Nickel phishing page revealed

Thank you for sharing these four screenshots. They show a multi-step phishing campaign impersonating Nickel, a French neobank (a subsidiary of BNP Paribas) that offers fee-based bank accounts typically sold in tobacco shops. The scam is designed to capture the victim’s identifier, access code, SMS verification code, and full card details—enabling full account takeover and card fraud. Here is a detailed English description that avoids exact quotes from the screenshot content to minimize antivirus false positives.

Threat Analysis: Nickel Phishing – Multi-Step Credential, SMS Code & Card Data Harvesting

This phishing campaign impersonates Nickel, a French neobank popular for its accessible accounts. The scam uses a multi-page flow to capture the victim’s identifier, access code, SMS verification code, and full card details (card number, expiration date, CVV). By harvesting all of this information, attackers can gain full access to the victim’s account and use the card for fraudulent transactions.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to the first phishing page.

Step 1 – Fake Login Page (Identifier Entry)
The first page asks for the victim’s identifier (which, according to the page, is found on the back of the physical Nickel card). It also includes a “Remember me” checkbox and options for first-time connection or card opposition.

Step 2 – Fake Access Code Page with Virtual Keyboard
The second page asks for:

  • Identifier (pre-filled or re-entered)
  • Access code (a numeric PIN) using a virtual keyboard

The virtual keyboard is a common security feature in French banking, used to protect against keyloggers. Its presence here is intended to make the page appear legitimate.

Step 3 – Fake SMS Code Page
The third page asks for the SMS code sent to the victim’s mobile phone. This is the two-factor authentication (2FA) code used to verify the login.

Step 4 – Fake Card Details Page
The fourth page requests full card details.

This page is designed to capture all the information needed to use the victim’s card for online purchases or to clone the card.

The goal:
The attacker aims to:

  • Steal the victim’s Nickel account credentials (identifier and access code)
  • Intercept the SMS verification code (2FA)
  • Obtain full card details (number, expiration, CVV)

With this combination, the attacker can:

  • Log into the victim’s Nickel account
  • Make online purchases using the card details
  • Potentially withdraw funds or transfer money
  • Commit identity theft using the victim’s personal information

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not nickel.eu or any official Nickel domain. Legitimate Nickel online access is through the official website or app. Always check the address bar.
  • Multiple sensitive data requests: A legitimate login process would not ask for identifier, access code, SMS code, and full card details in sequence. This combination is a clear sign of a phishing kit.
  • Unsolicited login request: Nickel does not send emails or messages with links requiring customers to log in and provide this level of information to resolve account issues.
  • Card details page after login: After successfully entering credentials and SMS code, a legitimate bank would not ask for full card details. This is a phishing page designed to capture card data after the victim believes they are already logged in.
  • Virtual keyboard: While real Nickel uses a virtual keyboard for security, phishing pages often replicate this feature to appear legitimate. Its presence alone does not guarantee safety.
  • Generic design: The pages mimic Nickel’s branding but lack the full account-specific information that would appear on a legitimate logged-in session.

What to do if you encounter this:

  • Do not enter your identifier, access code, SMS code, or card details on these pages.
  • If you are a Nickel customer, always access your account by typing nickel.eu directly into your browser or by using the official Nickel mobile app.
  • If you have already entered your credentials and SMS code but not card details, contact Nickel immediately to change your credentials and secure your account. Assume the attacker may have already accessed your account.
  • If you have entered your card details, contact Nickel’s fraud department immediately to block your card and dispute any unauthorized transactions.
  • Report the phishing pages to Nickel’s fraud team.

Why this scam is particularly dangerous:
This is a complete account takeover and card fraud phishing kit. The multi-step flow closely mimics legitimate banking processes (identifier, access code, SMS verification), making it highly convincing. The final request for card details is especially dangerous because victims may believe they need to “re-enter” their card information after a security update. The virtual keyboard adds an extra layer of perceived legitimacy.

