Thank you for the clarification. The two screenshots are indeed Hebrew‑language phishing pages impersonating a local courier or postal service (likely Israel Post or a similar carrier). The text appeared garbled in the automatic fetch, but the layout matches the classic two‑step delivery scam.
Threat Analysis: Hebrew Delivery Phishing – Personal Info & Card Harvesting
Step 1 – Personal Information Page The victim is asked to provide:
Full name
Address, city, postal code
Phone number
Step 2 – Card Details Page The second page requests:
Cardholder name
Full card number
Expiration date (MM/YY)
CVV security code
A small delivery fee is displayed (typically a few shekels) to make the payment seem trivial and urgent.
The goal: The attacker collects:
Personal identity details for future fraud or identity theft
Full credit/debit card information to make unauthorized purchases or sell the data
Red flags:
Suspicious URL: The page is hosted on a domain that is not the official postal service website.
Request for CVV: A legitimate courier never asks for your card security code to collect a delivery fee.
Small fee trick: A negligible amount is used to lower suspicion.
No trackable package reference: The victim cannot verify the supposed shipment.
What to do:
Do not enter any personal or card information.
If you are expecting a delivery, track it directly by typing the official courier URL into your browser.
If you have already entered card details, contact your bank immediately to block the card.
Protective measures:
Never click links in unsolicited delivery messages.
Always go directly to the official courier website.
This screenshot shows a Hungarian‑language phishing page impersonating a courier service (likely Magyar Posta or a similar carrier). The scam uses a small delivery fee (362.74 HUF) as a pretext to collect full credit card details and personal address information.
Threat Analysis: Hungarian Delivery Phishing – Card & Personal Data Harvesting
How it works: The victim receives an SMS or email claiming a package requires a forwarding or service fee. The link leads to this page, which asks for:
Full card number, expiration date, CVV
Full name
Street address, city, postal code
A fake tracking number and a small amount (362.74 HUF) are displayed to make the request appear legitimate.
The goal: The attacker captures:
Full credit/debit card details for fraudulent transactions
Personal identity information (name, address) for identity theft
Red flags:
Suspicious URL: The page is not on the official courier’s domain.
Request for CVV: Legitimate postal services never ask for your card security code for a delivery fee.
Small fee trick: A trivial amount lowers suspicion.
No trackable package reference: The victim cannot verify the supposed shipment.
What to do:
Do not enter any personal or card information.
Track packages directly by typing the official courier’s URL into your browser.
If you have already entered card details, contact your bank immediately.
Protective measures:
Never click links in unsolicited delivery messages.
Always go directly to the official courier website.
These two screenshots show a Danish‑language phishing campaign impersonating MobilePay, a popular mobile payment service in Denmark. The scam threatens account suspension and demands that the victim provide their phone number, full card details, and CVV under the pretext of “updating” the account.
How it works: The victim receives an SMS, email, or message claiming that their MobilePay account will soon be blocked. To prevent this, they must “confirm” their information by clicking a link that leads to one of these pages.
The pages ask for:
Phone number (linked to the MobilePay account)
Card number
Expiration date (MM/ÅÅ)
CVV (the three‑digit security code on the back of the card)
A “unique user ID” is displayed to make the page appear personalized, but it is the same static number on all pages.
The goal: The attacker collects:
The victim’s phone number (used for SIM‑swapping or further fraud)
Full credit/debit card details (number, expiry, CVV) to make unauthorized purchases or clone the card
Red flags to watch for:
Suspicious URL: The page is hosted on a domain that is not mobilepay.dk. Legitimate MobilePay services are accessed through the official app or website.
Threat of account closure: MobilePay does not send unsolicited links threatening to block accounts.
Request for CVV: MobilePay never asks for your card security code to “update” or “verify” your account.
Static “unique” ID: The displayed ID (1008796817) is identical on both pages – a clear sign of a phishing template.
Poor Danish phrasing: The text contains minor grammatical inconsistencies that would not appear in official communications.
Unsolicited action required: Any legitimate request to update payment information would happen within the app or after logging in, not via a link.
What to do if you encounter this:
Do not enter your phone number, card details, or CVV.
If you are a MobilePay user, always open the official app to check for any notifications or account issues.
