Antiphishing.biz

---

Threat Analysis: Generic Banking Phishing – Credential & SMS Code Harvesting

This phishing campaign impersonates a financial institution (likely a bank or digital wallet in Latin America, based on the Spanish language and the “reactivar” – reactivate – pretext). The scam uses a multi-page flow to capture the victim’s username, password, and SMS verification code (two-factor authentication), enabling full account takeover.

How it works:
The victim receives a phishing email, SMS, or other message claiming that their account has been deactivated or requires verification to “reactivate” it. The message includes a link to the first phishing page.

Step 1 – Fake Credentials Page (First Screenshot)
The first page asks for:

• Usuario (username)
• Clave (password)

This page captures the victim’s primary account credentials. The pretext of “reactivating” the account creates urgency.

Step 2 – Fake Waiting/Loading Page (Second Screenshot)
The second page displays a fake loading message with a countdown timer (24 seconds), claiming that the victim’s information is being verified. This page serves two purposes:

• It creates a sense of legitimate processing
• It buys time for the attacker to use the stolen credentials to log into the real bank/platform and trigger an SMS code to the victim’s phone

Step 3 – Fake SMS Code Page (Third Screenshot)
The third page asks for the SMS verification code sent to the victim’s mobile phone. When the victim enters this code, the attacker captures it and uses it to complete the login on the real platform.

The goal:
The attacker aims to:

• Steal the victim’s account credentials (username and password)
• Capture the SMS verification code (2FA) in real time
• Gain full access to the victim’s account to transfer funds, make payments, or commit fraud

Red flags to watch for:

• Suspicious URL: The pages are hosted on domains that are not the official domain of the legitimate financial institution. Always check the address bar before entering credentials.
• Unsolicited “reactivation” request: Legitimate banks do not send emails or messages with links requiring customers to log in to “reactivate” accounts.
• Fake loading page with countdown: Legitimate banking sites do not display artificial countdown timers during login. This is a classic phishing tactic to buy time for the attacker.
• Multi-step design with SMS code request: After entering credentials, the victim is asked for an SMS code. While this mirrors the real 2FA flow, the pages themselves are fake.
• Generic branding: The pages lack the specific logos, security notices, and personalized elements that would appear on a legitimate bank’s login interface.
• “Reactivate” pretext: The claim that the account needs to be reactivated is a common fear-based tactic to pressure victims into acting without thinking.

What to do if you encounter this:

• Do not enter your username, password, or SMS verification code on these pages.
• If you are a customer of any financial institution, always access your account by typing the official website URL directly into your browser or by using the official mobile app.
• If you have already entered your credentials but not the SMS code, contact your bank immediately to change your password and secure your account.
• If you have entered the SMS code as well, the attacker may have already accessed your account. Contact your bank’s fraud department immediately.
• Report the phishing pages to the legitimate institution being impersonated.

Why this scam is particularly dangerous:
This is a real-time account takeover phishing kit. The attacker uses the stolen username and password immediately to log into the real platform and trigger an SMS code. The fake loading page buys time for this process. When the victim enters the SMS code on the phishing page, the attacker uses it to complete the login—often within seconds. The “reactivation” pretext is effective because it creates urgency and implies that the account is at risk if no action is taken.

Protective measures:

• Never click links in unsolicited messages claiming your account needs to be reactivated or verified. Instead, type the official website URL directly into your browser.
• Use a password manager: It will autofill only on legitimate domains, not on phishing sites.
• Never enter your SMS verification code on a page you reached via a link. Legitimate banks only ask for 2FA codes after you have initiated a login on their official site.
• Be suspicious of any unsolicited message that creates urgency and asks you to log in to your account.
• Check the URL carefully: Look for misspellings, extra words, or unusual top-level domains.
• If in doubt, contact your bank directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

---

Then visitor will be redirected to the official website of Citizens Bank.

