Snapchat phishing page detected

This screenshot shows a phishing page impersonating Snapchat, designed to steal login credentials (username and password). The page is hosted on a suspicious domain unrelated to Snapchat.

Threat Analysis: Snapchat Phishing – Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or social media message claiming a security alert, account issue, or the need to verify their information. The link leads to this page, which mimics the Snapchat login interface. The victim is asked to enter their username and password, then click “LOG IN.” The credentials are captured and sent to the attacker.

The goal:
The attacker steals Snapchat account credentials to:

  • Access private messages, photos, and personal information
  • Post spam or malicious links from a trusted account
  • Use the account to send further phishing messages to the victim’s friends
  • Attempt credential reuse on other platforms (email, banking, etc.)

Red flags to watch for:

  • Suspicious URL: The page is hosted on waingoo.com, not snapchat.com. Legitimate Snapchat login pages are only on official Snapchat domains.
  • Minimal design: The page lacks Snapchat’s full branding, security notices, and two‑factor authentication options.
  • Unsolicited login request: Snapchat does not send links requiring users to log in to resolve account issues.
  • No personalization or “Forgot password?” link: A real login page would include a password recovery option – this simple form may be incomplete.

What to do if you encounter this:

  • Do not enter your username or password.
  • If you have already entered your credentials, change your Snapchat password immediately and enable two‑factor authentication (2FA). Also check for any unauthorized activity.
  • Always access Snapchat by typing snapchat.com directly into your browser or using the official app.

Protective measures:

  • Bookmark the official Snapchat login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate snapchat.com domains.
  • Enable two‑factor authentication on your Snapchat account.
  • Be suspicious of any unsolicited message that asks you to log in via a link.

Preparation to carding with phishing page of income tax credits refund in France detected

These two screenshots show a phishing campaign impersonating the French tax authorities (impôts), offering a fake tax refund (€227.06) to trick victims into providing personal information and full credit card details.



Threat Analysis: French Tax Refund Phishing – Personal & Card Data Harvesting

How the scam works:

Step 1 – Fake Refund Notification (First Screenshot)
The victim receives an email or lands on a page claiming that after the latest tax credit calculations, they are eligible for a refund of €227.06. The page includes steps to follow (click the refund form link) and shows fake news items (e.g., “Avis de CFE”, “Covid-19 – attention aux arnaques par courriel”) copied from the real French tax website to appear legitimate.

Step 2 – Personal Information & Card Details Page (Second Screenshot)
The victim is taken to a page that asks for:

  • Email address
  • Full name
  • Date of birth
  • Postal code and city
  • Phone number (mobile)
  • Bank card details: cardholder name, card number, expiration date, CVV

A message claims this information is needed to issue the refund to the victim’s bank account. Fake security logos (MasterCard SecureCode, Verified by Visa) are added to appear trustworthy.

The goal:
The attacker collects:

  • Personal identity information (name, DOB, address, email, phone) for identity theft
  • Full credit/debit card details (number, expiry, CVV) to make fraudulent purchases or clone the card

No refund is ever issued – the entire offer is fabricated.

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not impots.gouv.fr (the official French tax website).
  • Request for card details for a refund: Legitimate tax refunds are deposited directly to the bank account the tax authorities already have on file – they never ask for your card number, expiration date, or CVV.
  • Fake news section: The “L’ACTUALITÉ EN BREF” section contains old news (dates from 2020) and includes a warning about email scams – ironically placed on a scam page itself.
  • Poor design / inconsistencies: The layout and language have minor inconsistencies compared to the real French tax portal.
  • Unsolicited refund offer: The French tax authorities (DGFiP) do not send unsolicited emails with links to claim refunds. Any such message is a scam.

What to do if you encounter this:

  • Do not enter any personal or card information.
  • If you are a French taxpayer, always access your tax account by typing impots.gouv.fr directly into your browser.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the French tax authorities (via their official reporting form) and to the platform hosting the page.

Protective measures:

  • Never click links in unsolicited messages claiming a tax refund.
  • Always type the official government URL directly into your browser.
  • Never provide your card CVV or expiration date to “receive” a refund – refunds do not require this information.
  • Enable two‑factor authentication on your bank account and email.
  • Be suspicious of any message that creates urgency (“claim your refund now”) and asks for sensitive information.

Facebook phishing with fake Apple offer in Arabic

This screenshot shows an Arabic‑language phishing page that promises 10,000 free iPhones to lure victims into logging in with Facebook. The goal is to steal Facebook credentials.

