Singapore Post fake page detected

Package Tracking Phishing – Credit Card Harvesting

This phishing page impersonates a postal or courier service, likely targeting an international audience. The page claims to provide tracking information for a package (Tracking Number: SG904951986) while simultaneously requesting sensitive financial details under the guise of “pay by card.”

How it works:
The victim receives a phishing email or SMS claiming a package is awaiting delivery, that a customs fee is due, or that a redelivery fee must be paid. The link leads to this page, which displays:

A fake tracking number (SG904951986)

A description: “Standard package”

Fields for Full Name, Phone Number, and a complete credit card form (Card Number, Expiry Date, CVV)

When the victim fills out the form and clicks “Confirm,” all personal and financial information is sent directly to the attacker.

The goal:
This is a direct financial phishing attack. Unlike more sophisticated multi-step phishing pages that first collect login credentials and then payment details, this page collects personal and payment details in a single form. The attacker obtains:

The victim’s full name and phone number (useful for identity theft or follow-up scams)

Complete credit card details (card number, expiration, CVV), which can be used for fraudulent online purchases, cloned cards, or sold on criminal marketplaces

Red flags to watch for:

No carrier branding: The page lacks any official logo or name of a legitimate carrier (e.g., USPS, FedEx, DHL, Royal Mail, etc.). Legitimate tracking pages always clearly display the carrier’s branding.

Vague tracking number: The tracking number “SG904951986” does not follow the standard format of any major carrier. Real tracking numbers are carrier-specific and can be verified on the official website.

Request for payment without context: The page demands credit card details but provides no explanation of what the payment is for (customs, redelivery, insurance, etc.). Legitimate carriers clearly state the reason for any fee.

Poor design and generic fields: The form is minimal, lacks security icons, and does not use HTTPS padlock indicators that legitimate payment pages display.

No delivery details: There is no recipient address, sender information, or estimated delivery date—all of which are standard on legitimate tracking pages.
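The tracking-number red flag above can be checked mechanically. The following is an added example, not part of the original write-up: it assumes the reference format is UPU S10 (two service letters, eight serial digits, one check digit, two country letters), the identifier postal operators use for international items. The function names and the valid sample number are constructed for illustration.

```python
import re

# UPU S10 shape: service indicator, 8-digit serial, check digit, country code.
S10_RE = re.compile(r"^([A-Z]{2})(\d{8})(\d)([A-Z]{2})$")
WEIGHTS = (8, 6, 4, 2, 3, 5, 9, 7)


def s10_check_digit(serial):
    """Check digit for an 8-digit S10 serial number (weighted mod 11)."""
    total = sum(int(c) * w for c, w in zip(serial, WEIGHTS))
    check = 11 - total % 11
    return {10: 0, 11: 5}.get(check, check)


def check_s10(text):
    """Return (verdict, detail) for a tracking number as shown on a page."""
    value = re.sub(r"\s+", "", text).upper()
    match = S10_RE.match(value)
    if match is None:
        return ("bad-shape",
                f"{len(value)} characters; S10 needs 13 (AA + 9 digits + AA)")
    service, serial, check, country = match.groups()
    if int(check) != s10_check_digit(serial):
        return ("bad-check-digit", f"check digit {check} fails for {serial}")
    return ("valid", f"service {service}, origin country code {country}")


if __name__ == "__main__":
    # First value is the number shown on the phishing page; the second is a
    # constructed number that satisfies S10; the third breaks its check digit.
    for number in ("SG904951986", "RR123456785SG", "RR123456784SG"):
        print(number, check_s10(number))
```

A number that passes this check is only well-formed; whether it refers to a real item can be confirmed only on the carrier's official site.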

What to do if you encounter this:

Do not enter your name, phone number, or any credit card details.

Do not click “Confirm” or any other buttons on the page.

If you are expecting a package, go directly to the official website of the carrier you believe is handling the shipment and enter your real tracking number.

Report the phishing page to the legitimate carrier being impersonated (if identifiable) and to anti-phishing organizations.

Why this scam is dangerous:
This type of phishing page is often distributed via SMS (“smishing”) with messages like “Your package could not be delivered. Please update payment information.” Because the requested amount is never specified, victims may assume it is a small fee. Once credit card details are submitted, attackers can drain accounts or make high-value purchases before the victim realizes what happened. The combination of personal information (name, phone) and financial data also enables identity theft.

Western Union fake page detected

Western Union Phishing – Fake “Receive Money” Scam

This phishing campaign impersonates Western Union, a legitimate money transfer service. The scam is presented in two steps:

A fake “tracking” page claiming money is ready to be received

A payment page designed to harvest credit card details

How it works:
The victim likely receives an email, SMS, or social media message claiming someone has sent them money via Western Union. The message includes a link to the first phishing page.

Step 1 – The Fake Tracking Page (First Screenshot)
This page displays:

A tracking number: 14773881745

An amount: 30000 Rs (30,000 rupees, approximately $360 USD)

A “Receive Money” button

The page mimics Western Union’s branding and claims the victim can “receive money your way all world.” To claim the funds, the victim is instructed to click “Receive Money.”

Step 2 – The Credit Card Harvesting Page (Second Screenshot)
After clicking “Receive Money,” the victim is taken to this page, which asks for:

Card Number

Card Holder name

Expiry Date

Option to “Save this card”

The page falsely claims to be secure (“protected by ssl (https) and pci das standards”) to lower suspicion.

The goal:
The attacker aims to steal full credit card details. There is no money waiting to be received—the entire “tracking” page is fabricated. If the victim enters their card information, the attacker can make unauthorized purchases, withdraw funds, or sell the card details.

Red flags to watch for:

No login required: Legitimate Western Union money transfers require the recipient to provide tracking information (MTCN) and identification—not credit card details—to receive money. You never need to enter a credit card to receive funds.

Fake tracking number: The tracking number format does not match Western Union’s standard MTCN (Money Transfer Control Number) format.

Currency mismatch: The page mixes English with “Rs” (rupees), which may indicate targeting of specific regions but lacks professional localization.

Unnecessary card request: Receiving money through Western Union never requires the recipient’s credit card information. This is the clearest red flag.

Generic security claims: The second page claims PCI compliance but provides no verifiable security details (e.g., no padlock icon, no recognizable payment processor branding like Stripe or Braintree).

Suspicious URL: Both pages are hosted on domains that are not westernunion.com.

What to do if you encounter this:

Do not click “Receive Money” or enter any credit card details.

If someone has actually sent you money via Western Union, go directly to westernunion.com or use the official app. You will need the MTCN (tracking number) and valid identification—never a credit card.

Report the phishing page to Western Union’s fraud team at [email protected].

Why this scam is effective:
The promise of receiving a large sum of money (30,000 Rs) creates excitement and urgency, overriding critical thinking. Victims may believe they need to “verify” their identity or “activate” the transfer with a credit card. Scammers often pose as a “buyer” on classified ad sites (e.g., Facebook Marketplace, OLX) claiming they’ve sent payment via Western Union and need the victim to “click the link to receive it.” In reality, the link steals card details.

Protective measures:

Never enter credit card information to receive money through any service

Always type the official URL of financial services directly into your browser

Be wary of unsolicited messages claiming unexpected money transfers

Kapital bank phishing page detected

Kapital Bank Phishing – Fake Transfer Confirmation & Card Harvesting

This phishing campaign impersonates Kapital Bank, one of the largest banks in Azerbaijan. The scam is presented in two steps:

A fake transfer confirmation page claiming money is ready to be received

A payment/card details harvesting page

How it works:
The victim likely receives a phishing email, SMS, or social media message claiming someone has sent them money or that they have a pending transfer. The link leads to the first phishing page.

Step 1 – The Fake Transfer Page (First Screenshot)
This page displays:

A claimed transfer amount: 450 AZN (Azerbaijani manat)

Sender information: “Göndaran” (Sender) field is blank

Limit: 100,000 AZN

Fee details: 1% service fee, net amount 445.50 AZN

A “Davam et” (Continue) button

The page mimics Kapital Bank’s interface to appear legitimate. The victim is told they are receiving money and must continue to claim it.

Step 2 – The Card Details Harvesting Page (Second Screenshot)
After clicking “Continue,” the victim is taken to this page, which requests:

Card number (placeholder shows 0000 0000 0000 0000)

Cardholder name (placeholder shows XXXX XXXX)

Expiry date (month/year)

CVV (three-digit code)

Phone number (with +994 country code for Azerbaijan)

The page also includes Visa branding and a checkbox with text in Azerbaijani (“Odənişləri təhlükəsiz et” – “Make payments secure”) to create a false sense of security.

The goal:
The attacker aims to steal complete credit or debit card details along with the victim’s phone number. With this information, they can make unauthorized transactions, link the card to digital wallets, or sell the data. There is no actual transfer of 450 AZN—the entire offer is fabricated.

Red flags to watch for:

No login required: Legitimate banking transfers do not require entering card details to receive money. Receiving funds never requires the recipient to input their card information.

Suspicious URL: Both pages are hosted on domains that are not kapitalbank.az (Kapital Bank’s official domain).

Missing sender information: The “Göndaran” (Sender) field is empty, yet a transfer is allegedly pending—this is unrealistic for a legitimate banking notification.

Typo in second page header: The second page says “Kapitel Bank” instead of “Kapital Bank,” a misspelling that is a clear indicator of a fake page.

Unnecessary card request: To claim a transfer, a legitimate bank would either deposit funds automatically or require login credentials—never a full card number, CVV, and phone number.

Generic placeholders: The form uses “XXXX XXXX” and “000” as placeholders, which is not standard for a legitimate banking portal.

Vague fee explanation: The fee is stated but the overall context (why a fee applies to receiving money) is suspicious.

What to do if you encounter this:

Do not click “Davam et” (Continue) or enter any card or personal information.

If you are a Kapital Bank customer, always type the official bank URL (kapitalbank.az) directly into your browser or use the official mobile app.

Never provide your card details, CVV, or phone number in response to a link claiming you are receiving money.

Report the phishing page to Kapital Bank’s fraud department and to local authorities.

Why this scam is effective:
The promise of receiving money (450 AZN) creates a sense of opportunity. Victims may believe they need to “verify” their card or “activate” the transfer by entering their details. Scammers often distribute these links via SMS or messaging apps, claiming a friend or family member sent money. Because the page mimics Kapital Bank’s branding and includes Azerbaijani language, local users may lower their guard.

Protective measures:

Never enter card details to receive money through any bank or payment service

Always access banking services by typing the official URL or using the official app

Be suspicious of unsolicited messages about unexpected money transfers

Check the URL carefully—phishing domains often differ by one letter or use unusual extensions

Foxpost phishing page detected


Classified Ads Phishing – Fake “Payment Received” & Bank Credential Harvesting

This phishing campaign is designed to steal online banking credentials from sellers on classified ad platforms (such as Facebook Marketplace, Jófogás, or Vatera) in Hungary. The scam is presented in three steps, creating an illusion of a legitimate payment holding service.

How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item. The buyer sends a link to a fake “payment confirmation” page that mimics a trusted escrow or payment protection service.

Step 1 – The Fake Payment Confirmation Page (First Screenshot)
This page claims:

An item (PS4 games) has been paid: 8000 HUF (Hungarian forints)

The buyer’s shipping address (partial, with errors: “agytéti” likely a misspelling of Ágostyán or similar)

The buyer’s name: Adrián Szőke

Instructions: “Vigye fel a pénzt a bankkártyájára” – “Transfer the money to your bank card and send the item”

The page uses Hungarian language and presents itself as a secure intermediary. The seller is told they must click “Megkaptam a fizetést” (I received the payment) to proceed.

Step 2 – Bank Selection Page (Second Screenshot)
After clicking, the victim is taken to a page asking them to select their bank from a list of major Hungarian banks:

CIB BANK

K&H Bank (misspelled as “BESTEÉ” in the screenshot, likely an error or placeholder)

Raiffeisen BANK

Takarékbank (misspelled as “TAKABÉKBANK”)

Gránit Bank (misspelled as “GJÁNIT BANK”)

UniCredit Bank

Step 3 – Fake Bank Login Page (Third Screenshot)
Once a bank is selected (in this case, Raiffeisen), the victim is taken to a fake Raiffeisen login page. This page asks for:

Direkt ID (8-digit online banking identifier)

Password

The page mimics Raiffeisen’s branding and includes references to “RaIPay” (a real Raiffeisen payment service) to appear authentic.

The goal:
The attacker steals the victim’s online banking credentials (Direkt ID and password). With these, they can log in to the victim’s real bank account, transfer funds, or authorize fraudulent payments. There is no actual buyer, no payment of 8000 HUF, and no legitimate escrow service—the entire transaction is fabricated to trick sellers into “claiming” money that doesn’t exist.

Red flags to watch for:

Fake payment intermediary: Legitimate classified ad platforms (like Facebook Marketplace) do not use third-party pages to “hold” payments. Buyers either pay in person or through official platform payment systems.

Grammatical errors and misspellings: The first page contains a misspelled location (“agytéti”), and the second page has multiple bank name misspellings (“BESTEÉ,” “TAKABÉKBANK,” “GJÁNIT BANK”). Official financial pages do not have such errors.

Suspicious URL: All pages are hosted on domains that are neither official bank domains nor legitimate classified platform domains.

Request for banking credentials: No legitimate payment process requires a seller to log into their bank account through a link provided by the buyer to receive funds.

Pressure to ship: The first page instructs the seller to ship the item after “receiving” the payment—sellers who fall for this may ship the item before realizing no payment was ever made.

No actual funds transfer: The process involves no real money movement; it’s purely a credential harvesting scheme.

What to do if you encounter this:

Do not click “Megkaptam a fizetést” or any buttons on these pages.

Do not select your bank or enter any login credentials.

If you are selling items online, never click links sent by buyers claiming payment is waiting. Instead, check the official platform (Facebook Marketplace, etc.) for payment confirmation.

If a buyer insists you click a link to “receive payment,” it is a scam. Legitimate buyers pay through official platform mechanisms or in cash upon pickup.

Report the phishing pages to the banks being impersonated and to the classified platform where the scam originated.

Why this scam is effective:
Sellers are eager to complete sales and may not be familiar with how online payment intermediaries work. The promise of already-received funds (8000 HUF) creates a sense of urgency to “claim” the money and ship the item. By using localized Hungarian language and mimicking familiar bank interfaces, the scam successfully lowers suspicion.

Protective measures:

Always complete transactions in person with cash, or use official platform payment systems

Never click links from buyers claiming payment is pending—log in to the platform directly

Never enter bank login credentials on a page you reached via an unsolicited link

Verify the URL carefully: official Hungarian banking domains end in .hu and use proper spelling (e.g., raiffeisen.hu, cib.hu, kh.hu)

Hotmail and Microsoft fake pages detected

Microsoft/Outlook Phishing – Fake Account Verification Scam

This phishing campaign impersonates Microsoft (specifically Hotmail/Outlook) to steal email account credentials. The scam is presented in two steps: a deceptive warning page followed by a fake login form.

How it works:
The victim receives an email, SMS, or social media message—likely in Spanish—claiming their email account requires verification or is at risk of being suspended. The link leads to the first phishing page.

Step 1 – The Fake Verification Warning (First Screenshot)
This page displays:

A heading: “HOTMAIL PREMIUM”

A message in Spanish: “VERIFIQUE SU CUENTA DE CORREO ELECTRÓNICO DE FORMA CORRECTA PARA QUE SIGA DISFRUTANDO DE NUESTROS SERVICIOS”
(Translation: “Verify your email account correctly so that you continue enjoying our services.”)

A button: “VERIFICA TU CUENTA” (Verify your account)

A footer: “© Microsoft 2023”

The page uses urgency and fear—implying that failure to verify will result in loss of service.

Step 2 – Fake Microsoft Login Page (Second Screenshot)
After clicking “VERIFICA TU CUENTA,” the victim is taken to a fake Microsoft login page. This page asks for:

Correo electrónico (Email address)

It mimics Microsoft’s branding with the official Microsoft logo and the “Iniciar Sesión” (Sign in) header.

The goal:
The attacker aims to steal Microsoft/Outlook/Hotmail email credentials. Once they have the email address and password (likely captured on a subsequent page after the email is entered), they can:

Access the victim’s emails (searching for sensitive information or password reset links)

Reset passwords for other accounts linked to that email (banking, social media, etc.)

Use the compromised email to send further phishing messages to the victim’s contacts

Red flags to watch for:

No personalization: Legitimate Microsoft security alerts address you by your name or partial email address. This page uses a generic warning.

Suspicious URL: Both pages are hosted on domains that are not microsoft.com or outlook.com.

Poor Spanish grammar: The phrasing “VERIFIQUE … PARA QUE SIGA DISFRUTANDO” is slightly awkward. Official Microsoft communications are professionally localized.

No two-factor authentication (2FA) mention: Legitimate Microsoft account verification often involves 2FA or confirmation within the authenticator app—not simply clicking a link and entering a password.

Generic footer: The footer only shows “© Microsoft 2023” and a random “CREATE A FREE BIO SITE” link, which is completely unrelated to Microsoft and a clear indicator of a fake page.

Single-field login: The second page asks only for email initially, but a subsequent page would ask for a password. Phishing pages sometimes do this to first validate if the email is active before presenting the password field.

What to do if you encounter this:

Do not click “VERIFICA TU CUENTA” or enter any email or password.

If you are concerned about your Microsoft account, go directly to outlook.com or account.microsoft.com by typing the URL into your browser—never click links in unsolicited messages.

Legitimate Microsoft account verification never requires you to click a link in an email to “verify” your account. Instead, you may receive a code via SMS or email that you enter on the official site if you initiated a change.

Report the phishing page to Microsoft using their reporting tools: forward suspicious emails to [email protected] or use the “Report Message” add-in in Outlook.

Why this scam is effective:
Email accounts are a high-value target because they serve as the “keys to the kingdom” for password resets across other services. Spanish-speaking users may be less frequently targeted with localized phishing, making this campaign particularly dangerous. The use of Microsoft branding and the fear of losing email service prompts users to act quickly without scrutinizing the URL or page details.

Protective measures:

Enable two-factor authentication (2FA) on your Microsoft account to prevent unauthorized access even if your password is stolen

Always check the URL before entering credentials—Microsoft’s login pages always end in microsoft.com or live.com

Be suspicious of any message that creates urgency and asks you to “verify” your account by clicking a link

If in doubt, contact Microsoft support through official channels rather than using links in suspicious messages

Nuevo Banco del Chaco phishing page detected

Nuevo Banco del Chaco Phishing – Fake Platform Update Scam

This phishing campaign impersonates Nuevo Banco del Chaco (NBCH), a bank serving the Chaco province in Argentina. The scam uses the pretext of a “platform update” or “security verification” to steal online banking credentials.

How it works:
The victim receives a phishing email, SMS, or social media message—likely in Spanish—claiming that the bank has updated its online banking platform (Home Banking) and that the user must verify their account to continue using services. The link leads to the first phishing page.

Step 1 – Fake Platform Update Notification (First Screenshot)
This page displays:

“VERIFIQUE SU CUENTA” (Verify your account) as a prominent heading

A message in Spanish: “TE INVITAMOS A CONOCER EL RENOVADO HOME BANKING. Mejoramos nuestra plataforma para que sea aún más fácil, ágil y cómoda para hacer tus operaciones.”
(Translation: “We invite you to get to know the renewed Home Banking. We improved our platform to make your transactions even easier, faster, and more convenient.”)

The bank’s name: “Nuevo Banco del Chaco SA”

A reference to the official website: www.nbch.com.ar

A button: “VERIFIQUE SU CUENTA”

The page mimics NBCH’s branding and uses the bank’s real website URL in the text to appear legitimate.

Step 2 – Fake Security Verification Page (Second Screenshot)
After clicking the verification button, the victim is taken to this page, which displays:

“VERIFICA TU CUENTA POR SEGURIDAD Y SIGUE DISFRUTANDO DE NUESTROS SERVICIOS”
(Translation: “Verify your account for security and continue enjoying our services”)

Another “VERIFIQUE SU CUENTA” button

Footer with a copyright notice and customer service phone numbers (which may be copied from the real bank)

The actual credential harvesting form likely appears after clicking the button on this second page (though not shown in the screenshots, such forms typically request User ID, password, or security details).

The goal:
The attacker aims to steal NBCH online banking credentials. By impersonating a legitimate “platform update” or “security verification,” the scam tricks users into entering their login details on a fake page, giving attackers direct access to their bank accounts.

Red flags to watch for:

Suspicious URL: Both pages are hosted on a domain (antiphishing.biz) that is not nbch.com.ar or any official NBCH domain.

No personalization: The messages address the user generically rather than using their name or account details.

Two-step verification process: Legitimate banks do not require clicking a link in an email to “verify” an account due to a platform update. Such updates are communicated via official app notifications or direct mail, and users are expected to log in normally (not through a provided link).

Unusual footer content: The second page includes “CREATE A FREE BIO SITE” at the bottom—a completely unrelated and suspicious addition that no legitimate bank would include.

Urgency without authentication: The page pressures the user to “verify” without requiring any prior authentication, which is a common phishing tactic.

Copy of official content: While the first page references the real NBCH website (www.nbch.com.ar), the phishing site itself is not on that domain. Attackers often copy legitimate URLs into text to mislead users.

What to do if you encounter this:

Do not click the “VERIFIQUE SU CUENTA” buttons or enter any personal information.

If you are an NBCH customer, always access your online banking by typing www.nbch.com.ar directly into your browser or by using the official NBCH mobile app.

Never log into your bank account through a link sent via email, SMS, or social media.

Report the phishing page to Nuevo Banco del Chaco using their official customer service channels (e.g., the phone numbers listed on their genuine website, not those on the phishing page).

Why this scam is effective:
Regional banks in Argentina, such as NBCH, have a strong local customer base. Phishing campaigns that use the pretext of a “platform update” exploit the fact that users may have heard about digital transformation efforts at their bank. The use of the real bank URL in the text and the familiar branding lowers suspicion. Additionally, the page is fully localized in Argentine Spanish, making it more convincing than generic phishing attempts.

Protective measures:

Always verify the URL in your browser’s address bar before entering any credentials

Bookmark the official bank website and use that bookmark to log in

Enable two-factor authentication (2FA) if offered by the bank

Be suspicious of any unsolicited message that asks you to “verify” or “update” your account

If you receive such a message, contact your bank directly using a phone number or email from your bank statement or official website—never use contact details provided in the suspicious message.

Facebook and Freefire fake pages detected

Free Fire “Skin Generator” Scam – Facebook Credential Harvesting

This phishing campaign targets players of Free Fire, a popular mobile battle royale game developed by Garena. The scam promises free in-game skins and diamonds through a fake “generator” tool. In reality, it is a multi-step scheme designed to steal victims’ Facebook login credentials (the primary method of logging into Free Fire on many devices).

How it works:
The victim encounters a link to this scam via YouTube videos, TikTok, Discord, Instagram, or other social media platforms, often with captions like “Free Fire Free Diamonds Generator 2023” or “Get Free Skins No Human Verification.”

Step 1 – Selection Page (First Screenshot)
The victim is presented with a page showing various skins (e.g., “Chocolate”) and diamonds. The interface mimics a legitimate selection menu, asking the user to choose what they want to “generate.”

Step 2 – Username & Platform Entry (Second Screenshot)
The victim is asked to enter their Free Fire username and select their platform. This is designed to make the scam feel personalized and legitimate.

Step 3 – Fake Progress Indicator (Third Screenshot)
A progress bar appears showing “Generating…” with a percentage (e.g., 15%). This builds anticipation and tricks the victim into believing the generator is working.

Step 4 – “Sponsor Activity” Requirement (Fourth Screenshot)
After the fake generation, the victim is told that to complete the process, they must complete a “sponsor activity” – typically described as a quick verification step that “helps pay for your skins.” A countdown timer (Time Left: 0442) creates urgency. The text appears in multiple languages (English and Dutch) to target a broader audience.

Step 5 – Facebook Login Phishing Page (Fifth Screenshot)
The “sponsor activity” leads to a fake Facebook login page. This page asks for:

Email or Phone

Password

Once the victim enters their Facebook credentials, the information is sent directly to the attacker.

The goal:
The attacker steals the victim’s Facebook login credentials. Since many Free Fire players log into the game using their Facebook account, gaining access to the Facebook account effectively gives the attacker control over the victim’s Free Fire account as well. Attackers can then:

Steal or sell the Free Fire account

Access personal information linked to Facebook

Use the compromised Facebook account to spread the scam further to the victim’s friends

Red flags to watch for:

“Too good to be true” offer: No legitimate service provides free in-game currency or rare skins through an external “generator.” Such items must be purchased or earned through official game events.

No official branding: The pages use generic “FREE FIRE” text but lack official Garena branding, logos, or copyright notices.

Request for credentials: The final step asks for Facebook login details. No legitimate in-game reward system ever requires entering Facebook credentials on a third-party site.

Fake “sponsor activity” concept: The “sponsor activity” is a common phishing tactic to justify why the user must complete an additional step, often involving a credential harvest or survey scam.

Multiple languages: The presence of Dutch text alongside English suggests broad targeting but also indicates unprofessional localization—official Garena communications are consistently in one language per region.

Countdown timer: The timer creates artificial urgency to pressure the user into completing the “verification” without thinking.

Suspicious URL: All pages are hosted on domains that are not garena.com or facebook.com.

What to do if you encounter this:

Do not enter your Free Fire username, select a platform, or proceed through any steps.

Do not enter your Facebook email/phone and password on the final page.

If you have already entered your Facebook credentials, change your Facebook password immediately, enable two-factor authentication (2FA), and check for any unauthorized activity.

If you use the same password for other accounts, change those passwords as well.

Report the phishing page to Facebook and to Garena (Free Fire’s developer).

Why this scam is effective:
Free Fire is extremely popular, especially among younger audiences who may be eager for free in-game items. The multi-step process with progress bars and “sponsor activity” explanations makes the scam feel elaborate and legitimate. The use of Facebook as the final credential harvest is strategic because many Free Fire players have their game progress tied directly to their Facebook account—losing Facebook access means losing their game progress and purchases.

Protective measures:

Never trust third-party “generators” or “hacks” that promise free in-game currency or items. They are always scams.

Enable two-factor authentication (2FA) on your Facebook account to protect it even if your password is stolen.

Log into Free Fire only through the official app and official Garena methods.

Educate younger gamers about these scams, as they are frequently targeted.

Freefire fake page and Facebook phishing revealed

Free Fire “Rewards Generator” Scam – Facebook Credential Harvesting (Variant)

This phishing campaign targets Free Fire players by promising free in-game rewards (skins, diamonds, rare items) through a fake “generator” tool. The scam uses a multi-step process designed to steal victims’ Facebook login credentials, which are commonly used to access Free Fire accounts.

How it works:
The victim encounters a link to this scam via YouTube, TikTok, Discord, Instagram, or other social media platforms with enticing claims of free rewards.

Step 1 – Reward Selection Page (First Screenshot)
The victim lands on a page displaying numerous reward icons (weapons, skins, items) with “COLLECT” buttons. The page includes:

A suspicious URL: lesilesalacarte.com/… (not associated with Garena)

Text indicating “Fake ⬆ MWM got a game reward” (likely a tester’s note)

Garena branding to appear legitimate

Step 2 – Username & Platform Entry (Second Screenshot)
The victim is asked to:

Enter their Player Username (Free Fire in-game name)

Select their platform

Click “START THE TRANSFER”

This step collects basic information and creates the illusion of a personalized reward delivery.

Step 3 – Reward Confirmation (Third Screenshot)
After entering the username and platform, the victim sees another page filled with reward icons and “COLLECT” buttons. This reinforces the belief that rewards are ready to be claimed. A “Back to reward” link allows navigation, but all paths lead to the verification trap.

Step 4 – “Manual Human Verification” Requirement (Fourth Screenshot)
This page claims:

“Manual Human Verification is Required.”

Explanation: many robots try to use the generator, so to prove the user is human, they must complete a “quick task” (register a phone number or download a mobile app).

The instructions claim: “All applications are safe and must be running for 30 seconds to complete verification. You can delete apps later.”

This is a classic social engineering tactic to convince victims to complete the next step.

Step 5 – Facebook Login Phishing Page (Fifth Screenshot)
The “VERIFY NOW” button leads to a fake Facebook login page. This page asks for:

Mobile number or email address

Password

The page mimics Facebook’s mobile login interface and includes multiple language options to appear authentic.

The goal:
The attacker steals the victim’s Facebook credentials. Since Free Fire accounts are often linked to Facebook, this grants the attacker access to both the Facebook account and the associated Free Fire game account. Attackers can then:

Steal or sell the Free Fire account (including any purchased items or progress)

Access personal information on Facebook

Use the compromised Facebook account to spread the scam to the victim’s friends

Red flags to watch for:

“Too good to be true” offer: No legitimate service provides free in-game currency or rare items through an external website. Garena sells diamonds and items only through official channels.

Suspicious URL: The initial page is hosted on lesilesalacarte.com, a domain completely unrelated to Garena (garena.com) or Free Fire.

No official branding consistency: While the pages use the Free Fire and Garena names, they lack official logos, copyright notices, and professional design elements.

“Human verification” scam pattern: The requirement to “verify” by completing a task (phone registration, app download) is a classic phishing tactic. No legitimate game reward system uses such methods.

Facebook login request: The final step asks for Facebook credentials. Legitimate in-game rewards never require logging into Facebook through a third-party site.

Multiple “COLLECT” buttons: The repetitive design is meant to overwhelm the user and create a sense of abundance, but it is unprofessional and inconsistent with official Garena interfaces.

“Back to reward” loop: The navigation allows users to go back, but all paths eventually lead to the same phishing request.

What to do if you encounter this:

Do not enter your Free Fire username, select a platform, or click any “COLLECT” or “START THE TRANSFER” buttons.

Do not complete any “human verification” tasks, especially those asking for phone numbers or app downloads.

Do not enter your Facebook email/phone and password on the final page.

If you have already entered your Facebook credentials, change your Facebook password immediately, enable two-factor authentication (2FA), and check for any unauthorized activity.

Report the phishing page to Facebook and to Garena (Free Fire’s developer).

Why this scam is effective:
Free Fire has a massive global player base, especially among younger audiences who may be more susceptible to offers of free premium content. The multi-step process with multiple reward icons and the “human verification” explanation makes the scam appear legitimate and elaborate. The use of Facebook as the final credential harvest is strategic—once attackers have Facebook access, they can compromise the game account and potentially spread the scam further.

Protective measures:

Never trust third-party “generators” or “hacks” that promise free in-game currency or items. They are always scams.

Enable two-factor authentication (2FA) on your Facebook account to prevent unauthorized access even if your password is stolen.

Log into Free Fire only through the official app and official Garena methods.

Educate younger gamers about these scams, as they are frequently targeted through social media platforms.

Facebook phishing page detected

Free Fire “Anniversary Event” Scam – Facebook Credential Harvesting (Indonesian Variant)

This phishing campaign targets Free Fire players in Indonesia and other Indonesian-speaking regions by promoting a fake “anniversary event” offering free rewards. The scam uses localized language and cultural references to appear legitimate.

How it works:
The victim encounters a link to this scam via social media platforms (YouTube, TikTok, Instagram, Facebook) or messaging apps, often with captions promoting a Free Fire anniversary giveaway.

Step 1 – Fake Anniversary Promotion (First Screenshot)
The victim lands on a page with:

A suspicious URL: dangerous walkmiepaltreks.com/… (clearly not an official domain)

Indonesian text: “EXCEPT YANG DI TUNGBU-TUNGBU PARA BURNHOR DENGAN BERBABAN HADIAN KEREN JIJIN AND ELJIYY SPECIALI FREE DIFFS IN THIS ANNIVERSARY”
(Note: The text contains multiple typos and nonsensical phrases, likely machine-translated or poorly written.)

A heading: “4TH ANNIVERSARY”

A button: “AMBIL HADIAH” (Take Prize)

Step 2 – Login Request (Third Screenshot – second image failed to load)
After clicking “AMBIL HADIAH,” the victim is taken to a page that instructs:

Indonesian: “LIGHT DENGAN AKUR ANDA UNTUK MEDIAPATKAN HADIAN ANDA”
(Rough translation: “Login with your account to get your prize”)

A button: “Login dengan Facebook” (Login with Facebook)

Step 3 – Fake Facebook Login Page (Fourth Screenshot)
Clicking the login button leads to a fake Facebook login page. This page:

Asks for Nomer ponsel atau email (Mobile number or email) and Kata Sandi (Password)

Includes Facebook branding and language options (Bahasa Indonesia, English, etc.)

Is designed to steal the victim’s Facebook credentials

The goal:
The attacker steals the victim’s Facebook login credentials. Since many Free Fire players in Indonesia use Facebook to log into the game, gaining access to the Facebook account gives attackers control over the associated Free Fire account as well.

Red flags to watch for:

Suspicious URL: The initial page is hosted on a domain unrelated to Garena or Free Fire (dangerous walkmiepaltreks.com with obvious typos).

Poor Indonesian grammar: The text contains multiple misspellings and awkward phrasing (e.g., “EXCEPT YANG DI TUNGBU-TUNGBU,” “BERBABAN HADIAN,” “JIJIN AND ELJIYY”). Official Garena announcements use correct, professional Indonesian.

No official branding: The pages lack official Garena or Free Fire logos and copyright notices.

Anniversary timing: While Free Fire does have anniversary events, they are always announced and hosted on official channels (ff.garena.com), never through third-party domains.

Facebook login requirement: No legitimate Free Fire event requires logging into Facebook through a third-party link. Official events are accessed within the game app or on official Garena websites.

Multiple typos: The heading “4MWERSARY” instead of “4TH ANNIVERSARY” is a clear typo that indicates a fake page.

What to do if you encounter this:

Do not click “AMBIL HADIAH” or “Login dengan Facebook.”

Do not enter your Facebook email/phone and password on the fake login page.

If you are a Free Fire player, always check official Free Fire social media accounts and the official website (ff.garena.com) for legitimate event information.

If you have already entered your Facebook credentials, change your Facebook password immediately, enable two-factor authentication (2FA), and check for any unauthorized activity.

Report the phishing page to Facebook and to Garena.

Why this scam is effective:
Indonesia has a massive Free Fire player base, and anniversary events are highly anticipated. Scammers exploit this by creating fake “anniversary giveaway” pages that mimic the excitement of official events. The use of the Indonesian language (even with errors) makes the scam more convincing to local users than generic English phishing pages.

Protective measures:

Never click links claiming to offer free Free Fire rewards from unofficial sources.

Always access Free Fire events through the official game app or official Garena websites.

Enable two-factor authentication (2FA) on your Facebook account.

Be suspicious of any page that asks for your Facebook login credentials outside of facebook.com.

DPD phishing page in Czech detected

DPD Czech Phishing – Fake “Buyer Payment Confirmation” & Card Harvesting

This phishing campaign impersonates DPD, a legitimate international parcel delivery service, specifically targeting customers in the Czech Republic. The scam uses the pretext of a “buyer payment confirmation” to trick victims into entering credit card details on a fake payment page.

How it works:
The victim receives a phishing email or SMS claiming that a buyer has paid for a shipment or that a package requires payment confirmation. The link leads to a series of fake DPD-branded pages.

Step 1 – Fake DPD Landing Page (First Screenshot)
The page displays:

A suspicious URL: dpd cz.info orders7657 pw/… (not the official DPD domain)

DPD branding and navigation links (copied from the real DPD website)

A heading: “Potvrzení o zaplacení kupujícím” (Buyer payment confirmation)

A button or link likely leading to the next step (not fully visible in this screenshot)

The page mimics DPD’s legitimate Czech website layout to appear authentic.

Step 2 – Fake DPD Information Page (Second Screenshot)
This page displays legitimate-looking DPD content about the company’s services, corporate social responsibility, and support. Attackers often copy entire sections from real websites to make the phishing page appear credible. The page includes:

DPD’s real branding, mission statements, and navigation menus

Social media links and cookie policy information (copied from the official site)

However, the page is hosted on the fraudulent domain, not dpd.cz.

Step 3 – Bank Selection Page (Third Screenshot)
The victim is directed to a page asking them to select their bank from a list of major Czech and international banks, including:

MONETA

mBank

UniCredit

Raiffeisen BANK

Česká spořitelna

KB (Komerční banka)

Fio banka

and many others

This page is designed to make the victim believe they are about to complete a legitimate payment through their own bank’s secure portal.

Step 4 – Credit Card Harvesting Page (Fourth Screenshot)
After selecting a bank, the victim is taken to a page that requests:

Full credit card number (placeholder: XXXX XXXXX XXXXX XXXXX)

Expiry date (MM/YY)

Cardholder name and surname

The page displays a DPD logo and an amount: 2999 Kč (Czech koruna), along with a transaction number (#163962098).

The goal:
The attacker steals the victim’s credit card details (card number, expiry date, and cardholder name). With this information, they can make fraudulent online purchases, create cloned cards, or sell the data. There is no legitimate payment—the entire “buyer confirmation” and delivery context is fabricated.

Red flags to watch for:

Suspicious URL: The initial page is hosted on dpd cz.info orders7657 pw/…. The official DPD Czech domain is dpd.cz. Any deviation (extra words, misspellings, or different TLDs like .info) is a red flag.

Unusual request for card details: DPD does not process payments through a “bank selection” page that asks for full credit card details on a third-party site. Legitimate DPD payments are handled through integrated payment gateways (e.g., ComGate, GoPay) on the official website.

Context mismatch: The scam combines a “buyer payment confirmation” (suggesting the victim is receiving money) with a request for the victim’s own credit card details. This is illogical—receiving money does not require entering your card information.

Copied content: The second page contains legitimate DPD text, but it is hosted on a fake domain. Attackers often copy entire sections of real websites to make their pages look authentic.

Generic transaction details: The transaction number (#163962098) and amount (2999 Kč) are fabricated and not tied to any real shipment.

No login or tracking number: A legitimate DPD payment confirmation would require a tracking number or reference to a specific shipment. This page lacks any such identifier.

What to do if you encounter this:

Do not select your bank or enter any credit card details.

Do not enter any personal information on these pages.

If you are expecting a package from DPD, go directly to dpd.cz and enter your tracking number to check its status.

If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.

Report the phishing page to DPD Czech and to the relevant anti-phishing authorities.

Why this scam is effective:
DPD is a widely used delivery service in the Czech Republic. The scam exploits the common scenario of e-commerce transactions where buyers pay for shipments. The copied legitimate content from DPD’s real website makes the fake pages visually convincing. The bank selection list with well-known Czech banks adds to the illusion of authenticity, making victims believe they are being redirected to a secure banking portal.

Protective measures:

Always type the official URL (dpd.cz) directly into your browser to track shipments or make payments.

Never click links in unsolicited emails or SMS messages claiming delivery issues or payment confirmations.

Be suspicious of any page that asks for your credit card details outside of a well-known, secure payment gateway (e.g., ComGate, GoPay) on the official merchant site.

Check the URL carefully—phishing domains often contain the brand name but add extra words, use different TLDs (.info, .site, .xyz), or have slight misspellings.
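The URL checks recommended above (brand name plus extra words, a different TLD, a slight misspelling, or a Facebook login served outside facebook.com) can be automated for link triage. The following is an added example, not part of the original reports: the function names and the .example hosts are constructed, and the brand-to-domain table uses only the official domains named on this page.

```python
from urllib.parse import urlsplit

# Official domains named on the page, keyed by the brand a page claims to be.
OFFICIAL = {"dpd": "dpd.cz", "garena": "garena.com", "facebook": "facebook.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch slight misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, brand):
    """Return 'official', 'lookalike' or 'off-domain' for a page claiming `brand`."""
    official = OFFICIAL[brand]
    # urlsplit only finds a host after '//'; it also drops any 'user@' prefix.
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower().rstrip(".")
    # Match on a label boundary so the official name must be the real suffix.
    if host == official or host.endswith("." + official):
        return "official"
    # Split on dots and hyphens so 'dpd-cz-orders' yields the token 'dpd'.
    for token in host.replace("-", ".").split("."):
        if token == brand:
            return "lookalike"  # brand name with extra words or another TLD
        if len(brand) >= 6 and edit_distance(token, brand) == 1:
            return "lookalike"  # slight misspelling; short brands are skipped
    return "off-domain"

def is_suspicious(url, brand):
    """A page showing `brand` login or payment forms is suspect unless official."""
    return classify(url, brand) != "official"

# Constructed samples (reserved .example names), plus two hosts quoted on the page.
SAMPLES = [
    ("https://ff.garena.com/", "garena"),
    ("https://lesilesalacarte.com/", "garena"),
    ("https://dpd.cz.orders.example/pay", "dpd"),
    ("https://dpd.cz@pay.example/confirm", "dpd"),
    ("https://facebok.example/login", "facebook"),
]

if __name__ == "__main__":
    for url, brand in SAMPLES:
        print(f"{classify(url, brand):<10} {brand:<8} {url}")
```

An "off-domain" result is still suspicious when the page itself shows the brand's login or payment form, which is why `is_suspicious` treats everything except "official" the same way.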