Credit Agricole Bank phishing page revealed

This screenshot shows a phishing page impersonating a French bank (likely Crédit Agricole or a similar institution). It uses a fake security alert related to the European PSD2 directive to pressure victims into clicking a button that leads to a fraudulent login page.


Threat Analysis: French Bank Phishing – Fake “SécuriPass” Activation Scam

The page claims that account access is restricted due to non‑compliance with security rules and that strong authentication (under PSD2) is required every 90 days. The victim is told to activate “SECURIPASS” by clicking a button. A threat of a “banking ban” is added to create urgency.

How it works:
The victim receives an email or message containing a link to this page. Clicking the activation button leads to a fake bank login page designed to steal online banking credentials and possibly two‑factor authentication codes.

Red flags:

  • Unsolicited activation request: Banks do not send links to activate security features via email or landing pages.
  • Threat of immediate consequences: The warning of a “banking ban” is a classic fear tactic.
  • Misspelling: “SECURIPASS” instead of the correct “SécuriPass” (or similar) is a common phishing error.
  • No personalization: The message does not address the victim by name or reference a specific account.

What to do:

  • Do not click the activation button or any links.
  • Access your bank account by typing the official bank URL directly into your browser.
  • If you have already clicked and entered credentials, contact your bank immediately.

Protective measures:

  • Always type your bank’s website address manually.
  • Enable two‑factor authentication through the bank’s official app, not via web links.
  • Be suspicious of any message that threatens account restrictions and asks you to click a link.

Fake Hongkong Post page in Chinese detected

These two screenshots show a phishing campaign impersonating Hongkong Post (香港郵政). The scam uses a fake delivery notification to trick victims into paying a small fee (HK$30.00) and, in the process, steals personal information and full credit card details.


Threat Analysis: Hongkong Post Phishing – Fake Delivery Fee & Personal/Card Data Harvesting

How it works:

The victim receives an SMS, email, or messaging app alert claiming a package is awaiting delivery and a small fee is required to complete the shipment.

Step 1 – Personal Information Page (First Screenshot)
The victim is asked to provide:

  • Address, city, phone number, postal code
  • Date of birth
  • Email address

Step 2 – Card Details Page (Second Screenshot)
The victim is then asked for:

  • Cardholder name
  • Full credit card number
  • Expiration date (MM/YY)
  • CVV / CVC

A fake tracking number and Hongkong Post branding are used to appear legitimate.

The goal:
The attacker collects:

  • Personal information (name, address, DOB, phone, email) for identity theft
  • Full payment card details (number, expiry, CVV) for fraudulent transactions

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not hongkongpost.hk or an official government domain.
  • Request for date of birth and card CVV: A legitimate delivery service does not need your date of birth or card security code to collect a fee.
  • Small fee trick: HK$30 is a trivial amount meant to lower suspicion.
  • Fake tracking number: The tracking code cannot be verified on the official Hongkong Post website.
  • No personalization: The message does not reference a genuine package or tracking number the victim would recognize.

What to do if you encounter this:

  • Do not enter any personal or card information.
  • If you are expecting a package, track it directly on the official Hongkong Post website (hongkongpost.hk) using your real tracking number.
  • If you have already submitted card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Hongkong Post and to the relevant authorities.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are collected at the point of delivery or through secure official portals.
  • Check the URL carefully: Look for misspellings, extra words, or unusual top‑level domains.
  • Enable two‑factor authentication on your email and banking accounts to reduce the impact of credential theft.

Fake Royal Mail page detected

These two screenshots show a phishing campaign impersonating Royal Mail, targeting users in the United Kingdom. The scam uses a fake delivery issue and a small redelivery fee to steal full credit card details.


Threat Analysis: Royal Mail Phishing – Fake Redelivery Fee & Card Harvesting

Step 1 – Fake Tracking Page (First Screenshot)
The victim lands on a page that mimics Royal Mail’s tracking interface. It displays:

  • A fake tracking number
  • A claim that there is an issue with the shipping address
  • Instructions to arrange redelivery

Step 2 – Card Payment Page (Second Screenshot)
The victim is taken to a page that asks for:

  • Full name
  • Card number
  • Expiration date
  • Security code (CVV)

A small redelivery fee (£3.00) is shown to make the payment seem insignificant.

The goal:
The attacker collects complete card details to make fraudulent purchases, clone the card, or sell the information.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not royalmail.com. Legitimate Royal Mail tracking and redelivery are only on official domains.
  • Fake tracking number: The tracking number format may look plausible, but it cannot be verified on the real Royal Mail site.
  • Request for CVV: Royal Mail does not ask for your card security code for redelivery fees. These fees are typically paid through a secure, integrated payment gateway after you log in or confirm your address.
  • Small fee trick: £3.00 is a trivial amount meant to lower suspicion.
  • Copied content: The second page includes real Royal Mail footer links and navigation menus, which are copied from the genuine site to appear authentic.

What to do if you encounter this:

  • Do not enter any card details.
  • If you are expecting a delivery, track it directly by typing royalmail.com into your browser and using your real tracking number.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Royal Mail (e.g., via their official fraud reporting page).

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery fee” via a link. Legitimate redelivery fees are paid through the official site after verifying your tracking number.
  • Check the URL carefully: Legitimate Royal Mail domains end with royalmail.com. Look for misspellings, extra words, or unusual top‑level domains.
  • Enable transaction alerts on your bank account to catch unauthorized charges early.

Fake Zajil Express page in Arabic detected

These two screenshots show a phishing campaign targeting Arabic‑speaking users, likely in Saudi Arabia (based on the country code, phone number format, and references). The scam impersonates a delivery or courier service (“zaiji-express”) and uses a fake delivery confirmation process to harvest personal information and full card details.


Threat Analysis: Delivery Service Phishing – Recipient Information & Card Data Harvesting

Step 1 – Personal Information Page (First Screenshot)
The victim is asked to “confirm recipient information” by providing:

  • First name and surname
  • Email address
  • Address

Step 2 – Card & Identity Details Page (Second Screenshot)
The victim is then asked for:

  • Postal code
  • Phone number
  • National ID or identity card number
  • Full card number
  • Expiration date (month/year)
  • CVV

A “Confirm” button submits the data.

The goal:
The attacker collects:

  • Personal information (name, address, email, phone) for identity theft
  • National ID number (a critical piece of identity in Saudi Arabia)
  • Full credit/debit card details (number, expiry, CVV) for fraudulent transactions

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not the official courier’s website. Legitimate delivery services use their own official domains.
  • Request for national ID and full card details together: No legitimate delivery service needs your national ID and card CVV to complete a delivery.
  • Fake company branding: The footer shows “zaiji-express” with a Saudi address and contact details. These may be fabricated or copied.
  • Unsolicited request: Delivery services do not send links asking for this level of personal and financial information.
  • No tracking number or package details: The victim is not given a way to verify the supposed shipment.

What to do if you encounter this:

  • Do not enter any personal information, national ID, or card details.
  • If you are expecting a delivery, track it directly on the official courier website using your tracking number.
  • If you have already entered card details, contact your bank immediately to block the card.
  • Report the phishing page to the legitimate courier being impersonated and to the relevant authorities.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never provide your national ID or card CVV in response to a delivery notification.
  • Check the URL carefully: Look for misspellings, extra words, or unusual top‑level domains.
  • Enable two‑factor authentication on your bank account and email.

Amazon phishing page in German detected




These four screenshots show a multi‑step phishing campaign targeting German users, impersonating the Amazon.de VISA credit card banking portal (issued by Landesbank Berlin – LBB). The scam is designed to steal online banking credentials, phone number, and SMS two‑factor authentication (2FA) code – allowing full account takeover.


Threat Analysis: Amazon VISA / LBB Phishing – Credential & 2FA Code Harvesting

Step 1 – Fake Login Page (Screenshots 1 & 2)
The victim lands on a page that mimics the LBB / Amazon VISA banking login. It asks for:

  • Benutzername (username)
  • Passwort (password)

The page includes copied branding, login fields, and links to appear legitimate.

Step 2 – Phone Number Page (Screenshot 3)
After submitting credentials, the victim is asked to provide a phone number to “verify” the account. A message claims that an SMS code will be sent.

Step 3 – SMS Code Page (Screenshot 4)
The final page asks for the SMS code received on the phone. This is the two‑factor authentication (2FA) code that the real bank sends when logging in from an unrecognized device or after a password change.

The goal:
The attacker captures:

  • The victim’s online banking credentials (username and password)
  • The phone number (used to intercept future 2FA messages)
  • The current SMS 2FA code – allowing them to immediately log into the real account and authorize transactions

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not lbb.de, amazon.de, or any official banking domain. The URL contains random characters and subdomains.
  • Unsolicited login request: LBB / Amazon VISA does not send links requiring customers to log in and then “verify” their phone number via SMS.
  • Multi‑step flow with SMS code request: A legitimate login does not ask for a phone number and SMS code immediately after password entry. This is the classic flow of a phishing kit that harvests 2FA codes.
  • Copied content: The pages use real LBB and Amazon branding, but the layout and phrasing contain inconsistencies.

What to do if you encounter this:

  • Do not enter your username, password, phone number, or SMS code on these pages.
  • If you are an Amazon VISA / LBB customer, always access your credit card banking by typing lbb.de directly into your browser or using the official app.
  • If you have already entered your credentials but not the SMS code, change your password immediately and contact LBB.
  • If you have entered the SMS code, the attacker may already have accessed your account. Contact LBB’s fraud department immediately.
  • Report the phishing pages to LBB and Amazon.

Protective measures:

  • Bookmark the official LBB login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Never enter an SMS code on a page you reached via a link. Legitimate banks only ask for 2FA after you have initiated a login on their official site.
  • Enable two‑factor authentication using an authenticator app instead of SMS where possible.
  • Be suspicious of any unsolicited message that asks you to log in and then “verify” your phone number.

Credit Agricole phishing page in French detected

This screenshot shows a phishing page impersonating Crédit Agricole, a major French bank. The page uses the pretext of mandatory SécuriPass activation (a legitimate security feature) to pressure victims into clicking a malicious link that leads to a fake login page.


Threat Analysis: Crédit Agricole Phishing – Fake SécuriPass Activation Deadline

The page claims that SécuriPass will become mandatory by a specific date (December 31, 2022) and urges the victim to click a button to “activate” it. A threat of a “banking ban” is added to create urgency.

How it works:
The victim receives an email or message containing a link to this page. Clicking the activation button leads to a fraudulent Crédit Agricole login page designed to steal online banking credentials and possibly two‑factor authentication codes.

The goal:
The attacker aims to capture the victim’s Crédit Agricole login credentials to access the account, transfer funds, and commit fraud.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not credit-agricole.fr. Legitimate bank communications are on official domains.
  • Unsolicited activation request: Crédit Agricole does not send links requiring customers to “activate” SécuriPass via external pages.
  • Threat of immediate consequences: The warning of a “banking ban” is a classic fear tactic.
  • No personalization: The message does not address the victim by name or reference a specific account.
  • Deadline pressure: The specific date (31 December 2022) is used to create a false sense of urgency; legitimate security updates are communicated through official channels, not unsolicited emails.

What to do if you encounter this:

  • Do not click the activation button or any links.
  • Access your Crédit Agricole account by typing credit-agricole.fr directly into your browser or using the official mobile app.
  • If you have already clicked and entered credentials, contact Crédit Agricole immediately to secure your account.
  • Report the phishing page to Crédit Agricole’s fraud team.

Protective measures:

  • Always type your bank’s website address manually. Never click links in unsolicited emails or messages.
  • Enable SécuriPass through the official app – legitimate activation happens within the app or after logging in, not via email links.
  • Be suspicious of any message that creates urgency, threatens negative consequences, and asks you to click a link.

SEUR delivery fake page detected

This screenshot shows a phishing page impersonating SEUR, a Spanish courier company. The scam asks the victim to enter an SMS code under the pretext of confirming a delivery or paying a small fee (€2.99). In reality, this code is likely a two‑factor authentication (2FA) code sent by the victim’s bank or card issuer – entering it gives the attacker full access to the victim’s financial account.


Threat Analysis: SEUR Phishing – SMS Code Harvesting (2FA Bypass)

How it works:
The victim receives an SMS or email claiming a package requires a small fee or delivery confirmation. The link leads to this page, which mimics SEUR’s interface. The victim is asked to enter an SMS code, often after having entered card details on a previous page (not shown here). The code is actually a 2FA code from the victim’s bank or card provider. By entering it, the victim allows the attacker to complete a fraudulent transaction or login.

The goal:
The attacker aims to:

  • Steal an SMS-based two‑factor authentication code
  • Use it together with previously stolen card or banking details to authorize unauthorized payments or account access

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not seur.com.
  • SMS code request without context: SEUR does not ask for SMS codes in this manner for a delivery fee.
  • Small fee shown: €2.99 is a tiny amount intended to lower suspicion.
  • Copied branding: The page uses SEUR’s logo and navigation, but the underlying domain is fake.

What to do:

  • Do not enter any SMS code.
  • If you are expecting a SEUR delivery, track it directly by typing seur.com into your browser.
  • If you have already entered a code, contact your bank immediately – the attacker may have already used it to authorize a transaction.
  • Report the phishing page to SEUR and to the relevant authorities.

Protective measures:

  • Never enter an SMS code on a page you reached via a link. Legitimate services only ask for 2FA codes after you have initiated a login on their official site.
  • Always type the courier’s official URL directly.
  • Enable two‑factor authentication using an authenticator app instead of SMS where possible, to reduce this type of attack.

USPS fake page revealed

This screenshot shows a phishing page impersonating USPS (United States Postal Service), using a small fee ($2.99) as a pretext to steal credit card details. The page claims the victim has been transferred to a “secure payment environment” and displays a Visa logo, but the actual card entry form is likely on a subsequent page or may have been omitted from the screenshot.


Threat Analysis: USPS Phishing – Small Fee & Card Harvesting

How it works:
The victim receives an SMS or email claiming a package requires a redelivery fee, customs payment, or address confirmation. The link leads to a fake USPS tracking page, then redirects to this “secure payment” page. The victim is asked to enter credit card details (full number, expiration, CVV) to pay the $2.99 fee.

The goal:
The attacker captures full credit/debit card information to make fraudulent purchases or sell the data.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not usps.com. Legitimate USPS payment pages are only on official domains.
  • Small fee trick: $2.99 is a trivial amount designed to lower suspicion.
  • Fake “secure payment environment” claim: Real USPS payments are integrated into the official site, not presented on a generic page like this.
  • No tracking number or personalized information: The page lacks any details that would tie it to an actual package.

What to do if you encounter this:

  • Do not enter any card details.
  • If you are expecting a USPS delivery, track it directly by typing usps.com into your browser.
  • If you have already entered card details, contact your bank immediately to block the card.
  • Report the phishing page to USPS (e.g., via their official fraud reporting page).

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are collected through the official site after logging in or upon delivery.
  • Enable transaction alerts on your bank account to catch unauthorized charges early.

SPL Post fake page in Arabic detected

This screenshot shows a phishing page impersonating Saudi Post (SPL – البريد السعودي سبل), targeting Arabic‑speaking users in Saudi Arabia. The scam asks for a small fee (4.98 SAR) as a pretext to collect full name, phone number, and complete credit/debit card details.


Threat Analysis: Saudi Post Phishing – Small Fee & Card Harvesting

How it works:
The victim receives an SMS or email claiming a package requires a delivery fee, customs payment, or address confirmation. The link leads to this page, which mimics the Saudi Post payment interface. The victim is asked to provide:

  • Full name
  • Phone number
  • Card number
  • Expiration date
  • CVV

The small amount (4.98 SAR) is intended to lower suspicion.

The goal:
The attacker captures full credit/debit card information (number, expiry, CVV) along with personal details (name, phone) to make fraudulent purchases, clone the card, or sell the information.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not sp.post.gov.sa or any official Saudi Post domain.
  • Request for CVV for a small fee: Legitimate postal services do not ask for your card security code to collect a delivery fee.
  • Small fee trick: A trivial amount (4.98 SAR) is used to make the payment seem insignificant.
  • No tracking number or personalization: The page does not reference a specific package or tracking number that the victim can verify independently.
  • Fake payment branding: Logos for Visa, mada, and Mastercard are displayed to appear legitimate, but they are simply copied.

What to do if you encounter this:

  • Do not enter any personal or card information.
  • If you are expecting a package from Saudi Post, track it directly by typing sp.post.gov.sa into your browser.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to Saudi Post and to the relevant authorities.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are collected in person, through the official app, or after logging into your account on the official site.
  • Check the URL carefully: Look for misspellings, extra words, or unusual top‑level domains.
  • Enable two‑factor authentication on your bank account and email.

La Poste fake page in French detected

These two screenshots show a two‑step phishing campaign impersonating La Poste (the French postal service). The scam uses a small fee (€3.00) as a pretext to harvest personal information and full credit card details.


Threat Analysis: La Poste Phishing – Personal Info & Card Harvesting

Step 1 – Personal Information Page (First Screenshot)
The victim is asked to provide:

  • First name, last name
  • Email address
  • Street address, city, postal code
  • Phone number

A total of €3.00 is displayed, and logos for Visa, PayPal, and “secured payment” are shown to appear legitimate.

Step 2 – Card Details Page (Second Screenshot)
After submitting personal information, the victim is taken to a page asking for:

  • Full card number
  • Expiration date (MM/YY)
  • CVV

A “Valider et payer” (validate and pay) button submits the data.

The goal:
The attacker collects:

  • Personal identity details (name, address, email, phone) for identity theft
  • Full credit/debit card information (number, expiry, CVV) for fraudulent purchases

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not laposte.fr. Legitimate La Poste services use official domains.
  • Small fee trick: €3.00 is a trivial amount meant to lower suspicion.
  • No tracking or package reference: The victim is not given any tracking number or shipment details to verify.
  • Request for CVV: A legitimate postal service does not ask for your card security code to collect a small fee.
  • Copied branding: The pages use La Poste’s logo, slogans (“Livraison gratuite,” “Proche de vous”), and payment icons, but these are copied from the real site.

What to do if you encounter this:

  • Do not enter any personal or card information.
  • If you are expecting a delivery, track it directly by typing laposte.fr into your browser.
  • If you have already entered card details, contact your bank immediately to block the card.
  • Report the phishing page to La Poste’s fraud team.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are collected through the official site after logging in or upon delivery.
  • Check the URL carefully: Legitimate La Poste domains end with laposte.fr. Look for misspellings, extra words, or unusual top‑level domains.
  • Enable transaction alerts on your bank account to catch unauthorized charges early.
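
The “check the URL carefully” advice repeated in the sections above, written as a triage check (an added example, not part of the original write-ups). It compares a link’s hostname with the official domains named on this page; the keyword length, the similarity threshold and the sample links are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Official domains exactly as named in the write-ups on this page.
OFFICIAL = {
    "Hongkong Post": ["hongkongpost.hk"],
    "Royal Mail": ["royalmail.com"],
    "LBB / Amazon VISA": ["lbb.de", "amazon.de"],
    "Crédit Agricole": ["credit-agricole.fr"],
    "SEUR": ["seur.com"],
    "USPS": ["usps.com"],
    "Saudi Post": ["sp.post.gov.sa"],
    "La Poste": ["laposte.fr"],
}
MIN_KEYWORD = 4      # assumption: shorter first labels ("lbb", "sp") are too generic
FUZZY_RATIO = 0.85   # assumption: similarity at which a token counts as a misspelling


def hostname_of(url):
    """Return the lower-cased host the browser would actually connect to."""
    if "://" not in url:
        url = "https://" + url           # bare "host/path" as pasted from an SMS
    host = urlsplit(url).hostname or ""  # .hostname drops userinfo ("brand.com@") and port
    return host.rstrip(".").lower()


def is_official(host, domain):
    """Match on a label boundary only: the domain itself or a subdomain of it.
    A plain string endswith() would also accept "xroyalmail.com"."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return (verdict, brand) with verdict 'official', 'lookalike' or 'unknown'."""
    host = hostname_of(url)
    for brand, domains in OFFICIAL.items():
        if any(is_official(host, d) for d in domains):
            return "official", brand
    squashed = re.sub(r"[.-]", "", host)            # "royal-mail.x" -> "royalmailx"
    tokens = [t for t in re.split(r"[.-]", host) if t]
    for brand, domains in OFFICIAL.items():
        for domain in domains:
            if domain in host:                       # official name used as a prefix
                return "lookalike", brand
            keyword = domain.split(".")[0].replace("-", "")
            if len(keyword) < MIN_KEYWORD:
                continue
            if keyword in squashed:                  # extra words around the brand
                return "lookalike", brand
            if any(SequenceMatcher(None, t, keyword).ratio() >= FUZZY_RATIO
                   for t in tokens):                 # misspelled brand
                return "lookalike", brand
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample links (reserved .example names), not taken from the page.
    for link in ["https://www.royalmail.com/track-your-item",
                 "https://royalmail.com.parcel-fee.example/pay",
                 "https://roya1mail-redelivery.example/",
                 "https://usps.com@pay.example/fee"]:
        print(classify(link), link)
```

A “lookalike” verdict is a triage signal, not proof: substring and similarity matching will also flag unrelated names that happen to contain a brand keyword.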