LEAD Bank phishing page detected

A phishing campaign targeting Lead Bank business customers uses fraudulent “unauthorized login” alerts to drive victims to a spoofed portal designed to steal credentials, personal information, and 2FA codes. The attack creates a sense of urgency to trick users into entering sensitive data on a site with a misleading domain. To protect against this threat, users should only navigate to the official Lead Bank site via secure, known channels and never enter MFA codes on suspicious sites.

Target: Business Clients and Fintech Partners of Lead Bank (USA)
Threat Level: High (Corporate & Business Email Compromise)
Phishing Method Description
This attack targets corporate users of Lead Bank, a Kansas City-based institution known for its focus on business banking and financial technology. Scammers use a Clean Page Design strategy, creating a minimalist and professional-looking imitation of the bank’s corporate login portal.
Victims are typically reached via Spear Phishing (targeted emails) or LinkedIn messages claiming that a “Corporate Account Statement” is ready or that a “Secure Message” is waiting to be read.
The malicious page is specifically designed to harvest:
Corporate Email / Username
Business Banking Passwords
MFA / 2FA Tokens (Multi-Factor Authentication)
⚠️ Red Flags to Watch For
Subtle URL Alterations: The official domain is lead.bank. Phishing sites often use common extensions like leadbank-login.com, leadbank.net, or secure-leadbank.org.
Generic Salutations: Official business banks usually address clients by their full name or company name. Phishing emails often use “Dear Client” or “Valued Business Partner.”
Inconsistent Branding: Look closely at the logo and fonts. Scammers often use low-resolution images or slightly different font weights that deviate from Lead Bank’s official corporate identity.
🛡️ How to Protect Yourself
Verify the Domain Extension: Remember that Lead Bank uses the unique .bank top-level domain. This extension is restricted only to verified financial institutions. If the site ends in .com, .net, or anything else, it is a fraud.
Use Hardware Keys: For business banking, hardware security keys (like YubiKey) are much safer than SMS-based codes, as they cannot be easily phished by fake websites.
The “Slow Down” Rule: Corporate phishing often relies on a “Friday afternoon” rush. Always double-check the sender’s email address and the website URL before entering corporate credentials.
IT Reporting: If you encounter a suspicious Lead Bank login page, immediately report it to your company’s IT security department to prevent a broader Business Email Compromise (BEC) attack.

Banque Nationale phishing page detected

A phishing campaign targeting National Bank of Canada (Banque Nationale) clients uses fake “Interac e-Transfer” notifications to steal login credentials, security questions, and OTPs. The fraudulent pages, often mimicking the official BNC portal, are designed to capture data from users in Canada and Quebec. To protect against this threat, users are advised to enable Interac Autodeposit and verify the URL for signs of a scam.

Target: Customers of National Bank of Canada (Banque Nationale du Canada)
Threat Level: Critical (Banking Access & Funds Theft)
Phishing Method Description
This attack leverages the popularity of Interac e-Transfer in Canada. Scammers send a text message (SMS) or email stating that a “Refund,” “Government Rebate,” or “Payment” is waiting to be deposited.
The link leads to a sophisticated Brand Impersonation page that mimics the National Bank’s “Telnat” or “EasyPay” login interface. The fake site is designed to capture:
Access ID / Username
Password / Secret Question Answers
Direct Deposit Information
Card Number and Expiration Date
⚠️ Red Flags to Watch For
Lookalike URL: The official domain is nbc.ca (or bnc.ca). Phishing sites use deceptive addresses like nbc-verification-login.com, nbc-interac.online, or client-bnc.net.
Unexpected Money: Be suspicious of any notification for an e-transfer you weren’t expecting. If you didn’t sell anything or aren’t expecting a specific rebate, it’s likely a scam.
The “Deposit” Trap: Real Interac e-Transfers allow you to choose your bank from a list. Phishing pages often take you directly to a pre-selected fake login page for one specific bank.
🛡️ How to Protect Yourself
Set Up Autodeposit: This is the best defense. If you have Interac Autodeposit enabled, any legitimate transfer will go straight into your account without you needing to click any links or answer security questions.
The SMS Sender Check: Official alerts from National Bank usually come from short codes, not standard 10-digit mobile numbers. If the sender looks like a personal cell phone, delete the message.
Access via Official App: If you receive a notification, don’t click the link. Open your official National Bank (BNC) mobile app directly to check for any pending transfers or messages.
Report Phishing: You can forward suspicious SMS messages to the short code 7726 (SPAM) to help carriers block the sender.