---

Threat Analysis: Citizens Bank Phishing – Full Identity & Financial Data Harvesting

This phishing campaign impersonates Citizens Bank, a prominent bank in the United States. The scam uses a multi-page flow to capture:

• Online banking credentials (User ID and Password)
• Full personal identification information (full name, SSN, address, date of birth, phone number)
• Full card details (cardholder name, card number, expiration date, CVV)

This combination of data enables attackers to commit identity theft, open fraudulent accounts, and drain victims’ financial accounts.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to the first phishing page.

Step 1 – Fake Online Banking Login Page (First Screenshot)
The first page mimics Citizens Bank’s online banking login interface, asking for:

• Online User ID
• Password

This page captures the victim’s primary banking credentials.

Step 2 – Intermediate Page(s) (Screenshots 2 and 3 – failed to load)
While the second and third screenshots are not available, the pattern suggests they may have been fake loading/waiting pages or additional information requests, designed to make the process appear legitimate and to buy time for the attacker.

Step 3 – Fake “Verify Your Banking Information” – Personal Details Page (Fourth Screenshot)
The fourth page asks for:

• Full name
• Social Security Number (SSN)
• Address, state, city, zip code
• Date of birth
• Phone number

This information is used for identity theft and to answer security questions for account takeover.

Step 4 – Fake “Verify Your Banking Information” – Card Details Page (Fifth Screenshot)
The fifth page asks for:

• Cardholder name
• Full card number
• Expiration date
• Card Security Code (CVV)

This captures the victim’s credit or debit card details for fraudulent purchases.

The goal:
The attacker aims to:

• Gain full access to the victim’s Citizens Bank online banking account
• Steal the victim’s identity (SSN, DOB, address, phone) to open new accounts, apply for loans, or commit tax fraud
• Use the captured card details for unauthorized purchases or to create cloned cards

Red flags to watch for:

• Suspicious URL: The pages are hosted on domains that are not citizensbank.com or any official Citizens Bank domain. Legitimate Citizens Bank online banking is accessed through the bank’s official website. Always check the address bar.
• Unsolicited login request: Citizens Bank does not send emails or messages with links requiring customers to log in and then provide extensive personal and card information.
• Excessive data requests: A legitimate bank would never ask for SSN, full card details, and CVV in a single “verification” flow after login. This combination is a clear indicator of a phishing and identity theft operation.
• Inconsistent page flow: After entering online banking credentials, the victim is taken to pages asking for personal and card details—something that never happens on the real bank site.
• Copied content: The pages include help sections, navigation menus, and footer content copied from the legitimate Citizens Bank website. Attackers use such content to appear credible, but its presence does not make the pages legitimate.
• No personalization or security indicators: Legitimate banking portals display account-specific information, security images, or other personalized elements. These pages lack such features.

What to do if you encounter this:

• Do not enter any information on these pages—neither banking credentials, nor personal details, nor card details.
• If you are a Citizens Bank customer, always access online banking by typing citizensbank.com directly into your browser or by using the official mobile app.
• If you have already entered your banking credentials, contact Citizens Bank immediately to change your password and secure your account.
• If you have entered your SSN, card details, or other personal information, contact your bank’s fraud department, the major credit bureaus (Equifax, Experian, TransUnion) to place a fraud alert or credit freeze, and file a report with the FTC (IdentityTheft.gov) and local authorities.
• Report the phishing pages to Citizens Bank’s fraud team.

Why this scam is particularly dangerous:
This is a comprehensive identity theft phishing kit. It does not just target banking credentials—it aims to collect enough information for the attacker to impersonate the victim fully. With the victim’s SSN, date of birth, address, and card details, the attacker can:

• Drain the victim’s bank account
• Open new credit cards or loans in the victim’s name
• File fraudulent tax returns to steal refunds
• Take over other accounts using the stolen personal information

Protective measures:

• Bookmark the official Citizens Bank login page and use that bookmark to access online banking—never click links in emails or messages.
• Use a password manager: It will autofill only on legitimate citizensbank.com domains, not on phishing sites.
• Never provide your SSN, full card details, or CVV on a page you reached via a link. Legitimate banks already have this information on file and will not ask for it in an unauthenticated flow.
• Enable two-factor authentication (2FA) on your bank account to add an extra layer of protection.
• Be suspicious of any unsolicited message that creates urgency and asks you to log in and then provide extensive personal information.
• Check the URL carefully: Legitimate Citizens Bank domains end with citizensbank.com. Look for misspellings, extra words, or unusual top-level domains.
• If in doubt, contact Citizens Bank directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