Protective measures:

  • Bookmark the official Nickel login page and use that bookmark to access your account—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate nickel.eu domains, not on phishing sites.
  • Never enter your SMS verification code on a page you reached via a link. Legitimate banks only ask for 2FA codes after you have initiated a login on their official site.
  • Never enter your full card details (CVV included) after logging in. This is not a standard banking practice.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
  • Check the URL carefully: Legitimate Nickel domains end with nickel.eu. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact Nickel directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

Banco G&T Continental phishing page detected

Threat Analysis: Banco G&T Continental Phishing – Credential & SMS Token Harvesting

This phishing campaign impersonates Banco G&T Continental, one of the largest banks in Guatemala. The scam uses a multi-page flow to capture the victim’s online banking credentials and then the SMS token (two-factor authentication code) , allowing attackers to bypass security measures and gain full access to the account.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to the first phishing page.

Step 1 – Fake Login Page (First Screenshot)
The first page asks for:

  • Usuario (username)
  • Contraseña (password)

This page captures the victim’s primary online banking credentials.

Step 2 – Fake Loading/Waiting Page (Second Screenshot)
The second page displays a fake loading message, stating that the victim’s credentials are being verified. A countdown timer (20 seconds) creates a sense of legitimate processing while the attacker, in the background, uses the stolen credentials to log into the real bank site and trigger an SMS token to the victim’s phone.

Step 3 – Fake SMS Token Page (Third Screenshot)
The third page asks for the SMS token (the two-factor authentication code sent to the victim’s mobile phone). When the victim enters this code, the attacker captures it and uses it to complete the login on the real Banco G&T Continental site.

The goal:
The attacker aims to:

  • Steal the victim’s online banking credentials (usuario and contraseña)
  • Capture the SMS token (2FA code) in real time
  • Gain full access to the victim’s bank account to transfer funds, pay bills, and commit fraud

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not gyb.com.gt or any official Banco G&T Continental domain. Legitimate online banking is accessed through the bank’s official website. Always check the address bar.
  • Unsolicited login request: Banco G&T Continental does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the URL directly or using the official app.
  • Fake loading page with countdown: Legitimate banking sites do not display artificial loading countdown timers during login. This is a classic phishing tactic to buy time for the attacker to use the stolen credentials on the real site.
  • Multi-step design with SMS token request: After entering credentials, the victim is asked for the SMS token. This mirrors the real 2FA flow, making it convincing, but the pages are fake.
  • No personalization or security image: Legitimate Banco G&T Continental login pages may display a security image or personalized greeting. These pages lack such features.
  • Outdated copyright: The footer shows “2022” (the screenshots are from 2023). While not a definitive red flag, outdated copyright notices are common in phishing pages.

What to do if you encounter this:

  • Do not enter your usuario, contraseña, or SMS token on these pages.
  • If you are a Banco G&T Continental customer, always access online banking by typing gyb.com.gt directly into your browser or by using the official mobile app.
  • If you have already entered your credentials but not the SMS token, contact Banco G&T Continental immediately to change your password and secure your account.
  • If you have entered the SMS token as well, the attacker may have already accessed your account. Contact the bank’s fraud department immediately.
  • Report the phishing pages to Banco G&T Continental’s fraud team.

Why this scam is particularly dangerous:
This is a real-time account takeover phishing kit. The attacker uses the stolen username and password immediately to log into the real bank site and trigger an SMS token. The fake loading page buys time for this process. When the victim enters the SMS token on the phishing page, the attacker uses it to complete the login—often within seconds. By the time the victim realizes something is wrong, the attacker may have already transferred funds.

Protective measures:

  • Bookmark the official Banco G&T Continental login page and use that bookmark to access online banking—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate gyb.com.gt domains, not on phishing sites.
  • Never enter your SMS token on a page you reached via a link. Legitimate banks only ask for 2FA codes after you have initiated a login on their official site.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
  • Check the URL carefully: Legitimate Banco G&T Continental domains end with gyb.com.gt. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact Banco G&T Continental directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

The Indiana Department of Workforce Development phishing page detected

Threat Analysis: Indiana DWD Unemployment Benefits Phishing – Fake Uplink CSS Login Page

This phishing campaign impersonates the Indiana Department of Workforce Development (DWD) and its unemployment insurance portal (Uplink CSS). The page is designed to steal claimants’ login credentials—specifically the email address and password used to access unemployment benefits. Scammers target unemployment systems because they contain sensitive personal information and are used to disburse government funds.