If you have already entered card details, contact your bank immediately to block the card.
Report the phishing page to MobilePay’s fraud team.
Protective measures:
Never click links in unsolicited messages threatening account closure.
Always use the official MobilePay app to manage your account.
Never provide your card’s CVV outside of a trusted, direct purchase environment.
Enable two‑factor authentication on your bank and email accounts.
This screenshot shows a Spanish‑language phishing page impersonating a delivery service (such as Correos or another courier). The scam asks the victim to pay a small fee (€1.98) for a “new delivery attempt” and in the process harvests full credit card details.
Threat Analysis: Delivery Phishing – Small Fee & Card Harvesting
How it works: The victim receives an SMS, email, or messaging app alert claiming a package could not be delivered and that a small fee is required to schedule a new delivery attempt. The link leads to this page, which mimics a courier’s payment interface. The victim is asked to provide:
Cardholder name
Full card number
Expiration date (MM/AA)
CVV security code
A total of €1.98 is displayed, with a fake breakdown (VAT, partial total) to appear legitimate. A “secure payment” badge and SSL claim are added to create a false sense of security.
The goal: The attacker captures complete credit/debit card information to make fraudulent purchases, clone the card, or sell the data.
Red flags to watch for:
Suspicious URL: The page is hosted on a domain that is not the official courier’s website.
Request for CVV: A legitimate delivery service never asks for your card security code to collect a redelivery fee.
Small fee trick: €1.98 is a trivial amount intended to lower suspicion.
No tracking or package reference: The page lacks a verifiable tracking number or any personalization linking it to an actual shipment.
Fake security badges: The “SSL protegido” and padlock icons are copied from legitimate sites but do not guarantee authenticity.
What to do if you encounter this:
Do not enter any card or personal information.
If you are expecting a delivery, track it directly by typing the official courier’s URL into your browser.
If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
Report the phishing page to the legitimate courier service and to the relevant authorities.
Protective measures:
Never click links in unsolicited delivery messages. Always go directly to the official courier website.
Never pay a “redelivery fee” via a link. Legitimate fees are handled in person, through the official app, or after logging into your account on the official site.
Check the URL carefully: Look for misspellings, extra words, or unusual top‑level domains.
Enable transaction alerts on your bank account to catch unauthorized charges early.
These two screenshots show a phishing campaign impersonating Spotify, targeting users with a fake subscription renewal alert. The scam threatens that the victim’s subscription will be lost unless they update their payment method, then directs them to a page that steals full credit card details.
How it works: The victim receives an email, SMS, or notification claiming their Spotify subscription could not be renewed and will be lost. A link leads to the first page, which repeats the warning and prompts the user to click “UPDATE.” The second page mimics Spotify’s payment interface and asks for:
Card number
Security code (CVV)
Expiration date (MM/YYYY)
The goal: The attacker collects full credit/debit card details to make fraudulent purchases or sell the information.
Red flags:
Suspicious URL: The pages are hosted on a domain that is not spotify.com. Legitimate Spotify payment updates are done within the account settings or official app.
Urgent threat: The message claims the subscription will be lost immediately – a classic fear tactic.
Request for CVV: Spotify never asks for your card security code via an external link.
Generic design: The pages lack personalized account details (e.g., username, plan type, last billing date) that would appear in a genuine notification.
Unsolicited request: Spotify does not send links requiring users to update payment methods through a separate web form.
What to do:
Do not enter any card details.
Open the Spotify app or website directly (type spotify.com) and check your account status under “Subscription.”
If you have already entered card details, contact your bank immediately to block the card.
Protective measures:
Never click links in unsolicited subscription alerts.
Always manage subscriptions through the official app or website.
Enable two‑factor authentication on your email and financial accounts.
These two screenshots show a Spanish‑language phishing campaign impersonating Correos (the Spanish postal service). The scam uses a fake delivery fee (€2.64) and an urgent deadline to trick victims into providing full credit card details.
How it works: The victim receives an SMS, email, or message claiming that a package is waiting and a fee is required for a new delivery attempt. The first page warns of a “last deadline” and offers a “RECIBIR” (receive) button. Clicking it leads to the second page, which asks for:
Cardholder name
Full card number
Expiration date (month/year)
CVV security code
The page displays a total of €2.64, a fake tracking reference, and a checkbox to accept a privacy policy – all designed to appear legitimate.