---

---

Threat Analysis: Bank of America Phishing – Email Credential & Card Data Harvesting

This phishing campaign impersonates Bank of America, targeting Spanish-speaking customers. The scam uses a multi-page flow to capture:

• The victim’s email address and email password
• Full credit/debit card details (card number, expiration date, security code)

By compromising both the email account and the payment card, attackers can gain persistent access to sensitive communications and conduct unauthorized transactions.

How it works:
The victim receives a phishing email, SMS, or other message in Spanish claiming a security alert, account verification issue, or the need to confirm their identity. The message includes a link to the first phishing page.

Step 1 – Simple Entry Page (First Screenshot)
A minimal page with Bank of America branding and a call to “verify your online account.” This likely leads to the next step.

Step 2 – Fake Identity Verification – Email & Email Password Page (Third Screenshot)
This page asks for:

• Correo electrónico (Email address)
• Clave del correo (Email password)
• Aim o Pin (likely “ATM PIN” – a banking PIN)

The page includes a fake Bank of America dashboard preview (with a greeting “Hello, Jane”) to appear legitimate. This step captures the victim’s email credentials and banking PIN.

Step 3 – Fake Identity Verification – Card Details Page (Fourth Screenshot)
This page asks for:

• Card number
• Expiration date
• Security code (CVV)

It claims these details are needed to “verify identity” for security purposes.

The goal:
The attacker aims to:

• Steal the victim’s email account credentials to intercept bank communications, reset passwords, and maintain long-term access
• Obtain the victim’s debit/credit card details for unauthorized purchases, cloning, or selling on criminal marketplaces
• Gather a banking PIN for ATM or transaction authorization

Red flags to watch for:

• Suspicious URL: The pages are hosted on domains that are not bankofamerica.com. Legitimate Bank of America online services are accessed through the official website.
• Request for email password: A legitimate bank never asks for your email account password. This is a clear indicator of a phishing attack designed to take over your email.
• Multiple sensitive data requests in one flow: Asking for email credentials, banking PIN, and full card details in sequence is not part of any legitimate bank verification process.
• Fake dashboard elements: The page includes a mock-up of a Bank of America dashboard (“Hello, Jane”) with reward points and account numbers. This is copied from the real site but appears out of context on a verification page.
• Outdated copyright: The footer shows “© 2021” (the screenshots are from late 2022), a common oversight in phishing pages.
• Mixed languages: The page uses Spanish for instructions but includes English text in the fake dashboard, which may indicate copied content.
• Unsolicited “identity verification” request: Bank of America does not send emails or messages with links requiring customers to enter email credentials and card details to verify identity.

What to do if you encounter this:

• Do not enter your email address, email password, banking PIN, or card details on these pages.
• If you are a Bank of America customer, always access online banking by typing bankofamerica.com directly into your browser or using the official app.
• If you have already entered your email credentials, change your email password immediately and enable two-factor authentication. Check for any unauthorized forwarding rules.
• If you have entered card details, contact Bank of America immediately to block your card and dispute any unauthorized transactions.
• Report the phishing pages to Bank of America’s fraud department (e.g., [email protected]).

Why this scam is particularly dangerous:
This phishing kit targets two critical assets simultaneously: email account access and payment card details. With email access, the attacker can intercept password reset links, delete fraud alerts, and take over other accounts. With card details, they can make fraudulent purchases. The combination of Spanish language and Bank of America branding is designed to reach a large Spanish-speaking customer base in the United States.

