Banco del Pacifico phishing page detected

This phishing campaign targeting Ecuador’s Banco del Pacífico uses a fake “Intermático Security Sync” page to steal online banking credentials, security challenge questions, and One-Time Passcodes (OTP). Scammers employ a “sync” pretext in emails or SMS, directing victims to a malicious website that mimics the legitimate site to bypass multi-factor authentication and gain full account control. For protection, users must always access banking services by manually typing the official URL and never enter credentials through links provided in messages.

This phishing case highlights a sophisticated Real-Time Token Interception attack, where attackers use a fake Banco del Pacífico portal to steal credentials and prompt for 6-digit OTP security codes in real-time. By acting as a live “middleman,” the attacker uses the intercepted code to authorize fraudulent transfers or register a new device instantly, rather than just stealing credentials for later use.

Expert Security Tip:

Real-Time Session Hijacking
If a website asks for a Token/OTP code immediately after you log in, and you have not initiated a transfer, it is a major red flag indicating a scam. Always type the official bank URL directly into your browser, as Banco del Pacífico will never ask for security tokens to “verify” your profile via an email or SMS link.

Sabadell bank phishing page detected

A phishing campaign targeting Banco Sabadell users in Spain employs SMS and email, mimicking a security update to steal credentials and Digital Signature (Firma Digital) codes. The attack uses lookalike domains, such as sabadell-online-seguridad.net or acceso-bancosabadell.com, to redirect victims to a Man-in-the-Middle site designed to harvest login data and authorize fraudulent transfers in real-time.

A Sabadell Bank phishing campaign uses SMS-based social engineering to falsely warn customers of a blocked account, directing them to a fake, pixel-perfect site designed to steal login credentials and digital signatures in real-time. This sophisticated scam tricks users into entering their app-generated security codes to authorize unauthorized wire transfers. Users are advised to avoid clicking links in SMS messages and only use official app channels.

This Banco Sabadell phishing case highlights a real-time Man-in-the-Middle attack, where criminals use urgent smishing tactics to steal credentials and SMS OTP codes instantly to authorize fraudulent transactions. Users must understand that SMS security codes are used for authorizing transactions, not for logging in, and that banks never send login links via text. To protect accounts, always log in manually via the official website and carefully read the purpose of every SMS code before entering it.

Crédit Mutuel de Bretagne (CMB) bank phishing page detected

Crédit Mutuel de Bretagne (CMB) “Security Key” Phishing
Target: Customers of Crédit Mutuel de Bretagne (France / Brittany region)
Threat Level: Critical (Real-time Account Takeover & “Clé Digitale” Hijacking)
Phishing Method Description
This attack targets users of the CMB Online Banking and the “CMB suivi de compte” mobile app. Scammers use a “Security Alert” pretext, sending out Smishing (SMS) messages claiming that an “unauthorized transaction” has been detected or that the user’s “Digital Key” (Clé Digitale) must be synchronized immediately to avoid account suspension.
The link leads to a professional-looking clone of the CMB portal, featuring the distinctive red and grey triskelion-style logo. This sophisticated phishing kit is designed to harvest:
Identifiant / Login ID
Password / PIN: Captured via a fake interactive virtual keyboard that mimics the bank’s security feature.
Mobile Phone Number
Real-time Authorization: The fake site prompts the victim to confirm a notification in their official CMB app or enter an SMS code. This allows the attacker to authorize a fraudulent wire transfer or register a new “Trusted Device” to the account instantly.

Red Flags to Watch For


The Deceptive URL: The official domain is cmb.fr. Phishing sites use addresses like votre-compte-cmb.online, securite-cmb-bretagne.net, or free subdomains like cmb-client.web.app.
Virtual Keyboard Glitches: While the fake site mimics the official numeric keypad, it may load slowly or fail to respond correctly to clicks, as it is capturing your input in real-time.
Unsolicited SMS with Links: CMB officially states they will never include a clickable link in an SMS regarding account security or “blocking” access.

Expert Security Tip:

The “Digital Key” Interception
The Method:
This case highlights a Man-in-the-Middle (MitM) attack targeting the French “Clé Digitale” (Digital Key) system. Scammers are not just looking for your password; they are waiting in real-time to intercept your app-based authorization.
The Trap:
When you enter your credentials on this fake page, the attacker simultaneously logs into the actual CMB server. The moment the bank sends a “Push Notification” to your phone to confirm your identity, the phishing site tells you to “Accept the notification on your smartphone to finish synchronization.” By tapping “Confirm,” you are actually authorizing the hacker’s login or a large fraudulent payment.
How to Protect Yourself:
Read Before You Tap: When you receive a confirmation prompt on your smartphone, read the text carefully. If it says “Confirm new device registration” or “Confirm a transfer of X €” while you were just trying to “log in” via a link, REJECT IT immediately.
The “Context” Rule: A digital key notification should only appear if YOU manually accessed the official www.cmb.fr website or opened the official app.
Zero Trust for SMS Links: If an SMS says your account is blocked and provides a link to “unblock” it, it is a scam. Log in directly through your official app to check for any real alerts.

Booking.com phishing page detected

Booking.com “Internal Messaging” Phishing
Target: Travelers and Hospitality Partners Worldwide
Threat Level: Critical (Authorized Account Access & Financial Fraud)
Phishing Method Description
This is a Multi-Stage Attack that exploits a chain of trust. Unlike typical phishing, the fraudulent message arrives directly within the official Booking.com app or your reservation chat.
Phase 1 (The Initial Breach): Attackers first compromise a hotel’s professional account (Extranet) by sending malware to the staff, often disguised as a guest request.
Phase 2 (The Customer Lure): Once inside the hotel’s account, scammers see real reservation details (names, dates, prices). They then message the guests through the official Booking.com system, claiming there is a “payment verification error”.
Phase 3 (The Theft): The guest is urged to click a link to “re-verify” their card details to avoid cancellation. The link leads to a perfect clone of Booking.com that harvests full credit card data and even 2FA codes in real-time.

Red Flags to Watch For
Requests for Payment via Chat: Booking.com and legitimate hotels will never ask you to provide credit card details or make a payment directly through a chat, email link, or WhatsApp.
Urgent & Threatening Tone: Phrases like “Verification required within 4 hours or your booking will be cancelled” are used to bypass your critical thinking.
The URL Check: Even if the message is in the app, the link itself will lead to a non-official domain (e.g., booking-verification.online instead of booking.com).

Expert Security Tip:

The “Booking Confirmation” Rule
The Method:
This case is a prime example of Brand Identity Abuse. Scammers use the actual infrastructure of a trusted platform to hide their tracks. Because the message comes from the “official” account of the hotel you actually booked, it is almost impossible to distinguish from a real request at first glance.

The Trap:
Attackers are exploiting social engineering rather than a flaw in Booking.com’s backend. They use your real travel dates and the hotel’s name to make the request feel 100% legitimate.

How to Protect Yourself:
Check the App’s Payment Status: If you have already paid or have a “pay at property” policy, any request for “pre-payment” is 100% a scam.
Call the Hotel Directly: If you receive an urgent payment request, do not use the link. Instead, find the hotel’s phone number on their official website (not from the chat message) and call them to verify the request.
Pay Only on the Platform: Legitimate payments should be handled only through the official Booking.com checkout process, not through third-party links like Stripe or PayPal sent via chat.
Enable 2FA Everywhere: If you are a hotelier or a traveler, multi-factor authentication is your final line of defense against account takeovers.

Raiffeisen bank phishing page detected

Raiffeisen Bank “Digital Security Update” Phishing
Target: Raiffeisen Bank Customers (Central and Eastern Europe)
Threat Level: Critical (Raiffeisen Identity & Digital Token Theft)
Phishing Method Description
This attack targets users of the Raiffeisen Online Banking and the Digital ID apps. Scammers distribute urgent notifications via SMS (Smishing) or Email, claiming that “New Security Regulations” or a “System Maintenance” requires the user to re-verify their profile to avoid account suspension.
The link leads to a high-fidelity clone of the Raiffeisen “Login” portal. This sophisticated phishing kit is specifically designed to harvest:
Customer ID / Username
PIN / Password
Mobile Phone Number
One-Time Password (OTP) / Push Authorization: The fake site prompts the victim to enter the code from their SMS or confirm a notification in their official Raiffeisen app in real-time. This allows the attacker to authorize a fraudulent transfer or link a new device to the account instantly.
Red Flags to Watch For
The Lookalike URL: The official domains are raiffeisen.at, raiffeisen.ro, etc. Phishing sites use deceptive addresses like raiffeisen-securitate.online, verificare-raiffeisen.net, secure-raiffeisen-login.com, or free subdomains like raiffeisen.web.app.
Urgent & Threatening Tone: Phrases like “Immediate action required” or “Your access will be blocked within 24 hours” are classic social engineering tactics.
Link in SMS/Email: Raiffeisen Bank officially states they will never include a clickable link in an SMS or email that leads directly to a login page asking for your credentials.

Expert Security Tip:

The “Digital ID” Proxy Attack
The Method:
This case highlights a Real-Time Authentication Hijack. Scammers are not just looking for your password; they are acting as a “middleman” between you and the real bank server.
The Trap:
When you enter your credentials on the fake page, the attacker simultaneously enters them on the actual Raiffeisen website. This triggers a legitimate Push Notification or SMS OTP to your phone. The phishing site then asks you to “Confirm the notification to finish the update.” By doing so, you are not securing your account—you are signing a digital signature that authorizes the hacker to drain your funds.
How to Protect Yourself:
The “Context” Rule: Only confirm a notification or enter an OTP if YOU were the one who manually typed the official bank address into your browser. If a prompt appears after clicking a link, REJECT it.
Read the Prompt Carefully: If the notification on your phone says “Authorize a payment” or “Register a new device” but you are just trying to “log in,” it is 100% a scam.
Zero Trust for Links: Raiffeisen will never send you a link to “Log in” or “Update” your security credentials via SMS. Always use the official Raiffeisen Smart Mobile app.

Bankinter phishing page in Portuguese revealed

Bankinter Portugal “Security Alert” Phishing
Target: Bankinter Customers in Portugal
Threat Level: Critical (Real-time Account Takeover & SMS OTP Theft)
Phishing Method Description
This attack targets users of Bankinter Particulares (Online Banking). Scammers use a “Fraud Alert” pretext, sending out Smishing (SMS) messages claiming that an “unauthorized access” or “unusual purchase” has been detected. To “cancel” the transaction or “secure” the account, the user is pressured to click a link immediately.
The link leads to a high-fidelity clone of the Bankinter.pt portal. This sophisticated phishing kit is designed to harvest:
User ID / NIF (Número de Identificação Fiscal)
Access Password (Multichannel Key)
Mobile Phone Number
SMS One-Time Password (OTP): The fake site prompts the victim to enter the security code in real-time. The attacker immediately uses this code on the actual Bankinter server to authorize a fraudulent wire transfer or to register their own device as the primary security key.
Red Flags to Watch For
The Lookalike URL: The official domain is bankinter.pt. Phishing sites use deceptive addresses like seguranca-bankinter.online, verificar-acesso-bankinter.net, bankinter-portugal.com, or free subdomains like bankinter-login.web.app.
Urgent & Alarming Tone: Phrases like “Acceso no autorizado detectado” or “Bloqueo preventivo” are used to bypass critical thinking and force an impulsive click.
Link in SMS/Email: Bankinter officially states they will never include a clickable link in an SMS message regarding account security or “blocking” access.

Expert Security Tip:

The “Cancellation” Deception
The Method:
This case highlights a Social Engineering Trick known as the “Cancellation Scam.” Scammers create a fake “security threat” to make you panic.
The Trap:
When you enter an SMS OTP on a fake site to “cancel a fraudulent transaction,” you are actually doing the exact opposite. Because the attacker is logged into your real account in the background, they have just triggered a new fraudulent transfer. The code you just entered is the final digital signature they need to move your money out of the bank.
How to Protect Yourself:
OTP is for Authorization ONLY: A real bank will never ask you to enter an SMS code to cancel or block something. SMS codes are strictly for authorizing actions you started yourself.
The “Manual Entry” Rule: If you receive a security alert via SMS, ignore the link. Open your browser and manually type www.bankinter.pt to log in safely.
Read the SMS Content: Carefully read the text accompanying the code. If it says “Code to authorize a transfer of 1,000 €” but you are trying to “secure your account,” it is 100% a scam.

OTP bank phishing page detected

OTP Bank “Account Access Verification” Phishing
Target: OTP Bank Customers (Hungary, Russia, Romania, Serbia, etc.)
Threat Level: Critical (Real-time OTP Interception & Account Hijacking)

Phishing Method Description
This attack relies on Psychological Pressure. Victims receive a Smishing (SMS) or Email claiming that their “OTPdirekt access has been suspended” or that a “Suspicious login attempt” was detected from a new device.

The link leads to a high-fidelity clone of the OTP Bank login page. This sophisticated phishing kit is designed for a Man-in-the-Middle (MitM) attack, harvesting:

User ID / Account Number (HAZ / ID)
Password / PIN
Mobile Phone Number
Mobile Signature (SMS OTP): The fake site prompts the victim to enter the 6-digit security code received via SMS in real-time. The attacker immediately uses this code on the actual bank site to authorize a fraudulent transfer or link their own device to the account.

Red Flags to Watch For
Deceptive Domain: The official domains are otpbank.hu, otpbank.ru, otpbanka.rs, etc. Phishing sites use lookalikes such as otpbank-security.online, verific-otp.net, or free subdomains like otp-login.web.app.
Requesting OTP for “Blocking” or “Updates”: A real bank will never ask you for an SMS code to cancel a transaction or unblock an account. Codes are strictly for authorizing actions you started yourself.
Urgent Tone: Messages demanding you “Act within 2 hours” to avoid a total block are clear signs of a scam.

How to Protect Yourself
Use the Mobile App: Manage your security exclusively through the official OTP SmartBank or m-bank app.
The “Manual Entry” Rule: Always type the official address manually into your browser’s address bar. Never click on links in bank messages.
Verify the SMS Source: Official alerts come from registered bank IDs. If a message comes from a standard mobile number, delete it.
Immediate Action: If you have entered data on a suspicious site, call the official OTP Bank support immediately at +36 1 3666 666 (Hungary) or +7 495 783-54-00 (Russia) to freeze your account.

Expert Security Tip:

The “Live Proxy” Hazard
The Method:
This case highlights the Real-Time Token Relay tactic. Scammers use automated kits that act as a “live bridge” between you and the real bank.

The Trap:
When you enter your Mobile Signature SMS code on the fake site, you aren’t “verifying” anything. You are providing the final authorization for a transaction the hacker has already prepared in the background.

How to Protect Yourself:
Read the SMS Content Carefully: If the SMS says “Code to authorize a transfer of X amount” while you are just trying to “log in,” do not enter it.
Switch to Biometric Auth: Use Fingerprint or FaceID inside the official app. These methods are much harder to phish than 6-digit SMS codes.
One-Time Rule: An OTP is meant for one specific action. If the site asks you to enter multiple codes in a row for a single “verification,” close the page—they are draining your account transaction by transaction.

PayPal phishing page detected

PayPal “Account Suspension Alert” Phishing
Target: PayPal Users Worldwide
Threat Level: Critical (Financial & Full Identity Theft)
Phishing Method Description
This attack uses a “High-Pressure Security” pretext. Victims receive an email or SMS (Smishing) claiming that “Your account has been temporarily suspended” or that “Unusual activity was detected on your account.” To “restore full access” or “cancel a fraudulent payment,” the victim is pressured to click a link and complete a verification process.
The link leads to a sophisticated, multi-step phishing portal that mimics the official PayPal login flow. This “Fullz” kit is designed to harvest:
PayPal Credentials (Email and Password)
Full Personal Identity (Name, Date of Birth, and Home Address)
Credit/Debit Card Details (Number, Expiration Date, and CVV)
Bank Account Information
Security Challenge Answers: Intercepted to bypass future password recovery attempts.
Red Flags to Watch For
Deceptive Domain: The official domain is strictly paypal.com. Phishing sites use lookalikes such as verify-paypal-secure.com, account-resolution-paypal.net, or free subdomains like paypal-limit.web.app.
Generic Salutation: Official PayPal emails almost always address you by your full name. Be wary of emails starting with “Dear Customer,” “Dear Member,” or just your email address.
Requesting Card Details to “Unlock”: PayPal will never ask you to enter your full credit card number and CVV code just to “verify” your identity or unlock a login.
How to Protect Yourself
The “Login Direct” Rule: Never click a link in an email to log into PayPal. Always open a new browser tab and manually type paypal.com or use the official PayPal App.
Check the Message Center: If there is a real issue with your account, a notification will always be waiting for you in the secure “Message Center” inside your PayPal account.
2FA is Mandatory: Enable Two-Factor Authentication (2FA). Even if scammers steal your password, they won’t be able to log in without the code from your authenticator app or SMS.
Forward to Spoof: You can report PayPal-branded phishing by forwarding the suspicious email or link to [email protected].

Expert Security Tip:

The “Fullz” Harvesting Hazard
The Method:
This case highlights a Full Identity (Fullz) Extraction. Scammers are not just trying to steal your PayPal balance; they are gathering enough data to impersonate you permanently.
The Trap:
By providing your CVV code, SSN/National ID, and Security Answers, you are giving the hackers the power to open new credit lines in your name or take over your other financial accounts.
How to Protect Yourself:
CVV is for Buying, Not Logging: Your CVV (the 3 digits on the back) is only for authorizing a purchase. Never enter it on a page that claims to be for “identity verification” or “account unlocking.”
Zero Trust for Links: A “Locked Account” message is the most common bait. Always verify account status by logging in through the official app only.
Use Virtual Cards: For online services like PayPal, use a virtual card with a spending limit. This protects your main bank account even if your card details are phished.

Blocket fake page in Swedish detected

Blocket “Safe Payment / Shipping” Phishing
Target: Buyers and Sellers on Blocket (Sweden)
Threat Level: Critical (Bank Account Takeover & BankID Hijacking)
Phishing Method Description
This attack targets users of the Swedish marketplace Blocket. Scammers usually contact a seller or buyer via WhatsApp or SMS, claiming they want to use “Blocket Paket” (shipping service) or a fake “Direct Payment” system to complete the deal.
The link leads to a high-fidelity clone of the Blocket or BankID verification page. The phishing kit is specifically designed to harvest:
Personal Identity Number (Personnummer)
Credit/Debit Card Details (Number, Expiry, CVV)
BankID Authentication: The fake site triggers a real BankID or Mobile BankID request on the victim’s phone. Thinking they are “verifying the payment,” the victim enters their PIN, which actually authorizes the attacker to log into their real bank account or sign a fraudulent transaction.
Red Flags to Watch For
Deceptive Domain: The official domain is blocket.se. Phishing sites use lookalikes such as blocket-betalning.online, verifera-blocket.net, frakt-blocket.com, or free subdomains like blocket-portal.web.app.
Off-Platform Communication: If a buyer or seller insists on moving the conversation from Blocket’s internal chat to WhatsApp or SMS, it is a major warning sign.
Urgent Payment Links: Blocket will never send you a link via SMS or WhatsApp asking you to “enter your card details to receive money.”
How to Protect Yourself
Stay on the Platform: Use only the official Blocket Paket and payment systems integrated directly into the Blocket app or website.
The “No Link” Rule: Never click on links sent by other users to “confirm a payment” or “track a package.” If the payment is real, it will show up in your official Blocket account.
Verify BankID Context: Before entering your PIN in the BankID app, always check the “Requester” (Mottagare) and the action. If you are selling an item, you should not be “signing” or “authenticating” a login to your bank.
Zero Trust for Card Requests: You do not need to provide your CVV code to receive money. If a site asks for it to “verify your account for a payout,” it is a scam.

Expert Security Tip:

The “BankID Relay” Attack
The Method:
This case highlights a Real-Time Authentication Relay. Scammers are acting as a “live bridge” between the victim and their bank.
The Trap:
When you enter your Personnummer on the fake Blocket site, the attacker enters it on the real bank website. You receive a BankID notification. If you sign it, you aren’t “confirming a sale”—you are signing the attacker into your bank account.
How to Protect Yourself:
Check the App carefully: In the BankID app, it will show who is requesting the identification (e.g., “Logga in på [Din Bank]”). If you see your bank’s name while you are supposedly on “Blocket,” cancel immediately.
Never trust “Verification” links: Blocket and banks in Sweden will never ask you to identify yourself via BankID through a link sent in a private message.

Fake French Police page revealed

French National Police (ANTAI) “Unpaid Fine” Phishing
Target: Residents and Visitors in France
Threat Level: Critical (Real-time Credit Card Skimming & Identity Theft)
Phishing Method Description
This attack impersonates the ANTAI (Agence Nationale de Traitement Automatisé des Infractions), the official agency for traffic and parking fines in France. Victims receive a “Smishing” (SMS) or Phishing Email claiming they have an unpaid fine (often 35€ or 135€) that will increase if not settled immediately.

The link leads to a highly realistic clone of the official French government portal, often displaying the “Marianne” and ANTAI logos. The phishing kit harvests:

Personal Identity Data: Name, address, and email.
Payment Details: Full credit/debit card information (Number, Expiry, CVV).
3D-Secure / OTP Codes: The fake site intercepts verification codes in real-time, allowing attackers to authorize large, fraudulent purchases instead of a small fine payment.

Red Flags to Watch For
The URL Trap: The only official website for paying fines in France is www.amendes.gouv.fr. Scam sites use lookalikes such as portails-amendes-gouv.com, antai-fines.net, or amendes-gouv-infractions.fr.
No SMS for Reminders: ANTAI only sends SMS messages for immediate payment during a direct interaction with an officer on the ground. They never send unsolicited SMS reminders for old or “unpaid” fines.
Generic Sender Addresses: Real emails from ANTAI always end in @antai.gouv.fr (specifically [email protected]). Be wary of senders with .mu, .br, or free domains.
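
The lookalike-URL red flags repeated across the cases above can be checked mechanically. The following is an added example, not code from the original advisories: it classifies a link by comparing its host against only the official domains this page states (Sabadell and Banco del Pacífico are omitted because the page gives no official domain for them). The function names, verdict strings, and the sample schemes and paths are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Brand keyword -> official domains, taken only from the advisories above.
OFFICIAL = {
    "cmb": ("cmb.fr",),
    "booking": ("booking.com",),
    "raiffeisen": ("raiffeisen.at", "raiffeisen.ro"),
    "bankinter": ("bankinter.pt",),
    "otp": ("otpbank.hu", "otpbank.ru", "otpbanka.rs"),
    "paypal": ("paypal.com",),
    "blocket": ("blocket.se",),
    "amendes": ("amendes.gouv.fr",),
    "antai": ("amendes.gouv.fr", "antai.gouv.fr"),
}
# Free hosting suffix named in the advisories; anyone can claim a subdomain.
SHARED_HOSTING = (".web.app",)


def hostname(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def on_domain(host, domain):
    """True only for the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return (verdict, brand, notes) for a link found in an SMS or email."""
    host = hostname(url)
    # Split on dots and hyphens so "otp" matches "otpbank" but not "hotplate".
    labels = re.split(r"[.-]", host)
    notes = []
    if host.endswith(SHARED_HOSTING):
        notes.append("free shared-hosting subdomain")
    for brand, domains in OFFICIAL.items():
        if not any(label.startswith(brand) for label in labels):
            continue
        if any(on_domain(host, d) for d in domains):
            return ("official", brand, notes)
        # Brand name appears in the host, but the host is not the bank's.
        return ("lookalike", brand, notes)
    return ("unrelated", None, notes)


# Hosts named in the advisories (schemes and paths are constructed),
# plus one constructed case where the official name is only a prefix.
SAMPLES = [
    "https://www.cmb.fr/",
    "http://securite-cmb-bretagne.net/",
    "raiffeisen.web.app",
    "https://booking-verification.online/pay",
    "https://paypal.com.account-check.example/",  # constructed
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", classify(link))
```

Label-prefix matching is a heuristic: it misses brands that are misspelled or buried inside a longer label, so an "unrelated" verdict means "not checked", not "safe".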

How to Protect Yourself
The “Manual Entry” Rule: Never click on a link to pay a fine. Always type www.amendes.gouv.fr manually into your browser or use the official amendes.gouv app.
Wait for the Paper Copy: Genuine fine notices are almost always sent via physical mail to the address on your vehicle registration (carte grise). If you haven’t received a letter, the message is likely a scam.
Report Smishing: In France, you can forward fraudulent SMS messages to 33700 or report them to signal-spam.fr.

Expert Security Tip:

The “Real-Time Fine” Verification
The Method:
This case highlights a Real-Time Token Relay attack. Scammers are banking on the fact that drivers are often stressed by the threat of increased fines and legal action.

The Trap:
When you enter your card details on a fake ANTAI site, the attackers are simultaneously using that data on a real payment gateway for a high-value purchase. The OTP/3D-Secure code you enter to “pay your fine” is actually the final signature the hackers need to empty your bank account.

How to Protect Yourself:
Use the Reference Number: Every legitimate fine has a 14 or 18-digit reference number. If the website doesn’t ask for this specific number or doesn’t show your car registration plate, it is 100% a scam.
Zero Trust for QR Codes: Be cautious of QR codes on fake physical tickets left on windscreens, a new tactic used to bypass digital spam filters.
Check the App Context: If your bank’s authorization app asks you to “confirm a payment” of a different amount than the fine while you are on a “government” site, cancel immediately.