How it works:
The victim receives a phishing email, SMS, or other message claiming a problem with their unemployment claim, a need to verify their identity, or a notice about tax documents. The message includes a link to this fake Uplink CSS login page. When the victim enters their email address and password and clicks “Sign In,” the credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal unemployment benefits account credentials. With these, they can:

  • Access the victim’s unemployment insurance account
  • Redirect benefit payments to their own bank accounts
  • Obtain sensitive personal information (Social Security number, address, etc.)
  • Commit identity theft or sell the information

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not in.gov or any official Indiana state government domain. Legitimate Indiana DWD services are accessed through in.gov subdomains. Always check the address bar.
  • Unsolicited login request: The Indiana DWD does not send emails or messages with links requiring claimants to log in to resolve issues. Claimants should always access Uplink CSS by typing the official URL directly.
  • Generic page design: While the page includes some legitimate-looking content (such as a notice about 1099-G tax documents and the Hoosier Talent Network), these elements are copied from the real DWD website. Their presence does not make the page legitimate.
  • Warning message copied from the real site: The page includes a notice about increased fraud and states that “DWD WILL NOT text you about your unemployment insurance claim.” Ironically, this warning is being displayed on a phishing page—a contradiction that careful users might notice.
  • No personalization or security image: Legitimate Uplink CSS login pages may display personalized security questions or account-specific information after entering credentials. This page lacks such features.
  • Incorrect date context: The page mentions “2021 Tax Documents” and a date of Feb. 1, 2022, which are outdated for a 2023 screenshot. While not a definitive red flag, it suggests copied content.

What to do if you encounter this:

  • Do not enter your email address, password, or any other personal information on this page.
  • If you are an Indiana unemployment insurance claimant, always access Uplink CSS by typing uplink.in.gov directly into your browser or by using the official DWD website (dwd.in.gov).
  • If you have already entered your credentials, contact the Indiana DWD immediately to secure your account and change your password. Report the incident to their fraud department.
  • Report the phishing page to the Indiana DWD and to the appropriate authorities (such as the FBI’s IC3 or the state’s fraud reporting system).

Why this scam is effective:
Unemployment insurance claimants are frequent targets of phishing because these accounts contain sensitive personal information and are directly tied to government benefits. The page closely mimics the look and feel of the legitimate Uplink CSS portal, including real program names (Hoosier Talent Network) and official-sounding fraud warnings. The promise of tax documents (1099-G) adds a layer of perceived legitimacy. Claimants who are eager to access their information may click the link without carefully checking the URL.

Protective measures:

  • Bookmark the official Indiana DWD Uplink CSS login page (uplink.in.gov) and use that bookmark to access your account—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate in.gov domains, not on phishing sites.
  • Enable two-factor authentication (2FA) on your unemployment account if available, to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your benefits account.
  • Check the URL carefully: Legitimate Indiana government domains end with in.gov. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact the Indiana DWD directly using a phone number from your official correspondence or the official website—never use contact information provided in a suspicious message.

Banco de Galicia phishing page detected

Threat Analysis: Banco Galicia Phishing – Fake “Acceso” Login Page

This phishing campaign impersonates Banco Galicia, one of the largest banks in Argentina. The page mimics the bank’s login interface to steal customers’ DNI (national identification number), Usuario Galicia (username), and Clave Galicia (password) —the three pieces of information typically required to access online banking.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to this fake Banco Galicia login page. When the victim enters their DNI, Usuario, and Clave and clicks “INICIAR SESIÓN” (the button is truncated but means “Log in”), the credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal the victim’s Banco Galicia online banking credentials. With these, they can log into the victim’s real bank account, view balances, transfer funds, and commit fraud.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not banco-galicia.com.ar or any official Banco Galicia domain. Legitimate Banco Galicia online banking is accessed through the bank’s official website. Always check the address bar.
  • Unsolicited login request: Banco Galicia does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the URL directly or using the official app.
  • Missing security features: Legitimate Banco Galicia login pages typically include a virtual keyboard (which is mentioned but may not function) and a security image or personalized greeting. This page lacks the full security implementation.
  • Typographical error: The login button reads “INICIAR SESI” (missing the final “ÓN”), which is likely a truncation error in the phishing page design. Official bank interfaces do not have such truncations.
  • Poor grammar and truncated text: The text below the form is garbled and incomplete (“Olvidé o bloqueé n°1” followed by nonsensical Spanish). This is a clear indicator of a hastily assembled phishing page.
  • Generic design: While the page uses the Banco Galicia logo and a simple form, it lacks the full navigation, account-specific information, and professional polish of the real bank website.