Protective measures:

• Bookmark the official Bank of America login page and use that bookmark to access online banking—never click links in emails or messages.
• Use a password manager: It will autofill only on legitimate bankofamerica.com domains.
• Never provide your email password on any banking site. Legitimate banks never ask for it.
• Enable two-factor authentication (2FA) on both your email and bank accounts, preferably using an authenticator app rather than SMS.
• Be suspicious of any unsolicited message that creates urgency and asks you to “verify” your identity by providing extensive personal information.
• Check the URL carefully: Legitimate Bank of America domains end with bankofamerica.com. Look for misspellings, extra words, or unusual top-level domains.
• If in doubt, contact Bank of America directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

---

---

Threat Analysis: Crédit Agricole Phishing – Multi‑Stage SécuriPass & Credential Theft

This phishing campaign impersonates Crédit Agricole. The scam uses a long, multi‑page flow to capture:

• The victim’s online banking identifier and personal code (password)
• The victim’s SMS verification code (2FA)
• An email verification code (second 2FA channel)

By harvesting both the SMS and email codes, attackers can bypass multiple security layers and gain full account access.

How it works:
The victim receives a phishing email claiming they have not activated SécuriPass (a real security feature) and must update their contact details.

Step 1 – Fake Security Alert Email (First Screenshot)
A convincing email impersonating Crédit Agricole. It claims SécuriPass is not activated and urges the victim to click a link to verify their phone and email details. A threat is implied by referencing “article 30” (contract modification), adding false legitimacy.

Step 2 – Fake Bank Homepage (Second Screenshot)
After clicking the link, the victim lands on a page that mimics the Crédit Agricole public website. It includes navigation menus, app download links, and a prominent “MON ESPACE” (My Space) button. This page is designed to look like the official bank portal before login.

Step 3 – Fake Login Page (Third Screenshot)
Clicking “MON ESPACE” leads to a fake login page asking for:

• Identifiant (11‑digit identifier)
• Code personnel (6‑digit personal code/password)

This captures the victim’s primary credentials.

Step 4 – Fake “First Connection” SMS Code Page (Fourth Screenshot)
The victim is told it is their first visit and asked to enter a 6‑digit code sent by SMS. This is a classic 2FA capture step. The attacker, having the credentials from Step 3, likely triggers the real SMS code on the legitimate site.

Step 5 – Fake SécuriPass Activation – Two‑Code Page (Fifth Screenshot)
The final page presents a “SécuriPass activation in two steps”:

• First, an SMS code (another 6‑digit code)
• Second, a 6‑digit email code

The page instructs the victim not to close the window and to enter both codes. This captures both SMS and email‑based authentication codes, giving the attacker persistent access.

The goal:
The attacker aims to:

• Steal the victim’s Crédit Agricole credentials (identifier + personal code)
• Capture SMS 2FA codes
• Capture email verification codes
• Gain full access to the victim’s bank account and email account, enabling fund transfers and identity theft

Red flags to watch for:

• Suspicious URL: All pages are hosted on domains that are not credit-agricole.fr. Legitimate Crédit Agricole services are accessed through the official domain.
• Multi‑page flow with redundant code requests: Asking for an SMS code twice, and then also an email code, is highly unusual. Legitimate SécuriPass activation is a one‑time process within the app or after login, not a multi‑code web flow.
• Inconsistent messaging: The victim is told they have an existing account (step 3), then treated as a “first‑time” user (step 4), and then asked to activate SécuriPass (step 5). This is illogical and a sign of a phishing kit stitching together different templates.
• Copied legitimate content: The pages contain real Crédit Agricole branding, menus, and legal text copied from the genuine site. Attackers use this to appear legitimate.
• Request for email code: No legitimate bank asks for an email verification code in addition to SMS codes during a simple login or activation flow. This is designed to compromise the email account.
• Unsolicited activation request: Crédit Agricole does not send emails with links to “activate SécuriPass” by entering credentials and multiple codes.

What to do if you encounter this:

• Do not enter any identifiers, personal codes, SMS codes, or email codes on these pages.
• If you are a Crédit Agricole customer, always access online banking by typing credit-agricole.fr directly into your browser or using the official mobile app.
• If you have already entered credentials but not the later codes, contact Crédit Agricole immediately to change your password.
• If you have entered SMS or email codes, assume your account is compromised. Contact Crédit Agricole’s fraud department immediately and also secure your email account (change password, check for forwarding rules).
• Report the phishing pages to Crédit Agricole ([email protected]).

