Crédit Mutuel Bretagne phishing preparation detected in Abidjan (Côte d’Ivoire)

This screenshot shows a phishing page impersonating Crédit Mutuel de Bretagne, a French bank. The page threatens a “temporary ban on all debit operations” to pressure victims into providing sensitive personal and banking information.


Threat Analysis: Crédit Mutuel de Bretagne Phishing – Full Identity & Banking Credential Harvesting

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert or account restriction. The link leads to this page, which mimics the bank’s client space. The victim is asked to provide:

  • First and last name
  • Email address
  • Identifiant CMB (online banking username)
  • Mot de passe CMB (password)
  • Phone number
  • Date of birth
  • Department of birth

A threat is displayed: ignoring the notice will result in a temporary ban on all debit operations – a classic fear tactic.

The goal:
The attacker collects:

  • Online banking credentials (identifier and password)
  • Full personal identity information (name, DOB, birth department, phone, email)
  • Enough data to potentially answer security questions or commit identity theft

With this information, the attacker can:

  • Log into the victim’s Crédit Mutuel online banking account
  • Authorize fraudulent transfers or payments
  • Use personal details for identity fraud or to impersonate the victim

Red flags to watch for:

  • Suspicious URL: The page is hosted on a subdomain of dynadot.com (a domain registrar), not on creditmutuel.fr or an official Crédit Mutuel domain.
  • Threat of immediate consequences: The warning of a “temporary ban on all debit operations” is a fear tactic to pressure victims into acting without thinking.
  • Excessive data requests: A legitimate bank login does not ask for full name, email, phone, date of birth, and department of birth all on the same page. This is a clear sign of a phishing kit designed to harvest as much personal data as possible.
  • Unsolicited login request: Crédit Mutuel does not send links requiring customers to log in to avoid account restrictions.
  • Poor design / generic layout: The page lacks the full branding, security notices, and two‑factor authentication features of the real Crédit Mutuel portal.

What to do if you encounter this:

  • Do not enter any personal or banking information.
  • If you are a Crédit Mutuel customer, always access your account by typing the official website URL directly (e.g., creditmutuel.fr or your regional branch’s domain).
  • If you have already entered your credentials, contact Crédit Mutuel immediately to change your password and secure your account.
  • Report the phishing page to Crédit Mutuel’s fraud team.

Protective measures:

  • Bookmark the official Crédit Mutuel login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate domains.
  • Enable two‑factor authentication on your bank account if available.
  • Never provide your date of birth, phone number, and banking credentials in response to a threat‑based message.
  • Be suspicious of any unsolicited message that threatens account restrictions and asks you to log in via a link.

Yahoo mail phishing page detected

These two screenshots show a phishing campaign impersonating Yahoo, targeting French-speaking users. The scam uses a fake security alert to trick victims into clicking a button that leads to a fraudulent login page, where their Yahoo username and password are stolen.


Threat Analysis: Yahoo Phishing – Fake “Secure Your Account” Scam

How it works:

Step 1 – Fake Security Alert (First Screenshot)
The victim receives a phishing email or lands on a page claiming that they need to “secure” their Yahoo account. A button labelled “Sécuriser votre compte” (Secure your account) is prominently displayed. Clicking the button leads to the next page.

Step 2 – Fake Yahoo Login Page (Second Screenshot)
The victim is taken to a page that mimics the Yahoo Mail login interface. It asks for:

  • Nom d’utilisateur (username)
  • Mot de passe (password)

After the victim enters their credentials and clicks “Connexion” (Sign in), the information is captured and sent to the attacker.

The goal:
The attacker steals Yahoo account credentials to:

  • Access the victim’s Yahoo Mail (searching for sensitive information, password reset links)
  • Compromise other services linked to the Yahoo account
  • Send further phishing messages to the victim’s contacts
  • Attempt credential reuse on other platforms

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not yahoo.com or yahoo.fr. Legitimate Yahoo login pages are only on official Yahoo domains.
  • Unsolicited security alert: Yahoo does not send emails or messages with links requiring users to click a button to “secure” their account.
  • Generic design / missing security features: The fake login page lacks the full Yahoo branding, security notices, and two‑factor authentication options present on the real site.
  • No personalization: A legitimate Yahoo login may display a profile image or account selection – this page does not.

What to do if you encounter this:

  • Do not click the button or enter your username and password.
  • If you are a Yahoo user, always access your mailbox by typing yahoo.com directly into your browser.
  • If you have already entered your credentials, change your Yahoo password immediately and enable two‑factor authentication (2FA).
  • Report the phishing page to Yahoo’s security team.

Protective measures:

  • Bookmark the official Yahoo login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate yahoo.com domains.
  • Enable two‑factor authentication on your Yahoo account.
  • Be suspicious of any unsolicited message that asks you to click a button to “secure” your account.

Fake Amazon gift card

This screenshot shows a fake Amazon gift card giveaway hosted on a Linktree page (a popular link‑in‑bio service). The page claims a “$500 Amazon Gift Card” is available, but this is a common lure used to direct victims to phishing sites, survey scams, or affiliate fraud pages.


Threat Analysis: Amazon Gift Card Scam – Survey / Phishing Lure on Linktree

How it works:
The victim sees a post or message (often on social media like Instagram, TikTok, or Twitter) with a link to a Linktree profile. The Linktree page displays an image or text promising a high‑value Amazon gift card (e.g., $500). When the victim clicks the link, they are redirected to a fraudulent website that may:

  • Ask for personal information (name, address, email) to “claim” the prize
  • Require completion of paid surveys, app downloads, or subscription offers (affiliate fraud)
  • Lead to a phishing page that steals Amazon or other account credentials
  • Request a small “shipping” or “processing” fee (advance fee fraud)

The goal:
The attacker earns money through:

  • Affiliate commissions – each time a victim signs up for a paid offer or service
  • Lead generation – collecting personal data to sell to marketers
  • Phishing – stealing login credentials if the victim is directed to a fake Amazon login page
  • Advance fees – tricking victims into paying a small fee for a gift card that never arrives

Red flags to watch for:

  • Too‑good‑to‑be‑true offer: Amazon does not give away $500 gift cards through random Linktree pages.
  • No official Amazon branding or verification: The Linktree page is generic and not associated with Amazon.
  • Redirects to unknown websites: The actual gift card claim link does not lead to amazon.com.
  • Unsolicited offer: Receiving a link to a gift card giveaway without entering a legitimate contest is almost always a scam.

What to do if you encounter this:

  • Do not click any links on the Linktree page.
  • Do not provide any personal or payment information.
  • If you have already clicked through and entered sensitive data, contact your bank immediately and change any compromised passwords.
  • Report the Linktree page to Linktree (via their abuse reporting system) and to the social media platform where you saw the post.

Protective measures:

  • Remember: legitimate gift card giveaways do not require you to click through random link‑in‑bio pages.
  • Always check the URL – only trust gift cards from amazon.com or official Amazon communications.
  • Never complete surveys or pay fees to claim a prize.
  • Use an ad blocker and be cautious of “too good to be true” offers on social media.

Arabic Facebook phishing detected

This screenshot shows a phishing page impersonating Facebook, targeting Arabic‑speaking users. The page lures victims with a promise of a Free Fire game reward and asks for their Facebook login credentials (phone number/email and password).


Threat Analysis: Facebook / Free Fire Phishing – Credential Harvesting (Arabic Variant)

How it works:
The victim receives a link via social media, SMS, or messaging app promising a free reward or bonus for the game Free Fire (e.g., diamonds, skins, or in‑game currency). The link leads to this page, which mimics the Facebook login interface. The Arabic text instructs the victim to log in with their Facebook account to claim the reward. When the victim enters their phone number or email and password and clicks “تسجيل دخول” (Login), the credentials are captured and sent to the attacker.

The goal:
The attacker steals Facebook credentials to:

  • Take over the victim’s Facebook account
  • Access the linked Free Fire (Garena) account
  • Post spam or malicious links from a trusted account
  • Use the same email/password combination to compromise other accounts (credential stuffing)
  • Sell the account or its data on criminal markets

Red flags to watch for:

  • Suspicious URL: The page is hosted on fashiongarkh.com, not facebook.com. Legitimate Facebook login pages are only on official Facebook domains.
  • Free Fire reward lure: Facebook does not offer Free Fire rewards through third‑party login pages. This is a common gaming scam tactic.
  • Poor Arabic phrasing / typo: The text contains a possible typo (“حضارة” instead of “حسابك” or similar), which would not appear on an official Facebook page.
  • Unsolicited login request: Facebook never asks you to log in via an external site to claim game rewards.
  • No personalization or security indicators: The page lacks Facebook’s full branding, language selection, and two‑factor authentication prompts.

What to do if you encounter this:

  • Do not enter your Facebook email/phone or password.
  • If you have already entered your credentials, change your Facebook password immediately and enable two‑factor authentication (2FA). Also check for any unauthorized activity or connected apps.
  • Always access Facebook by typing facebook.com directly into your browser.
  • Claim Free Fire rewards only through the official Garena app or website – never through external links.

Protective measures:

  • Bookmark the official Facebook login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Facebook account.
  • Be suspicious of any unsolicited message that asks you to log in to claim a game reward.
  • Never log in to Facebook via a link sent in a message or posted on social media.

A phishing attack on Amazon.de is being prepared

This screenshot shows a fake reCAPTCHA page impersonating Amazon.de. The page claims the victim must prove they are “not a robot” by entering characters from an image – a classic tactic used to trick victims into completing a “verification” step that often leads to malware or credential theft.


Threat Analysis: Amazon Fake reCAPTCHA Phishing – “I’m not a robot” Scam

How it works:
The victim receives a link (often via email, SMS, or malicious ad) that leads to this page. The page mimics a legitimate Amazon security check, displaying a fake CAPTCHA image with characters (“ACXJPVU”) and a checkbox “I’m not a robot.” The victim is instructed to enter the characters and click “Fortsetzen” (Continue). After submission, the victim is typically:

  • Redirected to a phishing page asking for Amazon login credentials
  • Prompted to download malware disguised as a “security update”
  • Taken to a survey or offer wall (affiliate fraud)

The goal:
The attacker aims to:

  • Trick the victim into entering information that can be used to bypass security measures
  • Lead the victim to a subsequent phishing page where Amazon credentials are stolen
  • Generate affiliate revenue through fake surveys or downloads

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not amazon.de. Legitimate Amazon CAPTCHA challenges appear on official Amazon domains.
  • Generic design / missing Amazon branding: While the page uses the Amazon logo, the layout is minimal and lacks the full navigation, security notices, and footer links of the real Amazon site.
  • Fake CAPTCHA image: The image text is simple and appears to be a static image, not a dynamically generated CAPTCHA. Real reCAPTCHA is more complex and interactive.
  • Unsolicited verification request: Amazon does not require you to complete a CAPTCHA via an external link to “prove you’re not a robot.”

What to do if you encounter this:

  • Do not enter any characters or click “Fortsetzen.”
  • Do not click any links or download any files from such pages.
  • If you have already entered information and were redirected to a login page, do not enter your Amazon credentials. Change your Amazon password immediately if you suspect you may have been tricked.
  • Always access Amazon by typing amazon.de directly into your browser.

Protective measures:

  • Never complete a CAPTCHA on a page you reached via a link. Legitimate CAPTCHA challenges appear only on the official site you are already visiting.
  • Check the URL carefully – Amazon.de domains end with amazon.de. Look for misspellings, extra words, or unusual top‑level domains.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Amazon account.

Revealed carding using fake General Directorate of Public Finance of France pages (Direction générale des Finances publiques)

This screenshot shows a phishing page impersonating the official French tax website (impots.gouv.fr). The page claims the victim needs to “confirm their bank card details” to receive a tax refund – a classic pretext to steal full credit card information.


Threat Analysis: French Tax Refund Phishing – Card Data Harvesting

How it works:
The victim receives a phishing email, SMS, or other message claiming they are eligible for a tax refund. The link leads to this page, which mimics the official French tax portal (impots.gouv.fr). The page asks the victim to provide:

  • Cardholder name (as printed on the card)
  • Expiration date (MM/AAAA)
  • Full card number
  • Visual cryptogram (CVV)

A button labelled “Valider mon remboursement” (Confirm my refund) submits the data to the attacker.

The goal:
The attacker collects full credit/debit card details to make fraudulent purchases, clone the card, or sell the information. No tax refund exists – the entire offer is fabricated.

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not impots.gouv.fr. The official French tax website uses only government domains.
  • Request for full card details for a refund: Legitimate tax refunds are deposited directly to the bank account the tax authorities already have on file – they never ask for your card number, expiration date, or CVV.
  • “Cryptogramme visuel” (CVV) request: No legitimate tax authority asks for your card security code.
  • Poor design / missing official elements: While the page copies the official logo and footer, the layout and the specific request for card details are not part of the real tax refund process.
  • Unsolicited refund notification: The French tax authorities (DGFiP) do not send unsolicited emails with links to claim refunds. Any such message is a scam.

What to do if you encounter this:

  • Do not enter any card or personal information.
  • If you are a French taxpayer, always access your tax account by typing impots.gouv.fr directly into your browser.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the French tax authorities via their official reporting form.

Protective measures:

  • Never click links in unsolicited messages claiming a tax refund.
  • Always type the official government URL directly into your browser.
  • Never provide your card CVV or expiration date to “receive” a refund – refunds do not require this information.
  • Enable two‑factor authentication on your bank account and email.
  • Be suspicious of any message that creates urgency and asks for sensitive financial information.
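
The “excessive data requests” red flag from the Crédit Mutuel write-up and the card number plus CVV request described here can both be checked mechanically when triaging a reported page. The following is an added example, not code from the original page: the field-name patterns, the PII threshold, and the three sample forms are constructed for illustration.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Assumed field-name heuristics (French and English); not taken from any real kit.
CATEGORIES = {
    "password": re.compile(r"pass|mdp|pwd"),
    "login_id": re.compile(r"identifiant|user|login"),
    "card_number": re.compile(r"numero[_-]?carte|card[_-]?num|cc[_-]?num"),
    "card_cvv": re.compile(r"cvv|cvc|cryptogram"),
    "card_expiry": re.compile(r"expir"),
    "pii": re.compile(r"nom|name|mail|tel|phone|naissance|birth|dob|depart"),
}
SKIP_TYPES = {"hidden", "submit", "button", "reset", "image"}
PII_THRESHOLD = 3  # assumption: a login form asking for 3+ identity fields is abnormal


class FormFields(HTMLParser):
    """Collect (type, name) for every input/select, grouped per <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = []
            self.forms.append(self._open)
        elif tag in ("input", "select") and self._open is not None:
            ftype = (a.get("type") or "text").lower()
            name = (a.get("name") or a.get("id") or "").lower()
            self._open.append((ftype, name))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def classify(ftype, name):
    """Map one form field to a category; type=password always wins."""
    if ftype == "password":
        return "password"
    for category, pattern in CATEGORIES.items():
        if pattern.search(name):
            return category
    return "other"


def triage(html):
    """Return one list of findings per form found in the HTML."""
    parser = FormFields()
    parser.feed(html)
    results = []
    for fields in parser.forms:
        counts = Counter(classify(t, n) for t, n in fields if t not in SKIP_TYPES)
        findings = []
        if counts["card_number"] and counts["card_cvv"]:
            findings.append("card-data")  # card number and CVV on one form
        if counts["password"] and counts["pii"] >= PII_THRESHOLD:
            findings.append("credentials+identity")  # login plus identity data
        results.append(findings)
    return results


# Constructed samples: field sets modelled on the lists in the write-ups above.
BANK_LIKE = """<form><input name="nom"><input name="prenom">
<input type="email" name="email"><input name="identifiant">
<input type="password" name="mot_de_passe"><input type="tel" name="telephone">
<input name="date_naissance"><input name="departement_naissance">
<input type="submit" value="Valider"></form>"""
TAX_LIKE = """<form><input name="titulaire"><input name="date_expiration">
<input name="numero_carte"><input name="cryptogramme">
<input type="submit" value="Valider mon remboursement"></form>"""
PLAIN_LOGIN = """<form><input name="username">
<input type="password" name="password"><input type="submit"></form>"""

if __name__ == "__main__":
    for label, html in [("bank-like", BANK_LIKE), ("tax-like", TAX_LIKE),
                        ("plain login", PLAIN_LOGIN)]:
        print(label, triage(html))
```

A finding here is a triage signal, not a verdict: it says the form collects more than a login or a refund needs, which is the point both red flags make.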

Scam: 2008 Mercedes-Benz Rapido 999M

This screenshot shows a classified ad for a luxury vehicle (Mercedes-Benz Rapido motorhome) with a suspiciously low price (£7,800), urgent tone, and a request to contact the seller directly via email. This is a common setup for vehicle sale scams, often leading to advance fee fraud or phishing.


Threat Analysis: Vehicle Sale Scam – Fake Ad / Advance Fee Fraud

How the scam works:
The victim sees an ad (on a classified site, social media, or marketplace) for a high‑value vehicle at an extremely low price. The ad includes an urgent message (“FINAL PRICE – URGENT”) and a request to contact the seller directly via email. When the victim responds, the scammer typically:

  • Claims the vehicle is located abroad (or far away) and can be shipped
  • Asks for a deposit or full payment via bank transfer, PayPal (Friends & Family), or gift cards
  • Sends fake invoices, shipping documents, or escrow service links that are actually fraudulent
  • May ask for personal information (name, address, ID) for “paperwork”

After the victim sends money, the vehicle never arrives, and the scammer disappears.

The goal:
The attacker aims to:

  • Collect an upfront payment (deposit or full amount) that is never returned
  • Obtain personal information for identity theft
  • Redirect the victim to a phishing page disguised as an escrow or payment service

Red flags to watch for:

  • Too‑good‑to‑be‑true price: A 2008 Mercedes-Benz motorhome with low mileage priced at £7,800 is far below market value. Legitimate vehicles of this type cost £20,000–£50,000 or more.
  • Urgency (“URGENT”, “FINAL PRICE”): Classic pressure tactic to prevent the victim from researching or thinking critically.
  • Request to contact via email directly: Legitimate classified platforms encourage communication through the platform to protect buyers. Sellers who insist on direct email are often scammers.
  • Generic email address: The contact address ([email protected]) is on a free email service, not a business domain. A legitimate seller would use a professional or platform‑linked contact method.
  • No verifiable details: The ad lacks specific location, VIN, service history, or other verifiable information that a real seller would provide.

What to do if you encounter this:

  • Do not reply to the email or send any money.
  • Do not provide any personal or financial information.
  • If you are looking to buy a vehicle, always:
      • Inspect it in person
      • Use secure payment methods (e.g., escrow, credit card with buyer protection)
      • Avoid paying deposits for vehicles you have not seen
  • Report the ad to the platform where it was posted (e.g., Facebook Marketplace, Gumtree, eBay).

Protective measures:

  • If the price seems too good to be true, it is a scam.
  • Never send money for a vehicle you have not seen in person.
  • Use reverse image search on the vehicle photos – scammers often reuse images from real ads.
  • Verify the seller’s identity – ask for video call, local registration, or meet in a public place.
  • Be suspicious of any urgent sale that requires payment before delivery.

Facebook phishing under the pretext of winning a FreeFire prize

These three screenshots show a multi‑step phishing campaign targeting Free Fire players. The scam promises free in‑game rewards (diamonds, magic cubes, etc.) and then directs victims to a fake Facebook login page to steal their credentials.


Threat Analysis: Free Fire Reward Phishing – Facebook Credential Harvesting

How the scam works (3 steps):

Step 1 – Fake Free Fire Event Page (First Screenshot)
The victim sees a page mimicking an official Free Fire announcement. It displays:

  • A countdown timer (e.g., “23 : 56 : 44”) to create urgency
  • Promises of free rewards: diamonds, magic cube, evolution stone, deluxe bundles
  • “Collect” buttons for various items

The page is designed to look like a legitimate in‑game event. Clicking any “Collect” button leads to the next step.

Step 2 – “Log in to claim prize” page (Third Screenshot)
The victim is told: “Selected prize locked. Log in using your FREEFIRE account to receive prize” and given an option to “Log in using Facebook account.” This is the transition to the credential harvesting page.

Step 3 – Fake Facebook Login Page (Second Screenshot)
The victim is redirected to a page that mimics the Facebook login interface. It asks for:

  • Mobile number or email address
  • Password

After the victim enters their credentials and clicks “Log In,” the information is captured and sent to the attacker.

The goal:
The attacker steals Facebook credentials to:

  • Take over the victim’s Facebook account
  • Access the linked Free Fire (Garena) account
  • Use the account to spread the scam to friends
  • Sell the account or its data on criminal markets

Red flags to watch for:

  • Free reward lure: Garena / Free Fire does not give away diamonds and rare items through external websites. Legitimate events are inside the game.
  • Login via Facebook on a third‑party page: A real reward would be claimed directly in the game, not by logging into Facebook via a random link.
  • Suspicious URL: The pages are hosted on domains that are not freefire.com, garena.com, or facebook.com.
  • Urgency tactics: Countdown timers and “limited time” messages pressure victims to act without thinking.
  • No official branding / design inconsistencies: The event page uses generic graphics and does not match the official Free Fire style.

What to do if you encounter this:

  • Do not click any “Collect” buttons or enter any Facebook credentials.
  • If you have already entered your Facebook login details, change your password immediately and enable two‑factor authentication (2FA). Also check for any unauthorized activity or connected apps.
  • Always claim in‑game rewards through the official Free Fire app – never through external links.
  • Report the phishing pages to Facebook and to Garena.

Protective measures:

  • Remember: no legitimate game reward requires you to log in via a link.
  • Never log into Facebook on a page you reached from a game “reward” link.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Facebook account.
  • Be suspicious of any unsolicited offer that promises free premium currency.

Phishing of Facebook under the pretext of boosting likes

These two screenshots show a Facebook engagement scam (“like boosting”) combined with a fake Facebook login page. The scam promises to increase likes, views, or engagement on social media posts, but instead steals the victim’s Facebook credentials.


Threat Analysis: Facebook “Like Booster” Scam – Credential Harvesting

How it works:
The victim encounters a link (via social media, email, or messaging app) promising free or cheap likes, followers, or engagement for their Facebook posts. The first screenshot shows a page with “Statuts” and “Like” buttons – a typical interface for a fake engagement service. The victim is told they need to log in to Facebook to activate the likes or to connect their account. Clicking the login button leads to a fake Facebook login page (second screenshot), which asks for:

  • Email or phone number
  • Password

After the victim enters their credentials and clicks “Log In,” the information is captured and sent to the attacker. The victim may then be redirected to a fake “processing” page or a survey wall, but no likes are ever delivered.

The goal:
The attacker steals Facebook credentials to:

  • Take over the victim’s Facebook account
  • Use the account to post spam, scams, or malicious links
  • Sell the account or its data on criminal markets
  • Launch further phishing attacks from a trusted account

Red flags to watch for:

  • Suspicious URL: The link leads to holidaypure.com (or similar), not facebook.com. Legitimate Facebook login pages are only on official Facebook domains.
  • Promise of free likes / engagement: Facebook does not allow third‑party services to boost likes via a simple login. Any such offer is a scam.
  • Login required on a third‑party site: A legitimate engagement service would not ask for your Facebook password. You would grant permissions via Facebook’s official OAuth (which does not require entering your password on the service’s site).
  • Unsolicited offer: Receiving a link promising free likes is almost always a phishing attempt.
  • Fake Facebook login page: The second screenshot mimics Facebook’s interface but is missing security indicators (e.g., proper URL, two‑factor prompt).

What to do if you encounter this:

  • Do not enter your Facebook email/phone or password.
  • If you have already entered your credentials, change your Facebook password immediately and enable two‑factor authentication (2FA). Also check for any unauthorized activity or connected apps.
  • Never use third‑party services that ask for your Facebook password – use only official Facebook tools or legitimate marketing platforms that authenticate via OAuth.
  • Report the phishing page to Facebook.

Protective measures:

  • Bookmark the official Facebook login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Facebook account.
  • Be suspicious of any service that promises free likes, views, or followers in exchange for your login credentials.

Preparation of an attack on Facebook in Spanish detected

This screenshot shows a Spanish‑language phishing page impersonating Facebook. The page is designed to steal login credentials (mobile number or email address and password).


Threat Analysis: Facebook Phishing – Credential Harvesting (Spanish Variant)

How it works:
The victim receives a phishing email, SMS, or social media message claiming a security alert, account issue, or the need to verify their information. The link leads to this page, which mimics the Facebook login interface. The victim is asked to enter their mobile number or email address and password, then click “Entrar” (Login). The credentials are captured and sent to the attacker.

The goal:
The attacker steals Facebook account credentials to:

  • Take over the victim’s Facebook account
  • Access private messages and personal information
  • Post spam or malicious links from a trusted account
  • Use the account to send further phishing messages to the victim’s friends
  • Attempt credential reuse on other platforms (email, banking, etc.)

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not facebook.com. Legitimate Facebook login pages are only on official Facebook domains.
  • Unsolicited login request: Facebook does not send links requiring users to log in to resolve account issues.
  • Minimal design / missing security features: While the page copies Facebook’s layout, it lacks the full navigation, security notices, and two‑factor authentication options present on the real site.
  • Language inconsistency: The page includes a mix of Spanish and other languages in the footer, which may be a sign of a copied template.
  • No personalization or account selection: A real Facebook login often displays a profile photo or saved account – this page does not.

What to do if you encounter this:

  • Do not enter your mobile number, email, or password.
  • If you have already entered your credentials, change your Facebook password immediately and enable two‑factor authentication (2FA). Also check for any unauthorized activity or connected apps.
  • Always access Facebook by typing facebook.com directly into your browser.

Protective measures:

  • Bookmark the official Facebook login page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate facebook.com domains.
  • Enable two‑factor authentication on your Facebook account.
  • Be suspicious of any unsolicited message that asks you to log in via a link.
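
The “Suspicious URL” red flag that recurs in the write-ups above, and the advice that a password manager fills only on legitimate domains, come down to one rule: match the host against an allowlist of official domains on a label boundary. The following is an added example, not code from the original page: the official domains are the ones named above, while the keyword list and the sample URLs other than the two hosts quoted above are constructed.

```python
from urllib.parse import urlsplit

# Official domains exactly as named in the write-ups above. The Crédit Mutuel
# entry is incomplete: regional branch domains would have to be added.
OFFICIAL = {
    "Crédit Mutuel": ("creditmutuel.fr",),
    "Yahoo": ("yahoo.com", "yahoo.fr"),
    "Facebook": ("facebook.com",),
    "Amazon": ("amazon.com", "amazon.de"),
    "DGFiP": ("impots.gouv.fr",),
}

# Assumed brand keywords: a hit on a non-official host suggests a lookalike.
KEYWORDS = {
    "Crédit Mutuel": ("creditmutuel", "credit-mutuel"),
    "Yahoo": ("yahoo",),
    "Facebook": ("facebook",),
    "Amazon": ("amazon",),
    "DGFiP": ("impots",),
}


def hostname(url):
    """Return the lower-cased ASCII (IDNA) host of a URL, or None if unusable."""
    try:
        host = urlsplit(url if "://" in url else "//" + url).hostname
    except ValueError:
        return None
    host = (host or "").rstrip(".")
    if not host:
        return None
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def on_domain(host, domain):
    """True only for the domain itself or a subdomain (label-boundary match)."""
    return host == domain or host.endswith("." + domain)


def check(url):
    """Classify a URL as official, lookalike, unknown or invalid."""
    host = hostname(url)
    if host is None:
        return ("invalid", None)
    for brand, domains in OFFICIAL.items():
        if any(on_domain(host, d) for d in domains):
            return ("official", brand)
    for brand, words in KEYWORDS.items():
        if any(w in host for w in words):
            return ("lookalike", brand)
    return ("unknown", None)


def may_autofill(url, brand):
    """Allowlist decision: credentials go only to the brand's official domains."""
    return check(url) == ("official", brand)


SAMPLES = [
    "https://www.facebook.com/login",             # official
    "http://fashiongarkh.com/",                   # host named in the Arabic variant
    "holidaypure.com",                            # host named in the like-booster case
    "https://subdomain-placeholder.dynadot.com/", # constructed placeholder subdomain
    "https://amazon.de.verify.example/captcha",   # constructed lookalike
    "https://notfacebook.com/",                   # constructed: no label boundary
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:45} {check(url)}")
```

The two phishing hosts quoted above come back as “unknown”, not “lookalike”: they carry no brand keyword at all, which is why the decision has to be an allowlist of official domains and not a search for suspicious-looking names.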