What to do if you encounter this:

  • Do not enter your DNI, Usuario, Clave, or any other personal information on this page.
  • If you are a Banco Galicia customer, always access online banking by typing banco-galicia.com.ar directly into your browser or by using the official Banco Galicia mobile app.
  • If you have already entered your credentials, contact Banco Galicia immediately through their official customer service hotline to secure your account and change your password.
  • Report the phishing page to Banco Galicia’s fraud department.

Why this scam is effective:
Banco Galicia has millions of online banking customers in Argentina. The page uses the bank’s logo and familiar terminology (“DNI,” “Usuario Galicia,” “Clave Galicia”), which are standard for the bank’s login process. The mention of a virtual keyboard (a real security feature used by the bank) adds a layer of perceived legitimacy. However, the truncation errors and garbled text are red flags that attentive users might notice.

Protective measures:

  • Bookmark the official Banco Galicia login page and use that bookmark to access online banking—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate banco-galicia.com.ar domains, not on phishing sites.
  • Enable two-factor authentication (2FA) on your Banco Galicia account if available, to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
  • Check the URL carefully: Legitimate Banco Galicia domains end with banco-galicia.com.ar. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact Banco Galicia directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

NiCKEL phishing page detected

Threat Analysis: Nickel Phishing – Fake “Sponsorship” Offer Stealing Card Details

This phishing campaign impersonates Nickel, a French neobank (a subsidiary of BNP Paribas). The scam uses a fake “parrainage” (referral/sponsorship) offer to lure victims into providing their personal information and full card details under the guise of participating in a rewards program.

How it works:
The victim encounters this page via a phishing email, SMS, social media post, or other message promoting a lucrative “sponsorship” offer from Nickel. The page claims to offer a reward for referring a friend. To participate, the victim is asked to enter:

  • First name and last name
  • Email address
  • Cardholder name
  • Full card number
  • Expiration date (MM/YY)

The goal:
The attacker aims to:

  • Steal the victim’s full card details (card number, cardholder name, expiration date)
  • Obtain the victim’s email address and full name for identity theft or further attacks

With the card details, the attacker can make unauthorized online purchases, create cloned cards, or sell the information on criminal marketplaces.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not nickel.eu or any official Nickel domain. The presence of “WIX.com” website builder branding at the top indicates this is a cheap, quickly created phishing page, not an official bank site.
  • Request for full card details for a sponsorship program: A legitimate referral program would never require the participant’s full card number and expiration date. This is a clear indicator of a phishing attempt.
  • Too good to be true offer: Fake “sponsorship” or “referral” offers are commonly used to trick victims into providing personal information under the promise of easy rewards.
  • Missing security features: The page lacks any of the security indicators expected on a legitimate banking site (SSL certificate details, official domain, padlock icon in the address bar).
  • Unprofessional design: The page is extremely simple and lacks the full branding, navigation, and legal information that would appear on the legitimate Nickel website.
  • No account login required: A legitimate referral program would require the user to log into their existing Nickel account—not enter card details directly on a promotional page.

What to do if you encounter this:

  • Do not enter your name, email address, card number, expiration date, or any other personal information on this page.
  • If you are a Nickel customer, always access official promotions and your account by typing nickel.eu directly into your browser or by using the official Nickel mobile app.
  • If you have already entered your card details, contact Nickel immediately through their official customer service hotline to block your card and dispute any unauthorized transactions.
  • Report the phishing page to Nickel’s fraud department.

Why this scam is effective:
Nickel accounts are often used by individuals who appreciate the simplicity and accessibility of the service. “Parrainage” (referral) programs are common in French banking and often offer real rewards, so users may be familiar with the concept. The promise of an easy reward can prompt users to enter information without carefully scrutinizing the URL or the legitimacy of the page. The request for card details may not raise immediate suspicion if the victim believes it’s required to “verify” their account for the reward.

Protective measures:

  • Always type the official bank URL directly into your browser—never click links in emails or messages claiming to offer rewards or promotions.
  • Never enter your full card number, expiration date, or CVV in response to a promotional offer. Legitimate banks do not require this information for referral programs.
  • Be suspicious of any unsolicited message that offers easy rewards in exchange for personal information.
  • Check the URL carefully: Legitimate Nickel domains end with nickel.eu. Look for misspellings, extra words, or unusual top-level domains. Also be wary of pages hosted on free website builders like WIX, Weebly, or similar platforms.
  • If in doubt, contact Nickel directly using a phone number from your bank statement or the official website—never use contact information provided in the suspicious message.

