Woolworths Vendor Summit fake page

High-Risk Alert: Corporate “Vendor Summit” Phishing Scam

This image displays a classic example of B2B (Business-to-Business) Phishing. Scammers are impersonating the Australian retail giant Woolworths to harvest corporate intelligence and employee data.

How the Scam Works:

  1. Exploiting Professional Authority: By using the Woolworths Vendor Summit 2026 branding, attackers target business partners and suppliers. They exploit the victim’s desire to maintain a good relationship with a major client.
  2. The “Registration” Hook: The page asks for “Company Name,” “Agent Name,” and “Designation.” This is Corporate Reconnaissance. Scammers use this data to perform more convincing Business Email Compromise (BEC) attacks later.
  3. The Image Upload Trap: The request to “Upload Image” is particularly dangerous. It can be used to harvest biometric data (photos) or, more maliciously, to trick users into uploading sensitive corporate ID documents.
  4. Critical Technical Red Flags:
     • Insecure Connection: The browser explicitly marks the site as “Not secure.” Legitimate corporate portals always use encrypted HTTPS.
     • Numerical URL: The website uses a raw IP address (43.225.148.223) instead of an official domain like woolworths.com.au. No major corporation hosts registration forms on an exposed IP address.
     • Non-Standard Port: The use of port :8082 is a common sign of a temporary, malicious server setup.

How to Protect Your Organization:

  • Verify the Source: Official Woolworths communications will only come from verified @woolworths.com.au email addresses and point to official domains.
  • Inspect the URL: Never enter data into a site that uses a raw IP address (numbers only) or displays a “Not secure” warning.
  • Report & Block: If you encounter this specific IP or similar “Registration Forms,” report them to your IT Security department immediately.

Quick Check: Is This Site a Scam?

Before entering any corporate or personal data, look for these 4 Red Flags identified in the recent Woolworths impersonation scam:

  • 🚩 The “Not Secure” Warning: If your browser displays a “Not secure” message in the address bar, stop immediately. Legitimate companies always use HTTPS to encrypt your data.
  • Numbers instead of a Name: Official portals use clear domains (e.g., woolworths.com.au). If the address is just a string of numbers (like 43.225.148.223), it is almost certainly a malicious server.
  • Unusual Data Requests: Be wary of forms asking for “Agent Names,” “Designations,” or especially those requiring you to upload images/files on an unverified site.
  • Poor Visual Quality: Look for “copy-paste” logos, inconsistent fonts, or strange phrasing like “Add Image Like.” Real corporate sites go through strict quality control.

Rule of Thumb: If a registration link doesn’t end in the official company domain, do not click, do not type, and do not upload.

Meine AOK (a major German health insurance provider) fake page detected

This screenshot is a perfect example of a sophisticated phishing landing page. Here is a description of this method in English, designed to inform and warn users:

Phishing Alert: The “Professional Insight” Subscription Trap

This image reveals a deceptive phishing tactic used to harvest personal information under the guise of a professional newsletter subscription.

How the Scam Works:

  1. Impersonation & Trust: The page uses the branding “Meine Aok” (mimicking a major German health insurance provider) to create a false sense of security. It uses a clean, professional layout and promises “Exclusive Content” and “Expert Analysis” to lure targets.
  2. The Hook: It appeals to professionals by offering “Industry Insights” and “Weekly Updates,” claiming that thousands of others have already joined.
  3. Data Harvesting: The form asks for your Full Name and Email Address. While it looks like a standard sign-up, this information is used to build profiles for identity theft or to launch more targeted “spear-phishing” attacks.
  4. Malicious Domain: The URL in the address bar is meine-aok.digital. The official domain for AOK is aok.de. Scammers often use .digital, .info, or hyphenated names to trick users who aren’t looking closely.

Red Flags to Watch For:

  • Mismatched URL: Always check the domain. If the brand is “AOK” but the URL ends in something other than their official .de domain, it is a scam.
  • Generic Language: The text “Stay Ahead with Professional Insights” is very generic and doesn’t align with the actual services a health insurance company provides.
  • Privacy Policy Links: Often, on these fake sites, the “Privacy Policy” links are either broken or lead back to the same page.

How to Stay Safe:

  • Never enter your details on a site reached via a suspicious link in an email or SMS.
  • Manually type the official website address into your browser if you need to access a service.
  • Look for the lock icon, but remember: even scam sites can have SSL certificates. The domain name is your best clue.
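The address-bar checks given for the Woolworths page (plain http, a raw IP address, a non-standard port) and for the AOK page (a brand word inside a look-alike domain on an unusual TLD) can be automated in a mail-gateway rule or a triage script. The Python below is an added example written for this page, not code from the original posts or from any vendor; the brand allowlist, the TLD and free-hosting lists and the crude registrable-domain rule are assumptions chosen for illustration (a production version would use the public suffix list).

```python
"""Static red-flag checks for a link, modelled on the indicators in the posts above."""
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Constructed allowlist (assumption for this example): brand keyword -> registrable
# domains the brand actually uses. An operator would maintain this list.
OFFICIAL_DOMAINS = {
    "woolworths": {"woolworths.com.au"},
    "aok": {"aok.de"},
    "poshmark": {"poshmark.com"},
}

# Top-level domains the posts call out as unusual for a corporate portal (assumed list).
SUSPICIOUS_TLDS = {"sbs", "top", "xyz", "tv", "digital", "info"}

# Free/developer hosting suffixes no bank or retailer uses for a real portal (assumed list).
FREE_HOSTING_SUFFIXES = ("github.io", "vercel.app", "atoms.dev")

STANDARD_PORTS = {"http": 80, "https": 443}


def is_ip_literal(host: str) -> bool:
    """True when the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction with no public-suffix list: keep the last
    two labels, or three when the middle one is a generic second-level label under a
    two-letter country code (woolworths.com.au, example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "co", "org", "net", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def url_red_flags(url: str) -> List[str]:
    """Return the red flags raised by a URL, in check order; an empty list means none."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")          # the browser's "Not secure" warning
    if is_ip_literal(host):
        flags.append("raw-ip-host")        # numbers instead of a name
        domain = ""
    else:
        domain = registrable_domain(host)
    port = parts.port                      # None unless written explicitly in the URL
    if port is not None and port != STANDARD_PORTS.get(parts.scheme):
        flags.append(f"non-standard-port:{port}")
    if domain:
        tld = domain.rsplit(".", 1)[-1]
        if tld in SUSPICIOUS_TLDS:
            flags.append(f"unusual-tld:.{tld}")
        if any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES):
            flags.append("free-hosting")
        # Brand keyword present in host or path, but the registrable domain is not the brand's own.
        haystack = (host + parts.path).lower().replace("-", "")
        for brand, official in OFFICIAL_DOMAINS.items():
            if brand in haystack and domain not in official:
                flags.append(f"brand-lookalike:{brand}")
    return flags


if __name__ == "__main__":
    for sample in (
        "http://43.225.148.223:8082/vendor-summit",       # address shape from the Woolworths post
        "https://meine-aok.digital/subscribe",            # domain from the AOK post
        "https://www.woolworths.com.au/vendor-summit",    # constructed benign control
    ):
        print(sample, "->", url_red_flags(sample) or "no flags")
```

The brand check is deliberately a keyword heuristic: it fires on the brand name appearing anywhere in the host or path while the registrable domain is not on the allowlist, which catches both `meine-aok.digital` and a brand name buried in the path of an unrelated domain, at the cost of occasional false positives on unrelated words containing the keyword.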

Fake Storage Alert – Credential / Payment Harvesting Scam

This screenshot shows a fake “storage alert” phishing page designed to scare victims into believing their device or cloud storage is nearly full. The message threatens data loss, blocked files, and backup suspension unless the user clicks an “UPGRADE NOW” button – which leads to a phishing site.


Threat Analysis: Fake Storage Alert – Credential / Payment Harvesting Scam

How it works:
The victim receives an email, pop‑up, or SMS claiming that their storage is critically low. The message uses urgent language (“URGENT REMINDER”, “Action required”, “Failure to act may result in backup suspension”) to create fear. A button labelled “UPGRADE NOW” is prominently displayed.

Clicking the button leads to a fraudulent website that:

  • Asks for cloud account login credentials (e.g., Google, Microsoft, iCloud, Dropbox)
  • Requests payment information (credit card details) for a fake storage upgrade
  • Installs malware disguised as a “cleanup tool” or “upgrade utility”

The goal:
The attacker aims to:

  • Steal login credentials for cloud or email accounts
  • Capture credit card details for fraudulent transactions
  • Trick the victim into downloading malware

Red flags to watch for:

  • Unsolicited storage alert: Legitimate storage notifications come from within the app or operating system – not via random emails or pop‑ups with a clickable “UPGRADE NOW” button.
  • Threats of immediate data loss: “New files and emails will be blocked”, “Backups will fail silently”, “Important data may be lost permanently” – these are classic fear tactics.
  • Vague system references: The message does not specify which service or device is affected (e.g., no mention of Google Drive, iCloud, Windows, etc.).
  • Generic branding: No company logo or official header is shown.
  • Urgency and pressure: Phrases like “URGENT REMINDER” and “Failure to act” are designed to bypass critical thinking.

What to do if you encounter this:

  • Do not click the “UPGRADE NOW” button or any links.
  • Check your actual storage status through your device’s settings or the official app of your cloud provider.
  • If you have already clicked and entered credentials, change your password immediately and enable two‑factor authentication.
  • If you entered payment details, contact your bank immediately to block your card.
  • Report the phishing page to the legitimate service being impersonated (if identifiable).

Protective measures:

  • Never click links in unsolicited storage alerts. Always check storage directly through official system settings.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on all cloud and email accounts.
  • Be suspicious of any message that creates urgency and threatens data loss.

Poshmark Phishing – Fake Account Restriction & Card Harvesting

This set of screenshots shows a phishing campaign impersonating Poshmark, a popular online marketplace for second‑hand goods. The scam uses a fake “account restricted” notification and a fake support chat to pressure victims into providing full credit/debit card details, personal information, and contact details.


Threat Analysis:

How the scam works (multi‑step flow):

  1. Fake Account Restriction Page – The victim receives a link (via email, SMS, or social media) claiming their Poshmark account is restricted. The page shows a countdown or threat that the account will be deactivated within 24 hours. A “Verify” button is prominently displayed. A fake live chat window appears, with a “support agent” (e.g., “Amelia”) explaining that the victim must provide card details for verification.
  2. Card Details Harvesting Page – The victim is asked to enter card details and billing information. Fake assurances about encryption and GDPR compliance are added.
  3. Fake Order Summary & Submit Page – A final page shows an order summary (often with a small amount or zero) and a “Submit” button. The victim is told that completing this will “validate” their card and restore the account.

The goal:
The attacker collects:

  • Full credit/debit card details (number, expiry, CVV)
  • Personal information (full name, address, email, phone number)

With this data, the attacker can:

  • Make fraudulent online purchases
  • Clone the card or sell the information on criminal markets
  • Use the personal details for identity theft

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain like check0925.sbs, not poshmark.com. Legitimate Poshmark pages are only on official domains.
  • Request for CVV and full card details for “account verification”: Poshmark never asks for your card security code to verify or unblock an account.
  • Fake live chat support: The chat window is not a real support function – it is a scripted message designed to pressure victims. Legitimate customer support does not ask for card details via chat.
  • Threat of account restriction / 24‑hour deadline: Classic urgency and fear tactics.
  • Fake order summary and “Submit” button: There is no actual purchase; this is designed to mimic a checkout process and make the victim believe they are completing a legitimate transaction.
  • Copied branding: The pages use Poshmark’s logos, categories, and footer links, but these are stolen from the real site.
  • Warnings about scams on the page itself: Ironically, the page includes a generic warning about scams – this is copied text and does not make the page legitimate.

What to do if you encounter this:

  • Do not enter any personal or card information.
  • Do not interact with the fake chat or click any buttons.
  • If you are a Poshmark user, always log in directly by typing poshmark.com into your browser. Check your account status from the official dashboard.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Poshmark’s security team and to the hosting provider.

Protective measures:

  • Never click links in unsolicited messages claiming your account is restricted.
  • Always type the official website URL directly into your browser.
  • Never provide your card CVV or expiration date for “account verification” – legitimate businesses do not need this information to confirm your identity.
  • Enable two‑factor authentication on your Poshmark account and email.
  • Be suspicious of any page with a live chat that immediately asks for card details – this is almost always a scam.
  • Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains (.sbs, .top, .xyz).

dao (Danish Parcel Service) Phishing – Fake Delivery Failure & Address Update Scam

This phishing campaign impersonates dao, a Danish parcel delivery service. The scam uses a fake “delivery failed” notification to trick victims into providing personal information, which can later be used for identity theft or to redirect victims to a payment page where credit card details are stolen.

How it works:

  1. Fake Tracking Page – The victim receives an SMS or email with a link to a fake tracking page. The page displays a fake tracking number and a false status (e.g., “Delivery attempt failed”).
  2. Delivery Failure Notice – The victim is informed that the package could not be delivered because the address was unclear. A button or link (e.g., “Update Address”) is presented.
  3. Address Update Form – The victim is taken to a page that asks for personal details: first name, last name, street address, city, postal code, email, and phone number (with Danish country code +45 pre‑filled).
  4. Potential Next Step (not fully shown) – After submitting the address, the victim may be redirected to a payment page requesting card details (e.g., a small “redelivery fee”). This is a common pattern.

The goal:
The attacker collects:

  • Full name, address, postal code, city
  • Email address and phone number

With this information, the attacker can:

  • Sell the data to other criminals
  • Use it for identity theft
  • Target the victim with follow‑up scams (e.g., fake bank calls)
  • If a payment page follows, also steal credit card details

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not dao.dk or the official dao website. The visible fragments (e.g., 135.2.tv, 135.1.tv) suggest a subdomain or odd URL structure.
  • Unsolicited delivery failure notification: dao does not send links to update addresses via SMS or email. Legitimate delivery issues are handled through the official tracking system or by contacting customer service directly.
  • Fake tracking number: The tracking number (CP318587863DK) is fabricated and cannot be verified on the real dao website.
  • Request for personal information before delivery: A legitimate courier already has your address. They will not ask you to re‑enter it via a link in a message.
  • Generic design / copied content: The pages use dao’s branding, navigation menus, and help section links, but these are copied from the real site. The domain is the giveaway.

What to do if you encounter this:

  • Do not enter any personal information (name, address, email, phone).
  • If you have already entered such information, be aware that it may be used for identity theft or follow‑up scams.
  • If you were redirected to a card payment page and entered card details, contact your bank immediately to block your card.
  • Always track packages by typing the official courier URL directly (e.g., dao.dk) and entering your real tracking number.
  • Report the phishing page to dao’s customer service.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never provide your address, email, or phone number in response to a delivery notification link.
  • Check the URL carefully: Official dao domains end with dao.dk. Look for misspellings, extra words, or unusual top‑level domains (e.g., .tv, .th).
  • Enable two‑factor authentication on your email and banking accounts.

Cross-Border B2B Fraud: The “Atoms.dev” Phishing Wave

HIGH RISK / SCAM

A sophisticated phishing campaign originating in Algeria targeted the French business sector. The scammers used Google Share links to bypass email security filters, redirecting victims to a temporary Atoms.dev deployment. The site posed as a fictitious Spanish trade entity, “Pro Lite Stock,” offering fraudulent import/export services for premium Algerian products.

Technical Breakdown

  • Vector: Google Share Redirects (share.google)
  • Hosting: Atoms.dev (Serverless Phishing)
  • Identity Theft: Fake Spanish entity “Pro Lite Stock” (Non-existent in Spanish Mercantil Registry).
  • Goal: B2B Credential Harvesting and Invoice Fraud.

Key Facts Table

  • Attacker Origin: Algeria (DZ)
  • Traffic Target: France (FR)
  • Infrastructure: Obfuscated deployment on atoms.dev
  • Status: Neutralized (Domain and IP Cluster Blacklisted)

Expert Advice for French Businesses (Conseil aux Entreprises)

Scammers often impersonate European entities to gain trust. Before interacting with any “Trade Offer” or “Logistics Portal,” take these three steps:

  1. Verify NIF/CIF (Spain) or SIRET/SIREN (France): Any legitimate European company must display its official registration number. The “Pro Lite Stock” entity failed to provide a valid CIF (Código de Identificación Fiscal). You can verify Spanish companies for free via the Registro Mercantil Central.
  2. Inspect the Hosting Infrastructure: No established international trade firm hosts its official portal on developer subdomains like *.atoms.dev or *.vercel.app. These are red flags for temporary, throwaway infrastructure.
  3. Cross-Check the Domain History: Use tools like WHOIS to check the domain age. If a company claims to be a “Trusted Global Partner” but their website was created 14 days ago, it is 100% a scam.


Case Study: Intercontinental Crypto-Scam Uncovered

Our system just neutralized a sophisticated Pump & Dump scheme targeting the Singaporean market using North African infrastructure.
The Technical Anatomy of the Attack:

  • Target Audience: Users in Singapore.
  • Traffic Vector: Paid advertisements on TikTok.
  • Infrastructure: Managed from Morocco (IP cluster 154.144.253.x).

Deep Dive into TikTok Ads Metadata:
Our engine intercepted the link containing specific tracking parameters used by professional fraud-arbitrageurs:

  • utm_source=tiktok & utm_medium=paid: Confirmed high-budget bypass of organic content filters.
  • utm_id=CAMPAIGN_ID: A dynamic macro used in TikTok Ads Manager, indicating a template-based, scalable attack.
  • utm_campaign=CAMPAIGN_NAME: Evidence of an automated “industrial” approach to scam distribution.
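The unexpanded macros listed above (utm_id=CAMPAIGN_ID, utm_campaign=CAMPAIGN_NAME) are something a link-scanning pipeline can test for directly: a hand-placed link carries real values, a mass-produced ad template often leaks the platform's placeholders. The Python below is an added example written for this page, not the Antiphishing.biz engine's code; the macro shapes it recognises and the paid-medium values are assumptions, and the sample URLs in the test are constructed.

```python
"""Detect unexpanded ad-platform tracking macros in a landing-page link."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

TRACKING_KEYS = {"utm_source", "utm_medium", "utm_campaign", "utm_id", "utm_content", "utm_term"}

# Shapes an unsubstituted macro takes (assumed for this example): an ALL_CAPS token
# such as CAMPAIGN_ID, or a {curly} / __dunder__ placeholder. ALL_CAPS is a
# heuristic and can also hit a genuine value such as SALE.
MACRO_PATTERNS = [
    re.compile(r"^[A-Z][A-Z0-9_]{2,}$"),
    re.compile(r"^\{[^}]+\}$"),
    re.compile(r"^__[^_].*__$"),
]

# utm_medium values that indicate paid placement (assumed list).
PAID_MEDIUMS = {"paid", "cpc", "ppc", "paid_social", "paidsocial"}


def is_unexpanded_macro(value: str) -> bool:
    """True when a parameter value still looks like a platform placeholder."""
    return any(p.match(value) for p in MACRO_PATTERNS)


def tracking_profile(url: str) -> Dict[str, object]:
    """Summarise the tracking parameters of a link: where the traffic was bought,
    which parameters still hold platform macros, and whether the combination
    looks like a mass-produced ad template rather than a hand-placed link."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    tracking = {k: v for k, v in query.items() if k in TRACKING_KEYS}
    unexpanded: List[str] = sorted(k for k, v in tracking.items() if is_unexpanded_macro(v))
    paid = tracking.get("utm_medium", "").lower() in PAID_MEDIUMS
    return {
        "source": tracking.get("utm_source"),
        "paid": paid,
        "unexpanded_macros": unexpanded,
        # Paid placement plus leaked macros is the "industrial" pattern the post describes.
        "templated_ad": paid and len(unexpanded) > 0,
    }


if __name__ == "__main__":
    # Constructed sample carrying the parameter names and macro values quoted above.
    sample = ("https://example.invalid/landing?utm_source=tiktok&utm_medium=paid"
              "&utm_id=CAMPAIGN_ID&utm_campaign=CAMPAIGN_NAME")
    print(tracking_profile(sample))
```

The profile is meant to feed a scoring step, not to be a verdict on its own: unexpanded macros on a paid link say the campaign was launched from a template, which is evidence of scale, and it is the combination with the other signals in the post (destination, geography) that pushes the score up.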

The Fraud Mechanism:
Scammers use paid TikTok ads to target affluent regions (Singapore) with “get-rich-quick” narratives. The traffic is funneled to a private Telegram channel “Better Call Ton”, where organizers manipulate TON-based memecoins. Our Covariance Matrix flagged the 10/10 risk score due to the extreme geographical mismatch and the use of automated advertising macros to promote market manipulation.
The Verdict:
The link is Permanently Blocked. The author’s IP is Blacklisted.
By analyzing metadata patterns, Antiphishing.biz stops fraudulent campaigns before they reach their peak.

#CyberSecurity #TikTokAds #MarTech #CryptoScam #TON

GitHub Pages Abused for French Banking Fraud

Phishing Alert: The “Agency Complaint Matrix” Trap

Target: Customers and Employees of French Banking Groups (Crédit Agricole)

Our AI engine, Miniban, has detected a highly sophisticated spear-phishing campaign hosted on GitHub Pages. This attack mimics internal banking tools to bypass standard security filters and steal sensitive financial data.

1. The “Trusted Host” Camouflage

Scammers are using the domain github.io to host their landing pages.

  • The Deception: Because GitHub is a legitimate platform used by developers worldwide, many corporate firewalls do not block these links by default.
  • The Tactic: The URL lumialous.github.io/matrice_reclamations_agences/ is designed to look like a professional internal resource for handling “Agency Complaints” (Réclamations Agences).

2. How the Attack Works (The “Complaint” Hook)

Unlike common phishing that offers “prizes,” this campaign uses negative social engineering.

  • The Hook: Victims are contacted via SMS or Email regarding a “filed complaint” or a “security issue” with their account.
  • The Trap: Users are directed to this fake “Matrix” page to “verify” their identity or “cancel” a fraudulent transaction.
  • The Theft: The page features a perfect clone of the bank’s login interface. Once you enter your credentials, attackers gain full access to your online banking, including the ability to intercept 3-D Secure codes.

3. Why it is Sophisticated

This is part of a Multi-Stage Attack. We have linked this specific GitHub page to recent fraudulent activity involving high-risk 3DS relay intercepts. By using terms like “Matrice” and “Réclamations,” scammers target the victim’s sense of urgency and professional duty.

How to Protect Yourself:

  • Check the Domain: A real bank will never host its login or complaint forms on github.io, vercel.app, or other free hosting providers. Official banking services only operate on their verified private domains (e.g., credit-agricole.fr).
  • Verify the Source: If you receive a link about a “complaint” you didn’t file, do not click it. Log in to your bank’s official app or website directly.
  • Look for SSL Details: While the site may have a green lock (HTTPS), clicking it will show the certificate belongs to “GitHub, Inc.,” not your bank.
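The certificate check in the last bullet can be scripted: the names a certificate carries (its subjectAltName list and subject commonName) either cover the bank's domain or they do not, and a GitHub Pages certificate covers github.io names only. The Python below is an added example written for this page, not Miniban's or the project's own code; the sample certificate dict is constructed in the shape `ssl.getpeercert()` returns, and the wildcard rule (one leftmost label) is a simplification of RFC 6125.

```python
"""Check whether the TLS certificate a site presents actually names the bank's domain."""
import socket
import ssl
from typing import List


def cert_dns_names(cert: dict) -> List[str]:
    """DNS names a certificate is valid for: its subjectAltName entries plus the
    subject commonName, read from the dict shape ssl.getpeercert() returns."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 match: a leading '*.' covers exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and bool(tail) and tail == pattern[2:]
    return pattern == hostname


def cert_covers(cert: dict, hostname: str) -> bool:
    """True when the certificate is valid for `hostname`."""
    return any(name_matches(name, hostname) for name in cert_dns_names(cert))


def who_is_this_cert_for(cert: dict, expected_domain: str) -> str:
    """One-line verdict for a triage script: does the certificate name the brand's domain?"""
    if cert_covers(cert, expected_domain):
        return f"certificate covers {expected_domain}"
    return f"certificate names {', '.join(cert_dns_names(cert))}, not {expected_domain}"


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Live retrieval of a site's certificate (needs network; not used by the offline checks)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in the shape of ssl.getpeercert() output for a GitHub Pages
# site; the values are illustrative, not a captured certificate.
SAMPLE_PAGES_CERT = {
    "subject": ((("commonName", "*.github.io"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "*.github.io"), ("DNS", "github.io")),
}


if __name__ == "__main__":
    # Assumed hostnames: the phishing host quoted in the post and the bank's official domain.
    for expected in ("lumialous.github.io", "credit-agricole.fr"):
        print(who_is_this_cert_for(SAMPLE_PAGES_CERT, expected))
```

The point the script makes concrete is that a valid padlock only proves the connection to `lumialous.github.io` is encrypted; nothing in the certificate ties the page to the bank, which is exactly what the bullet above tells a user to look for.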

Technical Analysis for Pros:

  • Incident ID: PH-FR-8842
  • Threat Type: Credential Harvesting / Spear Phishing
  • Platform Abuse: GitHub Pages
  • Miniban Risk Score: 10/10 (Critical)

___________________________________

Phishing Alert: The “Complaints Matrix” Trap

Target: Customers and employees of French banking groups (Crédit Agricole)

Our artificial-intelligence engine, Miniban, has detected a sophisticated phishing campaign hosted on GitHub Pages. This attack imitates internal bank management tools to bypass standard security filters and steal sensitive financial data.

1. Camouflage on a trusted host

The scammers use the github.io domain to host their landing pages.

  • The deception: Since GitHub is a legitimate platform used by developers worldwide, many corporate firewalls do not block these links by default.
  • The tactic: The URL matrice_reclamations_agences is designed to look like an internal professional resource dedicated to handling “Réclamations Agences” (agency complaints).

2. How the attack works (the “Complaint” hook)

Unlike classic phishing that promises “gifts”, this campaign uses urgency-based social engineering.

  • The hook: Victims are contacted by SMS or e-mail about a “filed complaint” or a “security problem” on their account.
  • The trap: The user is directed to this fake “Matrix” page to “verify” their identity or “cancel” a fraudulent transaction.
  • The theft: The page contains a perfect clone of the bank’s login interface. Once your credentials are entered, the attackers access your account and can intercept 3-D Secure codes.

3. Why is this attack so dangerous?

It is part of a multi-stage attack. We have linked this GitHub page to recent fraudulent activity involving the interception of 3DS relays. By using technical terms such as “Matrice” and “Réclamations”, the fraudsters exploit the victim’s sense of professional duty and anxiety.

How to protect yourself:

  • Check the domain: A bank will never ask you to log in through platforms such as github.io, vercel.app or other free hosting providers. Official services operate only on their verified private domains (e.g. credit-agricole.fr).
  • Check the source: If you receive a link about a “complaint” you did not file, do not click. Log in directly through your bank’s official app or website.
  • Inspect the SSL certificate: Even if the site shows a padlock (HTTPS), clicking on it will reveal that the certificate belongs to “GitHub, Inc.” and not to your bank.

Technical analysis:

  • Incident ID: PH-FR-8842
  • Threat type: Credential theft / Spear Phishing
  • Platform abuse: GitHub Pages
  • Miniban risk score: 10/10 (Critical)

Norwegian BankID phishing revealed

Below is a description of the Norwegian BankID phishing campaign shown in the screenshots. The attack attempts to harvest multiple layers of authentication data.


Threat Analysis: BankID Phishing – Full Credential & 2FA Harvesting (Norwegian Variant)

This multi‑step phishing campaign impersonates BankID, the common Norwegian electronic identification system used by most banks. The attacker’s goal is to collect enough information to log into the victim’s online bank and authorise fraudulent transactions.

How the attack works (six‑step flow):

  1. Fødselsnummer (national ID) – The victim’s 11‑digit personal identification number is requested.
  2. Phone number – The victim is asked to enter their phone number (linked to BankID).
  3. Choice of BankID method – The victim selects between using the BankID app or a kodebrikke (physical code generator).
  4. If “app” is chosen – The victim sees a page stating “Godkjenn med din BankID‑app” (Approve with your BankID app). This is a waiting step, while the attacker uses the previously collected data to trigger a real push notification in the official app.
  5. If “kodebrikke” is chosen – The victim is asked for their BankID password (the one used with the physical code generator).
  6. Additional steps – Depending on the variant, the attacker may also ask for a response from the code generator or for an SMS‑code, all captured in real time.

The goal:
The attacker collects:

  • Phone number (used to identify the victim in the banking system)
  • National ID number (fødselsnummer)
  • BankID password (if the code generator method is used)
  • In the case of the app method, the attacker will also capture the push‑notification approval (by tricking the victim into approving a fraudulent login or transaction).

With this information, the attacker can:

  • Log into the victim’s bank account
  • Authorise payments or money transfers
  • Commit identity theft or sell the data

Red flags to watch for:

  • Suspicious URL: The pages are hosted on myntro-gebyr.com (and subdomains), not on any official Norwegian bank or BankID domain (e.g., bankid.no).
  • Unsolicited request: You should never receive a link to enter your BankID credentials. Real BankID authentication always starts from the bank’s official website or app, not from an external link in a message.
  • Multiple steps with increasing sensitivity: A legitimate BankID login asks for either a single push notification or a one‑time code, not for phone number, national ID, password, and choice of method all in one session.
  • Mixed Norwegian / English wording: Official BankID pages are consistently in Norwegian (Bokmål or Nynorsk). “ID‑porten” (the national authentication portal) is a real name, so its presence alone proves nothing; the URL is what gives the page away.
  • No personalisation: Legitimate BankID steps show a partially masked name or a known device – this page does not.

What to do if you encounter this:

  • Do not enter any personal information, BankID password, or approve any request from your BankID app.
  • If you have already entered your phone number and fødselsnummer, contact your bank immediately to block your BankID.
  • If you have entered your BankID password, change it immediately (through the official bank website, not via any link).
  • If you approved a push notification from your BankID app, call your bank’s fraud department immediately – the attacker may already have authorised a transaction.
  • Always access BankID by typing your bank’s official URL directly or by using the official BankID‑app without any external link.

Protective measures:

  • Never click links in unsolicited messages claiming payment issues, package delivery, or account problems – especially if they ask for BankID.
  • Use a password manager – it will not autofill on fake domains.
  • Enable BankID with push notifications (app) – and never approve a request unless you have just initiated a login yourself.
  • Check the URL carefully – legitimate BankID pages are on bankid.no or your bank’s domain.
  • If in doubt, contact your bank directly using a phone number from your bank card or official website – never use numbers from a suspicious message.

Posti Phishing – Fake “Key Number” Authentication Scam

Below is a description of this phishing campaign targeting Posti (the Finnish postal service) and using a fake bank authentication page to steal avainluku (key number) credentials.


Threat Analysis: Posti Phishing – Fake “Key Number” Authentication Scam (Finnish Bank Credential Theft)

This phishing campaign impersonates Posti, the Finnish postal service. The scam uses a fake “key number list” (avainlukulista) authentication page – a method commonly used by Finnish banks – to steal the victim’s online banking credentials.

How it works:

Step 1 – Fake Key Number Request Page (First Screenshot)

The victim receives a phishing email, SMS, or other message claiming a package is waiting, a delivery fee is required, or a payment needs to be confirmed. The link leads to a page that mimics the Posti website. The page asks the victim to enter a specific key number from their bank’s key number list – in this case, “208. avainluku” (key number 208). This is a direct attempt to capture one of the one‑time codes used to authenticate banking transactions.

Step 2 – Fake “Processing” Waiting Page (Second Screenshot)

After the victim submits the key number, they are taken to a page claiming that their information is being processed and that they should not leave the page. A waiting time of up to 15 minutes is displayed. This page is designed to:

  • Buy time for the attacker to use the stolen key number to log into the victim’s real bank account
  • Reduce suspicion – the victim believes the process is legitimate and ongoing

The goal:
The attacker aims to:

  • Steal a specific key number (one‑time code) from the victim’s bank key number list
  • Use that code, together with other information (possibly captured in earlier steps not shown), to log into the victim’s bank account
  • Transfer funds or commit fraud

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not posti.fi – the official Posti domain.
  • Request for bank key number on a postal service page: Posti does not ask for your bank’s avainluku numbers. This is a clear sign of a phishing page trying to harvest banking credentials.
  • Unsolicited request: Posti does not send links requiring customers to enter bank authentication codes to release a package or confirm a payment.
  • Generic waiting page with a timer: A legitimate postal service does not display such a page after you submit a code. This is a classic stalling tactic used by phishing kits.
  • Copied content: The pages use Posti’s logos, navigation menus, and social media links, but these are stolen from the real site.

What to do if you encounter this:

  • Do not enter any key numbers or other banking codes.
  • If you have already entered a key number, contact your bank immediately – the code may have already been used to authorise a fraudulent transaction.
  • Always access Posti services by typing posti.fi directly into your browser.
  • Never enter bank authentication codes on a site that is not your bank’s official website.

Protective measures:

  • Bookmark the official Posti website and use that bookmark.
  • Never enter your bank’s key numbers (avainluku) on any third‑party site – not even if the site looks like a familiar postal service.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication through your bank’s official mobile app instead of relying solely on key number lists if possible.
  • Be suspicious of any unsolicited message that asks you to log in or enter a key number via a link.