La Banque Postale phishing page revealed

A sophisticated phishing campaign targeting La Banque Postale customers in France uses a fake “Certicode Plus” security update to bypass two-factor authentication. Scammers use smishing and phishing to steal credentials and register their own devices, granting full access to victims’ accounts.

Target: Customers of La Banque Postale (France)
Threat Level: Critical (Mobile Authentication & Funds Theft)
Phishing Method Description
In this attack, scammers use a security-compliance pretext. Victims receive a phishing email or SMS (smishing) stating that their “Certicode Plus” service (the bank’s strong authentication system) is expiring or needs to be re-activated to comply with European banking regulations.
The link leads to a pixel-perfect replica of the La Banque Postale login portal. The phishing kit is specifically designed to harvest:
Identifiant ID (10-digit customer ID)
Personal Password (entered via a fake numeric keypad to mimic the real site)
Mobile Phone Number
Certicode Plus Activation Codes: The fake site attempts to intercept the activation or validation codes in real-time, allowing the attacker to link their device to the victim’s bank account.
⚠️ Red Flags to Watch For
The Deceptive URL: The official domain is labanquepostale.fr. Phishing sites often use lookalike addresses such as connexion-labanquepostale.com, certicode-plus-activation.net, lbp-securite.online, or free subdomains like la-banque-postale.web.app.
The Numeric Keypad: While the fake site mimics the official virtual keypad, pay attention to the speed and responsiveness. If the layout of the numbers changes or looks “blurry,” it may be a captured image used for phishing.
Urgent Warnings: Messages like “Your access will be suspended in 48 hours” are classic social engineering tactics to induce panic.
🛡️ How to Protect Yourself
Never Click Login Links: La Banque Postale explicitly states they will never send an email or SMS containing a link to the login page. Always type the address manually or use the official “La Banque Postale” mobile app.
App Notifications Only: Manage your Certicode Plus settings only within the official app. If you receive a request to “validate” something you didn’t initiate, ignore it and check your app directly.
Verify the Sender: Official banking SMS messages in France usually come from short codes (e.g., 38004). If the message comes from a standard mobile number (+33 6… or +33 7…), it is 100% a scam.
Reporting: You can report La Banque Postale phishing by forwarding suspicious emails to [email protected] or SMS to the number 33700.
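The URL and sender checks described above, as an added Python example (not code from La Banque Postale or from the author of this page): it classifies links against the official domain and flags messages sent from a standard mobile number. The brand tokens, the five-digit short-code pattern, and the sample message are assumptions constructed from the examples on this page.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "labanquepostale.fr"          # official domain as stated on this page
LONG_TOKENS = ("labanquepostale", "certicode")  # assumption: brand strings from the page's examples
SHORT_TOKENS = {"lbp"}                          # matched as a whole label part to limit false positives
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def host_of(url):
    """Hostname the browser would actually connect to (userinfo and port stripped)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def classify_url(url):
    host = host_of(url)
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Look for brand strings anywhere in the authority part, including any
    # "user@" prefix, after dropping dots and hyphens.
    netloc = urlsplit(url).netloc.lower()
    squashed = re.sub(r"[^a-z0-9]", "", netloc)
    parts = set(re.split(r"[^a-z0-9]+", netloc))
    if any(t in squashed for t in LONG_TOKENS) or parts & SHORT_TOKENS:
        return "lookalike"
    return "unrelated"

def classify_sender(sender):
    s = re.sub(r"[\s.\-]", "", sender)
    if re.fullmatch(r"(?:\+33|0033|0)[67]\d{8}", s):
        return "mobile-number"   # +33 6... / +33 7... as described on this page
    if re.fullmatch(r"\d{5}", s):
        return "short-code"      # assumption: five-digit short codes such as 38004
    return "other"

def triage_sms(sender, body):
    """Return the red flags found in one message claiming to come from the bank."""
    flags = []
    if classify_sender(sender) == "mobile-number":
        flags.append("sender is a standard mobile number")
    for url in URL_RE.findall(body):
        # The bank states it never sends login links, so every link is reported.
        flags.append(f"link in message ({classify_url(url)}): {host_of(url)}")
    return flags

# Constructed sample message, built from a lookalike domain listed on this page.
SAMPLE = ("+33 6 39 98 01 02",
          "Votre Certicode Plus expire. Réactivez: https://certicode-plus-activation.net/lbp")

if __name__ == "__main__":
    for flag in triage_sms(*SAMPLE):
        print(flag)
```

A "lookalike" verdict is a triage hint based on string matching; an "unrelated" verdict does not make a link safe.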