Why this scam is particularly dangerous:
This is a full account takeover kit that harvests both authentication factors and the victim’s email credentials. By asking for two separate SMS codes, the attacker can maintain a logged‑in session while also capturing a second code for a later transaction. The request for an email code suggests the attacker is also aiming to compromise the victim’s email account, which is often the “master key” for resetting passwords across other services.

Protective measures:

• Bookmark the official Crédit Agricole login page and use that bookmark to access your account—never click links in emails.
• Use a password manager: It will autofill only on legitimate credit-agricole.fr domains.
• Never enter an SMS or email code on a page you reached via a link. Legitimate banks only ask for 2FA codes after you initiate a login on their official site.
• Activate SécuriPass through the official mobile app, not via web links.
• Be suspicious of any message that creates urgency and asks you to “activate” security features through a link.
• Check the URL carefully: Legitimate Crédit Agricole domains end with credit-agricole.fr. Look for misspellings or unusual top‑level domains.
• If in doubt, contact Crédit Agricole directly using a phone number from your bank statement or the official website—never use contact information from a suspicious message.

---

---

Threat Analysis: BAC Credomatic Phishing – Fake “Banca en Línea” Login Page

This phishing campaign impersonates BAC Credomatic, one of the largest banks in Central America. The page mimics the bank’s “Banca en Línea” (Online Banking) login interface to steal customers’ username and password. It also includes a “Usar Token” option, suggesting the attacker may attempt to capture two‑factor authentication codes in a subsequent step.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to this fake BAC Credomatic login page. When the victim enters their Usuario and Contraseña and clicks the login button (likely labeled “Ingresar” or similar), the credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal the victim’s BAC Credomatic online banking credentials. With these, they can log into the victim’s real bank account, view balances, transfer funds, pay bills, and commit fraud.

Red flags to watch for:

• Suspicious URL: The page is hosted on a domain that is not baccredomatic.com or any official BAC domain. Legitimate BAC online banking is accessed through the bank’s official website. Always check the address bar.
• Unsolicited login request: BAC Credomatic does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the official URL directly or using the official mobile app.
• Typographical errors: The page contains a typo: “Recorzar Usuario” instead of “Recordar Usuario”. Official bank interfaces do not contain such errors.
• Unusual or out-of-place text: The page includes a promotion about auto loans (“Listo para estrenar auto?”) and credit cards that may appear plausible but can be copied from the real website. The presence of such content does not make the page legitimate.
• No personalization or security image: Legitimate BAC login pages often display a security image or personalized greeting. This page lacks those features.
• “Usar Token” option: While the real bank uses tokens for two‑factor authentication, the inclusion of this option on a fake page is intended to make the flow appear authentic. However, the page itself is not the genuine login portal.

What to do if you encounter this:

• Do not enter your username, password, or any other personal information on this page.
• If you are a BAC Credomatic customer, always access online banking by typing the official BAC website URL for your country directly into your browser (e.g., baccredomatic.com) or by using the official BAC mobile app.
• If you have already entered your credentials, contact BAC Credomatic immediately through their official customer service hotline to secure your account and change your password.
• Report the phishing page to BAC Credomatic’s fraud department.

Why this scam is effective:
BAC Credomatic has millions of customers across Central America. The page uses the bank’s logo, familiar branding, and a layout that resembles the real login page. The inclusion of product promotions and a token option adds to the illusion of legitimacy. The typo “Recorzar” is a subtle red flag that careful users might notice.

Protective measures:

• Bookmark the official BAC Credomatic login page for your country and use that bookmark to access online banking—never click links in emails or messages.
• Use a password manager: It will autofill only on legitimate baccredomatic.com domains, not on phishing sites.
• Enable two‑factor authentication (token or mobile app) on your BAC account if available, to add an extra layer of protection.
• Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
• Check the URL carefully: Legitimate BAC domains end with baccredomatic.com or country‑specific subdomains (e.g., bac.gt for Guatemala). Look for misspellings, extra words, or unusual top‑level domains.
• If in doubt, contact BAC Credomatic directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

---

Thank you for sharing these three screenshots. They show a multi-step phishing campaign impersonating Banreservas (Banco de Reservas de la República Dominicana) , the largest bank in the Dominican Republic. The scam is designed to capture the victim’s online banking username, password, and then their email credentials along with the numeric code from their “tarjeta de códigos” (codes card) —a two‑factor authentication (2FA) tool used by the bank. This combination gives attackers full access to the victim’s account.

