Banco CUSCATLAN phishing page detected

A phishing campaign targeting Banco Cuscatlán users in El Salvador and Guatemala uses fraudulent “digital profile update” notifications to steal netbanking credentials and OTP codes. The attack, which directs victims to a pixel-perfect replica of the legitimate site, aims to perform real-time account takeovers via deceptive domains and urgent, alarming messaging. Customers are advised to use the official Banco Cuscatlán app and to never enter security tokens on websites reached via SMS or email links.

Target: Customers of Banco Cuscatlán (El Salvador / Guatemala)
Threat Level: Critical (NetBanking Access & Digital Token Theft)
Phishing Method Description
This attack uses Data Synchronization as a pretext. Victims receive a Phishing Email or SMS (Smishing) claiming that their “Digital Key” (Clave Digital) has expired or that their personal information must be updated to comply with new banking security standards.
The link leads to a pixel-perfect replica of the Banco Cuscatlán “NetBanking” portal. The phishing kit is specifically designed to harvest:
Username / User ID (Usuario)
Password (Contraseña)
Mobile Phone Number
One-Time Password (OTP) / Digital Token: The fake site prompts the victim to enter the code from their SMS or security app in real time. The attacker uses this intercepted code on the actual bank site to perform fraudulent transfers or change account settings.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is bancocuscatlan.com. Phishing sites often use lookalike addresses such as cuscatlan-sv.online, bancocuscatlan-actualizacion.net, or free subdomains like cuscatlan-login.web.app.
Urgent & Threatening Tone: Phrases like “Acceso restringido temporalmente” (Access temporarily restricted) or “Evite el bloqueo de su cuenta” (Avoid account blockage) are used to force the victim to act impulsively.
Link in SMS/Email: Banco Cuscatlán explicitly states they will never send links in messages asking for your login credentials or security codes.
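The "Deceptive Domain" red flag above can be checked automatically by a mail or SMS filter. The following is an added example, not part of the original advisory or any bank tooling; the brand keyword, the digit substitution table and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "bancocuscatlan.com"  # official domain as stated in this advisory
BRAND_LABEL = "bancocuscatlan"          # first label of the official domain
BRAND_TOKEN = "cuscatlan"               # assumption: keyword that marks brand abuse
# Assumption: a small digit-for-letter table; real homoglyph sets are larger.
DIGITS = str.maketrans("0135", "oles")
THRESHOLD = 0.85                        # assumption: similarity cut-off for typos


def classify(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a link found in a message."""
    # Links in SMS often lack a scheme; "//" makes urlsplit treat the text as a host.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    # Only the exact domain or a true subdomain of it counts as official.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Inspect the whole authority so "bancocuscatlan.com@other.example" is caught,
    # and ignore hyphens, dots and digit swaps used to disguise the brand name.
    authority = parts.netloc.lower().translate(DIGITS)
    if BRAND_TOKEN in authority.replace("-", "").replace(".", ""):
        return "lookalike"
    # Near-miss spellings of the brand label (for example one changed letter).
    for label in host.translate(DIGITS).split("."):
        if SequenceMatcher(None, label, BRAND_LABEL).ratio() >= THRESHOLD:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    samples = [
        "https://www.bancocuscatlan.com/",           # official
        "cuscatlan-sv.online",                       # lookalike named in the advisory
        "http://bancocuscatlan-actualizacion.net/",  # lookalike named in the advisory
        "https://cuscatlan-login.web.app",           # lookalike named in the advisory
        "https://bancocuscatlan.com@login.example/", # constructed: user-info trick
        "https://bancocuscatlam.example/",           # constructed: one-letter typo
        "https://example.org/",                      # constructed: unrelated
    ]
    for link in samples:
        print(f"{classify(link):10} {link}")
```

A "lookalike" verdict is a reason to quarantine or warn, while "unrelated" only means the link does not imitate this brand, not that it is safe.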
🛡️ How to Protect Yourself
Use the Official App: Manage your finances only through the official Banco Cuscatlán mobile app. Authentic security alerts will be handled within the secure app environment.
The “Manual Entry” Rule: Always type bancocuscatlan.com manually into your browser’s address bar. Never click on links provided in unexpected emails or text messages.
Verify the SMS Sender: Official alerts usually come from registered bank IDs. If you receive a message from a standard mobile number, treat it as a scam.
Immediate Action: If you have entered your credentials on a suspicious page, call the official Banco Cuscatlán fraud line immediately at 2212-2000 (El Salvador).


💡 Expert Security Tip:
This is a Session Hijacking attempt. The scammers are trying to steal your Digital Key while you are “syncing” your account. Remember: Your security codes are for authorizing actions you started. Never use your OTP or Token to “unblock” or “verify” an account through a link sent to you.
