Who This Guide Is For
This article is written for you. You are a customer of BBK – the Bank of Bahrain and Kuwait. You use BBK Mobile Banking to check balances, pay bills, and transfer money. You may be a Bahraini citizen or an expatriate living and working in the Kingdom. You have a CPR number, and you know that it is important. You also know that banks sometimes ask for verification. That is precisely what the criminals behind the new wave of phishing attacks are counting on.
You are not a cybersecurity expert. You do not analyze email headers or inspect website certificates. When a text message arrives saying your BBK account will be blocked within 24 hours unless you “verify your identity”, your first instinct is fear. And fear is the most effective weapon in the criminal’s arsenal.
Since early 2025, fraudsters across the Gulf have intensified their attacks on banking customers, using a simple but devastating formula: impersonate a trusted institution, create a false sense of urgency, and demand sensitive personal information. In Bahrain alone, victims have lost tens of thousands of Bahraini dinars. Some have seen their life savings vanish in minutes. A recent case involved a retiree who lost BD29,000 – nearly $77,000 – to a CPR renewal scam run by an international network. Another victim, an Asian national, lost BD1,800 after clicking a link to “update his banking data”. And cybersecurity experts confirm that CPR numbers, along with bank OTPs and login credentials, are among the most frequently stolen pieces of personal data in the Kingdom.
The two screenshots you see on this page are part of a live, active phishing operation. They show a fake identity verification page that mimics BBK Mobile Banking. The first page displays a countdown of fear: “Your account is at risk of deactivation because your CPR has expired. Please update your CPR immediately, otherwise your BBK account will be blocked within 24 hours.” The second page asks for your CPR number – the Civil Personal Record number that is the master key to your identity in Bahrain. The criminals did not stop to think about irony. They built a fake page to steal your most valuable identification number.
This guide will dissect exactly how the fake BBK verification scam works. It will share true stories of Bahraini residents who lost money and those who narrowly escaped. And it will give you the simple, expert‑backed rules that will keep your bank account safe.
How the Attack Unfolds: A Simple Psychological Trap, Step by Step
The fake BBK verification page follows a classic phishing pattern that has been documented by banks, cybersecurity firms, and government agencies across the region. But understanding the steps in advance is the difference between safety and ruin.
Step One: The Hook – A Message That Looks Like It Belongs to Your Bank
The attack begins with an unsolicited text message, email, or social media direct message. The sender appears to be BBK. The message is short and urgent. It may claim that “your CPR has expired in the bank record” and that your account will be “blocked within 24 hours” if you do not take immediate action. It may ask you to “update your CPR information” or “verify your identity” by clicking a link.
The criminals know exactly which words to use. “CPR” is a term every Bahraini resident recognizes. “24 hours” creates a ticking clock that bypasses logical thinking. And “blocked” triggers the fear of being locked out of your own money. The message does not ask you to think. It asks you to act.
Step Two: The Landing Page – A Clone That Feels Familiar
If you click the link, you are taken to a webpage that has been carefully constructed to look like a legitimate BBK Mobile Banking portal. The page displays the BBK logo, the familiar blue and white color scheme, and professional‑sounding legal notices. In the screenshots provided, the landing page features two buttons labelled “Front” and “Back” – a crude attempt to mimic a CPR card scanning interface – and a stern notice threatening deactivation.
Incident Report: This scam layout was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

The second page (shown in the screenshot) is even more dangerous. It asks for your “Civil Personal Record (CPR) number” under the pretext of “enhanced security verification as per Bahrain banking regulations”. A “Continue” button invites you to submit the information.

Look closely at the address bar. The real BBK website uses the domain www.bbkonline.com. The fake page is hosted on a completely different domain – in this case, app-bh.click/bik/packages.php. No legitimate bank uses a domain ending in .click for its mobile banking portal. The criminals know that most people never check the address bar when they are panicking.
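For readers who screen links automatically (a help desk, a family IT contact, a mail or SMS filter), the address-bar check above can be written as code. This is an added example, not part of the original guide or any BBK tooling; the function names, the bare-domain allowlist entry, the HTTPS requirement and the lookalike test link are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Official host as named in this guide; the bare-domain entry is an assumption.
OFFICIAL_HOSTS = {"www.bbkonline.com", "bbkonline.com"}


def extract_host(link: str) -> str:
    """Return the lowercase hostname a browser would actually connect to."""
    link = link.strip()
    # Links in SMS often omit the scheme; urlsplit needs "//" to find the host.
    if "://" not in link:
        link = "//" + link
    try:
        host = urlsplit(link).hostname or ""
    except ValueError:  # malformed link: treat as having no trusted host
        return ""
    return host.rstrip(".").lower()


def naive_check(link: str) -> bool:
    """Weak check: the bank's name appears somewhere in the link text."""
    return "bbkonline.com" in link.lower()


def strict_check(link: str) -> bool:
    """Exact host match against the allowlist; reject any non-HTTPS scheme."""
    scheme = urlsplit(link.strip()).scheme.lower()
    if scheme and scheme != "https":
        return False
    return extract_host(link) in OFFICIAL_HOSTS


if __name__ == "__main__":
    samples = [
        "https://www.bbkonline.com/",     # official address from this guide
        "app-bh.click/bik/packages.php",  # phishing address from this guide
        # Constructed lookalike: contains the bank's name but is hosted elsewhere.
        "https://www.bbkonline.com.app-bh.click/bik/packages.php",
    ]
    for s in samples:
        print(f"{s!r}: host={extract_host(s)!r} "
              f"naive={naive_check(s)} strict={strict_check(s)}")
```

The constructed third link passes the name-matching check and fails the exact-host check, which is why the comparison has to be made on the hostname itself and not on whether the bank's name appears in the link.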
Step Three: The Extraction – What the Criminals Do with Your Information
The fake page asks only for your CPR number. That is the first layer. But the criminals are not stopping there. Once you enter your CPR number, you may be redirected to a second page asking for your online banking login credentials, your card details, or a one‑time password (OTP) sent to your phone. The cybercriminals are after your full financial profile. Your CPR number alone can be used to impersonate you when contacting government agencies or even your bank’s customer service line. Combined with your bank account number and OTP, the criminals can drain your account in minutes.
This is not speculation. In a documented case, an Asian national received a deceptive message falsely claiming to be from a finance service provider. He keyed in his account number, ID card details, and a verification code he received for the update. Shortly afterward, he received text notifications confirming the withdrawal of BD1,800 in two separate instalments from his account. In another case, a retired man lost BD29,000 after receiving a phone call notifying him that his CPR was about to expire. He provided his personal and banking details to the scammers, unaware of their fraudulent intentions.
The second screen in the screenshots also includes a line that should raise every alarm: “Your data will be stored in the Bank’s records and kindly note that your CPR data will be reviewed by BBK employees.” This is a deliberate fabrication. Legitimate banks do not announce that employees will review your data on a public web form. They do not need to.
Real Stories: The Human Cost of a Single Click
The Retiree Who Lost BD29,000 to a CPR Renewal Call
A retired man in Bahrain received a phone call notifying him that his Central Population Registry (CPR) card was about to expire. The caller was professional, convincing, and insistent. He directed the retiree to follow renewal procedures and, over the course of the call, convinced him to reveal personal and banking details. The man, unaware that he was speaking to a criminal, provided everything.
To his shock and dismay, he discovered that his account had been emptied of BD29,000 – nearly $77,000 – by unknown individuals. The police managed to freeze some of the accounts used to withdraw the stolen funds, but a significant portion had already been wire‑transferred to an account in Pakistan. The investigation revealed the involvement of six men, one of whom resides in Pakistan, operating as part of a network.
The lesson here is brutal and simple. A phone call that claims to be from a government authority or a bank should never be trusted at face value. Always hang up and call back using a number you have independently verified.
The Asian National Who Lost BD1,800 to a “KYC Update” Text
Another victim, an Asian national, received a deceptive text message falsely claiming to be from a finance service provider. The message asked him to update his banking data by clicking an electronic link. Succumbing to the ruse, he keyed in his account number, ID card specifics, and a verification code received for the update.
After some time, he received text notifications confirming the withdrawal of BD1,800 in two separate instalments from his account. He contacted the bank to freeze his account and reported the incident to the police. Investigations led to an Asian individual primarily employed as a private driver, who had accumulated a total of BD5,000 through previous fraudulent operations.
The victim’s story is a warning about the dangers of clicking links in unsolicited messages, no matter how official they look. The link is always the trap. The form is always the extraction.
The IT Manager Who Woke Up to Find BD860 Missing from His Account
Ajeesh P K, a resident in Bahrain who works as an IT manager, lost BD4,500 from his personal and company accounts combined. One day he woke up to see that BD860 had been taken from his account through ten online transactions, mostly of BD99 and lesser amounts. The same day, his employer called him to say BD310 had been robbed from the company account. Both accounts were with the same bank.
As Ajeesh and the bank officials were in the process of blocking the accounts, the robber struck again. Twenty‑five transactions of BD99 were carried out, leaving the bank officials clueless as to what to do next. Speaking to The Daily Tribune, Ajeesh said: “What has happened is hard to believe.” He filed a complaint with the local police but remains unsure about getting his money back, which he says is the case with most victims.
Staff at commercial banks across Bahrain now find it challenging to handle the rising number of complaints from customers after fraudulent online money transfers. “It’s not easy to handle the increasing number of complaints, and we feel embarrassed to face our customers as we don’t have genuine answers to deal with them,” a bank official told The Daily Tribune. The official added that victims “hardly get their money back”.
The People Who Saved Themselves (And How You Can Too)
Not every story ends in tragedy. Some people recognize the trap before it snaps shut. Their actions can teach us how to protect ourselves.
The Expatriate Woman Who Froze Her Account Before It Was Too Late
An expatriate woman in Bahrain received an SMS under the name of a prominent establishment, falsely claiming she had received a promotional reward. Initially, she was overwhelmed, as she had bought products from that establishment. But soon she realized that scammers were on the other side. As she started ignoring the subsequent messages, the scammers began calling on social media apps including WhatsApp. She recognized the danger and asked the bank to freeze her account for a while. She also uninstalled all mobile payment applications from her phone. Her swift action – freezing the account before any money could be taken – saved her from financial loss.
The Reddit User Who Exposed the Fake LMRA Facebook Page
A Reddit user recently shared a post exposing a fake Labour Market Regulatory Authority (LMRA) page on Facebook that was disseminating false information about Bahrain’s free online CPR renewal. The page was designed to collect personal information by offering services such as renewal of CPR, driving licence, and visa. The user reported the page as fraud, but it remained live. By posting the warning publicly, the user helped others avoid the same trap. The lesson is simple: when you see a scam, report it and warn others.
The Resident Who Refused to Update His Bank Details Over the Phone
A resident who is in charge of recruitment for a private firm received many calls from South Asian countries. He received a link and upon clicking it was connected to a video call, which he instantly disconnected. The next day he received a call from the same number, asking him to update his bank details. He refused. Then began a long series of threatening calls asking him to transfer money. He blocked the number and subsequently reported the experience to friends and colleagues. His refusal to comply with the request – even under pressure – saved his bank account.
Expert Advice: Three Rules to Keep Your BBK Account Safe
The following rules are not optional. They are the difference between staying safe and becoming another statistic.
Rule One: Never, Ever Click Links in Unsolicited Messages about Your Bank Account
This is the single most important rule. If you receive a text message, email, or social media message claiming that your BBK account will be blocked, your CPR has expired, or you need to “verify your identity” – do not click any links. Do not reply. Do not call any phone numbers in the message.
Instead, open a new browser tab. Type the official BBK website address manually: www.bbkonline.com. Log into your account the normal way. If there is a real problem with your account – and there almost certainly is not – you will see a notification inside your dashboard after you log in. If you see nothing, the message was a scam. Delete it and move on.
That one habit – typing the official address yourself instead of clicking a link – would have prevented every victim story in this article.
Rule Two: Understand What BBK Will Never Ask You
BBK has stated publicly that it will never ask its accountholders to confirm their information or provide any up‑to‑date details via email, web‑links, pop‑up messages, or SMS. The bank will also never ask you for your CPR number through an unsolicited text message or a web form you reached by clicking a link. If a message asks for any of these things, you are not dealing with BBK. You are dealing with a criminal.
Rule Three: When in Doubt, Freeze First and Ask Questions Later
If you have clicked a link and entered your CPR number – or worse, your banking credentials – do not wait. Call your bank immediately using the phone number printed on your physical debit card. Do not use any number from the suspicious message. Ask them to freeze your account and review recent transactions. The faster you act, the more likely you are to prevent a loss.
What to Do If You Have Already Fallen for This Scam
If you realize that you have clicked a link, entered your CPR number, or provided any sensitive information on a suspicious website, do not panic. But do not wait, either. Time is the enemy. Act immediately.
First, contact BBK immediately using the official phone number from the back of your debit card or from the bank’s official website. Tell them that your CPR number may have been compromised. Ask them to freeze your account, block all outgoing transfers, and change your online banking credentials.
Second, if you entered any card details, request a new card. The criminals may not act immediately, but they now have the information they need.
Third, review your recent transactions carefully. Look for small test charges as well as large amounts. Criminals sometimes test a compromised account with a tiny transfer – BD0.10 or BD1.00 – before moving larger sums. If you see anything you do not recognize, report it to BBK immediately.
Fourth, file a police report. Report the incident to your local police station. In Bahrain, you can also report cybercrime through the official e‑crime platform. Many victims delay reporting because they feel embarrassed or ashamed. Do not let that stop you. These criminal networks defraud thousands of people every year.
Fifth, warn others. Share your experience with friends and family. Post a warning on social media. The more people understand this scam, the harder it becomes for criminals to profit.
A Final Word
The fake BBK CPR verification scam is a masterpiece of psychological manipulation. It uses your CPR number – the key to your identity in Bahrain – as the bait. It uses a 24‑hour deadline to trigger panic. It uses the familiar BBK branding to lower your guard. And it relies entirely on you clicking before you think.
But the scam has a fatal weakness. It falls apart the moment you pause, take a breath, and ask one simple question: “Did I ask for this message?”
If the answer is no – and it almost always is – do not click. Do not type. Do not call the number in the message. Open your browser. Type www.bbkonline.com with your own fingers. Log in through the official portal. That extra sixty seconds of caution could be the difference between a good night’s sleep and losing your life savings.
The criminals are counting on your speed, your fear, and your momentary distraction. Do not give them any of those things. Stay slow. Stay skeptical. And always, always type the address yourself.
This phishing page was identified and analyzed by the Antiphishing.biz security team during standard threat hunting operations. The malicious domain has been reported and fully defanged within their infrastructure to protect the public. If you found this guide helpful, share it with every BBK customer you know.