Fake DitchIt card verification page detected

The fake DitchIt card verification scam is a high-level phishing threat targeting users on classified marketplaces, utilizing fake, secure-looking checkout pages to steal full credit card details and cardholder information. This fraud technique often involves directing users off-platform, requesting balance verification, and harvesting data to drain user accounts.

Target: Users of DitchIt (Marketplace & Resale App)
Threat Level: High (Credit Card Skimming)
Phishing Method Description
This attack uses a “Payment Verification” pretext. Scammers often contact sellers on the DitchIt app, pretending to be interested buyers. They claim they have already paid for the item and send a link to “verify your card” or “receive your funds.”
The link leads to a professional-looking clone of a DitchIt-branded page. Instead of a login, the page features a Card Data Entry Form designed to harvest:
Full Name
Credit/Debit Card Number
Expiration Date
CVV Code (Security code on the back)
Account Balance (Scammers ask for this to know how much they can steal immediately).
⚠️ Red Flags to Watch For
Third-Party Links: DitchIt processes payments within the app. If a “buyer” sends you an external link to ditchit-payout.com or verification-ditchit.net, it is 100% a scam.
The “Balance” Request: Legitimate payment processors never ask you to type in your current card balance to receive money. This is a common tactic in Eastern European and North American marketplace scams.
Urgent Tone: The page often says, “You must verify your card within 10 minutes to receive the payment,” forcing the victim to act without thinking.
🛡️ How to Protect Yourself
Stay In-App: Never leave the official DitchIt application to complete a transaction or “verify” your identity. All legitimate prompts will happen inside the app’s secure environment.
The “Receiving Money” Logic: To receive money, you usually only need to provide an email (for Interac) or a bank account number. You never need to provide your CVV or your card’s expiration date to get paid.
Check the URL: DitchIt’s official domain is ditchit.ca. Any other variation, especially those ending in .xyz, .top, or .info, should be closed immediately.
Zero Trust for SMS/Chat Links: If someone you don’t know sends you a link via the in-app chat or SMS claiming to be “Support,” treat it as a threat.

Bank of America fake page detected

A sophisticated Bank of America phishing campaign is active, using fake “account lock” alerts to steal online credentials, Social Security numbers, and OTP codes. The attack utilizes pixel-perfect clones of the Bank of America portal, often combined with telephone spoofing, to harvest full financial access. Users should avoid clicking links in alerts and instead navigate directly to bankofamerica.com to verify account status.