Threat Analysis: Fake Apple Giveaway Phishing – Facebook Credential Harvesting

How it works:
The victim sees an ad or link promising a chance to receive a free iPhone (or multiple iPhones). The page claims the offer is limited and urges the victim to log in with Facebook to participate. When the victim enters their Facebook login credentials (email/phone and password) and clicks the login button, the information is captured and sent to the attacker.

The goal:
The attacker steals Facebook account credentials to:

  • Take over the victim’s Facebook account
  • Access personal messages and information
  • Post spam, scams, or malicious links from a trusted account
  • Use the account to spread the same phishing scam to the victim’s friends
  • Attempt credential reuse on other platforms

Red flags to watch for:

  • Too‑good‑to‑be‑true offer: Apple does not give away 10,000 iPhones through random Facebook login pages.
  • Login via Facebook for a giveaway: A legitimate giveaway does not require your Facebook password to claim a prize.
  • Suspicious URL: The page is hosted on a domain that is not facebook.com or apple.com. Legitimate Facebook login pages are only on official Facebook domains.
  • Urgency and limited quantity: Phrases like “before they run out” are classic pressure tactics.
  • Poor design / generic Arabic phrasing: The page lacks official Apple or Facebook branding and contains awkward wording.

What to do if you encounter this:

  • Do not enter your Facebook email/phone or password.
  • If you have already entered your credentials, change your Facebook password immediately and enable two‑factor authentication (2FA).
  • Always log in to Facebook by typing facebook.com directly into your browser.
  • Report the phishing page to Facebook (via their official reporting tools).

Protective measures:

  • Remember: if it sounds too good to be true, it is a scam.
  • Never log in to Facebook via a third‑party page – always use the official website or app.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Facebook account.

Credit Mutuel Bretagne phishing preparation detected in Abidjan (Cote d’Ivoire)

This screenshot shows a phishing page impersonating Crédit Mutuel de Bretagne, a French bank. The page threatens a “temporary ban on all debit operations” to pressure victims into providing sensitive personal and banking information.

Threat Analysis: Crédit Mutuel de Bretagne Phishing – Full Identity & Banking Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert or account restriction. The link leads to this page, which mimics the bank’s client space. The victim is asked to provide:

  • First and last name
  • Email address
  • Identifiant CMB (online banking username)
  • Mot de passe CMB (password)
  • Phone number
  • Date of birth
  • Department of birth

A threat is displayed: ignoring the notice will result in a temporary ban on all debit operations – a classic fear tactic.

The goal:
The attacker collects:

  • Online banking credentials (identifier and password)
  • Full personal identity information (name, DOB, birth department, phone, email)
  • Enough data to potentially answer security questions or commit identity theft

With this information, the attacker can:

  • Log into the victim’s Crédit Mutuel online banking account
  • Authorize fraudulent transfers or payments
  • Use personal details for identity fraud or to impersonate the victim

Red flags to watch for:

  • Suspicious URL: The page is hosted on a subdomain of dynadot.com (a domain registrar), not on creditmutuel.fr or an official Crédit Mutuel domain.
  • Threat of immediate consequences: The warning of a “temporary ban on all debit operations” is a fear tactic to pressure victims into acting without thinking.
  • Excessive data requests: A legitimate bank login does not ask for full name, email, phone, date of birth, and department of birth all on the same page. This is a clear sign of a phishing kit designed to harvest as much personal data as possible.
  • Unsolicited login request: Crédit Mutuel does not send links requiring customers to log in to avoid account restrictions.
  • Poor design / generic layout: The page lacks the full branding, security notices, and two‑factor authentication features of the real Crédit Mutuel portal.

What to do if you encounter this:

  • Do not enter any personal or banking information.
  • If you are a Crédit Mutuel customer, always access your account by typing the official website URL directly (e.g., creditmutuel.fr or your regional branch’s domain).
  • If you have already entered your credentials, contact Crédit Mutuel immediately to change your password and secure your account.
  • Report the phishing page to Crédit Mutuel’s fraud team.

Protective measures:

  • Bookmark the official Crédit Mutuel login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate domains.
  • Enable two‑factor authentication on your bank account if available.
  • Never provide your date of birth, phone number, and banking credentials in response to a threat‑based message.
  • Be suspicious of any unsolicited message that threatens account restrictions and asks you to log in via a link.

Yahoo mail phishing page detected

These two screenshots show a phishing campaign impersonating Yahoo, targeting French-speaking users. The scam uses a fake security alert to trick victims into clicking a button that leads to a fraudulent login page, where their Yahoo username and password are stolen.