Naranja X phishing page detected

Threat Analysis: Naranja X Phishing – Fake Login Page Stealing Email and Password

This phishing campaign impersonates Naranja X, a popular digital financial platform in Argentina that offers credit cards, loans, and digital accounts. The page mimics the platform’s login interface to steal customers’ email address and password.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to this fake Naranja X login page. When the victim enters their email and password and clicks “Iniciar sesión” (Log in), the credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal the victim’s Naranja X account credentials. With these, they can:

  • Log into the victim’s Naranja X account
  • Access linked credit cards and financial services
  • Make unauthorized purchases or transfers
  • Obtain personal information for identity theft

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not naranjax.com.ar or any official Naranja X domain. Legitimate Naranja X online access is through the bank’s official website or mobile app. Always check the address bar.
  • Unsolicited login request: Naranja X does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access their accounts by typing the official URL directly or using the official app.
  • Minimal design: While the page includes the Naranja X logo, it lacks the full branding, navigation menus, security notices, and personalized elements present on the legitimate login page.
  • Missing security features: Legitimate Naranja X login pages typically include additional security elements such as a virtual keyboard, CAPTCHA, or multi-factor authentication prompts. This page has only a basic form.
  • Generic form: The page asks only for email and password without any account-specific personalization or security verification.

What to do if you encounter this:

  • Do not enter your email, password, or any other personal information on this page.
  • If you are a Naranja X customer, always access your account by typing naranjax.com.ar directly into your browser or by using the official Naranja X mobile app.
  • If you have already entered your credentials, contact Naranja X immediately through their official customer service hotline to secure your account and change your password.
  • Report the phishing page to Naranja X’s fraud department.

Why this scam is effective:
Naranja X has millions of users in Argentina, and its digital-first approach means many customers are accustomed to logging in via email and password. The page uses the brand’s recognizable logo and simple, clean design. The straightforward login form mirrors the actual Naranja X interface, making it easy for a distracted user to enter credentials without checking the URL.

Protective measures:

  • Bookmark the official Naranja X login page and use that bookmark to access your account—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate naranjax.com.ar domains, not on phishing sites.
  • Enable two-factor authentication (2FA) on your Naranja X account if available, to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your account.
  • Check the URL carefully: Legitimate Naranja X domains end with naranjax.com.ar. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact Naranja X directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

Daviplata phishing page detected

Threat Analysis: Daviplata Phishing – Credential & SMS Code Harvesting

This phishing campaign impersonates Daviplata, a widely used digital wallet and mobile payment platform in Colombia, operated by Davivienda Bank. The scam uses a multi-page flow to capture the victim’s document number, Daviplata password, and the SMS verification code—the three elements needed to access the account and authorize transactions.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to the first phishing page.

Step 1 – Fake Login Page (First Screenshot)
The first page asks for:

  • Número de documento (Document number – typically the Colombian national ID, “cédula”)
  • Clave Daviplata (Daviplata password)

This page captures the victim’s primary account credentials.

Step 2 – Fake Waiting/Loading Page (Second Screenshot)
The second page displays a fake loading message with a countdown timer (23 seconds), claiming that a code is being sent to the victim’s phone. This page serves two purposes:

  • It creates a sense of legitimate processing
  • It buys time for the attacker to use the stolen credentials to log into the real Daviplata platform and trigger an SMS code to the victim’s phone

Step 3 – Fake SMS Code Page (Third Screenshot)
The third page asks for the SMS verification code sent to the victim’s mobile phone. When the victim enters this code, the attacker captures it and uses it to complete the login on the real Daviplata platform.

