eBay fake page in German detected


eBay / Kleinanzeigen Phishing – Fake “Ticket Sold” & Card Harvesting Scam (German Variant)

This phishing campaign impersonates eBay (or the German eBay Kleinanzeigen platform) to target sellers. The scam creates a fake “item paid” page for a high-demand concert ticket, then directs the seller to a credit card harvesting form under the guise of “receiving” payment.

How it works:
A seller receives a message—likely via the platform’s messaging system—from a supposed buyer claiming to have paid for a listed item. The message includes a link to the first phishing page.

Step 1 – Fake “Item Paid” Confirmation Page
The first page displays:

  • A heading suggesting funds are ready to be received
  • A specific event: a concert ticket (Peter Gabriel in Berlin) with a price in euros (€204)
  • A statement that the item has been paid
  • Fabricated buyer details, including a name, phone number, and shipping address in Germany
  • A prominent button implying the seller can claim or receive the money

Step 2 – Credit Card Harvesting Page
After clicking the button, the seller is taken to a second page that:

  • Uses eBay branding
  • Requests full credit card details: cardholder name, card number, expiration date, and (implied) security code
  • Includes payment brand logos (Visa, Mastercard) and a “Secure Connection” badge to appear trustworthy

The goal:
The attacker steals the seller’s credit card details. There is no actual buyer or payment—the entire transaction is fabricated. The concert ticket and the €204 price are realistic, making the scam plausible.

Red flags to watch for:

  • Illogical request for card details: A seller receiving money should never be asked to enter their credit card number, expiration date, and security code. Receiving funds requires bank account details (IBAN) or a linked payout method—not card credentials.
  • No eBay Kleinanzeigen branding on first page: The first page lacks clear eBay Kleinanzeigen branding, despite referencing a sale. The second page uses generic eBay branding, but the flow is inconsistent with how the platform actually processes payments.
  • Suspicious URL: The pages are hosted on a domain that is not ebay.de, ebay-kleinanzeigen.de, or any official eBay domain. Always check the address bar.
  • Fake buyer details: The provided buyer address and phone number are likely fabricated. In legitimate transactions on eBay Kleinanzeigen, payment is typically handled in person or via direct bank transfer—not through a third-party payment page.
  • No account login required: A legitimate sale would appear in the seller’s account dashboard after logging in. This scam bypasses account authentication entirely.
  • Generic card form: The second page lacks integration with eBay’s actual payment systems (such as the platform’s integrated checkout) and uses a generic form design.

What to do if you encounter this:

  • Do not click the button to “receive” money.
  • Do not enter your credit card details, cardholder name, expiration date, or security code on such pages.
  • If you are selling on eBay Kleinanzeigen or similar platforms, always log into your account directly (by typing the official URL) to check for real sales and messages.
  • Never trust links sent by buyers claiming they have paid—especially those directing you to external pages.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the platform’s support team.

Why this scam is effective:
The German classifieds market is active, and concert tickets for popular artists like Peter Gabriel are frequently sold second-hand. The €204 price is realistic for a “Golden Circle” ticket. Sellers are often eager to complete a sale quickly. The use of the eBay brand on the second page (even if generic) adds a layer of false familiarity for German users.

Protective measures:

  • Always verify any sale by logging directly into your account (e.g., eBay Kleinanzeigen)—never through a link sent in a message.
  • Never enter credit card details to receive payment. Sellers provide payout details (bank account) during account setup; payments are processed automatically or arranged in person.
  • Be suspicious of any message that creates urgency or claims payment is already “waiting” but requires you to click an external link.
  • If a buyer sends you a link to “claim” payment, treat it as a red flag and verify directly through the platform’s official app or website.
  • On eBay Kleinanzeigen, prefer local, cash-on-pickup transactions for high-value items. If shipping, use the platform’s integrated payment system (if available) or a traceable bank transfer—never a link-based “card” form.

Booking.com phishing site detected


Booking.com Partner Phishing – Full Credential & 2FA Code Theft

This phishing campaign impersonates Booking.com’s partner portal (the extranet used by property owners and managers). The scam uses a multi-page flow designed to capture the victim’s username, password, and two-factor authentication (2FA) codes in real time, allowing attackers to bypass security measures and take over the account.

How it works:
The victim (a Booking.com partner) receives a phishing email, SMS, or message claiming an issue with their property listing, a payment problem, or a need to verify their account. The link leads to the first phishing page.

Step 1 – Fake Username Login Page
The first page mimics Booking.com’s partner login interface. It asks for the victim’s username (or login ID) associated with their property account.

Step 2 – Fake Password Page
After entering a username, the victim is taken to a second page that asks for the account password. This two-step approach is identical to Booking.com’s legitimate login flow, making it more convincing.

Step 3 – Fake 2FA Method Selection Page
Once the attacker has captured both username and password, the victim is presented with a page asking them to select a verification method (SMS or app). This mimics Booking.com’s actual two-factor authentication step.

Step 4 – Fake 2FA Code Entry Page
After selecting a method, the victim is shown a page requesting the verification code sent to their phone or authenticator app. When the victim enters the code, the attacker captures it and uses it to complete the login on the real Booking.com site—often within seconds.

The goal:
The attacker gains full access to the victim’s Booking.com partner account. With this access, they can:

  • View and modify property listings
  • Access guest payment information
  • Change bank account details for payouts, redirecting future earnings
  • Defraud guests by sending fake messages requesting additional payments
  • Use the compromised account to target other partners or guests

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not booking.com (the partner extranet is reached at admin.booking.com). Always check the address bar before entering credentials.
  • Unsolicited login request: Booking.com does not send emails or messages with links requiring partners to log in to resolve account issues. Partners should always access the extranet by typing the URL directly.
  • Generic numbering: The second page shows a placeholder account number (“5436376543547”) that is not personalized to the actual victim—a common flaw in phishing kits.
  • Inconsistent flow: While the pages mimic Booking.com’s design, subtle differences in layout, fonts, or footer formatting may be present when compared to the real site.
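  • No browser security indicators: Legitimate Booking.com login pages use HTTPS with valid certificates and often show a padlock icon in the address bar. Phishing pages may use HTTP or self-signed certificates. A padlock alone proves nothing, however: phishing pages can obtain valid certificates too, so it only counts together with the correct domain.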

What to do if you encounter this:

  • Do not enter your username, password, or any two-factor authentication codes on these pages.
  • If you are a Booking.com partner, always access the extranet by typing admin.booking.com directly into your browser or by using the official Pulse app.
  • Enable two-factor authentication on your Booking.com account if not already active, and use a physical security key or authenticator app rather than SMS where possible.
  • If you have already entered your credentials and 2FA code, contact Booking.com’s partner support immediately to secure your account and check for unauthorized changes (especially payout details).
  • Report the phishing page to Booking.com’s security team.

Why this scam is particularly dangerous:
This is a real-time credential and session hijacking attack. The attacker does not just collect credentials—they use the stolen 2FA code immediately to log into the real Booking.com account. By the time the victim realizes the mistake, the attacker may have already changed payout bank details and initiated fraudulent transfers. Booking.com partners (hotels, vacation rentals) manage significant financial transactions, making these accounts high-value targets.

Protective measures:

  • Bookmark the official extranet URL and use that bookmark to log in—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate Booking.com domains, not on phishing sites.
  • Verify any unexpected login request: If you receive an email about an account issue, open a new browser window and go to the official site directly instead of clicking links.
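  • Use hardware-based 2FA (such as a YubiKey) or an authenticator app rather than SMS when available, as these are more resistant to phishing. Against the real-time relay described above, only the hardware key helps: a code from an authenticator app can be typed into a fake page and forwarded just like an SMS code, whereas a FIDO2/WebAuthn key binds its response to the site's domain.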
  • Regularly review payout details in your Booking.com account to ensure no unauthorized changes have been made.
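
Why the real-time 2FA relay described above succeeds with one-time codes but not with an origin-bound security key, as an added Python simulation (not part of the original report). The look-alike origin is constructed, and an HMAC with a shared key stands in for WebAuthn's public-key signature; both are assumptions made to keep the example self-contained.

```python
import hashlib
import hmac
import os
import struct

REAL_ORIGIN = "https://admin.booking.com"        # extranet host named in this report
PHISH_ORIGIN = "https://extranet-login.example"  # constructed look-alike origin


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 time-based one-time password (HMAC-SHA1)."""
    counter = struct.pack(">Q", int(unix_time // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_totp(secret, code, unix_time):
    """The server sees only the digits; nothing records where they were typed."""
    return hmac.compare_digest(code, totp(secret, unix_time))


def key_sign(device_key, challenge, browser_origin):
    """Toy security key: signs the challenge together with the origin that the
    browser reports. HMAC is a stand-in for the WebAuthn signature."""
    msg = challenge + b"|" + browser_origin.encode()
    return {"origin": browser_origin,
            "sig": hmac.new(device_key, msg, hashlib.sha256).digest()}


def server_accepts_assertion(device_key, challenge, assertion):
    """Accept only a valid signature over the server's own origin."""
    if assertion["origin"] != REAL_ORIGIN:
        return False
    msg = challenge + b"|" + assertion["origin"].encode()
    expected = hmac.new(device_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["sig"], expected)


def simulate(now=1_700_000_010):
    """Run each login path once; `now` sits at the start of a 30 s TOTP step."""
    secret, device_key = os.urandom(20), os.urandom(32)
    results = {}

    # One-time code typed on the real site.
    results["totp_direct"] = server_accepts_totp(secret, totp(secret, now), now)
    # Same kind of code typed on the look-alike page and passed on 10 s later:
    # it is still inside its validity window, so the server cannot tell.
    results["totp_relayed"] = server_accepts_totp(secret, totp(secret, now), now + 10)

    challenge = os.urandom(16)
    # Security key used on the real site.
    direct = key_sign(device_key, challenge, REAL_ORIGIN)
    results["key_direct"] = server_accepts_assertion(device_key, challenge, direct)
    # Security key used on the look-alike page: the browser reports that
    # page's origin, so the forwarded assertion names the wrong site.
    relayed = key_sign(device_key, challenge, PHISH_ORIGIN)
    results["key_relayed"] = server_accepts_assertion(device_key, challenge, relayed)
    # Editing the origin field afterwards breaks the signature instead.
    rewritten = dict(relayed, origin=REAL_ORIGIN)
    results["key_origin_rewritten"] = server_accepts_assertion(
        device_key, challenge, rewritten)
    return results


if __name__ == "__main__":
    for path, accepted in simulate().items():
        print(f"{path:22s} accepted={accepted}")
```

Real WebAuthn authenticators additionally scope each credential to the site it was registered for, so on a look-alike domain the key normally finds no credential to use at all.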

Deutsche Post phishing page detected


Deutsche Post Phishing – Fake Shipment Tracking & Card Harvesting Scam (German Variant)

This phishing campaign impersonates Deutsche Post, the national postal service of Germany. The scam creates a fake shipment tracking page for a second-hand item (a children’s bicycle) to convince a seller that a buyer has paid and the item is ready to be shipped. The victim is then directed to a credit card harvesting page to “receive” payment.

How it works:
A seller receives a message—likely via a classified platform (e.g., eBay Kleinanzeigen) or messaging app—from a supposed buyer claiming to have paid for an item. The buyer sends a link to the first phishing page.

Step 1 – Fake Deutsche Post Shipment Tracking Page
The first page displays:

  • Deutsche Post branding and navigation elements copied from the legitimate website
  • A shipment tracking result showing:
      • A product: a children’s bicycle (PUKY brand)
      • A delivery address in Germany
      • An amount in euros (€100)
      • A fake tracking/reference ID
  • The layout mimics Deutsche Post’s official tracking interface

Step 2 – Customer Service Information Page
The second page displays:

  • Legitimate-looking Deutsche Post customer service phone numbers and hours
  • Footer links including imprint, privacy, and legal notices copied from the real Deutsche Post website
  • This page is designed to add credibility, making the overall scam appear more legitimate

Step 3 – Credit Card Harvesting Page
The third page is a payment form that:

  • Uses Deutsche Post branding (with a typo in the domain name and page title)
  • Displays the same amount (€100) and reference number
  • Requests:
      • Full credit card number
      • Expiration date (MM/YY)
      • Phone number
  • Includes a “Send” button and claims of secure encryption

The goal:
The attacker steals the victim’s credit card details along with their phone number. There is no actual buyer or payment—the entire transaction and tracking information are fabricated.

Red flags to watch for:

  • Illogical request for card details: A seller receiving money should never be asked to enter their credit card number, expiration date, or phone number. Receiving funds requires bank account details (IBAN) or a linked payout method—not card credentials.
  • Domain mismatch: The third page shows a URL that is not deutschepost.de. The legitimate Deutsche Post domain is deutschepost.de—any variation (misspellings, extra words, different TLDs) is a red flag.
  • Typo in branding: The third page contains a typo (“dentschpost” instead of “Deutsche Post”), a clear indicator of a fake page.
  • Mixed purpose: The first page presents shipment tracking information, but the final page asks for card details to “receive funds.” These functions are unrelated in legitimate postal services.
  • No login required: A legitimate shipment tracking or payment process would not ask for credit card details without first logging into a verified account.
  • Copied content: The second page contains real Deutsche Post customer service numbers and legal text, but it is hosted on the phishing domain—attackers often copy such content to appear authentic.

What to do if you encounter this:

  • Do not enter any credit card details, expiration date, or phone number on such pages.
  • Do not click any buttons claiming to “receive” funds or complete a transaction.
  • If you are expecting a payment for an item sold online, never use a link sent by the buyer. Instead, arrange payment via bank transfer (IBAN), PayPal (by logging into your account directly), or cash on pickup.
  • If you have already entered your credit card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Deutsche Post’s security team.

Why this scam is effective:
Deutsche Post is a trusted institution in Germany, and its tracking service is frequently used for shipments from classified platforms. The scam combines multiple familiar elements: a realistic product (children’s bicycle), a plausible price (€100), and a fake tracking page that mimics the official Deutsche Post interface. The inclusion of real customer service numbers and legal footers adds to the illusion. Sellers who are eager to complete a sale may not question why they are being asked for card details to receive money.

Protective measures:

  • Always verify tracking information by typing deutschepost.de directly into your browser and entering the tracking number manually—never through a link.
  • Never enter credit card details to receive payment. Sellers should provide their IBAN or PayPal email address directly to the buyer, and payments should appear in the seller’s account without further action.
  • Be suspicious of any message that creates urgency and directs you to an external page to “claim” payment or “complete” a shipment.
  • If a buyer sends you a link to a Deutsche Post tracking page, independently verify the tracking number on the official website.
  • For classified transactions in Germany, prefer local, cash-on-pickup transactions, or use the integrated payment system of the platform (e.g., eBay Kleinanzeigen’s “Sicher Bezahlen”).

Postbank phishing page detected


Postbank Phishing – Fake Login Page Stealing Postbank ID Credentials

This phishing campaign impersonates Postbank, a leading retail bank in Germany. The page is designed to steal customers’ online banking credentials—specifically the Postbank ID (the primary login identifier). The page mimics the legitimate Postbank login interface to trick victims into entering their credentials.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to this fake Postbank login page. The page asks for the Postbank ID, which is the first step in the bank’s legitimate authentication process. After the victim enters their Postbank ID, they would likely be taken to a subsequent phishing page requesting their password (and possibly a second factor or PIN).

The goal:
The attacker aims to steal the victim’s Postbank ID and, through a follow-up page, their password and any additional authentication credentials. With these, the attacker can log into the victim’s real Postbank account, view balances, transfer funds, and potentially access other linked financial services.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not postbank.de. The legitimate Postbank online banking domain is postbank.de. Always check the address bar before entering any credentials.
  • Unsolicited login request: Postbank does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the URL directly or using the official app.
  • Generic greeting: The page uses a generic greeting (“Guten Morgen” – Good morning) rather than addressing the customer by name. Legitimate banking portals often personalize the greeting or display a security image after initial identification.
  • Missing security indicators: Legitimate Postbank login pages use HTTPS with valid certificates and display a padlock icon. Phishing pages may lack these indicators or use self-signed certificates, but many carry valid certificates, so a padlock on the wrong domain means nothing.
  • No step for password or second factor: This page only asks for the Postbank ID. The password and second factor would be requested on subsequent pages—a common pattern in phishing kits that first validate the identifier before proceeding.

What to do if you encounter this:

  • Do not enter your Postbank ID or any other credentials on this page.
  • If you are a Postbank customer, always access online banking by typing postbank.de directly into your browser or by using the official Postbank app.
  • If you have already entered your Postbank ID, do not proceed to enter your password or any security codes. Contact Postbank immediately to secure your account.
  • Report the phishing page to Postbank’s fraud department (e.g., by forwarding the original message to [email protected] or using their official reporting channels).

Why this scam is effective:
Postbank has millions of customers in Germany, making it a frequent target for phishing. The page closely mimics the design of the legitimate Postbank login interface, including familiar elements such as the “IT-Umzug” (IT migration) references and security warnings. The inclusion of real-looking footer links (impressum, data protection, etc.) adds to the illusion of legitimacy.

Protective measures:

  • Bookmark the official Postbank login page and use that bookmark to access online banking—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate postbank.de domains, not on phishing sites.
  • Enable two-factor authentication (2FA) on your Postbank account if available, to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
  • Check the URL carefully: Legitimate Postbank domains end with postbank.de (e.g., meine.postbank.de). Look for misspellings, extra words, or unusual top-level domains (.com, .xyz, etc.).
  • If in doubt, contact Postbank directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

Banco De Oro phishing page detected


BDO Online Banking Phishing – Credential Harvesting Page

This phishing campaign impersonates BDO Unibank, a major bank in the Philippines. The page is designed to steal customers’ online banking credentials—specifically the User ID and Password used to access BDO’s online banking platform.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account suspension, or the need to verify their information. The message includes a link to this fake BDO login page. The page mimics the real BDO Online Banking interface, including toll-free numbers, footer links, and other elements copied from the legitimate site. When the victim enters their User ID and Password and clicks “Login,” the credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal the victim’s BDO online banking credentials. With these, they can log into the victim’s real bank account, view balances, transfer funds, pay bills, and potentially commit further fraud.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not bdo.com.ph. The legitimate BDO online banking domain is bdo.com.ph. Always check the address bar before entering any credentials.
  • Typographical error: The page contains the phrase “Logn to BDO Online Banking” instead of “Log in.” This type of error is common in phishing pages and is a clear red flag.
  • Generic security message: The page includes a note about browser versions, but legitimate BDO login pages do not typically display such a message prominently on the login form.
  • Unsolicited login request: BDO does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the URL directly or using the official BDO app.
  • No personalization: Legitimate BDO Online Banking often displays a security image or personalized greeting after entering the User ID—this page does not.
  • Copied footer content: While the footer contains real BDO information (toll-free numbers, regulatory disclosures), phishing pages often copy this text to appear credible. The presence of this content does not make the page legitimate.

What to do if you encounter this:

  • Do not enter your User ID, Password, or any other personal information on this page.
  • If you are a BDO customer, always access online banking by typing bdo.com.ph directly into your browser or by using the official BDO mobile app.
  • If you have already entered your credentials, contact BDO immediately through their official customer service hotline to secure your account and change your password.
  • Report the phishing page to BDO’s fraud department (e.g., by forwarding the original message to [email protected]).

Why this scam is effective:
BDO has millions of online banking users in the Philippines, making it a frequent target for phishing. The page closely mimics the design of the legitimate BDO login interface, including familiar elements such as the toll-free numbers, footer links, and the “We find ways” slogan. The inclusion of real-looking customer service details and regulatory disclosures adds to the illusion of legitimacy. The typo “Logn” is one of the few visual red flags—underscoring how carefully users must scrutinize every detail.

Protective measures:

  • Bookmark the official BDO login page and use that bookmark to access online banking—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate bdo.com.ph domains, not on phishing sites.
  • Enable two-factor authentication (2FA) on your BDO account if available, to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
  • Check the URL carefully: Legitimate BDO domains end with bdo.com.ph. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact BDO directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

Shinhan bank phishing pages detected


Shinhan Bank Fake “Registration Reward” Scam (Vietnamese Variant)

This campaign impersonates Shinhan Bank, a legitimate international bank with a significant presence in Vietnam. The scam promotes a fake “ambassador” program offering a cash reward (800,000 VND, approximately 30 USD) for registering an account through a provided link. The goal is to trick victims into downloading a malicious app, entering personal information, or installing malware on their device.

How it works:
The victim encounters this scam via social media ads, SMS, email, or messaging apps (such as Facebook, Zalo, or Telegram). The page claims that by registering for a Shinhan Bank account through the provided links, the user will receive a cash reward.

The fake promotion includes:

  • A promise of 800,000 VND for new account registration
  • Instructions to download an app via Android or iOS buttons
  • Steps that appear to describe a legitimate banking registration process (downloading the app, registering for internet banking, entering phone number and email, receiving OTP, completing eKYC – electronic Know Your Customer verification)

The goal:
The attacker aims to:

  • Trick victims into downloading a fake banking app that may contain malware or steal credentials
  • Capture personal information (phone number, email, ID documents) during the fake registration process
  • Steal one-time passwords (OTP) or other authentication details
  • Potentially gain access to the victim’s actual banking accounts if the victim mistakenly uses real credentials on a fake interface

There is no legitimate reward—the entire promotion is fabricated.

Red flags to watch for:

  • Too good to be true offer: A cash reward of 800,000 VND for simply downloading an app and registering is highly unusual for a legitimate bank. Banks do not typically offer such promotions through unofficial channels with download links.
  • Suspicious download links: The “Tải Android” and “Tải Cho iOS” buttons likely lead to fake apps or phishing pages, not the official Shinhan Bank app from the Google Play Store or Apple App Store.
  • Unofficial distribution: Legitimate banking apps are distributed exclusively through official app stores (Google Play, App Store). Banks never require users to download apps via third-party links in promotional messages.
  • Domain mismatch: The page is hosted on a domain that is not the official Shinhan Bank Vietnam domain (which is shinhan.com.vn).
  • Generic instructions: The registration steps are described in vague terms. A legitimate bank would direct customers to its official website or app store listing, not provide a step-by-step guide on a promotional page with direct download buttons.
  • Pressure to act: The language encourages immediate action (“còn chờ gì” – “what are you waiting for”) to create urgency.

What to do if you encounter this:

  • Do not click the “Tải Android” or “Tải Cho iOS” buttons.
  • Do not download any app from links provided on this page.
  • Do not enter any personal information, phone numbers, email addresses, or ID documents.
  • If you wish to open an account with Shinhan Bank, visit the official Shinhan Bank Vietnam website (shinhan.com.vn) or go directly to a branch. Only download the official banking app from the Google Play Store or Apple App Store.
  • If you have already downloaded an app from a suspicious link or entered personal information, contact Shinhan Bank’s official customer service immediately to secure your accounts, and run a security scan on your device.

Why this scam is effective:
Shinhan Bank is a well-known and trusted financial institution in Vietnam. The promise of a cash reward (800,000 VND) is attractive to many individuals. The use of Vietnamese language, the mention of eKYC (a legitimate banking process), and the step-by-step instructions make the offer appear authentic. Scammers often use such “registration reward” campaigns to distribute malware or harvest personal data for identity theft.

Protective measures:

  • Always download banking apps exclusively from official app stores (Google Play, App Store) and verify the developer name matches the official bank.
  • Be suspicious of any unsolicited message offering cash rewards for downloading apps or registering accounts.
  • Verify promotions by visiting the bank’s official website or contacting customer service through official channels—never use contact information provided in the suspicious message.
  • Never enter personal information or banking credentials on pages reached via unsolicited links.
  • Report suspicious promotions to the bank being impersonated and to local authorities.

First National Bank (FNB) phishing page detected


FNB Online Banking Phishing – Credential Harvesting Page

This phishing campaign impersonates FNB (First National Bank), a major bank in South Africa. The page is designed to steal customers’ online banking credentials—specifically the Username and Password used to access FNB’s online banking platform.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to this fake FNB login page. When the victim enters their Username and Password and clicks “Login,” the credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal the victim’s FNB online banking credentials. With these, they can log into the victim’s real bank account, view balances, transfer funds, pay bills, and potentially commit further fraud.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not fnb.co.za or fnb.com. The legitimate FNB online banking domain is fnb.co.za. Always check the address bar before entering any credentials.
  • Extremely minimal design: The legitimate FNB login page includes additional security elements such as a security image, personalized greeting, or step-by-step authentication flow. This page is bare and lacks those features.
  • Generic branding: The page uses a basic FNB logo but lacks the full branding, navigation menus, and security indicators present on the real FNB site.
  • No security messaging: Legitimate FNB login pages display security tips, fraud warnings, and links to report suspicious activity. This page has none.
  • Outdated copyright notice: The footer shows “Copyright © 2020” while the legitimate site would display the current year. This is a common oversight in phishing pages.
  • Unsolicited login request: FNB does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the URL directly or using the official FNB app.

What to do if you encounter this:

  • Do not enter your Username, Password, or any other personal information on this page.
  • If you are an FNB customer, always access online banking by typing fnb.co.za directly into your browser or by using the official FNB app.
  • If you have already entered your credentials, contact FNB immediately through their official customer service hotline to secure your account and change your password.
  • Report the phishing page to FNB’s fraud department (e.g., by forwarding the original message to [email protected] or using their official reporting channels).

Why this scam is effective:
FNB is one of South Africa’s largest banks, with millions of digital banking users. The simple, clean design of the page mimics the real FNB login interface enough to deceive users who are not paying close attention to the URL. The use of the FNB logo and the familiar “how can we help you?” tagline adds to the illusion. Many phishing pages rely on the fact that users often glance at the logo and layout rather than scrutinizing the address bar.

Protective measures:

  • Bookmark the official FNB login page and use that bookmark to access online banking—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate fnb.co.za domains, not on phishing sites.
  • Enable two-factor authentication (2FA) on your FNB account if available, to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
  • Check the URL carefully: Legitimate FNB domains end with fnb.co.za. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact FNB directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.
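
The "check the URL carefully" advice repeated in the reports above, as an added Python example (not part of the original reports): a host counts as official only if it equals one of the official domains named on this page or is a subdomain of one, and hosts that merely contain or closely misspell a brand name are flagged. The sample URLs are constructed on the reserved .example TLD, and the keyword and distance thresholds are assumptions.

```python
from urllib.parse import urlsplit

# Official domains as named in the reports on this page.
OFFICIAL = {
    "ebay.de": "eBay",
    "ebay-kleinanzeigen.de": "eBay Kleinanzeigen",
    "booking.com": "Booking.com",
    "deutschepost.de": "Deutsche Post",
    "postbank.de": "Postbank",
    "bdo.com.ph": "BDO",
    "shinhan.com.vn": "Shinhan Bank",
    "fnb.co.za": "FNB",
}
FUZZY_MIN_LEN = 7  # assumption: fuzzy-match only brand keywords this long
MAX_DISTANCE = 2   # assumption: "dentschpost" is 2 edits from "deutschepost"


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def official_brand(host):
    """Exact domain or a true subdomain. The leading dot matters: a bare
    endswith("postbank.de") would also accept "xpostbank.de"."""
    for domain, brand in OFFICIAL.items():
        if host == domain or host.endswith("." + domain):
            return brand
    return None


def imitated_brand(text):
    """Brand whose keyword appears in, or nearly matches, a dot- or
    hyphen-separated part of `text`; None if there is no resemblance."""
    labels = text.split(".")
    tokens = set(labels)
    for label in labels:
        tokens.update(label.split("-"))
    for domain, brand in OFFICIAL.items():
        keyword = domain.split(".")[0]
        for tok in tokens:
            if tok == keyword:
                return brand
            if len(keyword) >= FUZZY_MIN_LEN and (
                    keyword in tok or edit_distance(tok, keyword) <= MAX_DISTANCE):
                return brand
    return None


def classify(url):
    """Return (verdict, brand). "unrelated" means no resemblance to a listed
    brand was found; it does not mean the site is safe."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("invalid", None)  # e.g. scheme missing, so no host was parsed
    brand = official_brand(host)
    if brand:
        return ("official", brand)
    # Text before "@" is userinfo, not the host; check it too, because it can
    # make a link read as if it pointed at the official domain.
    decoy = (parts.username or "").lower()
    brand = imitated_brand(host) or imitated_brand(decoy)
    if brand:
        return ("impersonation", brand)
    return ("unrelated", None)


# Constructed sample links (not taken from the reports).
SAMPLES = [
    "https://meine.postbank.de/login",
    "https://postbank.de.konto-pruefung.example/login",
    "https://postbank.de@login.example/",
    "https://dentschpost.example/zahlung",
    "https://secure-fnb.example/login",
    "https://www.example.org/news",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(classify(url), url)
```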

M&T Bank phishing page revealed


M&T Bank Online Banking Phishing – Credential Harvesting Page

This phishing campaign impersonates M&T Bank, a well-known bank in the United States, particularly active in the Northeast and Mid-Atlantic regions. The page is designed to steal customers’ online banking credentials—specifically the User ID and Passcode (password) used to access M&T Bank’s online banking platform.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account suspension, or the need to verify their information. The message includes a link to this fake M&T Bank login page. The page mimics the real M&T Bank online banking interface, including familiar footer links. When the victim enters their User ID and Passcode and clicks “Log In,” the credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal the victim’s M&T Bank online banking credentials. With these, they can log into the victim’s real bank account, view balances, transfer funds, pay bills, and potentially commit further fraud.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not mtb.com. The legitimate M&T Bank online banking domain is mtb.com. Always check the address bar before entering any credentials.
  • Outdated copyright notice: The footer shows “©2022 MAT Bank” (with a typo: “MAT” instead of “M&T”) and an incorrect year. Legitimate pages display the current year and correct branding.
  • Typographical error: The bank name is misspelled as “MAT Bank” in the copyright line—a clear indicator of a fake page.
  • Unsolicited login request: M&T Bank does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the URL directly or using the official app.
  • No personalization or security image: Legitimate M&T Bank login pages often display a security image or phrase after entering a User ID. This page lacks that additional security layer.
  • Generic footer: While the footer contains links similar to the real M&T Bank site, the presence of these links does not make the page legitimate—attackers copy them from the real website.

What to do if you encounter this:

  • Do not enter your User ID, Passcode, or any other personal information on this page.
  • If you are an M&T Bank customer, always access online banking by typing mtb.com directly into your browser or by using the official M&T Bank mobile app.
  • If you have already entered your credentials, contact M&T Bank immediately through their official customer service hotline to secure your account and change your password.
  • Report the phishing page to M&T Bank’s fraud department (e.g., by forwarding the original message to the bank’s official phishing-report address or using their official reporting channels).

Why this scam is effective:
M&T Bank has millions of customers across the United States. The page closely mimics the design of the legitimate M&T Bank login interface, including the familiar header, form layout, and footer links. The typo in the copyright line (“MAT Bank”) is one of the few visual red flags—underscoring how carefully users must scrutinize every detail. Many users glance at the logo and layout without checking the URL or noticing small text errors.

Protective measures:

  • Bookmark the official M&T Bank login page and use that bookmark to access online banking—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate mtb.com domains, not on phishing sites.
  • Enable two-factor authentication (2FA) on your M&T Bank account if available, to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
  • Check the URL carefully: Legitimate M&T Bank hostnames are mtb.com itself or end with .mtb.com (dot included), directly before the first slash. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact M&T Bank directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

Bank of America phishing page revealed


Bank of America Phishing – Fake “Preventive Unlock” Scam (Spanish Variant)

This phishing campaign impersonates Bank of America (BoA), one of the largest banks in the United States, and targets Spanish-speaking customers. The page uses a fake security alert—claiming the account requires a “preventive unlock”—to create urgency and direct victims to a credential harvesting page.

How it works:
The victim receives a phishing email, SMS, or other message in Spanish claiming that their Bank of America account has been locked or requires verification. The message includes a link to this page. The page presents a message stating that the user must click a button to proceed with an “unlock” process. Clicking the button leads to a fake Bank of America login page (not shown in this screenshot) where the victim is asked to enter their online banking credentials.

The goal:
The attacker aims to steal the victim’s Bank of America online banking credentials (User ID and password). With these, they can log into the victim’s real bank account, view balances, transfer funds, and commit fraud.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not bankofamerica.com. Always check the address bar before interacting with any page claiming to be from your bank.
  • Poor Spanish grammar: The text contains awkward phrasing and grammatical errors that would not appear in official Bank of America communications. Legitimate bank communications are professionally written and localized.
  • Vague and irrelevant content: The page includes unrelated text about “the company” carrying out deposits in the United States, a description of a “BoA” building in Buenos Aires (Argentina), and information about Zelle. This content is copied from various sources and is not cohesive—a clear sign of a hastily assembled phishing page.
  • Generic redirect message: The page claims to be “redirecting” but presents a button to click. Legitimate banking websites do not use such redirect pages with manual confirmation buttons for account unlocks.
  • Unsolicited account action request: Bank of America does not send messages with links requiring customers to click a button to “unlock” their account. Customers should always access their accounts by typing the official URL directly or using the official app.
  • Mixed geographic references: The page mentions the United States (deposits) and Buenos Aires (Argentina) in the same context, which is inconsistent for a message from a US-based bank to its customers.

What to do if you encounter this:

  • Do not click the button to “Confirm” or proceed with any unlock process.
  • Do not enter any personal information, User ID, or password on any subsequent pages.
  • If you are a Bank of America customer, always access online banking by typing bankofamerica.com directly into your browser or by using the official Bank of America mobile app.
  • If you have already entered your credentials, contact Bank of America immediately through their official customer service number to secure your account and change your password.
  • Report the phishing page to Bank of America’s fraud department (e.g., by forwarding the original message to the bank’s official phishing-report address).

Why this scam is effective:
Bank of America has a large Spanish-speaking customer base in the United States. The use of Spanish language and the “preventive unlock” pretext (which implies a security measure) can cause concern and prompt quick action. The inclusion of familiar terms like Zelle adds a veneer of legitimacy. Victims who are not carefully checking the URL may click the button and proceed to enter their credentials on the following fake login page.

Protective measures:

  • Bookmark the official Bank of America login page and use that bookmark to access online banking—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate bankofamerica.com domains, not on phishing sites.
  • Enable two-factor authentication (2FA) on your Bank of America account to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to click a button to unlock or verify your account.
  • Check the URL carefully: Legitimate Bank of America hostnames are bankofamerica.com itself or end with .bankofamerica.com (dot included), directly before the first slash. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact Bank of America directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.
  • Be aware of language quality: Legitimate bank communications are professionally written. Grammatical errors, awkward phrasing, or irrelevant content are strong indicators of a scam.

FNB (FirstRand Bank Limited) phishing page detected


FNB Online Banking Phishing – Credential Harvesting Page

This phishing campaign impersonates FNB (First National Bank), a major bank in South Africa. The page is designed to steal customers’ online banking credentials—specifically the Username and Password used to access FNB’s online banking platform.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to this fake FNB login page. When the victim enters their Username and Password and clicks “Login,” the credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal the victim’s FNB online banking credentials. With these, they can log into the victim’s real bank account, view balances, transfer funds, pay bills, and potentially commit further fraud.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not fnb.co.za or fnb.com. The legitimate FNB online banking domain is fnb.co.za. Always check the address bar before entering any credentials.
  • Extremely minimal design: The legitimate FNB login page includes additional security elements such as a security image, personalized greeting, or step-by-step authentication flow. This page is bare and lacks those features.
  • Generic branding: The page uses a basic FNB logo but lacks the full branding, navigation menus, and security indicators present on the real FNB site.
  • No security messaging: Legitimate FNB login pages display security tips, fraud warnings, and links to report suspicious activity. This page has none.
  • Unsolicited login request: FNB does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the URL directly or using the official FNB app.
  • Copyright notice: While the copyright year (2023) matches the screenshot’s timeframe, the presence of a copyright line does not guarantee legitimacy—attackers copy these details from real sites.

What to do if you encounter this:

  • Do not enter your Username, Password, or any other personal information on this page.
  • If you are an FNB customer, always access online banking by typing fnb.co.za directly into your browser or by using the official FNB app.
  • If you have already entered your credentials, contact FNB immediately through their official customer service hotline to secure your account and change your password.
  • Report the phishing page to FNB’s fraud department (e.g., by forwarding the original message to the bank’s official phishing-report address or using their official reporting channels).

Why this scam is effective:
FNB is one of South Africa’s largest banks, with millions of digital banking users. The simple, clean design of the page mimics the real FNB login interface enough to deceive users who are not paying close attention to the URL. The use of the FNB logo and the familiar “how can we help you?” tagline adds to the illusion. Many phishing pages rely on the fact that users often glance at the logo and layout rather than scrutinizing the address bar.

Protective measures:

  • Bookmark the official FNB login page and use that bookmark to access online banking—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate fnb.co.za domains, not on phishing sites.
  • Enable two-factor authentication (2FA) on your FNB account if available, to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
  • Check the URL carefully: Legitimate FNB hostnames are fnb.co.za itself or end with .fnb.co.za (dot included), directly before the first slash. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact FNB directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.
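
The “check the URL carefully” advice in the FNB, M&T Bank and Bank of America entries, written out as a link triage check for a mail filter or helpdesk tool. This is an added example, not part of the original reports: `classify_url`, the 0.8 similarity threshold and the sample URLs are assumptions constructed for illustration; only the three legitimate domains come from the entries above.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Legitimate domains as named in the entries above.
LEGIT_DOMAINS = ("fnb.co.za", "mtb.com", "bankofamerica.com")
SIMILARITY = 0.8  # assumed threshold for treating a name as a misspelling


def classify_url(url):
    """Return (verdict, detail); verdict is legitimate, suspicious or unrelated."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "suspicious", "no hostname (missing scheme or malformed link)"
    # In https://mtb.com@host/ the text before '@' is userinfo, not the host.
    if parts.username is not None:
        return "suspicious", f"userinfo before '@', real host is {host}"
    # Exact match or true subdomain only. A bare endswith("mtb.com") would
    # also accept notmtb.com, so the dot boundary is required.
    for domain in LEGIT_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "legitimate", domain
    labels = host.split(".")
    if not host.isascii() or any(lab.startswith("xn--") for lab in labels):
        return "suspicious", "non-ASCII or punycode label (possible homograph)"
    for domain in LEGIT_DOMAINS:
        brand = domain.split(".")[0]
        if domain in host:
            return "suspicious", f"{domain} embedded in another domain"
        if any(brand in lab for lab in labels):
            return "suspicious", f"brand '{brand}' with extra words or another TLD"
        # Misspelling: compare the host's trailing labels with the real domain.
        tail = ".".join(labels[-domain.count(".") - 1:])
        if SequenceMatcher(None, tail, domain).ratio() >= SIMILARITY:
            return "suspicious", f"near-miss spelling of {domain}"
    return "unrelated", ""


# Constructed sample links, not taken from the reported pages.
SAMPLES = [
    "https://www.mtb.com/login",
    "https://notmtb.com/login",
    "https://mtb.com.secure-login.example/",
    "https://mtb.com@login.example.net/",
    "https://fmb.co.za/",
    "https://mtb-secure.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_url(sample))
```

A “suspicious” verdict is a triage signal for review or blocking; only the exact-or-subdomain match should ever be treated as the bank’s own site.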