Fibank (Bulgaria) phishing page detected

A phishing campaign targeting First Investment Bank (Fibank) in Bulgaria uses a fake “digital certificate update” to steal user credentials and one-time passwords (OTP). Scammers employ a “security scare” tactic, directing victims to a lookalike login portal that harvests login IDs, passwords, and OTPs for real-time account takeover.

Target: Customers of First Investment Bank (Fibank / ПИБ) in Bulgaria
Threat Level: High (Online Banking & SMS OTP Theft)
Phishing Method Description
This attack targets users of the “My Fibank” online portal. Scammers distribute links via Phishing Emails or SMS (Smishing) that look like official bank alerts. Common pretexts include “Security Update Required,” “Mandatory Account Synchronization,” or “Your Digital Certificate is Expiring.”
The fraudulent page is a pixel-perfect copy of the Bulgarian/English login interface. It is designed to capture:
Customer ID / Username (Потребителско име)
Login Password (Парола)
Mobile Phone Number
One-Time Password (OTP): The fake site often asks for the SMS code in real-time, allowing hackers to authorize a fraudulent transaction immediately.
⚠️ Red Flags to Watch For
The URL Discrepancy: The official domain is my.fibank.bg. Phishing sites often use deceptive addresses like fibank-bg.online, pib-login.net, or free hosting subdomains like my-fibank.github.io.
Requests for SMS Codes during Login: While some banks use SMS for login, be extremely wary if the site asks for multiple codes or a “Confirmation Code” just to view your balance.
SSL Certificate Check: Even if the site has a “lock” icon (HTTPS), clicking on it will often reveal a generic certificate or one issued to an unrelated entity, rather than “First Investment Bank AD.”
🛡️ How to Protect Yourself
Use the Token/App: Fibank’s official Token or the My Fibank Mobile App are much more secure than SMS-based authorization. Always prefer biometric (FaceID/Fingerprint) login through the official app.
Check the Language: Many phishing kits for Bulgaria contain subtle translation errors or use Russian/English characters where Bulgarian (Cyrillic) should be.
Bookmark the Login: Save the official https://fibank.bg as a bookmark and only use that link to access your finances.
Suspicious Sender: If you receive a banking alert from a standard mobile number (+359 8…) instead of the “Fibank” sender ID, delete it immediately.

TymeBank phishing page detected

TymeBank phishing campaigns target South African customers through SMS and email alerts claiming account suspension, directing victims to a fake portal designed to steal ID numbers, PINs, and real-time OTPs. These attacks exploit the bank’s digital-only model; users are urged to use the official applications and ignore suspicious links.

Target: Customers of TymeBank (South Africa)
Threat Level: High (Digital Banking Access & Identity Theft)
Phishing Method Description
This attack targets users of TymeBank, a leading digital-only bank in South Africa. Scammers exploit the bank’s paperless nature by sending SMS (Smishing) or emails claiming that the user’s “Smart ID” verification has failed or that their “Everyday Account” requires an urgent security update.
The fraudulent page is a sophisticated clone of the TymeBank web login. It is specifically designed to harvest:
South African ID Number
Mobile Phone Number (linked to the account)
Internet Banking Password / PIN
OTP (One-Time PIN): The fake site intercepts the SMS code in real-time to authorize fraudulent transfers or link a new device to the account.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is tymebank.co.za. Phishing sites often use variations like tymebank-login.com, secure-tyme.net, or free hosting URLs like tyme-portal.web.app.
Unexpected OTP Prompts: If the website asks for an OTP (One-Time PIN) immediately after you enter your password — without you performing a transaction — it is a sign that a hacker is trying to log in simultaneously.
Insecure Connection: While many phishing sites use HTTPS, always check if the certificate is actually issued to “Tyme Bank Limited.” If it’s a generic “Let’s Encrypt” certificate for a random domain, it’s a scam.
🛡️ How to Protect Yourself
Use the TymeBank App: Always perform banking through the official TymeBank App from the Google Play Store, Huawei AppGallery, or Apple App Store. The app uses secure device binding which is much harder to phish.
Never Share Your PIN: TymeBank will never ask for your secret PIN or OTP over the phone, via SMS, or through a link in an email.
The “Official Channel” Rule: If you receive a suspicious alert, log out and call the official TymeBank support line at 0860 TymeBank (896 3226) to verify the status of your account.
Public Kiosks: Be extra cautious if you recently used a TymeBank kiosk in a retail store (like Pick n Pay or Boxer). Scammers sometimes time their attacks to coincide with physical interactions.

Intesa bank phishing page detected

A phishing campaign targeting Intesa Sanpaolo users employs fraudulent pages mimicking the “MyKey” security system to steal user codes, PINs, and real-time OTPs. These phishing sites, often distributed via SMS or email, impersonate the bank to authorize fraudulent SEPA transfers.

Target: Customers of Intesa Sanpaolo (Italy)
Threat Level: Critical (Mobile Banking & O-Key Smart Theft)
Phishing Method Description
This attack targets users of the “MyKey” security system used by Intesa Sanpaolo. Scammers distribute fraudulent links via Smishing (SMS) or Phishing Emails, often using an alarming tone: “Your account has been restricted for security reasons” or “An unauthorized login was detected from a new device.”
The link leads to a high-fidelity clone of the Italian login portal. The phishing kit is specifically designed to harvest:
Codice Titolare (Owner Code)
PIN Code
Mobile Phone Number
O-Key Smart / SMS OTP: The fake page intercepts the security code in real-time, allowing the attacker to authorize a fraudulent transfer or change the associated phone number.
⚠️ Red Flags to Watch For
The Deceptive URL: The official domain is intesasanpaolo.com. Phishing sites often use lookalike addresses such as secure-intesasanpaolo.com, mykey-is.net, is-assistenza.online, or free subdomains like intesa-login.web.app.
Urgent Call-to-Action: Messages like “Action Required within 24 hours” or “Click here to avoid permanent block” are designed to bypass your critical thinking.
Direct Link to Login: Intesa Sanpaolo officially states they will never include a direct link to the login page in an SMS or email.
🛡️ How to Protect Yourself
Use the “O-Key Smart” App: Always authorize transactions and logins directly through the official Intesa Sanpaolo Mobile app. Never enter the generated codes on a website you reached via a link.
Type the Address: If you receive an alert, ignore the link. Manually type intesasanpaolo.com into your browser or use the official app to check your notifications.
Check the Language: While the phishing pages are often well-translated, look for subtle errors in the Italian text or fonts that look different from the official corporate style.
Reporting: You can report suspicious activity directly to the bank at [email protected] or call the official toll-free number 800.303.303 (from Italy).

Swiss Post fake page detected

A phishing scam targeting Swiss Post users involves fake messages claiming a “Delivery Exception” to harvest personal information and credit card data. These fraudulent sites often use lookalike domains like “suisse-post.net” and urge victims to pay a small “fee” via SMS links. Protecting oneself involves checking tracking numbers exclusively on the official post.ch website and utilizing the official “Post-App” to verify any package issues.

Target: Residents and Businesses in Switzerland
Threat Level: High (Credit Card Skimming & Identity Theft)
Phishing Method Description
This attack uses a “Package Delivery Failure” pretext. Victims receive an SMS (Smishing) or Email claiming that a package is held at a distribution center due to “missing information” or an “unpaid customs fee” (usually a small amount like 1.95 CHF).
The link leads to a pixel-perfect clone of the official Swiss Post (Post CH AG) tracking portal. The goal is to create a low-friction environment where the victim feels safe entering their financial data for a “minor” payment. The fake site harvests:
Full Name and Address
Mobile Phone Number
Credit/Debit Card Number
Expiration Date and CVV
SMS 3D-Secure Code (intercepted in real-time to authorize a much larger fraudulent transaction).
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is post.ch. Phishing sites use lookalikes like swiss-post-delivery.com, post-ch-tracking.net, shipping-verify.xyz, or free hosting services.
Payment for Redelivery: Swiss Post rarely asks for a small credit card payment via SMS to complete a delivery. If there is a fee, it is usually handled through your official “My Post” account or paid upon delivery.
Urgency & Threat: Messages like “Your package will be returned to the sender in 24 hours” are designed to make you act impulsively.
🛡️ How to Protect Yourself
Use the Official App: Track your parcels only through the official Post-App (available on App Store/Google Play). If there’s a real issue with a package, it will be visible there.
Check the Tracking Number: Copy the tracking number from the message and manually paste it into the official www.post.ch website. If the number is “not found,” the message is a scam.
Verify the Sender: Official Swiss Post SMS alerts usually don’t contain links to payment pages. If the link looks strange or the sender is a standard mobile number (often with a non-Swiss prefix), delete it.
Zero Trust for Small Fees: Never enter your card details to pay a “small fee” for a package you weren’t expecting to have customs issues with.

Bank of America phishing page revealed

A Bank of America phishing campaign employs a “System Maintenance” pretext to solicit user credentials and Social Security Numbers under the guise of security synchronization. The attack utilizes deceptive domains to mirror the official portal, aiming to capture sensitive information, including real-time, one-time passcodes (OTP).

Target: Bank of America Customers (USA)
Threat Level: Critical (Identity & Full Account Takeover)
Phishing Method Description
This sophisticated attack goes beyond simple password theft. Scammers use a Multi-Step Credential Harvesting technique. The victim is often directed to this page via a “security alert” email or SMS claiming that their online access is out of sync with new federal banking regulations.
The fake site mimics the official Bank of America secure login environment. Once the victim enters their initial credentials, the phishing kit triggers a second page designed to harvest highly sensitive personal data used for identity recovery:
Online ID & Passcode
Security Challenge Questions & Answers (Mother’s maiden name, first pet, etc.)
Social Security Number (SSN)
Email Account Access (to intercept 2FA codes in real-time)
⚠️ Red Flags to Watch For
The URL Mask: While the page looks perfect, the address bar will show a domain like bofa-verification-portal.com, bankofamerica-support.net, or a compromised third-party site. The official domain is strictly bankofamerica.com.
Excessive Information Requests: A legitimate bank login will rarely ask for your full Social Security Number and answers to all your security questions in a single session unless you are manually resetting your password.
Broken “Security” Links: On these fake pages, links like “Privacy,” “Security,” or “Locations” are usually inactive or redirect back to the same phishing form.
🛡️ How to Protect Yourself
Never Share Security Answers: Treat your security question answers like passwords. Never enter them on a site you reached via a link.
Use the Mobile App: Bank of America’s official app uses device-level security. If there is a real “synchronization” issue, the app will notify you through a secure in-app message.
Enable Advanced 2FA: Switch from SMS-based codes to an authenticator app or a hardware security key if your bank supports it.
Direct Access: If you receive a suspicious alert, close your browser, open a new tab, and manually type bankofamerica.com to log in safely.

Deutsche Bank phishing page detected

A phishing campaign targeting German Deutsche Bank customers uses a fake “PhotoTAN” activation page to steal login credentials and obtain approval for fraudulent transactions [1]. The attack, often delivered via phishing emails or SMS, directs users to a high-fidelity clone of the bank’s portal, requesting branch codes, account numbers, PINs, and QR code scans.

Target: Customers of Deutsche Bank (Germany)
Threat Level: Critical (Transaction Authorization Theft)
Phishing Method Description
This attack uses a highly sophisticated Security Process Impersonation. Scammers send out Phishing Emails or SMS (Smishing) claiming that the user’s PhotoTAN app needs to be reactivated, synchronized, or updated due to a new security regulation (e.g., “PSD2 compliance”).
The link leads to a perfect replica of the Deutsche Bank “Meine Bank” login portal. The phishing kit is designed to harvest:
Branch Code (Filiale) and Account Number (Konto)
Sub-account Number (Unterkonto)
Online Banking PIN
PhotoTAN Activation Graphics: The fake site often displays a QR code and asks the victim to scan it with their official app. In reality, the victim is scanning a code that authorizes the attacker’s device or a fraudulent transaction.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is deutsche-bank.de. Phishing sites use lookalikes like meine-deutsche-bank.online, db-phototan-aktivierung.com, or sicherheit-db.net.
Requests to Scan QR Codes: Deutsche Bank will never ask you to scan a PhotoTAN QR code to “log in” or “update your profile” on a page you reached via a link. QR codes are strictly for authorizing specific actions you initiated yourself.
Language Nuances: Look for subtle errors in German grammar or the use of generic greetings instead of your specific name.
🛡️ How to Protect Yourself
Manual Entry Only: Always access your banking by typing www.deutsche-bank.de directly into your browser. Never follow links from emails or SMS.
PhotoTAN Security: Treat every PhotoTAN scan as a real money transfer. Before scanning, always check your app’s screen to see exactly what you are authorizing. If it says “Activation” or shows an unfamiliar transaction amount, cancel immediately.
Hardware Token Option: For maximum security, consider using a physical PhotoTAN reader instead of a smartphone app.
Report Suspicious Content: Forward any suspicious emails to [email protected] to help the bank’s security team take down the fraudulent sites.

La Banque Postale phishing page revealed

A sophisticated phishing campaign targeting La Banque Postale customers in France uses a fake “Certicode Plus” security update to bypass two-factor authentication. Scammers use smishing and phishing to steal credentials and register their own devices, granting full access to victims’ accounts.

Target: Customers of La Banque Postale (France)
Threat Level: Critical (Mobile Authentication & Funds Theft)
Phishing Method Description
In this attack, scammers use a Security Compliance pretext. Victims receive a Phishing Email or SMS (Smishing) stating that their “Certicode Plus” service (the bank’s strong authentication system) is expiring or needs to be re-activated to comply with European banking regulations.
The link leads to a pixel-perfect replica of the La Banque Postale login portal. The phishing kit is specifically designed to harvest:
Identifiant ID (10-digit customer ID)
Personal Password (entered via a fake numeric keypad to mimic the real site)
Mobile Phone Number
Certicode Plus Activation Codes: The fake site attempts to intercept the activation or validation codes in real-time, allowing the attacker to link their device to the victim’s bank account.
⚠️ Red Flags to Watch For
The Deceptive URL: The official domain is labanquepostale.fr. Phishing sites often use lookalike addresses such as connexion-labanquepostale.com, certicode-plus-activation.net, lbp-securite.online, or free subdomains like la-banque-postale.web.app.
The Numeric Keypad: While the fake site mimics the official virtual keypad, pay attention to the speed and responsiveness. If the layout of the numbers changes or looks “blurry,” it may be a captured image used for phishing.
Urgent Warnings: Messages like “Your access will be suspended in 48 hours” are classic social engineering tactics to induce panic.
🛡️ How to Protect Yourself
Never Click Login Links: La Banque Postale explicitly states they will never send an email or SMS containing a link to the login page. Always type the address manually or use the official “La Banque Postale” mobile app.
App Notifications Only: Manage your Certicode Plus settings only within the official app. If you receive a request to “validate” something you didn’t initiate, ignore it and check your app directly.
Verify the Sender: Official banking SMS in France usually come from short-codes (e.g., 38004). If the message comes from a standard mobile number (+33 6… or +33 7…), it is 100% a scam.
Reporting: You can report La Banque Postale phishing by forwarding suspicious emails to [email protected] or SMS to the number 33700.

Bank of America fake verification page detected

A Bank of America phishing campaign utilizes a multi-stage “identity verification” process to harvest full user credentials, including Social Security numbers, card details, and email passwords. Scammers use high-pressure SMS and emails directing users to fake sites designed to steal full identities rather than just login credentials.

Target: Bank of America Customers (USA)
Threat Level: Critical (Full Identity & Financial Takeover)
Phishing Method Description
This attack utilizes a “Social Engineering” pretext, where the victim is told their account access has been limited due to a “missing regulatory update” or “unusual activity.” Unlike simple login phishers, this kit leads the user through a series of official-looking screens to build trust.
The malicious site is a high-fidelity clone of the Bank of America portal, specifically designed to harvest:
Online ID & Passcode
Social Security Number (SSN) (Full or last 4 digits)
Date of Birth
Credit/Debit Card Details (Number, CVV, and Expiration Date)
ATM PIN: The ultimate red flag, as banks never ask for your physical ATM PIN on a website.
⚠️ Red Flags to Watch For
The URL Mask: The official domain is strictly bankofamerica.com. Phishing sites often use deceptive addresses like bofa-update-center.net, bankofamerica-support.org, or compromised third-party domains ending in .xyz or .info.
Requesting the ATM PIN: This is a definitive sign of fraud. A legitimate bank website will never ask you to type your 4-digit ATM PIN into a web form for “verification.”
Inconsistent Branding: Look for small details—if the logo is slightly blurry, the fonts look “off,” or the footer links (Privacy, Security) don’t work, it’s a fake.
🛡️ How to Protect Yourself
Ignore SMS/Email Links: Bank of America will never send you a link directly to a sensitive verification page. Always go to the official site by typing the address manually.
The PIN Rule: Your ATM PIN is for ATMs and point-of-sale terminals only. Never enter it on any website, regardless of how official it looks.
Use the Mobile App: If there is a real issue with your account, a notification will appear inside the secure Bank of America Mobile Banking app.
Immediate Action: If you have already entered your information on such a page, call the official Bank of America fraud department immediately at 1.877.388.5030 to freeze your accounts.

United Overseas Bank Limited (UOB) phishing page revealed

A high-fidelity phishing campaign targeting United Overseas Bank (UOB) users in Southeast Asia utilizes fraudulent SMS and email links to harvest login credentials and SMS OTPs through cloned websites. These sites, often using lookalike domains like “uob-security-update.com,” aim to steal credentials and authorize fraudulent transactions by mimicking the UOB TMRW app or web portal. The scam uses urgency, claiming “digital token synchronization” or account suspension, and is aimed at stealing funds from personal internet banking accounts. Users are advised never to click links in SMS messages that claim to come from UOB, as the bank does not send links by SMS, and to use only the official TMRW app to verify alerts.

Target: Customers of United Overseas Bank (UOB) in Singapore and Southeast Asia
Threat Level: Critical (UOB TMRW App & Transaction Authorization Theft)
Phishing Method Description
This attack targets users of the UOB Personal Internet Banking and UOB TMRW mobile app. Scammers distribute fraudulent links via Smishing (SMS) or Phishing Emails, often claiming that the user’s “UOB Mighty/TMRW Digital Token” has expired or that an “unauthorized device” is attempting to access their account.
The link leads to a high-fidelity clone of the UOB “Login” portal. The phishing kit is specifically designed to harvest:
Username / NRIC / Passport Number
SecurePIN / Password
Mobile Phone Number
One-Time Password (OTP): The fake page intercepts the SMS OTP in real-time, allowing the attacker to link their device to the victim’s account as the primary Digital Token.
⚠️ Red Flags to Watch For
Lookalike URL: The official domain is uob.com.sg. Phishing sites often use deceptive addresses like uob-online-security.com, secure-uob.net, uob-verification.online, or free subdomains on firebaseapp.com.
Direct Link in SMS: UOB has officially stated they will never include clickable links in SMS messages sent to customers. Any SMS containing a link to a login page is 100% a scam.
Grammatical Errors: Often, the fake pages or the initial messages contain subtle English grammar mistakes or use “Dear Customer” instead of your specific name.
🛡️ How to Protect Yourself
Use the UOB TMRW App: Always perform banking and authorize transactions directly through the official UOB TMRW app. Never enter codes or credentials on a website you reached via a link.
The “No Link” Policy: If you receive an SMS alert, ignore the link. Manually type uob.com.sg into your browser or open the official app to check for any notifications.
Verify the Sender: Official banking SMS in Singapore usually come from a registered “UOB” sender ID. If the message comes from a standard mobile number or an unknown ID, it is fraudulent.
Reporting: You can report suspicious UOB phishing by calling the official 24-hour fraud hotline at 1800 222 2121 (Singapore) or forwarding emails to [email protected].

💡 Expert Security Tip:
This case clearly demonstrates how fraudsters attempt to hijack your Digital Token. Remember, your Digital Token acts as your personal digital signature for authorizing high-value transactions. Never attempt to activate, synchronize, or share your token through a link received via SMS or email. Legitimate banks will only manage token security within their official mobile app or through their verified website that you have accessed manually.

HSBC bank phishing page detected

A phishing campaign targeting HSBC Bank customers uses a fake “Secure Key” synchronization alert to steal login credentials and real-time, six-digit security codes. This sophisticated attack mimics official security procedures to bypass multi-factor authentication, directing victims to fraudulent, lookalike domains.

Target: HSBC Bank Customers (Global / UK / Hong Kong)
Threat Level: Critical (Physical & Digital Secure Key Hijacking)
Phishing Method Description
This attack targets the core security feature of HSBC banking: the Digital Secure Key (app-based) or the physical Secure Key (hardware token). Scammers distribute high-pressure alerts via SMS or Email claiming a “New Payee has been added” or “Your Secure Key requires a mandatory update to avoid account suspension.”
The link leads to a sophisticated Brand Impersonation portal. The phishing kit is designed to harvest:
Username / IB User ID
Memorable Answer (Secret questions)
Secure Key Codes: The fake site prompts the victim to generate a code on their physical device or app and enter it. This code is used by the attacker in real-time to authorize a large fraudulent transfer.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is hsbc.com (or local variants like hsbc.co.uk). Phishing sites use addresses like hsbc-online-security.net, secure-login-hsbc.com, or hsbc-verification.org.
Real-Time Interception: If the website asks for a Secure Key code immediately after you enter your username, it is a sign that a hacker is attempting a concurrent login on the official site.
Generic Links: HSBC has a strict policy against sending direct links to login pages in security alert emails or SMS.
🛡️ How to Protect Yourself
Trust the Physical Device: If you use a physical Secure Key, remember that it is designed to authorize specific actions. Never enter a code from your device onto a website unless you are 100% sure you are on the official HSBC site you accessed manually.
App Notifications: Use the HSBC UK Mobile Banking (or local) app. Authentic security alerts will appear as secure messages within the app.
The “Payee” Trick: If you get an alert about a “New Payee” you didn’t add, do not click the link to “cancel” it. Log in via the official app to verify your recent activity.
Reporting: You can report HSBC phishing by forwarding suspicious emails to [email protected] or suspicious SMS to the short code 7726.


💡 Expert Security Tip:
This attack is designed to bypass Multi-Factor Authentication (MFA) by tricking you into providing a “one-time” code. Your HSBC Secure Key is your final line of defense; never use it to “verify” your identity on a page reached through a link. Treat any request for a security code as a request for your money.
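
The "official domain versus lookalike" red flag that every alert above repeats can be checked mechanically, for instance in a mail or SMS gateway filter. The following Python is an added example, not part of the original alerts: the official domains and lookalike hosts are the ones quoted on this page, while the keyword lists, function names and sample paths are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# brand: (official domains as stated in the alerts, impersonation keywords).
# The keyword lists are assumptions for this example, built from the brand
# and product names the alerts mention.
BRANDS = {
    "Fibank": (["fibank.bg"], ["fibank", "pib"]),
    "TymeBank": (["tymebank.co.za"], ["tymebank", "tyme"]),
    "Intesa Sanpaolo": (["intesasanpaolo.com"], ["intesasanpaolo", "intesa", "mykey"]),
    "Swiss Post": (["post.ch"], ["post"]),
    "Bank of America": (["bankofamerica.com"], ["bankofamerica", "bofa"]),
    "Deutsche Bank": (["deutsche-bank.de"], ["deutschebank", "phototan", "db"]),
    "La Banque Postale": (["labanquepostale.fr"], ["labanquepostale", "lbp", "certicode"]),
    "UOB": (["uob.com.sg"], ["uob"]),
    "HSBC": (["hsbc.com", "hsbc.co.uk"], ["hsbc"]),
}
# Free-hosting suffixes named in the alerts.
FREE_HOSTING = ("github.io", "web.app", "firebaseapp.com")


def host_of(url):
    """Lower-cased hostname of a URL or of a bare host string."""
    if "://" not in url:
        url = "//" + url  # makes urlsplit parse a bare host as the netloc
    return (urlsplit(url).hostname or "").rstrip(".")


def under(host, domain):
    """True if host is the domain itself or a subdomain of it.

    Matching on a label boundary matters: a plain endswith("post.ch")
    would also accept the unrelated host "notpost.ch".
    """
    return host == domain or host.endswith("." + domain)


def free_hosted(host):
    return any(under(host, suffix) for suffix in FREE_HOSTING)


def classify(url):
    """Return (verdict, brand); verdict is official, lookalike or unlisted."""
    host = host_of(url)
    for brand, (domains, _) in BRANDS.items():
        if any(under(host, d) for d in domains):
            return ("official", brand)
    labels = set(re.split(r"[-.]", host))  # "pib-login.net" -> pib, login, net
    squashed = re.sub(r"[-.]", "", host)   # "la-banque-postale.web.app" -> one word
    for brand, (_, keywords) in BRANDS.items():
        for kw in keywords:
            # Short keywords must be a whole label part; long ones may be embedded.
            if kw in labels or (len(kw) >= 6 and kw in squashed):
                return ("lookalike", brand)
    # No brand keyword in the host: the heuristic is silent, but the host is
    # still off the allow-list, which is the only check that proves "official".
    return ("unlisted", None)


# Constructed sample: hosts are the ones quoted in the alerts, paths are invented.
SAMPLE_LINKS = [
    "https://my.fibank.bg/", "http://fibank-bg.online/login",
    "https://my-fibank.github.io/", "https://www.post.ch/",
    "https://swiss-post-delivery.com/pay", "https://shipping-verify.xyz/t",
    "https://is-assistenza.online/", "https://secure-login-hsbc.com/",
]


def triage(links):
    """Classify each link and mark lookalikes that sit on free hosting."""
    rows = []
    for link in links:
        verdict, brand = classify(link)
        if verdict == "lookalike" and free_hosted(host_of(link)):
            verdict = "lookalike (free hosting)"
        rows.append((host_of(link), verdict, brand))
    return rows


if __name__ == "__main__":
    for host, verdict, brand in triage(SAMPLE_LINKS):
        print(f"{host:30} {verdict:26} {brand or '-'}")
```

Two of the hosts quoted in the alerts (shipping-verify.xyz and is-assistenza.online) carry no brand keyword and come back as "unlisted", which shows why the allow-list match, not keyword spotting, has to be the deciding check.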