The goal:
The attacker aims to:

  • Steal the victim’s Daviplata credentials (document number and password)
  • Capture the SMS verification code (2FA) in real time
  • Gain full access to the victim’s Daviplata account to transfer funds, make payments, and commit fraud

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not daviplata.com or any official Davivienda/Daviplata domain. Legitimate Daviplata access is through the official mobile app or website. Always check the address bar.
  • Unsolicited login request: Daviplata does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access their accounts by opening the official app or typing the official URL directly.
  • Fake loading page with countdown: Legitimate banking apps and platforms do not display artificial countdown timers during login. This is a classic phishing tactic to buy time for the attacker to use stolen credentials on the real site.
  • Multi-step design with SMS code request: After entering credentials, the victim is asked for an SMS code. This mirrors the real 2FA flow, making it convincing, but the pages are fake.
  • Minimal design: The pages lack the full branding, security notices, and personalized elements present on the legitimate Daviplata interface.

What to do if you encounter this:

  • Do not enter your document number, password, or SMS verification code on these pages.
  • If you are a Daviplata user, always access your account by opening the official Daviplata mobile app or by typing the official website URL directly into your browser.
  • If you have already entered your credentials but not the SMS code, change your Daviplata password immediately and contact Davivienda’s customer service to secure your account.
  • If you have entered the SMS code as well, the attacker may have already accessed your account. Contact Davivienda’s fraud department immediately to block your account and reverse any unauthorized transactions.
  • Report the phishing pages to Davivienda’s fraud team.

Why this scam is particularly dangerous:
This is a real-time account takeover phishing kit. The attacker uses the stolen document number and password immediately to log into the real Daviplata platform and trigger an SMS code. The fake loading page buys time for this process. When the victim enters the SMS code on the phishing page, the attacker uses it to complete the login—often within seconds. Daviplata is a popular digital wallet in Colombia, and many users keep significant balances or link their accounts to bank cards, making successful attacks financially damaging.

Protective measures:

  • Always access Daviplata through the official mobile app or by typing the official website URL directly—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate domains, not on phishing sites.
  • Never enter your SMS verification code on a page you reached via a link. Legitimate platforms only ask for 2FA codes after you have initiated a login on their official app or website.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your account.
  • Check the URL carefully: Legitimate Daviplata domains are associated with daviplata.com and davivienda.com. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact Davivienda directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

AOL phishing page detected

Threat Analysis: AOL Phishing – Fake Login Page Stealing Email Credentials

This phishing campaign impersonates AOL (America Online) , an email and online service provider. The page is designed to steal victims’ username, email address, or mobile number and password used to access AOL accounts.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to this fake AOL login page. When the victim enters their username/email/mobile and password and clicks “Sign in,” the credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal AOL account credentials. With these, they can:

  • Access the victim’s email account
  • Search for sensitive information (banking, personal documents, password reset emails)
  • Use the compromised email to reset passwords for other accounts (social media, banking, etc.)
  • Send further phishing messages to the victim’s contacts

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not aol.com or any official AOL domain. The presence of “WIX.com” website builder branding at the top indicates this is a quickly created phishing page, not a legitimate AOL site.
  • Unsolicited login request: AOL does not send emails or messages with links requiring users to log in to resolve account issues. Users should always access AOL by typing the official URL directly.
  • Generic design: While the page uses the AOL logo, it lacks the full navigation, security notices, and personalized elements present on the legitimate AOL login page.
  • “Let’s Chat” button: The presence of a “Let’s Chat” button is unusual for the AOL login page and suggests the page was assembled from a template.
  • Missing security features: Legitimate AOL login pages include SSL certificates and proper domain verification. This page lacks those indicators.
  • WIX.com branding: The “designed with WIX.com” notice is a strong indicator that this page is not an official AOL page. Official AOL is not built on a free website builder.

What to do if you encounter this:

  • Do not enter your username, email, mobile number, or password on this page.
  • If you are an AOL user, always access your account by typing aol.com directly into your browser or by using the official AOL mobile app.
  • If you have already entered your credentials, change your AOL password immediately. If you use the same password for other accounts, change those as well.
  • Enable two-factor authentication (2FA) on your AOL account if available.
  • Report the phishing page to AOL’s abuse team.

Why this scam is effective:
AOL still has millions of users, particularly among those who have used the service for many years. The simple, clean design of the page resembles AOL’s actual login interface. The “Stay signed in” and “Forgot username?” options are familiar elements that add to the illusion of legitimacy. The inclusion of social login options (“G” for Google, “yahoo?”) is unusual for AOL but may confuse some users into thinking the page is legitimate.

