Fake USPS tracking page has been detected

A sophisticated phishing campaign impersonating the United States Postal Service (USPS) is targeting residents with fraudulent SMS and emails claiming an “incomplete address” for package delivery. Victims are directed to a cloned website that steals personal information and credit card details, including CVV and 3D-Secure codes, by prompting for a small re-delivery fee.

This phishing scam uses SMS or email impersonating DHL or USPS to lure victims with fake “delivery issues” or “small fees” into entering personal data, credit card details, and 3D-secure codes. The attackers create high-fidelity clones of tracking pages to steal financial credentials and use stolen SMS codes for fraudulent purchases. To stay safe, ignore links in messages, use official company apps for tracking, and never provide a CVV code for shipping address verification.

This logistics phishing case, targeting both DHL and USPS, uses “micro-payment” baiting, where attackers request a small fee to trick victims into providing full credit card details and 3D-Secure codes. The attack exploits high shipping volumes by sending SMS messages for fake “address errors” and collecting personal data on fraudulent sites designed to steal financial credentials.

Expert Security Tip: To avoid this threat, never click links in delivery text messages; instead, manually enter tracking numbers on official websites, and carefully read bank SMS alerts for discrepancies in transaction amounts.

A fake Instagram page about copyright infringement in Turkish has been identified.

A Turkish-language phishing campaign targeting Instagram creators uses fake “Copyright Infringement” notifications to steal account credentials and bypass two-factor authentication. Victims are coerced through “legal scaring” tactics to enter credentials on a fake site that immediately harvests usernames, passwords, and 2FA codes.

This Turkish-language Instagram phishing attack uses a “Copyright Infringement” threat via DMs to deceive users into providing their account credentials, email passwords, and 2FA codes. The attack relies on urgent, fraudulent “appeal forms” that mimic official Meta branding to steal login information, and it is a high-risk scam targeting content creators. To protect yourself, always verify the URL, utilize the “Emails from Instagram” tool in the app, and never provide email credentials or login details in response to a DM.

Instagram phishing page revealed: photooftheday.click

An Instagram phishing campaign uses “Photo of the Day” contests as a social engineering lure to steal user credentials and bypass two-factor authentication (2FA). Attackers use deceptive URLs to direct victims to fake login pages designed to harvest usernames, passwords, and 2FA codes, often capitalizing on the victim’s desire for social validation.

Instagram users are being targeted by phishing campaigns, including Turkish-language copyright-violation notices and English-language “Photo of the Day” scams, designed to steal credentials and bypass 2FA. These phishing sites mimic the official Instagram login page to harvest usernames, passwords, and real-time security codes, enabling attackers to take over accounts and change recovery methods. To avoid these scams, users should never log in via external links, check the “Emails from Instagram” section in the app, and use authenticator apps for 2FA.

📸 Instagram “Copyright Infringement” & “Photo Contest” Phishing

Target: Instagram Users and Influencers Worldwide
Threat Level: Critical (Account Takeover & Identity Theft)

Phishing Method Description

These attacks use Social Engineering to create panic or excitement:

  1. The Copyright Trap (Turkish Case): Users receive a DM or email claiming their account will be deleted in 24-48 hours due to a “Copyright Infringement.” They are told to click a link to “Appeal” or “Object” to the complaint.
  2. The Reward Trap (Photo Contest): Users are told they have been nominated for “Photo of the Day” or a contest. They are urged to click a link to “Vote” or “Claim a badge.”

Both links lead to a fake Instagram login page. The phishing kit is designed to harvest:

  • Username and Password.
  • Linked Email and Password (to prevent the user from recovering their account).
  • Two-Factor Authentication (2FA) Codes: The fake site intercepts the 6-digit code in real-time, allowing the attacker to log in and immediately change the account’s associated email and phone number.

Red Flags to Watch For

  • Deceptive URLs: Instagram only uses instagram.com or facebook.com for official notices. Phishing sites use copyright-instagram-help.com, photooftheday-click.net, or free subdomains like instagram-support.web.app.
  • Communications via DM: Instagram never sends Direct Messages (DMs) about copyright or security. Official notices appear in Settings > Security > Emails from Instagram.
  • Grammar & Urgency: Phishing messages often contain subtle spelling errors and use aggressive countdown timers to force an impulsive login.

Expert Security Tip: The “App-Based 2FA” Shield

The Method:
These cases highlight a Credential & Session Hijacking attack. Scammers are not just after your password; they are waiting to intercept your 2FA code to lock you out of your account permanently.

The Trap:
When you enter your 2FA code on a phishing site, the attacker uses it on the real Instagram app to log you out of all devices and change your recovery email. In many cases, they then use your account to spread the scam to your followers or demand a ransom.

How to Protect Yourself:

  • Use Authentication Apps: Switch from SMS-based 2FA to an app like Google Authenticator or Duo. SMS codes are easier to intercept via phishing or SIM swapping.
  • The “In-App Only” Rule: If you receive a security or copyright alert, do not click the link. Open your Instagram app, go to Settings > Security > Emails from Instagram. If the email isn’t listed there, it is 100% a scam.
  • Zero Trust for DMs: Treat every DM from an unknown account (even with a “verified” badge, as these can be stolen accounts) as a potential threat.
  • Check the URL on the 2FA Screen: If you are prompted for a 2FA code, double-check the browser’s address bar. If it doesn’t say instagram.com, do not enter the code.

Banco Ripley (Chile) phishing page detected

A phishing campaign targeting Banco Ripley in Chile uses smishing and email, directing users to a cloned website that mimics the official login portal to steal RUT numbers, passwords, and dynamic tokens. This Man-in-the-Middle (MitM) attack specifically aims to bypass security measures by harvesting real-time OTP codes to facilitate unauthorized transactions.

A Banco Ripley (Chile) phishing campaign targets users via smishing and email, directing them to a cloned website to steal credentials, Tax IDs (RUT), and real-time security codes. Attackers use urgent, fraudulent “security update” alerts to hijack Multipass/Soft Token codes to authorize illicit transfers, utilizing lookalike domains like bancoripley-cl-seguridad.com.

Protect Yourself: Access Banco Ripley only via the official app or website, never click links in unexpected messages, and remember that banks never ask for full security codes to log in or update profiles.

The Banco Ripley case exemplifies a real-time proxy attack designed to bypass Multi-Factor Authentication (MFA) by hijacking dynamic tokens (MultiPass/Soft Token) in real time. Victims are tricked into providing authorization codes on a fake site, allowing attackers to immediately take over accounts or register new devices. Protect yourself by recognizing that banks never request these codes to “update data,” and always verify the URL strictly matches the bank’s domain.

Fake Snapchat password reset page in Arabic detected

A phishing campaign targeting Arabic-speaking Snapchat users in the MENA region uses fake password reset pages to steal credentials and bypass two-factor authentication (2FA). Attackers utilize high-fidelity clones of the Snapchat login portal and real-time credential relay tactics to hijack user sessions and private data.

This case highlights a Real-Time Proxy Attack targeting Snapchat, where attackers use fake Arabic-language “Security Breach” notices to intercept user credentials and live 2FA codes, allowing immediate account takeover. The key security tip is the “Initiator” Rule: never enter a 2FA code on a page reached via a link; only provide codes on sites you accessed by manually typing the official URL.

Comcast Xfinity phishing page detected

A phishing campaign targeting Comcast Xfinity customers uses deceptive emails claiming billing failures to harvest login credentials, credit card details, and Social Security numbers. The attack leverages fraudulent links and high-fidelity clones of the official login page to steal comprehensive personal and financial data.

This phishing method uses urgent, fake security alerts via email or SMS to trick users into visiting fraudulent websites, aiming to steal credentials and 2FA codes. Attackers frequently impersonate official services, creating a false sense of security risk to bypass critical thinking and harvest sensitive information. To avoid this scam, verify all requests directly through official apps or websites, and never click on unsolicited links.

Fake Saudi Post page in Arabic revealed

A phishing campaign targeting residents in Saudi Arabia impersonates Saudi Post (SPL) via SMS to steal personal information and credit card data through a fake “address correction” page. The attack uses realistic clones of the official SPL portal to harvest credentials and intercept one-time passwords (OTPs) for fraudulent transactions.


These phishing cases highlight attackers’ use of urgent, fake alerts to steal credentials and financial data through fake “password reset,” billing, and parcel delivery scenarios. Key protections include ignoring unexpected links, verifying URLs against official domains, and using app-based 2FA to prevent account takeovers.

Recent phishing campaigns are exploiting trusted brands through urgent, fake security or billing notifications designed to harvest account credentials and financial data. Attackers are using real-time interception of 2FA codes and small, fake “delivery fees” to bypass security and steal sensitive personal information, including SSNs and CVVs. Always verify alerts directly through official apps rather than links in SMS or email messages.

Fake Emirates Post pages detected


Threat Analysis: Emirates Post Phishing – Small Fee & Card Harvesting

How it works:
The victim receives an SMS, email, or messaging app alert claiming a package requires a small delivery fee or customs payment. The link leads to this page, which mimics the Emirates Post payment interface. The victim is asked to provide:

  • Cardholder name
  • Full card number
  • Expiration date (MM/YY)
  • CVV security code

Logos for Verified by Visa, MasterCard SecureCode, and PayPal are displayed to create a false sense of security. A small amount (AED 12.15) is shown to make the payment seem trivial.

The goal:
The attacker captures complete credit/debit card information (number, expiry, CVV) along with the cardholder’s name to make fraudulent purchases or sell the data.

Red flags to watch for:

  • Suspicious URL: The page is hosted on kaeru.happyspotclub.org, not emiratespost.com or any official Emirates Post domain.
  • Request for CVV: A legitimate postal service never asks for your card security code to collect a delivery fee.
  • Small fee trick: AED 12.15 is a trivial amount intended to lower suspicion.
  • No tracking or package reference: The victim cannot verify the supposed shipment.
  • Copied payment logos: The Visa, MasterCard, and PayPal badges are used to appear legitimate but do not guarantee safety.

What to do if you encounter this:

  • Do not enter any card or personal information.
  • If you are expecting a delivery, track it directly by typing emiratespost.com into your browser.
  • If you have already entered card details, contact your bank immediately to block the card.
  • Report the phishing page to Emirates Post Group and to the relevant authorities.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery fee” via a link. Legitimate fees are handled in person, through the official app, or after logging into your account.
  • Check the URL carefully: Official Emirates Post domains end with emiratespost.com. Look for misspellings, extra words, or unusual top‑level domains.
  • Enable transaction alerts on your bank account.

Fake Carrefour page revealed

This phishing campaign against Carrefour uses a “reward survey” scheme to steal credit card data and register victims for hidden subscriptions, often promoted via social media. The multi-stage attack involves fake surveys and “lucky” games, designed to trick users into paying a small shipping fee, which is actually a pretext to capture sensitive banking information.

Screenshot 1 (Landing Page): Uses legitimate branding and fake social proof (comments) to establish credibility.

Screenshot 2 (Survey): Simple questions are used to boost engagement and reduce suspicion.

Screenshot 3 (Prize Game): A rigged box-opening game creates a false sense of winning to entice further action.

Screenshot 4 (Payment Form): Steals full credit card details (Number, Expiry, CVV) for fraudulent charges and subscriptions.

Protection Measures:

  • Verify the Domain: Official promotions only occur on the retailer’s official website.
  • Too Good to Be True: Large prizes for simple surveys are guaranteed scams.
  • Never Pay for Prizes: Legitimate companies do not charge fees to receive gifts.
  • Monitor Accounts: Check bank statements for fraudulent charges or unexpected subscriptions.

Microsoft phishing page in Spanish detected

This screenshot shows a Spanish‑language phishing page designed to steal email credentials (correo electrónico and contraseña). The page is minimal and generic, making it adaptable to impersonate various services (Microsoft, Google, a bank, or an email provider).


Threat Analysis: Generic “Inicio de seguridad” Phishing – Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or message claiming a security alert, account suspension, or the need to verify their information. The link leads to this page, which asks for:

  • Email address
  • Password

The “Siguiente” (Next) button suggests a multi‑step flow, where the victim would be taken to another fake page (e.g., for two‑factor authentication or additional personal data).

The goal:
The attacker steals the victim’s email credentials to:

  • Access the email account (search for sensitive information, reset passwords for other services)
  • Send further phishing messages to the victim’s contacts
  • Use the credentials to compromise other accounts where the same password is reused

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain like sc-445678-sss.c1.biz, which is not an official domain for any legitimate service (e.g., google.com, microsoft.com, outlook.com).
  • Generic design: The page has no logo, no company branding, and no personalized elements – a strong indicator of a broad phishing campaign.
  • “Inicio de seguridad” pretext: This vague “security start” phrase is meant to create a false sense of urgency but lacks the professionalism of a real security alert.
  • Unsolicited login request: No legitimate service sends links requiring users to log in to resolve “security” issues.

What to do if you encounter this:

  • Do not enter your email or password.
  • If you have already entered credentials, change your password immediately for that email account and for any other accounts using the same password. Enable two‑factor authentication (2FA) on your email account.
  • Always access your email or online services by typing the official URL directly into your browser.

Protective measures:

  • Never click links in unsolicited messages claiming security issues.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your email and other critical accounts.
  • Check the URL carefully: Look for misspellings, extra words, or unusual top‑level domains.
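
The URL checks recommended above for Instagram and Emirates Post can be automated on the defender's side, for example in a mail or SMS filter. The following is an added example, not code from the original page or from any of the services named: it compares a link's host with the official domains this page states and flags hosts that only contain the brand name. The brand keys, the function names and the two hosts marked as constructed are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Official domains as stated on this page; the brand keys are labels chosen for this example.
OFFICIAL = {
    "instagram": ("instagram.com", "facebook.com"),
    "emiratespost": ("emiratespost.com",),
}


def hostname(url: str) -> str:
    """Extract the lowercase host, ignoring scheme, userinfo, port and path."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as the network location
    return (urlsplit(url).hostname or "").rstrip(".")


def classify(url: str, brand: str) -> str:
    """Return 'official', 'lookalike' (brand name in a foreign host) or 'unrelated'."""
    host = hostname(url)
    for domain in OFFICIAL[brand]:
        # Match the domain itself or a subdomain of it, on a label boundary.
        # A bare host.endswith(domain) would accept "fake-emiratespost.com".
        if host == domain or host.endswith("." + domain):
            return "official"
    # Brand string anywhere in a non-official host: the lookalike pattern.
    if brand in host.replace("-", "").replace(".", ""):
        return "lookalike"
    return "unrelated"


# Hosts quoted on this page, plus two constructed ones marked below.
SAMPLES = [
    ("https://www.instagram.com/", "instagram"),
    ("copyright-instagram-help.com", "instagram"),
    ("instagram-support.web.app", "instagram"),
    ("kaeru.happyspotclub.org", "emiratespost"),
    ("fake-emiratespost.com", "emiratespost"),                  # constructed
    ("https://emiratespost.com.example.net/", "emiratespost"),  # constructed
]

if __name__ == "__main__":
    for url, brand in SAMPLES:
        print(f"{classify(url, brand):10} {brand:13} {url}")
```

A result of "unrelated" still means the host is not official: a message that claims to come from the brand but links to such a host should be treated as phishing, as with kaeru.happyspotclub.org above.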