Threat Analysis: Yahoo Phishing – Fake “Secure Your Account” Scam

How it works:

Step 1 – Fake Security Alert (First Screenshot)
The victim receives a phishing email or lands on a page claiming that they need to “secure” their Yahoo account. A button labelled “Sécuriser votre compte” (Secure your account) is prominently displayed. Clicking the button leads to the next page.

Step 2 – Fake Yahoo Login Page (Second Screenshot)
The victim is taken to a page that mimics the Yahoo Mail login interface. It asks for:

  • Nom d’utilisateur (username)
  • Mot de passe (password)

After the victim enters their credentials and clicks “Connexion” (Sign in), the information is captured and sent to the attacker.

The goal:
The attacker steals Yahoo account credentials to:

  • Access the victim’s Yahoo Mail (searching for sensitive information, password reset links)
  • Compromise other services linked to the Yahoo account
  • Send further phishing messages to the victim’s contacts
  • Attempt credential reuse on other platforms

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not yahoo.com or yahoo.fr. Legitimate Yahoo login pages are only on official Yahoo domains.
  • Unsolicited security alert: Yahoo does not send emails or messages with links requiring users to click a button to “secure” their account.
  • Generic design / missing security features: The fake login page lacks the full Yahoo branding, security notices, and two‑factor authentication options present on the real site.
  • No personalization: A legitimate Yahoo login may display a profile image or account selection – this page does not.

What to do if you encounter this:

  • Do not click the button or enter your username and password.
  • If you are a Yahoo user, always access your mailbox by typing yahoo.com directly into your browser.
  • If you have already entered your credentials, change your Yahoo password immediately and enable two‑factor authentication (2FA).
  • Report the phishing page to Yahoo’s security team.

Protective measures:

  • Bookmark the official Yahoo login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate yahoo.com domains.
  • Enable two‑factor authentication on your Yahoo account.
  • Be suspicious of any unsolicited message that asks you to click a button to “secure” your account.

Fake Amazon gift card

This screenshot shows a fake Amazon gift card giveaway hosted on a Linktree page (a popular link‑in‑bio service). The page claims a “$500 Amazon Gift Card” is available, but this is a common lure used to direct victims to phishing sites, survey scams, or affiliate fraud pages.

Threat Analysis: Amazon Gift Card Scam – Survey / Phishing Lure on Linktree

How it works:
The victim sees a post or message (often on social media like Instagram, TikTok, or Twitter) with a link to a Linktree profile. The Linktree page displays an image or text promising a high‑value Amazon gift card (e.g., $500). When the victim clicks the link, they are redirected to a fraudulent website that may:

  • Ask for personal information (name, address, email) to “claim” the prize
  • Require completion of paid surveys, app downloads, or subscription offers (affiliate fraud)
  • Lead to a phishing page that steals Amazon or other account credentials
  • Request a small “shipping” or “processing” fee (advance fee fraud)

The goal:
The attacker earns money through:

  • Affiliate commissions – each time a victim signs up for a paid offer or service
  • Lead generation – collecting personal data to sell to marketers
  • Phishing – stealing login credentials if the victim is directed to a fake Amazon login page
  • Advance fees – tricking victims into paying a small fee for a gift card that never arrives

Red flags to watch for:

  • Too‑good‑to‑be‑true offer: Amazon does not give away $500 gift cards through random Linktree pages.
  • No official Amazon branding or verification: The Linktree page is generic and not associated with Amazon.
  • Redirects to unknown websites: The actual gift card claim link does not lead to amazon.com.
  • Unsolicited offer: Receiving a link to a gift card giveaway without entering a legitimate contest is almost always a scam.

What to do if you encounter this:

  • Do not click any links on the Linktree page.
  • Do not provide any personal or payment information.
  • If you have already clicked through and entered sensitive data, contact your bank immediately and change any compromised passwords.
  • Report the Linktree page to Linktree (via their abuse reporting system) and to the social media platform where you saw the post.

Protective measures:

  • Remember: legitimate gift card giveaways do not require you to click through random link‑in‑bio pages.
  • Always check the URL – only trust gift cards from amazon.com or official Amazon communications.
  • Never complete surveys or pay fees to claim a prize.
  • Use an ad blocker and be cautious of “too good to be true” offers on social media.

Arabic Facebook phishing detected

This screenshot shows a phishing page impersonating Facebook, targeting Arabic‑speaking users. The page lures victims with a promise of a Free Fire game reward and asks for their Facebook login credentials (phone number/email and password).