The goal: The attacker captures full credit/debit card details to make fraudulent purchases or sell the information.
Red flags to watch for:
Suspicious URL: The pages are hosted on a domain that is not correos.es – the official Correos domain.
Request for CVV: Correos never asks for your card security code to collect a redelivery fee.
Small fee trick: €2.64 is a trivial amount intended to lower suspicion.
Fake tracking reference: The “Código de envío : ES/” is incomplete and cannot be verified on the real Correos site.
Urgent deadline: The mention of a “last deadline” pressures victims to act without thinking.
Copied branding: The pages use the Correos logo, app store badges, and footer links copied from the real website to appear authentic.
What to do if you encounter this:
Do not enter any card or personal information.
If you are expecting a delivery, track it directly by typing correos.es into your browser and using your real tracking number.
If you have already entered card details, contact your bank immediately to block the card.
Report the phishing page to Correos (e.g., via their official fraud reporting page).
Protective measures:
Never click links in unsolicited delivery messages. Always go directly to the official courier website.
Never pay a “redelivery fee” via a link. Legitimate fees are handled in person, through the official app, or after logging into your account.
Check the URL carefully: Official Correos domains end with correos.es. Look for misspellings, extra words, or unusual top‑level domains.
These six screenshots show a multi‑step phishing campaign impersonating Santander Bank, targeting Spanish‑speaking customers. The attack is designed to harvest:
Online banking credentials (documento and clave)
Electronic signature coordinates (a second factor used in Spanish banking)
Full card details (number, expiration, CVV)
PIN (likely the card’s ATM PIN)
The flow mimics real Santander security steps, making it particularly convincing.
Step 1 – Fake Login Page (Screenshots 1 & 4) The victim lands on a page that looks like Santander’s online banking login. It asks for:
Documento (NIF – national ID)
Clave de acceso (password)
“Recordar usuario” and links to recover credentials are included to appear legitimate.
Step 2 – Fake Electronic Signature Page (Screenshots 2 & 5) After submitting credentials, the victim is asked to enter the positions of their “electronic signature” – a real second‑factor authentication method used by Spanish banks. The page typically asks for specific digits from a pre‑established grid. This step captures the second factor needed to authorize transactions.
Step 3 – Fake Card & PIN Verification Page (Screenshots 3 & 6) The final step asks for:
Card number
Expiration date (MM/YY)
CVV
PIN (the card’s ATM or security PIN)
A message claims this is to “verify the cardholder” and that an SMS will be sent – a common tactic to make the victim believe this is a normal security check.
The goal: The attacker captures:
Online banking credentials (documento + password)
Electronic signature coordinates (second factor)
Full card details (number, expiry, CVV)
ATM or card PIN
With this combination, the attacker can log into the victim’s bank account, authorize transactions, and use the card for ATM withdrawals or online purchases.
Red flags to watch for:
Suspicious URL: All pages are hosted on a domain that is not santander.es or the official Santander domain.
Multi‑step flow with excessive requests: A legitimate bank login does not require entering electronic signature positions and full card details + PIN in a single session.
PIN request on a web page: Banks never ask for your ATM PIN on a website.
Unsolicited login request: Santander does not send links requiring customers to log in and complete multiple verification steps.
Copied branding: The pages use Santander’s logo, color scheme, and terminology, but the design has inconsistencies compared to the real site.
What to do if you encounter this:
Do not enter any information on these pages.
If you are a Santander customer, always access online banking by typing the official URL directly (e.g., santander.es).
If you have already entered your credentials, electronic signature positions, or card details, contact Santander immediately to block your account, card, and change all credentials.
Report the phishing pages to Santander’s fraud team.
Protective measures:
Never click links in unsolicited messages claiming bank issues.
Use a password manager – it will not autofill on fake domains.
Never provide your card PIN or CVV on a page reached via a link.
Enable two‑factor authentication through the bank’s official app, not via web links.
Check the URL carefully: Legitimate Santander domains end with santander.es (or .com for other countries). Look for misspellings, extra words, or unusual top‑level domains.
We use cookies to optimize our website and our service.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