Protective measures:

  • Bookmark the official AOL login page and use that bookmark to access your account—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate aol.com domains, not on phishing sites.
  • Enable two-factor authentication (2FA) on your email account to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your email or other account.
  • Check the URL carefully: Legitimate AOL domains end with aol.com. Look for misspellings, extra words, or unusual top-level domains. Also be wary of pages hosted on free website builders like WIX, Weebly, or similar platforms.
  • If in doubt, contact AOL support directly through the official website—never use contact information provided in a suspicious message.

Bancolombia phishing page revealed

Threat Analysis: Generic Banking Phishing – Credential & SMS Code Harvesting

This phishing campaign impersonates a financial institution (likely a bank or digital wallet in Latin America, based on the Spanish language and the “reactivar” – reactivate – pretext). The scam uses a multi-page flow to capture the victim’s username, password, and SMS verification code (two-factor authentication), enabling full account takeover.

How it works:
The victim receives a phishing email, SMS, or other message claiming that their account has been deactivated or requires verification to “reactivate” it. The message includes a link to the first phishing page.

Step 1 – Fake Credentials Page (First Screenshot)
The first page asks for:

  • Usuario (username)
  • Clave (password)

This page captures the victim’s primary account credentials. The pretext of “reactivating” the account creates urgency.

Step 2 – Fake Waiting/Loading Page (Second Screenshot)
The second page displays a fake loading message with a countdown timer (24 seconds), claiming that the victim’s information is being verified. This page serves two purposes:

  • It creates a sense of legitimate processing
  • It buys time for the attacker to use the stolen credentials to log into the real bank/platform and trigger an SMS code to the victim’s phone

Step 3 – Fake SMS Code Page (Third Screenshot)
The third page asks for the SMS verification code sent to the victim’s mobile phone. When the victim enters this code, the attacker captures it and uses it to complete the login on the real platform.

The goal:
The attacker aims to:

  • Steal the victim’s account credentials (username and password)
  • Capture the SMS verification code (2FA) in real time
  • Gain full access to the victim’s account to transfer funds, make payments, or commit fraud

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not the official domain of the legitimate financial institution. Always check the address bar before entering credentials.
  • Unsolicited “reactivation” request: Legitimate banks do not send emails or messages with links requiring customers to log in to “reactivate” accounts.
  • Fake loading page with countdown: Legitimate banking sites do not display artificial countdown timers during login. This is a classic phishing tactic to buy time for the attacker.
  • Multi-step design with SMS code request: After entering credentials, the victim is asked for an SMS code. While this mirrors the real 2FA flow, the pages themselves are fake.
  • Generic branding: The pages lack the specific logos, security notices, and personalized elements that would appear on a legitimate bank’s login interface.
  • “Reactivate” pretext: The claim that the account needs to be reactivated is a common fear-based tactic to pressure victims into acting without thinking.

What to do if you encounter this:

  • Do not enter your username, password, or SMS verification code on these pages.
  • If you are a customer of any financial institution, always access your account by typing the official website URL directly into your browser or by using the official mobile app.
  • If you have already entered your credentials but not the SMS code, contact your bank immediately to change your password and secure your account.
  • If you have entered the SMS code as well, the attacker may have already accessed your account. Contact your bank’s fraud department immediately.
  • Report the phishing pages to the legitimate institution being impersonated.

Why this scam is particularly dangerous:
This is a real-time account takeover phishing kit. The attacker uses the stolen username and password immediately to log into the real platform and trigger an SMS code. The fake loading page buys time for this process. When the victim enters the SMS code on the phishing page, the attacker uses it to complete the login—often within seconds. The “reactivation” pretext is effective because it creates urgency and implies that the account is at risk if no action is taken.

Protective measures:

  • Never click links in unsolicited messages claiming your account needs to be reactivated or verified. Instead, type the official website URL directly into your browser.
  • Use a password manager: It will autofill only on legitimate domains, not on phishing sites.
  • Never enter your SMS verification code on a page you reached via a link. Legitimate banks only ask for 2FA codes after you have initiated a login on their official site.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in to your account.
  • Check the URL carefully: Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact your bank directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.

Citizens Bank phishing page detected

Then visitor will be redirected to the official website of Citizens Bank.