Threat Analysis: Facebook / Free Fire Phishing – Credential Harvesting (Arabic Variant)

How it works:
The victim receives a link via social media, SMS, or messaging app promising a free reward or bonus for the game Free Fire (e.g., diamonds, skins, or in‑game currency). The link leads to this page, which mimics the Facebook login interface. The Arabic text instructs the victim to log in with their Facebook account to claim the reward. When the victim enters their phone number or email and password and clicks “تسجيل دخول” (Login), the credentials are captured and sent to the attacker.

The goal:
The attacker steals Facebook credentials to:

  • Take over the victim’s Facebook account
  • Access the linked Free Fire (Garena) account
  • Post spam or malicious links from a trusted account
  • Use the same email/password combination to compromise other accounts (credential stuffing)
  • Sell the account or its data on criminal markets

Red flags to watch for:

  • Suspicious URL: The page is hosted on fashiongarkh.com, not facebook.com. Legitimate Facebook login pages are only on official Facebook domains.
  • Free Fire reward lure: Facebook does not offer Free Fire rewards through third‑party login pages. This is a common gaming scam tactic.
  • Poor Arabic phrasing / typo: The text contains a possible typo (“حضارة” instead of “حسابك” or similar), which would not appear on an official Facebook page.
  • Unsolicited login request: Facebook never asks you to log in via an external site to claim game rewards.
  • No personalization or security indicators: The page lacks Facebook’s full branding, language selection, and two‑factor authentication prompts.

What to do if you encounter this:

  • Do not enter your Facebook email/phone or password.
  • If you have already entered your credentials, change your Facebook password immediately and enable two‑factor authentication (2FA). Also check for any unauthorized activity or connected apps.
  • Always access Facebook by typing facebook.com directly into your browser.
  • Claim Free Fire rewards only through the official Garena app or website – never through external links.

Protective measures:

  • Bookmark the official Facebook login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Facebook account.
  • Be suspicious of any unsolicited message that asks you to log in to claim a game reward.
  • Never log in to Facebook via a link sent in a message or posted on social media.

A phishing attack on Amazon.de is being prepared

This screenshot shows a fake reCAPTCHA page impersonating Amazon.de. The page claims the victim must prove they are “not a robot” by entering characters from an image – a classic tactic used to trick victims into completing a “verification” step that often leads to malware or credential theft.

Threat Analysis: Amazon Fake reCAPTCHA Phishing – “I’m not a robot” Scam

How it works:
The victim receives a link (often via email, SMS, or malicious ad) that leads to this page. The page mimics a legitimate Amazon security check, displaying a fake CAPTCHA image with characters (“ACXJPVU”) and a checkbox “I’m not a robot.” The victim is instructed to enter the characters and click “Fortsetzen” (Continue). After submission, the victim is typically:

  • Redirected to a phishing page asking for Amazon login credentials
  • Prompted to download malware disguised as a “security update”
  • Taken to a survey or offer wall (affiliate fraud)

The goal:
The attacker aims to:

  • Trick the victim into entering information that can be used to bypass security measures
  • Lead the victim to a subsequent phishing page where Amazon credentials are stolen
  • Generate affiliate revenue through fake surveys or downloads

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not amazon.de. Legitimate Amazon CAPTCHA challenges appear on official Amazon domains.
  • Generic design / missing Amazon branding: While the page uses the Amazon logo, the layout is minimal and lacks the full navigation, security notices, and footer links of the real Amazon site.
  • Fake CAPTCHA image: The image text is simple and appears to be a static image, not a dynamically generated CAPTCHA. Real reCAPTCHA is more complex and interactive.
  • Unsolicited verification request: Amazon does not require you to complete a CAPTCHA via an external link to “prove you’re not a robot.”

What to do if you encounter this:

  • Do not enter any characters or click “Fortsetzen.”
  • Do not click any links or download any files from such pages.
  • If you have already entered information and were redirected to a login page, do not enter your Amazon credentials. Change your Amazon password immediately if you suspect you may have been tricked.
  • Always access Amazon by typing amazon.de directly into your browser.

Protective measures:

  • Never complete a CAPTCHA on a page you reached via a link. Legitimate CAPTCHA challenges appear only on the official site you are already visiting.
  • Check the URL carefully – Amazon.de domains end with amazon.de. Look for misspellings, extra words, or unusual top‑level domains.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Amazon account.

Revealed carding using fake General Directorate of Public Finance of France pages (Direction générale des Finances publiques )

This screenshot shows a phishing page impersonating the official French tax website (impots.gouv.fr) . The page claims the victim needs to “confirm their bank card details” to receive a tax refund – a classic pretext to steal full credit card information.

