PayPal phishing page in French detected


These four screenshots show a multi‑step phishing campaign targeting French users, likely impersonating a payment service or online marketplace. The scam uses a fake “pending payment” lure to harvest the victim’s login credentials, full personal details, and credit card information.


Threat Analysis: Fake Payment Pending Phishing – Credential, Personal & Card Data Harvesting

This phishing campaign is built on a simple but effective pretext: the victim is told that a payment is waiting for them. To “receive” the money, they must log in and then “confirm” their identity by providing personal and card details. The pages are hosted on a free website builder (WIX), a common indicator of throwaway phishing sites.

How it works:
The victim receives an email, SMS, or message claiming that a payment is pending and they need to log in to claim it.

Step 1 – Fake Login Page (First Screenshot)
A minimal page asks for an email address and password. No branding is shown, but the promise of a payment makes victims believe they are logging into a legitimate service.

Step 2 – Fake Payment Confirmation Page (Second Screenshot)
After submitting credentials, the victim sees a page stating that the payment has been approved by the bank and they must “confirm” to receive it. This creates a false sense of progress.

Step 3 – Personal & Card Number Page (Third Screenshot)
The victim is asked to “confirm their account” by providing:

  • First name & last name
  • Home address
  • Phone number
  • Full credit/debit card number

Step 4 – Expiration & CVV Page (Fourth Screenshot)
The final page asks for the expiration date and cryptogram (CVV). With the card number from Step 3, the attacker now has all information needed to make online purchases or clone the card.

The goal:
The attacker aims to:

  • Steal the victim’s email and password (likely for a specific platform or general reuse)
  • Obtain full identity and contact information
  • Capture complete credit card details (number, expiration, CVV) for fraud

Red flags to watch for:

  • Suspicious URL: All pages are hosted on a free WIX subdomain (visible in the browser address bar). Legitimate payment services use their own domains.
  • “WIX.com” banner: The blue “Ce site a été conçu sur la plateforme WIX.com” banner appears on every page, a clear sign this is not a professional or legitimate service.
  • Illogical flow: A platform that already has your login credentials would not ask for your full card details and CVV to “release” a payment.
  • No branding: No company name or logo is shown. The victim is left guessing which service they are logging into.
  • Multiple requests for sensitive data: Asking for full name, address, phone, card number, expiration, and CVV in one flow is a classic carding/phishing pattern.

What to do if you encounter this:

  • Do not enter any information on pages hosted on free website builders (WIX, Weebly, etc.) unless you are absolutely certain they are legitimate (which they almost never are for banking/payment services).
  • If you have already entered your email and password, change that password immediately, especially if you reuse it elsewhere.
  • If you entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the legitimate company being impersonated (if identifiable) and to the platform hosting the site (WIX has a reporting mechanism for phishing).

Why this scam is effective:
The promise of “money waiting” exploits eagerness and urgency. The multi‑step flow makes the process seem thorough and official. The use of a familiar free website builder can actually lower suspicion for users who associate WIX with small legitimate businesses, but in this case it is being abused for fraud.

Protective measures:

  • Never log in to a service via a link sent in an unsolicited message. Type the official URL directly.
  • Check the address bar carefully. Legitimate payment services do not use free hosting platforms like WIX.
  • Never enter your full card number, expiration, and CVV on a page that claims to be “verifying” or “releasing” funds. This is a standard card‑harvesting tactic.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your email and financial accounts.

Nets fake page in Danish detected

These two screenshots show a phishing campaign impersonating Nets, a major Danish payment service provider. The scam uses a fake “refund” pretext to trick victims into providing their email address, full name, phone number, and full credit/debit card details.


Threat Analysis: Nets Refund Phishing – Card & Personal Data Harvesting

This phishing campaign impersonates Nets, a widely used payment processor in Denmark (and other Nordic countries). The victim is led to believe they are receiving a refund for a debited amount. To “process” the refund, they are asked to provide personal and card information.

How it works:

  1. The victim receives a phishing email, SMS, or other message claiming a refund is available due to a transaction error or cancellation.
  2. The first page asks for an email address and full name.
  3. The second page, branded with Nets logos, asks for:
    • Phone number (pre‑fixed with +45, the Danish country code)
    • Name on card
    • Card number
    • Expiration date
    • CVV

The button on the second page is labelled “Annuller transaktionen” (Cancel the transaction), which is a deceptive trick—clicking it actually submits the stolen data.

The goal:
The attacker aims to collect:

  • The victim’s full name, email address, and phone number (for identity theft or follow‑up scams)
  • Complete card details (card number, expiry, CVV) to make fraudulent purchases or clone the card

Red flags to watch for:

  • Suspicious URL: The first page is hosted on a subdomain of myclickempurl.host, a domain completely unrelated to nets.eu or nets.dk. Legitimate Nets services are accessed through official domains.
  • Request for full card details for a refund: A legitimate refund does not require the customer to enter their card number, expiry date, and CVV. Refunds are processed automatically to the original payment method.
  • Misleading button text: The button says “Cancel the transaction,” but the page is designed to capture card data. This is a social engineering trick to make victims click without realizing they are submitting their details.
  • Poor design and mismatched branding: While the second page uses Nets logos, the overall design is simple and lacks the security features (e.g., proper SSL certificate, consistent navigation) of the real Nets site.
  • Unsolicited refund offer: Nets does not send unsolicited emails or messages asking customers to enter card details to receive a refund.

What to do if you encounter this:

  • Do not enter your email, name, phone number, or card details on these pages.
  • If you are a Nets user or a customer of a merchant using Nets, always check your transactions through your bank or the official Nets portal—never through links in messages.
  • If you have already entered your card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing pages to Nets’ fraud team and to the relevant authorities (e.g., the Danish police cybercrime unit).

Why this scam is effective:
Nets is a trusted name in Denmark and the Nordic region. Refund scams are common because people expect to receive money back after a transaction error. The multi‑step flow (first personal info, then card details) makes the process seem legitimate. The deceptive “Cancel the transaction” button may actually reassure victims that they are not “confirming” a payment but rather stopping one—while in fact they are handing over their card information.

Protective measures:

  • Never click links in unsolicited messages claiming a refund or payment issue. Instead, log into your bank or the relevant service directly via a bookmarked URL.
  • Check the URL carefully: Legitimate Nets domains end with nets.eu or nets.dk. Look for misspellings, extra words, or unusual top‑level domains.
  • Never enter your card number, expiry, and CVV on a page that claims to be processing a refund. Legitimate refunds happen automatically without re‑entering card details.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your bank and email accounts to add an extra layer of security.
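
The "check the URL carefully" advice, written out as a host check. This is an added example, not part of the original write-ups: it compares the host against the official domains the page names, matching on label boundaries rather than on a plain "ends with". The free-builder domains and every sample URL are constructed assumptions.

```python
from urllib.parse import urlsplit

# Official domains exactly as named in the write-ups on this page.
OFFICIAL_DOMAINS = {
    "Nets": ("nets.eu", "nets.dk"),
    "Netflix": ("netflix.com",),
    "Microsoft": ("microsoft.com", "outlook.com", "live.com"),
    "Bank of America": ("bankofamerica.com",),
    "Poste Italiane": ("poste.it",),
    "La Banque Postale": ("labanquepostale.fr",),
    "CaixaBank": ("caixabank.com", "caixabank.es"),
}

# Assumption (not stated on the page): domains under which these free
# site builders publish user sites.
FREE_BUILDER_DOMAINS = ("wixsite.com", "weebly.com")


def is_under(host, domain):
    """True only if host is the domain itself or a subdomain of it.

    The leading dot matters: a bare endswith() would accept a host that
    merely has the official domain glued to the end of a longer label.
    """
    return host == domain or host.endswith("." + domain)


def assess(url, brand):
    """Return a list of findings; an empty list means the host is official."""
    parts = urlsplit(url if "//" in url else "//" + url)
    # .hostname is lowercased and excludes userinfo and port.
    host = (parts.hostname or "").rstrip(".")
    official = OFFICIAL_DOMAINS[brand]
    if host and any(is_under(host, d) for d in official):
        return []

    findings = ["not-an-official-domain"]
    if any(is_under(host, d) for d in FREE_BUILDER_DOMAINS):
        findings.append("free-site-builder")
    # Official domain at the end of the host, but not on a label boundary.
    if any(host.endswith(d) for d in official):
        findings.append("lookalike-suffix")
    # Brand word used somewhere in an unofficial host ("extra words").
    tokens = {d.split(".")[0] for d in official}
    if any(t in host for t in tokens):
        findings.append("brand-name-in-host")
    # Official domain placed before "@", where it is only a user name.
    if parts.username and any(d in parts.username.lower() for d in official):
        findings.append("official-domain-in-userinfo")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("non-ascii-or-punycode-host")
    return findings


# Constructed sample URLs; only myclickempurl.host comes from the page,
# and the subdomain in front of it is made up.
SAMPLES = [
    ("https://www.nets.eu/refund", "Nets"),
    ("https://constructed-sub.myclickempurl.host/step1", "Nets"),
    ("https://nets.eu.refund.example/", "Nets"),
    ("https://constructednets.eu/", "Nets"),
    ("https://constructed-site.wixsite.com/billing", "Netflix"),
    ("https://netflix.com@billing.example/login", "Netflix"),
]

if __name__ == "__main__":
    for url, brand in SAMPLES:
        print(f"{brand:8} {url:50} {assess(url, brand) or 'official'}")
```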

Netflix fake page detected

These four screenshots show a multi‑step Netflix phishing campaign designed to harvest full payment card details, personal information, and the SMS verification code (two‑factor authentication) needed to authorize fraudulent charges or take over an account.


Threat Analysis: Netflix Phishing – Complete Card & 2FA Code Harvesting

This phishing campaign impersonates Netflix’s subscription sign‑up process. The victim is led to believe they need to “complete account configuration” to start a premium subscription. The scam uses a multi‑page flow to collect:

  • Full card details (number, expiration date, CVV)
  • Personal information (name, address, city, state, zip, phone number)
  • SMS verification code (a 2FA code sent to the victim’s phone, presumably by the real bank or card issuer)

How it works:
The victim receives a phishing email, SMS, or social media message claiming their Netflix account needs updating, or they are eligible for a free trial. The link leads to a fake Netflix page.

Step 1 – Introductory Page (First Screenshot)
A simple page claims the victim needs to “complete account configuration” to continue. It provides no details but directs the victim to proceed.

Step 2 – Card Details Page (Second Screenshot)
The victim is asked to enter:

  • First and last name
  • Full card number
  • Expiration date (MM/YY)
  • Security code (CVV)

A monthly fee (USD11.99) is displayed to make the page look like a legitimate subscription checkout.

Step 3 – Billing Address & Phone Page (Third Screenshot)
The third page requests:

  • First and last name (again)
  • Address, city, state, zip code
  • Phone number

This completes the personal and contact information needed for identity theft.

Step 4 – SMS Code Page (Fourth Screenshot)
The final page claims a code has been sent “to the phone number linked to your bank card.” The victim is asked to enter that code to “verify” the payment method. This is a classic 2FA code capture step. The attacker, having the card details, has likely already initiated a real transaction or attempted to add the card to a digital wallet, triggering the SMS code from the actual bank or card provider. When the victim enters the code, the attacker uses it to authorize the fraudulent transaction.

The goal:
The attacker aims to:

  • Steal full credit/debit card details (number, expiry, CVV)
  • Obtain the victim’s full identity (name, address, phone)
  • Capture the SMS two‑factor authentication code to complete an unauthorized transaction or add the card to a payment service

With this data, the attacker can make online purchases, create cloned cards, or use the card for fraud.

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not netflix.com. Legitimate Netflix billing is always handled on official Netflix domains.
  • Unusual setup flow: Netflix does not ask new subscribers for card details, billing address, and SMS codes in a four‑step manual process. Account creation is done in one or two simple screens.
  • SMS code request: A legitimate Netflix subscription does not require entering a code sent by your bank. This is a clear sign of a phishing kit attempting to intercept 2FA.
  • Inconsistent branding: While the pages use the Netflix logo and red theme, the layout and phrasing differ from the official Netflix interface.
  • Excessive data collection: Asking for both card details and a separate billing address, plus phone, is redundant for a real subscription.
  • Unsolicited offer: Netflix does not send emails or messages with links to “complete configuration” or “update payment” without prior notification through the official account dashboard.

What to do if you encounter this:

  • Do not enter any card details, personal information, or SMS codes on these pages.
  • If you have already entered your card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • If you have entered an SMS code, the attacker may have already used it. Contact your bank’s fraud department immediately.
  • Always access Netflix by typing netflix.com directly into your browser and checking your account status from the official dashboard.
  • Report the phishing pages to Netflix’s security team (e.g., by forwarding the original message to [email protected]).

Why this scam is particularly dangerous:
This is a full payment card and 2FA harvesting kit. The multi‑step flow mimics a real subscription process, making it convincing. The final SMS code page is especially dangerous because it allows the attacker to bypass two‑factor authentication on the victim’s card or bank account. Victims often assume the code is a normal part of signing up for Netflix and enter it without suspicion.

Protective measures:

  • Bookmark the official Netflix login page and never click links in emails or messages claiming account issues.
  • Use a password manager: It will not autofill on fake domains.
  • Never enter your card’s CVV or an SMS verification code on a page you reached via a link.
  • Enable two‑factor authentication on your Netflix account (available in some regions) and on your email account.
  • Check the URL carefully: Legitimate Netflix domains end with netflix.com. Look for misspellings, extra words, or unusual top‑level domains.
  • If in doubt, contact Netflix support directly via the official website—never use contact information from a suspicious message.

Microsoft phishing page in Spanish detected

This screenshot shows a phishing page impersonating Microsoft, targeting Spanish-speaking users. The page uses a “reactivate” pretext to pressure victims into entering their email address and password.


Threat Analysis: Microsoft Phishing – Fake “Reactivate” Login Page

This phishing campaign impersonates Microsoft (likely Outlook, Hotmail, or Office 365). The page claims the victim needs to “reactivate” their account, creating a sense of urgency. When the victim enters their email and password and clicks “Iniciar sesión,” the credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal Microsoft account credentials. With these, they can access the victim’s email, reset passwords for other services, and spread further phishing attacks.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not microsoft.com, outlook.com, or live.com. Always check the address bar before entering credentials.
  • Unsolicited “reactivation” request: Microsoft does not send emails or messages with links requiring users to “reactivate” accounts by logging in.
  • Generic, minimal design: The page lacks the full Microsoft branding, security notices, and two‑factor authentication options found on legitimate login pages.
  • No personalization: The page does not display a security image, account name, or any personalized element that would appear on a real Microsoft login after initial identification.

What to do if you encounter this:

  • Do not enter your email and password on this page.
  • If you are a Microsoft user, always access your account by typing outlook.com or microsoft.com directly into your browser.
  • If you have already entered your credentials, change your Microsoft password immediately and enable two‑factor authentication (2FA) to protect your account.

Protective measures:

  • Bookmark the official Microsoft login page and use that bookmark to access your account.
  • Use a password manager – it will autofill only on legitimate Microsoft domains.
  • Enable two‑factor authentication on your Microsoft account.
  • Be suspicious of any unsolicited message that asks you to “reactivate” or “verify” your account via a link.

Bank of America phishing page in Spanish detected


Threat Analysis: Bank of America Phishing – Complete Identity & Card Harvesting

This campaign uses a fake Spanish‑language Bank of America interface in three steps to steal:

  1. Online banking credentials (Online ID and Password)
  2. Email credentials and ATM PIN
  3. Full card details (card number, expiration date, CVV)

How it works:

Step 1 – Fake Login Page
The victim lands on a page that mimics Bank of America’s online banking login. It asks for Online ID and Password. The page includes real promotional content copied from the bank to appear legitimate.

Step 2 – Fake “Verify Your Identity” – Email & PIN Page
After submitting login credentials, the victim is asked to provide:

  • Email address and email password
  • ATM or debit card PIN

This step captures the victim’s email account and banking PIN.

Step 3 – Fake “Protect Your Identity” – Card Details Page
The final page asks for:

  • Card number
  • Expiration date
  • 3‑ or 4‑digit security code (CVV)

This page claims the information is needed to “protect your identity against fraud.”

The goal:
The attacker collects:

  • Bank login credentials to access the account
  • Email credentials to intercept alerts and reset passwords
  • ATM PIN and full card details to make withdrawals, online purchases, or clone the card

With this data, the attacker can fully compromise the victim’s bank account, email, and payment card.

Red flags (all pages):

  • Suspicious URL: The pages are hosted on a domain that is not bankofamerica.com. Legitimate Bank of America login is only on official bank domains.
  • Excessive and illogical requests: A legitimate bank never asks for email password, ATM PIN, or full card details during a single login/verification flow.
  • No personalization or security image: Real Bank of America login pages show a security image after you enter your Online ID.
  • Outdated copyright (2021): The footer date is incorrect for a 2022‑2023 campaign.

What to do if you encounter this:

  • Do not enter any information on these pages.
  • If you have already entered your credentials, contact Bank of America immediately to change your password, block your card, and secure your account.
  • If you entered your email password, change it immediately and enable two‑factor authentication. Check for unauthorized forwarding rules.
  • Report the phishing pages to Bank of America ([email protected]).

Protective measures:

  • Always type bankofamerica.com directly into your browser to log in—never click links.
  • Use a password manager – it will only autofill on the real bank domain.
  • Never provide your email password, ATM PIN, or CVV on a page you reached via a link.
  • Enable two‑factor authentication on both your bank and email accounts.

Poste Italiane phishing page detected

This screenshot shows a phishing page impersonating Poste Italiane (PostePay), targeting Italian customers. The page asks for an unusual combination of information—username, password, phone number, and even an “approximate balance”—which is a clear sign of a scam designed to steal account credentials and gather intelligence for fraud.


Threat Analysis: Poste Italiane Phishing – Credential & Account Data Harvesting

This phishing campaign impersonates Poste Italiane, specifically its PostePay service (a popular prepaid card and digital payment system in Italy). The page mimics the login interface but adds extra fields to collect more sensitive information.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The link leads to this fake PostePay login page. The victim is asked to enter:

  • Username
  • Password
  • Phone number
  • “Saldo approssimativo” (approximate balance)

After filling in these fields and clicking “AVANTI” (Next), all the data is captured and sent to the attacker.

The goal:
The attacker aims to:

  • Steal the victim’s PostePay login credentials (username and password)
  • Obtain the victim’s phone number for SMS‑based fraud (SIM swapping, intercepting 2FA codes)
  • Learn the approximate account balance to assess the victim’s value and tailor further scams

With this information, the attacker can log into the victim’s PostePay account, transfer funds, make purchases, or use the phone number for identity theft.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not poste.it or any official Poste Italiane domain. Legitimate PostePay login is accessed through the official website or app. Always check the address bar.
  • Request for phone number and balance: A legitimate login page never asks for your phone number or account balance. These are internal data that the bank already knows. Their presence on a login form is a strong indicator of a phishing page.
  • Poor design and unprofessional layout: The page has a simplistic design, inconsistent spacing, and lacks the full navigation, security notices, and personalization found on the real PostePay portal.
  • Unsolicited login request: Poste Italiane does not send emails or messages with links requiring customers to log in to resolve account issues.
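
The field-combination red flags in these write-ups (a full card set in one flow, an SMS code requested next to card data, phone number and balance on a login form) can be checked mechanically when triaging a reported page. The following is an added example, not part of the original analysis: the keyword lists, finding names and HTML snippets are constructed assumptions, and the matching is a heuristic on input attributes.

```python
from html.parser import HTMLParser

# Checked in order, first hit wins, so a CVV box rendered with
# type="password" is still counted as card data, not as a login password.
KEYWORDS = [
    ("card_cvv", ("cc-csc", "cvv", "cvc", "cryptogram")),
    ("card_expiry", ("cc-exp", "expir")),
    ("card_number", ("cc-number", "cardnumber", "card-number", "card_number")),
    ("otp", ("one-time-code", "otp", "sms")),
    ("balance", ("saldo", "balance")),
    ("phone", ("phone", "telefono", "mobile")),
    ("password", ("password", "contrase", "passwd")),
]
CARD_SET = {"card_number", "card_expiry", "card_cvv"}


class FieldCollector(HTMLParser):
    """Collects the categories of data a page's <input> elements ask for."""

    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "").lower() for k, v in attrs}
        if a.get("type") in ("hidden", "submit", "button"):
            return
        hay = " ".join(a.get(k, "") for k in
                       ("name", "id", "placeholder", "autocomplete", "aria-label"))
        for category, words in KEYWORDS:
            if any(w in hay for w in words):
                self.fields.add(category)
                return
        # Fall back to the input type when no keyword matched.
        if a.get("type") == "password":
            self.fields.add("password")
        elif a.get("type") == "tel":
            self.fields.add("phone")


def fields_on_page(html):
    collector = FieldCollector()
    collector.feed(html)
    collector.close()
    return collector.fields


def analyse_flow(pages):
    """pages: HTML of each step of one flow, in order. Returns findings."""
    per_page = [fields_on_page(p) for p in pages]
    seen = set().union(*per_page)
    findings = []
    if CARD_SET <= seen:
        findings.append("full-card-set")
    if "password" in seen and seen & CARD_SET:
        findings.append("login-plus-card-data")
    if "otp" in seen and seen & CARD_SET:
        findings.append("sms-code-with-card-data")
    if any("password" in p and p & {"phone", "balance"} for p in per_page):
        findings.append("extra-data-on-login-form")
    return findings


# Constructed markup modelled on the flows described on this page.
NETFLIX_LIKE = [
    '<form><input name="fullname"><input name="cardnumber" autocomplete="cc-number">'
    '<input name="exp" placeholder="MM/YY" autocomplete="cc-exp">'
    '<input name="cvv" type="password"></form>',
    '<form><input name="address"><input name="city"><input name="zip">'
    '<input name="phone" type="tel"></form>',
    '<form><input name="code" placeholder="SMS code" autocomplete="one-time-code"></form>',
]
POSTE_LIKE = [
    '<form><input name="username"><input name="password" type="password">'
    '<input name="telefono" type="tel">'
    '<input name="saldo" placeholder="Saldo approssimativo"></form>',
]
CAIXA_LIKE = [
    '<form><input name="identificador"><input name="contrasena" type="password"></form>',
    '<form><input name="tarjeta" autocomplete="cc-number">'
    '<input name="caducidad" autocomplete="cc-exp"><input name="cvv"></form>',
]
PLAIN_LOGIN = ['<form><input name="username"><input name="pw" type="password"></form>']

if __name__ == "__main__":
    for label, flow in [("netflix-like", NETFLIX_LIKE), ("poste-like", POSTE_LIKE),
                        ("caixa-like", CAIXA_LIKE), ("plain login", PLAIN_LOGIN)]:
        print(label, analyse_flow(flow) or "no findings")
```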

What to do if you encounter this:

  • Do not enter your username, password, phone number, or balance on this page.
  • If you are a Poste Italiane customer, always access PostePay by typing poste.it directly into your browser or by using the official PostePay mobile app.
  • If you have already entered your credentials, change your PostePay password immediately and enable two‑factor authentication (2FA) if available. Contact Poste Italiane’s fraud department to secure your account.
  • Report the phishing page to Poste Italiane (e.g., by forwarding the original message to [email protected]).

Why this scam is effective:
PostePay is widely used in Italy, and many customers are familiar with its login interface. The extra fields (phone number, balance) may seem like additional “security” or “verification” steps to unsuspecting users. The threat of account suspension or a security issue creates urgency, making victims more likely to enter the requested information without carefully checking the URL.

Protective measures:

  • Bookmark the official Poste Italiane login page and use that bookmark to access your account—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate poste.it domains, not on phishing sites.
  • Never provide your phone number or account balance on a login page. The bank already has this information.
  • Enable two‑factor authentication (2FA) on your PostePay account if available, to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your account.
  • Check the URL carefully: Legitimate Poste Italiane domains end with poste.it. Look for misspellings, extra words, or unusual top‑level domains.
  • If in doubt, contact Poste Italiane directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

La Banque Postale fake page in French detected

These two screenshots show a phishing campaign impersonating La Banque Postale, a major French bank. The scam uses a fake “Certicode Plus” activation pretext to trick victims into clicking a link that leads to a fraudulent login page designed to steal their online banking credentials (identifiant and mot de passe).


Threat Analysis: La Banque Postale Phishing – Fake “Certicode Plus” Activation

This campaign targets La Banque Postale customers by claiming that their security devices are obsolete and that they must activate Certicode Plus (a legitimate security feature) to continue using online services.

How it works:

  1. Fake Alert Page (First Screenshot)
    The victim receives an email or lands on a page stating that security devices are outdated due to a new update. The page urges the victim to click a button to activate Certicode Plus. The link leads to the next phishing page.
  2. Fake Login Page (Second Screenshot)
    This page mimics the official La Banque Postale online banking portal. It includes:
    • Fields for identifiant (identifier) and mot de passe (password)
    • A virtual keyboard (a real security feature used by the bank)
    • Legitimate-looking menus, COVID-19 notices, and fraud warnings copied from the genuine site

When the victim enters their credentials and clicks “VALIDER,” the information is sent to the attacker.

The goal:
The attacker aims to steal La Banque Postale online banking credentials. With these, they can log into the victim’s account, view balances, transfer funds, and commit fraud.

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not labanquepostale.fr. Legitimate La Banque Postale login is only on the official domain.
  • Unsolicited activation request: La Banque Postale does not send emails or messages with links requiring customers to “activate” Certicode Plus. Legitimate activation happens within the app or after logging in.
  • Virtual keyboard out of context: While the real bank uses a virtual keyboard, its presence on a fake page does not make the page legitimate.
  • Copied content: The second page contains real La Banque Postale branding, menus, and security notices. Attackers copy these to appear authentic.
  • No personalization: The page does not display a security image, account name, or any personalized element that would appear on a legitimate login after initial identification.

What to do if you encounter this:

  • Do not click the activation link or enter any credentials.
  • If you are a La Banque Postale customer, always access online banking by typing labanquepostale.fr directly into your browser or using the official mobile app.
  • If you have already entered your credentials, contact La Banque Postale immediately to change your password and secure your account.
  • Report the phishing pages to La Banque Postale (e.g., [email protected]).

Why this scam is effective:
Certicode Plus is a well-known security feature, so a request to activate it can seem plausible. The fake login page is highly convincing because it copies the bank’s layout, including the virtual keyboard and official-looking fraud warnings. The urgency of “obsolete security devices” pressures victims to act without verifying the URL.

Protective measures:

  • Bookmark the official La Banque Postale login page and use that bookmark to access your account.
  • Use a password manager – it will autofill only on the legitimate domain.
  • Never activate security features via a link in an email. Always go directly to the official site or app.
  • Enable two‑factor authentication (Certicode Plus) through the official app, not through a web link.
  • Check the URL carefully: Legitimate La Banque Postale domains end with labanquepostale.fr. Look for misspellings, extra words, or unusual top‑level domains.

Credit Agricole phishing page in French revealed

This screenshot shows a phishing landing page impersonating a French bank (likely Crédit Agricole or another institution using the “SécuriPass” security feature). The scam uses a fake security update pretext based on the EU’s PSD2 (second payment services directive) to pressure victims into clicking a malicious link.


Threat Analysis: French Bank Phishing – Fake “SécuriPass” Activation Scam

This phishing message claims that access to the victim’s online account is restricted due to non‑compliance with security rules. It references the EU’s PSD2 directive, stating that strong authentication is required every 90 days. The victim is told to click a button to activate “SECURTPASS” (a misspelling of the legitimate SécuriPass) or face a banking ban.

How it works:
The victim receives this message (likely by email) and is directed to click the activation button. The link leads to a fake bank login page designed to steal the victim’s online banking credentials and possibly two‑factor authentication codes (SMS or SécuriPass codes).

The goal:
The attacker aims to steal online banking credentials to take over the victim’s account, transfer funds, and commit fraud.

Red flags to watch for:

  • Suspicious URL: The link leads to a domain that is not the official bank domain. Legitimate banks do not send activation links in emails.
  • Misspelling: “SECURTPASS” instead of the correct “SécuriPass” (or similar) is a clear sign of a phishing attempt.
  • Threat of banking ban: The warning that ignoring the message will result in a “banking ban” is a classic fear tactic to pressure victims into acting without thinking.
  • Unsolicited activation request: Banks do not require customers to click links in emails to activate security features. Legitimate security updates are handled within the online banking portal or mobile app after the customer logs in normally.
  • Generic greeting: The message does not address the victim by name or reference any specific account details.

What to do if you encounter this:

  • Do not click the activation button or any links in the message.
  • If you are a customer of the bank being impersonated, access your account by typing the official bank URL directly into your browser.
  • If you have already clicked the link and entered any credentials, contact your bank immediately to secure your account.
  • Report the phishing message to the bank’s fraud department.

Protective measures:

  • Never click links in unsolicited emails claiming you need to activate a security feature.
  • Always type your bank’s official website address directly into your browser.
  • Enable two‑factor authentication through your bank’s official app, not via email links.
  • Be suspicious of any message that creates urgency, threatens negative consequences, and asks you to click a link.

CaixaBank fake page in Spanish detected

These two screenshots show a two‑step phishing campaign impersonating CaixaBank, a major Spanish bank. The scam is designed to first steal the victim’s online banking credentials (Identificador and Contraseña) and then their full card details (card number, expiration date, CVV) under the guise of “card PIN verification.”


Threat Analysis: CaixaBank Phishing – Credential & Card Data Harvesting

This campaign uses a multi‑page flow to collect everything needed to take over a bank account and use the associated payment card.

How it works:

Step 1 – Fake CaixaBankNow Login Page (First Screenshot)
The victim lands on a page that mimics the CaixaBankNow online banking login. It asks for:

  • Identificador (user ID)
  • Contraseña (password)

The page includes options like “virtual keyboard” and “remember my ID” to appear legitimate. When submitted, these credentials are captured.

Step 2 – Fake “Card PIN Verification” Page (Second Screenshot)
After the login credentials are stolen, the victim is taken to a second page that claims to verify the card PIN. It asks for:

  • Card number
  • Expiration date (MM/AA)
  • Security code (CVV)

This is a classic card harvesting page. The attacker now has the full card details needed for online purchases, cloning, or adding to a digital wallet.

The goal:

  • Steal online banking credentials to access the account
  • Capture full card details (number, expiry, CVV) for fraud
  • Use both to drain accounts, make unauthorized payments, or commit identity theft

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not caixabank.com or caixabank.es. Always check the address bar.
  • Illogical flow: After logging in, a legitimate bank would never ask for the card number, expiry, and CVV on a separate page. This is a clear phishing pattern.
  • Outdated copyright: The footer shows “© 2021,” a year behind this 2022 campaign.
  • No personalization: Real CaixaBankNow displays a security image or personal greeting after ID entry. This page lacks that.
  • Unsolicited login request: CaixaBank does not send links requiring customers to log in and then “verify” their card.

What to do if you encounter this:

  • Do not enter any credentials or card details on these pages.
  • If you have already entered your login details, contact CaixaBank immediately to change your password.
  • If you entered card details, block your card immediately and dispute any unauthorized charges.
  • Always access CaixaBank by typing caixabank.es directly into your browser.

Protective measures:

  • Bookmark the official CaixaBank login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Never enter your card’s CVV on a page you reached via a link. Legitimate banks do not request this outside a secure, logged‑in session.
  • Enable two‑factor authentication (CaixaBankProtect) through the official app.

UPS fake page detected

These three screenshots show a three‑step UPS phishing campaign designed to harvest personal information, create a new account credential, and steal full credit card details under the guise of a small “verification” fee.


Threat Analysis: UPS Phishing – Personal Info, Account Creation & Card Harvesting

This scam impersonates UPS (United Parcel Service). The victim is told that a package is waiting and they must update their shipping information to receive it. The campaign is structured in three steps:

Step 1 – Personal & Password Page (First Screenshot)
The victim is asked to provide:

  • Full name, address, city, ZIP code
  • Phone number, email address
  • A new password (and confirmation)

This page captures personal identity information and creates a new credential that the attacker can use later.

Step 2 – Fake Processing Page (Second Screenshot)
A waiting screen claims the request is being processed. This creates a sense of legitimacy and buys time while the attacker prepares the next step.

Step 3 – Card Verification Page (Third Screenshot)
The victim is told to “verify” their credit card with a small fee (VAT 0.99) to complete the delivery. The page asks for:

  • Cardholder name
  • Full card number
  • Expiration date
  • CVV

The goal:
The attacker collects:

  • Personal information (name, address, phone, email)
  • A new password (likely for a fake account they create)
  • Complete card details (number, expiry, CVV) for fraud

With this data, they can make unauthorized purchases, clone the card, or sell the information.

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not ups.com. Always check the address bar.
  • Request for a password: UPS does not require you to create a new password just to update shipping information.
  • Request for card details to “verify” a package: A legitimate courier never asks for your credit card CVV to release a package.
  • Fake processing page: Real shipping updates do not include artificial loading screens.
  • Outdated copyright (1994‑2021): The footer date is inconsistent with a 2022 campaign.
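
The “Suspicious URL” red flag from the CaixaBank and UPS analyses above, written as a host check that a mail filter or triage script could apply to a reported link. This is an added example, not code from the original page; the `OFFICIAL` table layout, the labels returned by `classify`, and the `.example` sample links are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Official domains named in the analyses above; the table layout is an assumption.
OFFICIAL = {"caixabank": ("caixabank.es", "caixabank.com"), "ups": ("ups.com",)}

def parse_host(url):
    """Return (hostname, has_userinfo) for an http(s) URL, else (None, False)."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None, False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None, False
    # .hostname is lowercased and excludes any "user@" prefix and the port.
    return parts.hostname.rstrip("."), parts.username is not None

def classify(url, brand):
    """Label a link that claims to belong to `brand` (a key of OFFICIAL)."""
    host, has_userinfo = parse_host(url)
    if host is None:
        return "invalid"
    # Exact match or true subdomain only; "notups.com" must not pass.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL[brand]):
        return "official"
    if has_userinfo:
        return "userinfo-decoy"  # brand text placed before "@" is not the host
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "idn"             # internationalized label, possible homoglyph
    if brand in re.split(r"[.-]", host):
        return "brand-in-host"   # brand used as a label on someone else's domain
    return "unrelated"

# Constructed sample links (reserved .example names), not taken from the campaigns.
SAMPLES = [
    ("caixabank", "https://www.caixabank.es/"),
    ("caixabank", "https://caixabank.es.account-check.example/login"),
    ("caixabank", "https://caixab\u0430nk.es/"),  # Cyrillic "а" in place of "a"
    ("ups", "https://ups.com@parcel-update.example/pay"),
    ("ups", "https://ups-delivery.example/"),
    ("ups", "https://notups.com/track"),
]

if __name__ == "__main__":
    for brand, url in SAMPLES:
        print(f"{classify(url, brand):15} {brand:10} {url}")
```

Anything other than `official` means the link does not lead to the brand's own site, whatever the page looks like; the same kind of host comparison is why a password manager offers no autofill on a fake domain.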

What to do if you encounter this:

  • Do not enter any personal information, passwords, or card details.
  • If you are expecting a UPS delivery, track it directly by typing ups.com into your browser and using your tracking number.
  • If you have already entered card details, contact your bank immediately to block the card.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “small fee” via a link to receive a package. Legitimate couriers handle fees through their official site or upon delivery.
  • Use a password manager – it will not autofill on fake domains.