Here is a detailed English description that avoids exact quotes from the screenshots to minimize antivirus false positives.

---

Threat Analysis: Banreservas Phishing – Credential, Email & 2FA Code Harvesting

This phishing campaign impersonates Banreservas, the leading bank in the Dominican Republic. The scam uses a multi‑page flow to capture:

• Usuario (online banking username)
• Contraseña (password)
• Email address and email password
• Numerical code from the “tarjeta de códigos” (a physical or digital two‑factor authentication card)

By harvesting both the banking credentials and the 2FA codes, attackers can bypass security measures and take over the account.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to update their information. The message includes a link to the first phishing page.

Step 1 – Fake Username Page (First Screenshot)
The first page mimics the Banreservas “TUB@nco Personas” login interface. It asks for the victim’s username and has a “Continuar” (Continue) button. The page includes the bank’s logo and familiar branding.

Step 2 – Fake Password Page (Second Screenshot)
After entering the username, the victim is taken to a second page that asks for the password. A “virtual keyboard” option is presented, which is a real security feature of the bank, making the page appear legitimate.

Step 3 – Fake Email & “Tarjeta de Códigos” Page (Third Screenshot)
The third page asks for:

• Correo electrónico (email address)
• Contraseña de Correo (email password)
• A selection of a “tarjeta de códigos” (codes card) – a numbered card used to generate one‑time codes for two‑factor authentication.

The victim is prompted to enter the code from the card after selecting the appropriate card. This step captures both the email credentials and the 2FA codes needed to authorize transactions.

The goal:
The attacker aims to:

• Steal the victim’s Banreservas online banking username and password
• Capture the victim’s email address and password to intercept communications, reset passwords, and maintain persistent access
• Obtain the “tarjeta de códigos” 2FA codes, which are required to perform transactions or log in

With all this information, the attacker can log into the victim’s bank account, transfer funds, and also take over the associated email account.

Red flags to watch for:

• Suspicious URL: The pages are hosted on domains that are not banreservas.com or any official Banreservas domain. Legitimate Banreservas online banking is accessed through the bank’s official website. Always check the address bar.
• Request for email password: A legitimate bank never asks for your email account password. This is a clear sign of a phishing attack designed to compromise your email.
• Request for “tarjeta de códigos” codes without context: The bank’s 2FA card is used to verify specific transactions or logins. Asking for it in a generic “update” flow is suspicious and indicates credential theft.
• Unsolicited login request: Banreservas does not send emails or messages with links requiring customers to log in and then provide email passwords and 2FA codes.
• Multi‑step design with unrelated requests: The flow moves from banking username/password to email credentials to 2FA codes. No legitimate banking process combines these in a single session.
• Copied legitimate content: The pages use the bank’s logo, color scheme, and terminology (“TUB@nco Personas”, “tarjeta de códigos”) to appear authentic, but they are hosted on fraudulent domains.

What to do if you encounter this:

• Do not enter your banking username, password, email credentials, or 2FA codes on these pages.
• If you are a Banreservas customer, always access online banking by typing banreservas.com directly into your browser or by using the official Banreservas mobile app.
• If you have already entered your banking credentials but not the email or 2FA codes, contact Banreservas immediately to change your password and secure your account.
• If you have entered your email password, change that password immediately, enable two‑factor authentication on your email account, and check for unauthorized forwarding rules.
• If you have entered 2FA codes from your “tarjeta de códigos”, the attacker may have already used them. Contact Banreservas’ fraud department immediately.
• Report the phishing pages to Banreservas’ security team.