Threat Analysis: Citizens Bank Phishing – Full Identity & Financial Data Harvesting

This phishing campaign impersonates Citizens Bank, a prominent bank in the United States. The scam uses a multi-page flow to capture:

  • Online banking credentials (User ID and Password)
  • Full personal identification information (full name, SSN, address, date of birth, phone number)
  • Full card details (cardholder name, card number, expiration date, CVV)

This combination of data enables attackers to commit identity theft, open fraudulent accounts, and drain victims’ financial accounts.

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The message includes a link to the first phishing page.

Step 1 – Fake Online Banking Login Page (First Screenshot)
The first page mimics Citizens Bank’s online banking login interface, asking for:

  • Online User ID
  • Password

This page captures the victim’s primary banking credentials.

Step 2 – Intermediate Page(s) (Screenshots 2 and 3 – failed to load)
While the second and third screenshots are not available, the pattern suggests they may have been fake loading/waiting pages or additional information requests, designed to make the process appear legitimate and to buy time for the attacker.

Step 3 – Fake “Verify Your Banking Information” – Personal Details Page (Fourth Screenshot)
The fourth page asks for:

  • Full name
  • Social Security Number (SSN)
  • Address, state, city, zip code
  • Date of birth
  • Phone number

This information is used for identity theft and to answer security questions for account takeover.

Step 4 – Fake “Verify Your Banking Information” – Card Details Page (Fifth Screenshot)
The fifth page asks for:

  • Cardholder name
  • Full card number
  • Expiration date
  • Card Security Code (CVV)

This captures the victim’s credit or debit card details for fraudulent purchases.

The goal:
The attacker aims to:

  • Gain full access to the victim’s Citizens Bank online banking account
  • Steal the victim’s identity (SSN, DOB, address, phone) to open new accounts, apply for loans, or commit tax fraud
  • Use the captured card details for unauthorized purchases or to create cloned cards

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not citizensbank.com or any official Citizens Bank domain. Legitimate Citizens Bank online banking is accessed through the bank’s official website. Always check the address bar.
  • Unsolicited login request: Citizens Bank does not send emails or messages with links requiring customers to log in and then provide extensive personal and card information.
  • Excessive data requests: A legitimate bank would never ask for SSN, full card details, and CVV in a single “verification” flow after login. This combination is a clear indicator of a phishing and identity theft operation.
  • Inconsistent page flow: After entering online banking credentials, the victim is taken to pages asking for personal and card details—something that never happens on the real bank site.
  • Copied content: The pages include help sections, navigation menus, and footer content copied from the legitimate Citizens Bank website. Attackers use such content to appear credible, but its presence does not make the pages legitimate.
  • No personalization or security indicators: Legitimate banking portals display account-specific information, security images, or other personalized elements. These pages lack such features.

What to do if you encounter this:

  • Do not enter any information on these pages—neither banking credentials, nor personal details, nor card details.
  • If you are a Citizens Bank customer, always access online banking by typing citizensbank.com directly into your browser or by using the official mobile app.
  • If you have already entered your banking credentials, contact Citizens Bank immediately to change your password and secure your account.
  • If you have entered your SSN, card details, or other personal information, contact your bank’s fraud department, the major credit bureaus (Equifax, Experian, TransUnion) to place a fraud alert or credit freeze, and file a report with the FTC (IdentityTheft.gov) and local authorities.
  • Report the phishing pages to Citizens Bank’s fraud team.

Why this scam is particularly dangerous:
This is a comprehensive identity theft phishing kit. It does not just target banking credentials—it aims to collect enough information for the attacker to impersonate the victim fully. With the victim’s SSN, date of birth, address, and card details, the attacker can:

  • Drain the victim’s bank account
  • Open new credit cards or loans in the victim’s name
  • File fraudulent tax returns to steal refunds
  • Take over other accounts using the stolen personal information

Protective measures:

  • Bookmark the official Citizens Bank login page and use that bookmark to access online banking—never click links in emails or messages.
  • Use a password manager: It will autofill only on legitimate citizensbank.com domains, not on phishing sites.
  • Never provide your SSN, full card details, or CVV on a page you reached via a link. Legitimate banks already have this information on file and will not ask for it in an unauthenticated flow.
  • Enable two-factor authentication (2FA) on your bank account to add an extra layer of protection.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in and then provide extensive personal information.
  • Check the URL carefully: Legitimate Citizens Bank domains end with citizensbank.com. Look for misspellings, extra words, or unusual top-level domains.
  • If in doubt, contact Citizens Bank directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.