, verification-bnp.com, or free subdomains like bnpparibas.web.app.
Numeric Keypad Anomalies: While the fake site mimics the official virtual keypad, it is often a static image or a script that captures your clicks in real time. If the keypad looks “blurry” or loads slowly, it’s a scam.
Link in SMS/Email: BNP Paribas officially states they will never send a link in an email or SMS to ask for your login credentials or security codes.
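The lookalike-URL check described above can be automated when triaging reported SMS or email text. The following Python is an added example, not part of the original advisory or any BNP Paribas tooling; the brand tokens, function names and sample messages are assumptions constructed for illustration, and only the exact official domain named on this page is treated as official.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_HOST = "mabanque.bnpparibas"   # official domain named on this page
BRAND_TOKENS = ("bnp", "mabanque")      # assumption: brand keywords to look for
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def hostname_of(url):
    """Lowercased hostname of a URL or bare host ('' if none can be parsed)."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.I):
        url = "//" + url                 # let urlsplit treat a bare host as netloc
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()

def classify(url):
    """Return 'official', 'lookalike', 'unrelated' or 'invalid'."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    # Match on a label boundary from the right: the official name used as a
    # prefix or embedded as a substring of another domain does not count.
    if host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST):
        return "official"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"

def scan_message(text):
    """Extract every link from a message and classify its host."""
    return [(hostname_of(u), classify(u)) for u in URL_RE.findall(text)]

# Constructed sample messages; the lookalike hosts are the ones listed above.
SAMPLES = [
    "Acces restreint: synchronisez votre cle sur https://bnpparibas-securite.online/cle",
    "Confirmez votre identite: mabanque-connexion.net/login",
    "Nouveau protocole: http://verification-bnp.com et bnpparibas.web.app",
    "Connectez-vous sur https://mabanque.bnpparibas/ en saisissant l'adresse",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(scan_message(sms))
```

A "lookalike" verdict means the host borrows the brand name without being the official domain; an "unrelated" verdict says nothing about whether the link is safe.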
🛡️ How to Protect Yourself
Use the Official App: Manage your accounts and Digital Key exclusively through the official “Mes Comptes” app from BNP Paribas.
The “Manual Entry” Rule: Always type the address manually into your browser. Never follow links from messages.
Verify the SMS Sender: Official alerts in France usually come from short codes. If the message comes from a standard 10-digit mobile number, it is certainly a fraud.
Immediate Action: If you have entered your data on a suspicious page, call the official BNP Paribas fraud department immediately at 01 60 17 70 00 (France).
💡 Expert Security Tip:
This is a Device Binding Attack. The scammers aren’t just after your password; they want to steal your Digital Key to bypass all future security checks. Your bank will never ask you to “synchronize” or “verify” your security key through a web link.
