Crédit Agricole phishing page in French revealed

This screenshot shows a phishing landing page impersonating a French bank (likely Crédit Agricole or another institution using the “SécuriPass” security feature). The scam uses a fake security update pretext based on the EU’s PSD2 (the second Payment Services Directive) to pressure victims into clicking a malicious link.


Threat Analysis: French Bank Phishing – Fake “SécuriPass” Activation Scam

This phishing message claims that access to the victim’s online account is restricted due to non‑compliance with security rules. It references the EU’s PSD2 directive, stating that strong authentication is required every 90 days. The victim is told to click a button to activate “SECURTPASS” (a misspelling of the legitimate SécuriPass) or face a banking ban.

How it works:
The victim receives this message (likely by email) and is directed to click the activation button. The link leads to a fake bank login page designed to steal the victim’s online banking credentials and possibly two‑factor authentication codes (SMS or SécuriPass codes).

The goal:
The attacker aims to steal online banking credentials to take over the victim’s account, transfer funds, and commit fraud.

Red flags to watch for:

  • Suspicious URL: The link leads to a domain that is not the official bank domain. Legitimate banks do not send activation links in emails.
  • Misspelling: “SECURTPASS” instead of the correct “SécuriPass” (or similar) is a clear sign of a phishing attempt.
  • Threat of banking ban: The warning that ignoring the message will result in a “banking ban” is a classic fear tactic to pressure victims into acting without thinking.
  • Unsolicited activation request: Banks do not require customers to click links in emails to activate security features. Legitimate security updates are handled within the online banking portal or mobile app after the customer logs in normally.
  • Generic greeting: The message does not address the victim by name or reference any specific account details.

What to do if you encounter this:

  • Do not click the activation button or any links in the message.
  • If you are a customer of the bank being impersonated, access your account by typing the official bank URL directly into your browser.
  • If you have already clicked the link and entered any credentials, contact your bank immediately to secure your account.
  • Report the phishing message to the bank’s fraud department.

Protective measures:

  • Never click links in unsolicited emails claiming you need to activate a security feature.
  • Always type your bank’s official website address directly into your browser.
  • Enable two‑factor authentication through your bank’s official app, not via email links.
  • Be suspicious of any message that creates urgency, threatens negative consequences, and asks you to click a link.

Caixa Bank fake page in Spanish detected

These two screenshots show a two‑step phishing campaign impersonating CaixaBank, a major Spanish bank. The scam is designed to first steal the victim’s online banking credentials (Identificador and Contraseña) and then their full card details (card number, expiration date, CVV) under the guise of “card PIN verification.”


Threat Analysis: CaixaBank Phishing – Credential & Card Data Harvesting

This campaign uses a multi‑page flow to collect everything needed to take over a bank account and use the associated payment card.

How it works:

Step 1 – Fake CaixaBankNow Login Page (First Screenshot)
The victim lands on a page that mimics the CaixaBankNow online banking login. It asks for:

  • Identificador (user ID)
  • Contraseña (password)

The page includes options like “virtual keyboard” and “remember my ID” to appear legitimate. When submitted, these credentials are captured.

Step 2 – Fake “Card PIN Verification” Page (Second Screenshot)
After the login credentials are stolen, the victim is taken to a second page that claims to verify the card PIN. It asks for:

  • Card number
  • Expiration date (MM/AA)
  • Security code (CVV)

This is a classic card harvesting page. The attacker now has the full card details needed for online purchases, cloning, or adding to a digital wallet.

The goal:

  • Steal online banking credentials to access the account
  • Capture full card details (number, expiry, CVV) for fraud
  • Use both to drain accounts, make unauthorized payments, or commit identity theft

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not caixabank.com or caixabank.es. Always check the address bar.
  • Illogical flow: After logging in, a legitimate bank would never ask for the card number, expiry, and CVV on a separate page. This is a clear phishing pattern.
  • Outdated copyright: The footer shows “© 2021,” which is outdated for a 2022 campaign.
  • No personalization: Real CaixaBankNow displays a security image or personal greeting after ID entry. This page lacks that.
  • Unsolicited login request: CaixaBank does not send links requiring customers to log in and then “verify” their card.

What to do if you encounter this:

  • Do not enter any credentials or card details on these pages.
  • If you have already entered your login details, contact CaixaBank immediately to change your password.
  • If you entered card details, block your card immediately and dispute any unauthorized charges.
  • Always access CaixaBank by typing caixabank.es directly into your browser.

Protective measures:

  • Bookmark the official CaixaBank login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Never enter your card’s CVV on a page you reached via a link. Legitimate banks do not request this outside a secure, logged‑in session.
  • Enable two‑factor authentication (CaixaBankProtect) through the official app.

UPS fake page detected

These three screenshots show a three‑step UPS phishing campaign designed to harvest personal information, create a new account credential, and steal full credit card details under the guise of a small “verification” fee.


Threat Analysis: UPS Phishing – Personal Info, Account Creation & Card Harvesting

This scam impersonates UPS (United Parcel Service). The victim is told that a package is waiting and they must update their shipping information to receive it. The campaign is structured in three steps:

Step 1 – Personal & Password Page (First Screenshot)
The victim is asked to provide:

  • Full name, address, city, ZIP code
  • Phone number, email address
  • A new password (and confirmation)

This page captures personal identity information and creates a new credential that the attacker can use later.

Step 2 – Fake Processing Page (Second Screenshot)
A waiting screen claims the request is being processed. This creates a sense of legitimacy and buys time while the attacker prepares the next step.

Step 3 – Card Verification Page (Third Screenshot)
The victim is told to “verify” their credit card with a small fee (VAT 0.99) to complete the delivery. The page asks for:

  • Cardholder name
  • Full card number
  • Expiration date
  • CVV

The goal:
The attacker collects:

  • Personal information (name, address, phone, email)
  • A new password (likely for a fake account they create)
  • Complete card details (number, expiry, CVV) for fraud

With this data, they can make unauthorized purchases, clone the card, or sell the information.

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not ups.com. Always check the address bar.
  • Request for a password: UPS does not require you to create a new password just to update shipping information.
  • Request for card details to “verify” a package: A legitimate courier never asks for your credit card CVV to release a package.
  • Fake processing page: Real shipping updates do not include artificial loading screens.
  • Outdated copyright (1994‑2021): The footer date is inconsistent with a 2022 campaign.

What to do if you encounter this:

  • Do not enter any personal information, passwords, or card details.
  • If you are expecting a UPS delivery, track it directly by typing ups.com into your browser and using your tracking number.
  • If you have already entered card details, contact your bank immediately to block the card.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “small fee” via a link to receive a package. Legitimate couriers handle fees through their official site or upon delivery.
  • Use a password manager – it will not autofill on fake domains.

Ørsted power company fake page in Danish detected

This screenshot shows a phishing page impersonating Ørsted, a Danish energy company. The scam uses a fake refund offer to harvest card details, phone number, and date of birth—sensitive personal and financial information.


Threat Analysis: Ørsted Refund Phishing – Card & Identity Data Harvesting

The page claims a refund is available (1,060 DKK) and asks the victim to provide:

  • Cardholder name
  • Full card number
  • Expiration date and CVV
  • Phone number (with Danish country code)
  • Date of birth

How it works:
The victim receives an email, SMS, or other message claiming a refund from Ørsted. The link leads to this page. By entering the requested details, the victim unknowingly hands over everything needed to make fraudulent transactions or commit identity theft.

The goal:

  • Steal credit/debit card details for unauthorized purchases
  • Obtain date of birth and phone number for identity theft or SIM swapping

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not orsted.com. Legitimate refunds are handled through official channels, not via a link.
  • Request for full card details, CVV, and birth date for a refund: A legitimate refund does not require this information. Refunds are automatically processed to the original payment method.
  • Unsolicited refund offer: Ørsted does not send unsolicited emails or messages asking customers to enter card details to receive a refund.
  • Poor design: The page uses generic layout and lacks official branding beyond the Ørsted logo.

What to do if you encounter this:

  • Do not enter any personal or card information.
  • If you are an Ørsted customer, log into your official account directly to check for any legitimate refunds.
  • If you have already entered your card details, contact your bank immediately to block the card and dispute any unauthorized transactions.
  • Report the phishing page to Ørsted’s security team.

Protective measures:

  • Never click links in unsolicited messages claiming refunds or payments.
  • Always type the official company URL directly into your browser.
  • Never provide your card CVV or date of birth to “receive” a refund.
  • Enable two‑factor authentication on your bank and email accounts.

Santander bank phishing page detected

These two screenshots show a two‑step phishing campaign impersonating Santander Bank, targeting Spanish‑speaking customers. The scam is designed to first capture online banking credentials (document number and password) and then harvest full card details and the ATM PIN.


Threat Analysis: Santander Phishing – Credential & Full Card Data Harvesting

Step 1 – Fake Login Page (First Screenshot)
The page mimics Santander’s online banking login, asking for:

  • Document number (national ID)
  • Clave de acceso (password)

Step 2 – Card Verification Page (Second Screenshot)
After submitting credentials, the victim is told to “verify” their account by entering:

  • Card number
  • Expiration date (MM/YY)
  • Security code (CVV)
  • ATM PIN

The page claims an SMS verification will follow.

The goal:
The attacker collects:

  • Online banking credentials to access the account
  • Full card details (number, expiry, CVV) for fraudulent purchases
  • ATM PIN to enable cash withdrawals or additional fraud

Red flags:

  • Suspicious URL: The pages are not on santander.com or the official bank domain.
  • ATM PIN request: A legitimate bank never asks for your ATM PIN on a website.
  • Illogical flow: After logging in, a bank does not require you to re‑enter your card details and PIN to “verify” your account.
  • No personalization: Real Santander login pages display a security image or personal greeting after ID entry.

What to do if you encounter this:

  • Do not enter any credentials, card details, or PIN.
  • If you have already entered them, contact Santander immediately to block your card and secure your account.
  • Always access Santander by typing santander.com (or your country’s official domain) directly.

Protective measures:

  • Bookmark the official Santander login page and use it exclusively.
  • Never provide your card’s CVV or ATM PIN on a page you reached via a link.
  • Enable two‑factor authentication through the bank’s official app.

Crédit Agricole fake page detected

This screenshot shows a phishing page hosted on Google Sites impersonating Crédit Agricole, a major French bank. The page uses a fake “SécuriPass activation” pretext to trick victims into clicking a malicious link.


Threat Analysis: Crédit Agricole Phishing – Fake SécuriPass Activation on Google Sites

The page claims that security devices are obsolete due to a new update and urges the victim to click a button to activate “SÉCURIPASS.” The link leads to a fake Crédit Agricole login page designed to steal online banking credentials.

How it works:
The victim receives an email, SMS, or other message directing them to this Google Sites page. The page mimics official Crédit Agricole communication, warning of outdated security devices. Clicking the activation button takes the victim to a fraudulent login page (not shown in this screenshot) where they are asked for their online banking identifier and password.

The goal:
The attacker aims to steal Crédit Agricole online banking credentials to access accounts and commit fraud.

Red flags to watch for:

  • Suspicious URL: The page is hosted on sites.google.com/view/higee. Official Crédit Agricole pages are on the credit-agricole.fr domain, not under a free Google Sites address.
  • Unsolicited activation request: Crédit Agricole does not send links requiring customers to “activate” SécuriPass via third‑party sites.
  • Generic, copied content: The text is a variation of standard phishing templates used against multiple French banks.
  • Threat of negative consequences: The message implies that ignoring the activation will leave the account unprotected, creating urgency.

What to do if you encounter this:

  • Do not click any button or link on this page.
  • If you are a Crédit Agricole customer, access online banking by typing credit-agricole.fr directly into your browser.
  • Report the Google Sites phishing page to Google and to Crédit Agricole’s fraud team.

Why this scam is effective:
Google Sites is a legitimate platform, and some users may not realize that anyone can create a page there. The page closely mimics Crédit Agricole’s visual style and uses real security terminology (“SécuriPass,” “DSP2”), making it appear credible at first glance.

Protective measures:

  • Always check the full URL. Official bank pages do not use free hosting services like Google Sites, WIX, or Weebly.
  • Never activate security features via links in unsolicited messages. Go directly to the bank’s official website or app.
  • Bookmark your bank’s official login page and use that bookmark exclusively.
  • Enable two‑factor authentication (SécuriPass) through the official app, not through web links.

Fake Israel mail page in Hebrew detected



Threat Analysis: Israeli Package Delivery Phishing – Small Fee & Card Harvesting

Step 1 – Fake Delivery Notice (First Screenshot)
The victim receives a message claiming a package is waiting. It includes a fake tracking number and states a small fee (ILS 6.21) is required to complete delivery. The text references EMS / ECO POST to appear legitimate.

Step 2 – Payment & Card Details Page (Second Screenshot)
The victim is directed to a page that asks for:

  • Identity document number (תעודת זהות)
  • Email address
  • Full name
  • Card number
  • Expiration date
  • CVV code

The button is labelled “Pay & Next.”

The goal:
The attacker collects:

  • National ID number (for identity theft)
  • Email address and full name
  • Complete credit card details (number, expiry, CVV)

With these, they can make fraudulent purchases, clone the card, or commit identity theft.

Red flags:

  • Suspicious URL: The page is hosted on a domain that is not an official postal service (EMS, Israel Post, etc.).
  • Small fee trick: Scammers use a tiny amount (ILS 6.21) to make the payment seem trivial and lower suspicion.
  • Request for national ID + card details together: A legitimate delivery service never asks for both.
  • Unsolicited message: Postal services do not send links asking for payment via SMS or email.

What to do if you encounter this:

  • Do not click the link or enter any personal or card information.
  • If you are expecting a package, track it directly by typing the official courier website (e.g., israelpost.co.il) into your browser.
  • If you have already entered card details, contact your bank immediately to block the card.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are handled in person or through the official site after logging in.
  • Enable two‑factor authentication on your bank account and email.

Microsoft phishing page in Spanish detected

This screenshot shows a phishing page impersonating Microsoft (Outlook / Hotmail / Office 365), targeting Spanish‑speaking users. The page is designed to steal the victim’s email address, phone number, or Skype name as the first step in a credential‑harvesting flow.


Threat Analysis: Microsoft Phishing – First‑Step Login Page

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The link leads to this page, which mimics the Microsoft login interface. After entering their email/phone/Skype and clicking “Siguiente” (Next), the victim would be taken to a second fake page asking for their password.

The goal:
The attacker captures the victim’s Microsoft account credentials (email and password) to gain access to email, OneDrive, and any services linked to the account.

Red flags:

  • Suspicious URL: The page is hosted on microfite.c.t.biz, not microsoft.com or outlook.com.
  • Generic design with “key” icon: While the page copies Microsoft’s look, the URL is the clearest indicator of fraud.
  • Unsolicited login request: Microsoft does not send links requiring users to log in to resolve account issues.

What to do:

  • Do not enter your email or any credentials on this page.
  • If you have already entered information, close the page and do not proceed to any next step. Change your Microsoft password immediately and enable two‑factor authentication.
  • Always access Microsoft services by typing outlook.com or microsoft.com directly.

Protective measures:

  • Bookmark the official Microsoft login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Microsoft account.

Fake Correos Mail page detected

This screenshot shows a package delivery phishing page targeting Spanish‑speaking users. The scam claims a delivery attempt failed and asks the victim to pay a small fee (€1.99) to reschedule, capturing full credit card details in the process.


Threat Analysis: Package Delivery Phishing – Small Fee & Card Harvesting

How it works:
The victim receives an SMS or email claiming a package could not be delivered. A link leads to this page, which asks for:

  • Card number
  • Expiration date (MM/AA)
  • Security code (CVV)

The page shows a fake delivery code and a total of €1.99 – a tiny amount designed to lower suspicion. The “Pagar” button submits the stolen card data to the attacker.

The goal:
The attacker collects full credit/debit card details to make unauthorized purchases, clone the card, or sell the information.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not an official postal or courier service.
  • Small fee trick: Scammers use a negligible amount so victims pay without thinking.
  • Request for CVV for a simple redelivery fee: Legitimate delivery services do not ask for CVV codes to reschedule a delivery.
  • No tracking number that can be verified independently: The “E5/2938456” is fake.
  • SSL badge: The “secure payment” badge is fake – phishing pages often add such graphics to appear trustworthy.

What to do if you encounter this:

  • Do not enter any card details.
  • If you are expecting a package, track it directly on the official courier website using your real tracking number.
  • If you have already entered your card details, contact your bank immediately to block the card and dispute any fraudulent charges.
  • Report the phishing page to the legitimate courier company being impersonated.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the courier’s official website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are handled in person or through the official site after logging in.
  • Check the URL carefully. Look for misspellings, unusual domains, or free hosting services.
  • Enable transaction alerts on your bank account to catch unauthorized charges early.
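
The URL check that the red-flag lists above keep returning to, written out as an added example (not part of the original write-up): it classifies a link against the official domains this page names and is run on the two URLs the page quotes, sites.google.com/view/higee and microfite.c.t.biz. The wixsite.com and weebly.com hostnames, the .example hosts and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Official domains, exactly as this page names them for each impersonated brand.
OFFICIAL = {
    "Crédit Agricole": {"credit-agricole.fr"},
    "CaixaBank": {"caixabank.es", "caixabank.com"},
    "UPS": {"ups.com"},
    "Ørsted": {"orsted.com"},
    "Santander": {"santander.com"},
    "Microsoft": {"microsoft.com", "outlook.com"},
    "Israel Post": {"israelpost.co.il"},
}

# Shared platforms where anyone can publish a page. sites.google.com is from
# the page; wixsite.com and weebly.com are assumed hostnames for the "WIX"
# and "Weebly" services it mentions.
FREE_HOSTING = {"sites.google.com", "wixsite.com", "weebly.com"}


def on_domain(host, domain):
    """True only for the domain itself or a subdomain, matched on a label
    boundary, so notups.com and ups.com.evil.example both fail for ups.com."""
    return host == domain or host.endswith("." + domain)


def classify(url, brand):
    """Return (verdict, host, reasons) for a link that claims to be `brand`."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    reasons = []
    if parts.username is not None:
        # In https://ups.com@other.example/ the text before '@' is not the host.
        reasons.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, may render as a lookalike")

    if host and any(on_domain(host, d) for d in OFFICIAL[brand]):
        return "official", host, reasons
    if any(on_domain(host, d) for d in FREE_HOSTING):
        reasons.append("shared hosting platform, not the brand's own domain")
        return "free-hosting", host, reasons
    if any(d in host for d in OFFICIAL[brand]):
        reasons.append("official domain appears inside an unrelated host")
    reasons.append("host is not on the brand's official domain list")
    return "not-official", host, reasons


if __name__ == "__main__":
    samples = [
        ("https://sites.google.com/view/higee", "Crédit Agricole"),  # from the page
        ("microfite.c.t.biz", "Microsoft"),                          # from the page
        ("https://www.credit-agricole.fr/", "Crédit Agricole"),      # constructed
        ("https://credit-agricole.fr.login.example/", "Crédit Agricole"),  # constructed
        ("https://notups.com/", "UPS"),                              # constructed
        ("https://ups.com@parcel.example/track", "UPS"),             # constructed
    ]
    for url, brand in samples:
        verdict, host, reasons = classify(url, brand)
        print(f"{verdict:13} {host:32} {'; '.join(reasons)}")
```

A plain substring or `endswith("ups.com")` test would accept the constructed notups.com and credit-agricole.fr.login.example hosts; the label-boundary match is what rejects them.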

Microsoft phishing page in Spanish detected

This screenshot shows a Spanish‑language phishing page impersonating Microsoft, asking for an unusual combination of credentials: email/phone/Skype, password, and a 4‑digit PIN.


Threat Analysis: Microsoft Phishing – Credential & PIN Harvesting

The page mimics Microsoft’s login interface but adds a 4‑digit PIN field, which is not part of a standard Microsoft login flow. This extra field may be intended to capture a SIM PIN, banking PIN, or a secondary security code that the victim uses elsewhere.

How it works:
The victim receives a phishing email or message claiming a security alert or account issue. The link leads to this page. After entering the email, password, and a 4‑digit PIN, the data is sent to the attacker.

The goal:

  • Steal Microsoft account credentials (email and password) to access email and linked services
  • Capture a 4‑digit PIN that the victim may reuse for banking, phone, or other sensitive accounts

Red flags:

  • Suspicious URL: The page is hosted on a domain that is not microsoft.com or outlook.com.
  • Extra PIN field: A legitimate Microsoft login does not ask for a 4‑digit PIN at this stage.
  • No security image or personalization: Real Microsoft login pages show security phrases or alternate verification methods.
  • Unsolicited login request: Microsoft does not send links requiring users to log in to resolve issues.

What to do:

  • Do not enter any credentials or PIN.
  • If you have already submitted information, change your Microsoft password immediately and enable two‑factor authentication. If you used the same PIN elsewhere (e.g., bank card), contact the relevant institutions.
  • Always access Microsoft services by typing outlook.com or microsoft.com directly.

Protective measures:

  • Bookmark the official Microsoft login page and use it exclusively.
  • Use a password manager – it will not autofill on fake domains.
  • Never reuse PINs across different services.
  • Enable two‑factor authentication on your Microsoft account.