Threat Analysis: French Tax Refund Phishing – Card Data Harvesting

How it works:
The victim receives a phishing email, SMS, or other message claiming they are eligible for a tax refund. The link leads to this page, which mimics the official French tax portal (impots.gouv.fr). The page asks the victim to provide:

  • Cardholder name (as printed on the card)
  • Expiration date (MM/AAAA)
  • Full card number
  • Visual cryptogram (CVV)

A button labelled “Valider mon remboursement” (Confirm my refund) submits the data to the attacker.

The goal:
The attacker collects full credit/debit card details to make fraudulent purchases, clone the card, or sell the information. No tax refund exists – the entire offer is fabricated.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not impots.gouv.fr. The official French tax website uses only government domains.
  • Request for full card details for a refund: Legitimate tax refunds are deposited directly to the bank account the tax authorities already have on file – they never ask for your card number, expiration date, or CVV.
  • “Cryptogramme visuel” (CVV) request: No legitimate tax authority asks for your card security code.
  • Poor design / missing official elements: While the page copies the official logo and footer, the layout and the specific request for card details are not part of the real tax refund process.
  • Unsolicited refund notification: The French tax authorities (DGFiP) do not send unsolicited emails with links to claim refunds. Any such message is a scam.

What to do if you encounter this:

  • Do not enter any card or personal information.
  • If you are a French taxpayer, always access your tax account by typing impots.gouv.fr directly into your browser.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the French tax authorities via their official reporting form.

Protective measures:

  • Never click links in unsolicited messages claiming a tax refund.
  • Always type the official government URL directly into your browser.
  • Never provide your card CVV or expiration date to “receive” a refund – refunds do not require this information.
  • Enable two‑factor authentication on your bank account and email.
  • Be suspicious of any message that creates urgency and asks for sensitive financial information.

Scam: 2008 Mercedes-Benz Rapido 999M

This screenshot shows a classified ad for a luxury vehicle (Mercedes-Benz Rapido motorhome) with a suspiciously low price (£7,800), urgent tone, and a request to contact the seller directly via email. This is a common setup for vehicle sale scams, often leading to advance fee fraud or phishing.

Threat Analysis: Vehicle Sale Scam – Fake Ad / Advance Fee Fraud

How the scam works:
The victim sees an ad (on a classified site, social media, or marketplace) for a high‑value vehicle at an extremely low price. The ad includes an urgent message (“FINAL PRICE – URGENT”) and a request to contact the seller directly via email. When the victim responds, the scammer typically:

  • Claims the vehicle is located abroad (or far away) and can be shipped
  • Asks for a deposit or full payment via bank transfer, PayPal (Friends & Family), or gift cards
  • Sends fake invoices, shipping documents, or escrow service links that are actually fraudulent
  • May ask for personal information (name, address, ID) for “paperwork”

After the victim sends money, the vehicle never arrives, and the scammer disappears.

The goal:
The attacker aims to:

  • Collect an upfront payment (deposit or full amount) that is never returned
  • Obtain personal information for identity theft
  • Redirect the victim to a phishing page disguised as an escrow or payment service

Red flags to watch for:

  • Too‑good‑to‑be‑true price: A 2008 Mercedes-Benz motorhome with low mileage (£7,800) is far below market value. Legitimate vehicles of this type cost £20,000–£50,000 or more.
  • Urgency (“URGENT”, “FINAL PRICE”): Classic pressure tactic to prevent the victim from researching or thinking critically.
  • Request to contact via email directly: Legitimate classified platforms encourage communication through the platform to protect buyers. Sellers who insist on direct email are often scammers.
  • Generic email address: [email protected] is a free email service, not a business domain. A legitimate seller would use a professional or platform‑linked contact method.
  • No verifiable details: The ad lacks specific location, VIN, service history, or other verifiable information that a real seller would provide.

What to do if you encounter this:

  • Do not reply to the email or send any money.
  • Do not provide any personal or financial information.
  • If you are looking to buy a vehicle, always:
  • Inspect it in person
  • Use secure payment methods (e.g., escrow, credit card with buyer protection)
  • Avoid paying deposits for vehicles you have not seen
  • Report the ad to the platform where it was posted (e.g., Facebook Marketplace, Gumtree, eBay).

Protective measures:

  • If the price seems too good to be true, it is a scam.
  • Never send money for a vehicle you have not seen in person.
  • Use reverse image search on the vehicle photos – scammers often reuse images from real ads.
  • Verify the seller’s identity – ask for video call, local registration, or meet in a public place.
  • Be suspicious of any urgent sale that requires payment before delivery.