Fibank (Bulgaria) phishing page detected

A phishing campaign targeting First Investment Bank (Fibank) in Bulgaria uses a fake “digital certificate update” to steal user credentials and one-time passwords (OTP). Scammers employ a “security scare” tactic, directing victims to a lookalike login portal that harvests login IDs, passwords, and OTPs for real-time account takeover.

Target: Customers of First Investment Bank (Fibank / ПИБ) in Bulgaria
Threat Level: High (Online Banking & SMS OTP Theft)
Phishing Method Description
This attack targets users of the “My Fibank” online portal. Scammers distribute links via Phishing Emails or SMS (Smishing) that look like official bank alerts. Common pretexts include “Security Update Required,” “Mandatory Account Synchronization,” or “Your Digital Certificate is Expiring.”
The fraudulent page is a pixel-perfect copy of the Bulgarian/English login interface. It is designed to capture:
Customer ID / Username (Потребителско име)
Login Password (Парола)
Mobile Phone Number
One-Time Password (OTP): The fake site often asks for the SMS code in real-time, allowing hackers to authorize a fraudulent transaction immediately.
⚠️ Red Flags to Watch For
The URL Discrepancy: The official domain is my.fibank.bg. Phishing sites often use deceptive addresses like fibank-bg.online, pib-login.net, or free hosting subdomains like my-fibank.github.io.
Requests for SMS Codes during Login: While some banks use SMS for login, be extremely wary if the site asks for multiple codes or a “Confirmation Code” just to view your balance.
SSL Certificate Check: Even if the site has a “lock” icon (HTTPS), clicking on it will often reveal a generic certificate or one issued to an unrelated entity, rather than “First Investment Bank AD.”
🛡️ How to Protect Yourself
Use the Token/App: Fibank’s official Token or the My Fibank Mobile App are much more secure than SMS-based authorization. Always prefer biometric (FaceID/Fingerprint) login through the official app.
Check the Language: Many phishing kits for Bulgaria contain subtle translation errors or use Russian/English characters where Bulgarian (Cyrillic) should be.
Bookmark the Login: Save the official https://fibank.bg as a bookmark and only use that link to access your finances.
Suspicious Sender: If you receive a banking alert from a standard mobile number (+359 8…) instead of the “Fibank” sender ID, delete it immediately.
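As an added defender-side example (not code from the original post or from Fibank), the following Python script turns two of the checks above, the "URL Discrepancy" red flag and the "Suspicious Sender" rule, into a small triage routine that can be run over a captured SMS or e-mail body. Only the official domain my.fibank.bg / fibank.bg and the three lookalike addresses quoted in the post come from the page; the sample messages, the function names and the brand-token heuristic are constructed assumptions.

```python
"""Triage a banking alert for the Fibank phishing red flags described above.

Added example, not part of the original post. A link counts as legitimate
only when its host is fibank.bg or a subdomain of it; a host that merely
contains the brand ("fibank" or the label "pib") is reported as a
lookalike; anything else is unrelated. A purely numeric sender is flagged
because the bank alerts described in the post use the "Fibank" sender ID.
"""
import re
from urllib.parse import urlsplit

LEGIT_APEX = "fibank.bg"                      # official domain from the post
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"'()]+", re.IGNORECASE)


def normalized_host(url: str) -> str:
    """Return the lower-cased host of a URL with common lookalike tricks removed.

    urlsplit().hostname already discards userinfo ("my.fibank.bg@evil..."),
    the port and IPv6 brackets; the trailing dot is stripped and
    non-ASCII hosts are converted to punycode so xn-- labels are visible.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass                                   # keep the raw host if IDNA fails
    return host


def mentions_brand(host: str) -> bool:
    """Heuristic (assumption): split on '.' and '-' and look for the brand."""
    labels = re.split(r"[.-]", host)
    return any("fibank" in label or label == "pib" for label in labels)


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one link."""
    host = normalized_host(url)
    if host == LEGIT_APEX or host.endswith("." + LEGIT_APEX):
        return "legitimate"
    if mentions_brand(host):
        return "lookalike"
    return "unrelated"


def extract_urls(text: str) -> list:
    """Pull http(s)/www links out of free text, dropping trailing punctuation."""
    return [m.group(0).rstrip(".,;:!?") for m in URL_RE.finditer(text)]


def triage(sender: str, body: str) -> dict:
    """Combine the sender rule and the link check into one verdict."""
    links = [(url, classify(url)) for url in extract_urls(body)]
    numeric_sender = bool(re.fullmatch(r"\+?[\d\s()-]+", sender.strip()))
    suspicious = numeric_sender or any(v != "legitimate" for _, v in links)
    return {"numeric_sender": numeric_sender, "links": links,
            "suspicious": suspicious}


# Constructed sample messages; the pretexts mirror the ones quoted in the post.
SAMPLE_MESSAGES = [
    ("Fibank", "Security update required: log in only at https://my.fibank.bg/"),
    ("+359 88 123 4567",
     "Your Digital Certificate is Expiring. Renew at https://fibank-bg.online/renew."),
    ("Fibank", "Mandatory Account Synchronization: https://my.fibank.bg@pib-login.net/sync"),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        result = triage(sender, body)
        print(f"sender={sender!r} suspicious={result['suspicious']}")
        for url, verdict in result["links"]:
            print(f"  {verdict:<10} {url}")
```

The third sample shows why the host must be taken from the parsed URL rather than from the start of the string: the text "my.fibank.bg" before the "@" is userinfo, and the browser actually connects to pib-login.net. Treating an unrelated host as suspicious (rather than neutral) is deliberate: a message that claims to be from the bank and links elsewhere deserves a look either way.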
