Correos Express fake page detected

This screenshot shows a Spanish‑language phishing page impersonating a delivery service (such as Correos or another courier). The scam asks the victim to pay a small fee (€1.98) for a “new delivery attempt” and in the process harvests full credit card details.


Threat Analysis: Delivery Phishing – Small Fee & Card Harvesting

How it works:
The victim receives an SMS, email, or messaging app alert claiming a package could not be delivered and that a small fee is required to schedule a new delivery attempt. The link leads to this page, which mimics a courier’s payment interface. The victim is asked to provide:

  • Cardholder name
  • Full card number
  • Expiration date (MM/AA)
  • CVV security code

A total of €1.98 is displayed, with a fake breakdown (VAT, partial total) to appear legitimate. A “secure payment” badge and SSL claim are added to create a false sense of security.

The goal:
The attacker captures complete credit/debit card information to make fraudulent purchases, clone the card, or sell the data.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not the official courier’s website.
  • Request for CVV: A legitimate delivery service never asks for your card security code to collect a redelivery fee.
  • Small fee trick: €1.98 is a trivial amount intended to lower suspicion.
  • No tracking or package reference: The page lacks a verifiable tracking number or any personalization linking it to an actual shipment.
  • Fake security badges: The “SSL protegido” and padlock icons are copied from legitimate sites but do not guarantee authenticity.

What to do if you encounter this:

  • Do not enter any card or personal information.
  • If you are expecting a delivery, track it directly by typing the official courier’s URL into your browser.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the legitimate courier service and to the relevant authorities.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are handled in person, through the official app, or after logging into your account on the official site.
  • Check the URL carefully: Look for misspellings, extra words, or unusual top‑level domains.
  • Enable transaction alerts on your bank account to catch unauthorized charges early.

Fake Spotify page detected

These two screenshots show a phishing campaign impersonating Spotify, targeting users with a fake subscription renewal alert. The scam threatens that the victim’s subscription will be lost unless they update their payment method, then directs them to a page that steals full credit card details.


Threat Analysis: Spotify Phishing – Fake Subscription Expiration & Card Harvesting

How it works:
The victim receives an email, SMS, or notification claiming their Spotify subscription could not be renewed and will be lost. A link leads to the first page, which repeats the warning and prompts the user to click “UPDATE.” The second page mimics Spotify’s payment interface and asks for:

  • Card number
  • Security code (CVV)
  • Expiration date (MM/YYYY)

The goal:
The attacker collects full credit/debit card details to make fraudulent purchases or sell the information.

Red flags:

  • Suspicious URL: The pages are hosted on a domain that is not spotify.com. Legitimate Spotify payment updates are done within the account settings or official app.
  • Urgent threat: The message claims the subscription will be lost immediately – a classic fear tactic.
  • Request for CVV: Spotify never asks for your card security code via an external link.
  • Generic design: The pages lack personalized account details (e.g., username, plan type, last billing date) that would appear in a genuine notification.
  • Unsolicited request: Spotify does not send links requiring users to update payment methods through a separate web form.

What to do:

  • Do not enter any card details.
  • Open the Spotify app or website directly (type spotify.com) and check your account status under “Subscription.”
  • If you have already entered card details, contact your bank immediately to block the card.

Protective measures:

  • Never click links in unsolicited subscription alerts.
  • Always manage subscriptions through the official app or website.
  • Enable two‑factor authentication on your email and financial accounts.

Sociedad Estatal Correos y Telegrafos (Spain) fake page detected

These two screenshots show a Spanish‑language phishing campaign impersonating Correos (the Spanish postal service). The scam uses a fake delivery fee (€2.64) and an urgent deadline to trick victims into providing full credit card details.


Threat Analysis: Correos Phishing – Fake “New Delivery Attempt” Fee

How it works:
The victim receives an SMS, email, or message claiming that a package is waiting and a fee is required for a new delivery attempt. The first page warns of a “last deadline” and offers a “RECIBIR” (receive) button. Clicking it leads to the second page, which asks for:

  • Cardholder name
  • Full card number
  • Expiration date (month/year)
  • CVV security code

The page displays a total of €2.64, a fake tracking reference, and a checkbox to accept a privacy policy – all designed to appear legitimate.

The goal:
The attacker captures full credit/debit card details to make fraudulent purchases or sell the information.

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not correos.es – the official Correos domain.
  • Request for CVV: Correos never asks for your card security code to collect a redelivery fee.
  • Small fee trick: €2.64 is a trivial amount intended to lower suspicion.
  • Fake tracking reference: The “Código de envío : ES/” is incomplete and cannot be verified on the real Correos site.
  • Urgent deadline: The mention of a “last deadline” pressures victims to act without thinking.
  • Copied branding: The pages use the Correos logo, app store badges, and footer links copied from the real website to appear authentic.

What to do if you encounter this:

  • Do not enter any card or personal information.
  • If you are expecting a delivery, track it directly by typing correos.es into your browser and using your real tracking number.
  • If you have already entered card details, contact your bank immediately to block the card.
  • Report the phishing page to Correos (e.g., via their official fraud reporting page).

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are handled in person, through the official app, or after logging into your account.
  • Check the URL carefully: Official Correos domains end with correos.es. Look for misspellings, extra words, or unusual top‑level domains.
  • Enable transaction alerts on your bank account.

Santander bank phishing page revealed

One more example:

These six screenshots show a multi‑step phishing campaign impersonating Santander Bank, targeting Spanish‑speaking customers. The attack is designed to harvest:

  • Online banking credentials (documento and clave)
  • Electronic signature coordinates (a second factor used in Spanish banking)
  • Full card details (number, expiration, CVV)
  • PIN (likely the card’s ATM PIN)

The flow mimics real Santander security steps, making it particularly convincing.


Threat Analysis: Santander Phishing – Credential, Electronic Signature & Card Data Harvesting

Step 1 – Fake Login Page (Screenshots 1 & 4)
The victim lands on a page that looks like Santander’s online banking login. It asks for:

  • Documento (NIF – national ID)
  • Clave de acceso (password)

“Recordar usuario” and links to recover credentials are included to appear legitimate.

Step 2 – Fake Electronic Signature Page (Screenshots 2 & 5)
After submitting credentials, the victim is asked to enter the positions of their “electronic signature” – a real second‑factor authentication method used by Spanish banks. The page typically asks for specific digits from a pre‑established grid. This step captures the second factor needed to authorize transactions.

Step 3 – Fake Card & PIN Verification Page (Screenshots 3 & 6)
The final step asks for:

  • Card number
  • Expiration date (MM/YY)
  • CVV
  • PIN (the card’s ATM or security PIN)

A message claims this is to “verify the cardholder” and that an SMS will be sent – a common tactic to make the victim believe this is a normal security check.

The goal:
The attacker captures:

  • Online banking credentials (documento + password)
  • Electronic signature coordinates (second factor)
  • Full card details (number, expiry, CVV)
  • ATM or card PIN

With this combination, the attacker can log into the victim’s bank account, authorize transactions, and use the card for ATM withdrawals or online purchases.

Red flags to watch for:

  • Suspicious URL: All pages are hosted on a domain that is not santander.es or another official Santander domain.
  • Multi‑step flow with excessive requests: A legitimate bank login does not require entering electronic signature positions and full card details + PIN in a single session.
  • PIN request on a web page: Banks never ask for your ATM PIN on a website.
  • Unsolicited login request: Santander does not send links requiring customers to log in and complete multiple verification steps.
  • Copied branding: The pages use Santander’s logo, color scheme, and terminology, but the design has inconsistencies compared to the real site.

What to do if you encounter this:

  • Do not enter any information on these pages.
  • If you are a Santander customer, always access online banking by typing the official URL directly (e.g., santander.es).
  • If you have already entered your credentials, electronic signature positions, or card details, contact Santander immediately to block your account, card, and change all credentials.
  • Report the phishing pages to Santander’s fraud team.

Protective measures:

  • Never click links in unsolicited messages claiming bank issues.
  • Use a password manager – it will not autofill on fake domains.
  • Never provide your card PIN or CVV on a page reached via a link.
  • Enable two‑factor authentication through the bank’s official app, not via web links.
  • Check the URL carefully: Legitimate Santander domains end with santander.es (or .com for other countries). Look for misspellings, extra words, or unusual top‑level domains.

Fake USPS tracking page has been detected

A sophisticated phishing campaign impersonating the United States Postal Service (USPS) is targeting residents with fraudulent SMS and emails claiming an “incomplete address” for package delivery. Victims are directed to a cloned website that steals personal information and credit card details, including CVV and 3D-Secure codes, by prompting for a small re-delivery fee.

This phishing scam uses SMS or email impersonating DHL or USPS to lure victims with fake “delivery issues” or “small fees” into entering personal data, credit card details, and 3D-secure codes. The attackers create high-fidelity clones of tracking pages to steal financial credentials and use stolen SMS codes for fraudulent purchases. To stay safe, ignore links in messages, use official company apps for tracking, and never provide a CVV code for shipping address verification.

This logistics phishing case, targeting both DHL and USPS, uses “micro-payment” baiting, where attackers request a small fee to trick victims into providing full credit card details and 3D-Secure codes. The attack exploits high shipping volumes by sending SMS messages for fake “address errors” and collecting personal data on fraudulent sites designed to steal financial credentials.

Expert Security Tip: To avoid this threat, never click links in delivery text messages. Instead, manually enter tracking numbers on official websites, and carefully read bank SMS alerts for discrepancies in transaction amounts.

A fake Instagram page about copyright infringement in Turkish has been identified.

A Turkish-language phishing campaign targeting Instagram creators uses fake “Copyright Infringement” notifications to steal account credentials and bypass two-factor authentication. Victims are coerced through “legal scaring” tactics to enter credentials on a fake site that immediately harvests usernames, passwords, and 2FA codes.

This Turkish-language Instagram phishing attack uses a “Copyright Infringement” threat via DMs to deceive users into providing their account credentials, email passwords, and 2FA codes. The attack relies on urgent, fraudulent “appeal forms” that mimic official Meta branding to steal login information, and it is a high-risk scam targeting content creators. To protect yourself, always verify the URL, utilize the “Emails from Instagram” tool in the app, and never provide email credentials or login details in response to a DM.

Instagram phishing page revealed: photooftheday.click

An Instagram phishing campaign uses “Photo of the Day” contests as a social engineering lure to steal user credentials and bypass two-factor authentication (2FA). Attackers use deceptive URLs to direct victims to fake login pages designed to harvest usernames, passwords, and 2FA codes, often capitalizing on the victim’s desire for social validation.

Instagram users are being targeted by phishing campaigns, including Turkish-language copyright-violation notices and English-language “Photo of the Day” scams, designed to steal credentials and bypass 2FA. These phishing sites mimic the official Instagram login page to harvest usernames, passwords, and real-time security codes, enabling attackers to take over accounts and change recovery methods. To avoid these scams, users should never log in via external links, check the “Emails from Instagram” section in the app, and use authenticator apps for 2FA.

📸 Instagram “Copyright Infringement” & “Photo Contest” Phishing

Target: Instagram Users and Influencers Worldwide
Threat Level: Critical (Account Takeover & Identity Theft)

Phishing Method Description

These attacks use Social Engineering to create panic or excitement:

  1. The Copyright Trap (Turkish Case): Users receive a DM or email claiming their account will be deleted in 24-48 hours due to a “Copyright Infringement.” They are told to click a link to “Appeal” or “Object” to the complaint.
  2. The Reward Trap (Photo Contest): Users are told they have been nominated for “Photo of the Day” or a contest. They are urged to click a link to “Vote” or “Claim a badge.”

Both links lead to a fake Instagram login page. The phishing kit is designed to harvest:

  • Username and Password.
  • Linked Email and Password (to prevent the user from recovering their account).
  • Two-Factor Authentication (2FA) Codes: The fake site intercepts the 6-digit code in real-time, allowing the attacker to log in and immediately change the account’s associated email and phone number.

⚠️ Red Flags to Watch For

  • Deceptive URLs: Instagram only uses instagram.com or facebook.com for official notices. Phishing sites use copyright-instagram-help.com, photooftheday-click.net, or free subdomains like instagram-support.web.app.
  • Communications via DM: Instagram never sends Direct Messages (DMs) about copyright or security. Official notices appear in Settings > Security > Emails from Instagram.
  • Grammar & Urgency: Phishing messages often contain subtle spelling errors and use aggressive countdown timers to force an impulsive login.
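
The URL check described in the red flags above, as an added example that is not part of the original page: a link counts as official only when its host equals, or is a subdomain of, a domain this page names as official. The brand keys, the sample paths and the example.net / .example hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Official domains exactly as this page names them. The brand keys are
# labels chosen for this example.
OFFICIAL = {
    "correos": ("correos.es",),
    "spotify": ("spotify.com",),
    "santander": ("santander.es",),
    "instagram": ("instagram.com", "facebook.com"),
}


def parse_host(url):
    """Return (netloc, host): host is what the browser really connects to."""
    if "://" not in url:              # links in SMS often omit the scheme
        url = "//" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()  # drops userinfo, port
    return parts.netloc, host


def official_domain(host):
    """Return the official domain that host equals or is a subdomain of."""
    for domains in OFFICIAL.values():
        for d in domains:
            if host == d or host.endswith("." + d):
                return d
    return None


def classify(url):
    """Return (verdict, reasons) for a link received in a message."""
    netloc, host = parse_host(url)
    if not host:
        return "suspicious", ["no hostname"]
    match = official_domain(host)
    if match:
        return "official", [f"host is under {match}"]
    reasons = []
    if "@" in netloc:
        reasons.append("text before '@' is not the host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible homograph")
    for brand, domains in OFFICIAL.items():
        if brand in host or any(d in host for d in domains):
            reasons.append(f"'{brand}' name outside its official domain")
    return ("lookalike" if reasons else "unknown"), reasons


# Hosts quoted on this page plus constructed cases; all paths are constructed.
SAMPLES = [
    "https://www.instagram.com/accounts/login/",
    "https://copyright-instagram-help.com/appeal",
    "photooftheday-click.net/vote",
    "https://instagram-support.web.app/",
    "https://instagram.com.login.example/",       # constructed
    "https://instagram.com@example.net/login",    # constructed
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(classify(u), u)
```

A host with no brand keyword, such as photooftheday-click.net, comes back as unknown rather than official, so the allowlist match, not keyword spotting, is the decision that matters.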

💡 Expert Security Tip: The “App-Based 2FA” Shield

The Method:
These cases highlight a Credential & Session Hijacking attack. Scammers are not just after your password; they are waiting to intercept your 2FA code to lock you out of your account permanently.

The Trap:
When you enter your 2FA code on a phishing site, the attacker uses it on the real Instagram app to log you out of all devices and change your recovery email. In many cases, they then use your account to spread the scam to your followers or demand a ransom.

How to Protect Yourself:

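  • Use Authentication Apps: Switch from SMS-based 2FA to an app like Google Authenticator or Duo. SMS codes are easier to intercept via phishing or SIM swapping. A code from an app can still be relayed if you type it into a fake page, so the URL check on the 2FA screen still applies.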
  • The “In-App Only” Rule: If you receive a security or copyright alert, do not click the link. Open your Instagram app, go to Settings > Security > Emails from Instagram. If the email isn’t listed there, it is 100% a scam.
  • Zero Trust for DMs: Treat every DM from an unknown account (even with a “verified” badge, as these can be stolen accounts) as a potential threat.
  • Check the URL on the 2FA Screen: If you are prompted for a 2FA code, double-check the browser’s address bar. If it doesn’t say instagram.com, do not enter the code.

Banco Ripley (Chile) phishing page detected

A phishing campaign targeting Banco Ripley in Chile uses smishing and email, directing users to a cloned website that mimics the official login portal to steal RUT numbers, passwords, and dynamic tokens. This Man-in-the-Middle (MitM) attack specifically aims to bypass security measures by harvesting real-time OTP codes to facilitate unauthorized transactions.

A Banco Ripley (Chile) phishing campaign targets users via smishing and email, directing them to a cloned website to steal credentials, Tax IDs (RUT), and real-time security codes. Attackers use urgent, fraudulent “security update” alerts to hijack Multipass/Soft Token codes to authorize illicit transfers, utilizing lookalike domains like bancoripley-cl-seguridad.com.

Protect Yourself: Access Banco Ripley only via the official app or website, never click links in unexpected messages, and remember that banks never ask for full security codes to log in or update profiles.

The Banco Ripley case exemplifies a real-time proxy attack designed to bypass Multi-Factor Authentication (MFA) by hijacking dynamic tokens (MultiPass/Soft Token) as the victim enters them. Victims are tricked into providing authorization codes on a fake site, allowing attackers to immediately take over accounts or register new devices. Protect yourself by recognizing that banks never request these codes to “update data,” and always verify that the URL strictly matches the bank’s domain.

Fake Snapchat password reset page in Arabic detected

A phishing campaign targeting Arabic-speaking Snapchat users in the MENA region uses fake password reset pages to steal credentials and bypass two-factor authentication (2FA). Attackers utilize high-fidelity clones of the Snapchat login portal and real-time credential relay tactics to hijack user sessions and private data.

This case highlights a Real-Time Proxy Attack targeting Snapchat, where attackers use fake Arabic-language “Security Breach” notices to intercept user credentials and live 2FA codes, allowing immediate account takeover. The key security tip is the “Initiator” Rule: never enter a 2FA code on a page reached via a link; only provide codes on sites you accessed by manually typing the official URL.

Comcast Xfinity phishing page detected

A phishing campaign targeting Comcast Xfinity customers uses deceptive emails claiming billing failures to harvest login credentials, credit card details, and Social Security numbers. The attack leverages fraudulent links and high-fidelity clones of the official login page to steal comprehensive personal and financial data.

This phishing method uses urgent, fake security alerts via email or SMS to trick users into visiting fraudulent websites, aiming to steal credentials and 2FA codes. Attackers frequently impersonate official services, creating a false sense of security risk to bypass critical thinking and harvest sensitive information. To avoid this scam, verify all requests directly through official apps or websites, and never click on unsolicited links.