Why this scam is particularly dangerous:
This is a complete account takeover phishing kit targeting both the bank account and the associated email. By capturing the “tarjeta de códigos” 2FA codes, the attacker can authorize transactions without needing additional verification. The email credentials allow them to intercept alerts, delete evidence, and reset passwords for other services. This level of compromise can lead to significant financial loss and identity theft.

Protective measures:

• Bookmark the official Banreservas login page and use that bookmark to access online banking—never click links in emails or messages.
• Use a password manager: It will autofill only on legitimate banreservas.com domains, not on phishing sites.
• Never provide your email password or 2FA card codes on a page you reached via a link. The bank already has this information and will not ask for it in an unsolicited login flow.
• Enable two‑factor authentication on your email account using an authenticator app (not SMS) to reduce the risk of account takeover.
• Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
• Check the URL carefully: Legitimate Banreservas domains end with banreservas.com. Look for misspellings, extra words, or unusual top‑level domains.
• If in doubt, contact Banreservas directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

---

---

Threat Analysis: Bam (Banco Agrícola) Phishing – Username Harvesting (First Stage)

This phishing campaign targets customers of Bam – Banco Agrícola, a major bank in Central America (particularly El Salvador). The page mimics the bank’s “Bamvirtual Personas” login interface. It only asks for a username at this stage, but the captured username will be used in subsequent fake pages to request the password and potentially a second factor (such as a token or SMS code).

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to this fake Bamvirtual login page. After entering their username and clicking “CONTINUAR”, the victim is taken to a second fake page (not shown in these screenshots) that asks for their password. In many such kits, a third page then captures a two‑factor authentication code, giving the attacker full access.

The goal:
The attacker aims to steal the victim’s online banking credentials (username and password) and, if applicable, any two‑factor authentication codes. With these, they can log into the victim’s real bank account, view balances, transfer funds, and commit fraud.

Red flags to watch for:

• Suspicious URL: The pages are hosted on domains that are not the official bank domain. Legitimate Bamvirtual login is accessed through the bank’s official website (e.g., bancoagricola.com). Always check the address bar.
• Unsolicited login request: Banco Agrícola does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the official URL directly or using the official mobile app.
• Inconsistent design elements: While the pages use the bank’s logo and color scheme, the layout and text contain small inconsistencies (e.g., the repeated headers, slightly different phrasing in each screenshot) that are not present on the legitimate site.
• Multi‑page flow with only username first: Legitimate banking portals often combine username and password on a single page or use a security image after username entry. This separate, sequential flow is a common phishing‑kit pattern.
• “Grupo Bancolombia” copyright: The footer mentions Grupo Bancolombia, which is correct for Banco Agrícola, but the presence of this copied text does not make the page legitimate.

What to do if you encounter this:

• Do not enter your username on this page. If you have already done so, do not proceed to enter your password on any subsequent page.
• If you are a Banco Agrícola customer, always access online banking by typing the official bank URL directly into your browser (e.g., bancoagricola.com) or by using the official mobile app.
• If you have already entered your username and suspect you may have been phished, contact Banco Agrícola immediately through their official customer service to change your password and secure your account.
• Report the phishing pages to the bank’s fraud department.

Why this scam is effective:
Banco Agrícola (Bam) is a well‑known bank in Central America, and “Bamvirtual” is its standard online banking platform. The page uses the bank’s logo and familiar branding, and the two‑stage process (username first, then password) mirrors the real login flow used by many banks. The footer with “Grupo Bancolombia” adds an extra layer of perceived legitimacy. Victims who are not paying close attention to the URL may enter their username without suspicion.

Protective measures:

• Bookmark the official Bamvirtual login page and use that bookmark to access online banking—never click links in emails or messages.
• Use a password manager: It will autofill only on legitimate bank domains, not on phishing sites.
• Enable two‑factor authentication (2FA) on your bank account if available, to add an extra layer of protection.
• Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
• Check the URL carefully: Legitimate Banco Agrícola domains end with bancoagricola.com (or country‑specific variations). Look for misspellings, extra words, or unusual top‑level domains.
• If in doubt, contact Banco Agrícola directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

---