Target: Customers of Bank of America (USA)
Threat Level: Critical (Full Account & Identity Takeover)
Phishing Method Description
In this attack, scammers use Advanced Credential Harvesting. The victim typically receives an urgent SMS or email stating that their account has been “locked due to suspicious activity.”
The link leads to a pixel-perfect clone of the Bank of America Online Banking login page. This multi-step phishing kit is designed to steal:
Online ID and Passcode
Social Security Number (SSN) (last 4 digits or full)
Email Address and Email Password (Claiming it’s for “identity verification”)
One-Time Passwords (OTP) intercepted in real-time.
⚠️ Red Flags to Watch For
The Lookalike URL: The official domain is bankofamerica.com. Phishing sites often use deceptive addresses like bofa-online-security.com, bankofamerica-verification.net, or short links like bit.ly or t.co in the initial message.
Requesting Email Credentials: A legitimate bank will never ask for the password to your personal email account (Gmail, Yahoo, Outlook) to “verify” your identity.
Sensitive Personal Info: While banks may ask for a part of your SSN on their official site, a sudden request for your full SSN and card PIN on a page you reached via a link is a major red flag.
🛡️ How to Protect Yourself
Use the Mobile App: Always use the official Bank of America Mobile Banking app for any alerts. If there is a real issue, you will see a notification inside the secure app environment.
“Sign-In ID” Check: Bank of America uses a “SiteKey” or persistent recognition features. If the login page looks “generic” and doesn’t recognize your browser/device as it usually does, close it immediately.
Protect Your Email: Enable Two-Factor Authentication (2FA) on your email account. Even if scammers steal your bank password, they won’t be able to access your email to reset it if your email is properly secured.
Reporting: You can report Bank of America phishing directly by forwarding suspicious emails to [email protected].

Fibank (Bulgaria) phishing page detected

A phishing campaign targeting First Investment Bank (Fibank) in Bulgaria uses a fake “digital certificate update” to steal user credentials and one-time passwords (OTP). Scammers employ a “security scare” tactic, directing victims to a lookalike login portal that harvests login IDs, passwords, and OTPs for real-time account takeover.

Target: Customers of First Investment Bank (Fibank / ПИБ) in Bulgaria
Threat Level: High (Online Banking & SMS OTP Theft)
Phishing Method Description
This attack targets users of the “My Fibank” online portal. Scammers distribute links via Phishing Emails or SMS (Smishing) that look like official bank alerts. Common pretexts include “Security Update Required,” “Mandatory Account Synchronization,” or “Your Digital Certificate is Expiring.”
The fraudulent page is a pixel-perfect copy of the Bulgarian/English login interface. It is designed to capture:
Customer ID / Username (Потребителско име)
Login Password (Парола)
Mobile Phone Number
One-Time Password (OTP): The fake site often asks for the SMS code in real-time, allowing hackers to authorize a fraudulent transaction immediately.
⚠️ Red Flags to Watch For
The URL Discrepancy: The official domain is my.fibank.bg. Phishing sites often use deceptive addresses like fibank-bg.online, pib-login.net, or free hosting subdomains like my-fibank.github.io.
Requests for SMS Codes during Login: While some banks use SMS for login, be extremely wary if the site asks for multiple codes or a “Confirmation Code” just to view your balance.
SSL Certificate Check: Even if the site has a “lock” icon (HTTPS), clicking on it will often reveal a generic certificate or one issued to an unrelated entity, rather than “First Investment Bank AD.”
🛡️ How to Protect Yourself
Use the Token/App: Fibank’s official Token or the My Fibank Mobile App are much more secure than SMS-based authorization. Always prefer biometric (FaceID/Fingerprint) login through the official app.
Check the Language: Many phishing kits for Bulgaria contain subtle translation errors or use Russian/English characters where Bulgarian (Cyrillic) should be.
Bookmark the Login: Save the official https://fibank.bg as a bookmark and only use that link to access your finances.
Suspicious Sender: If you receive a banking alert from a standard mobile number (+359 8…) instead of the “Fibank” sender ID, delete it immediately.

TymeBank phishing page detected

TymeBank phishing campaigns target South African customers through SMS and email alerts claiming account suspension, directing victims to a fake portal designed to steal ID numbers, PINs, and real-time OTPs. These attacks exploit the bank’s digital-only model, urging users to use official applications and ignore suspicious links.

Target: Customers of TymeBank (South Africa)
Threat Level: High (Digital Banking Access & Identity Theft)
Phishing Method Description
This attack targets users of TymeBank, a leading digital-only bank in South Africa. Scammers exploit the bank’s paperless nature by sending SMS (Smishing) or emails claiming that the user’s “Smart ID” verification has failed or that their “Everyday Account” requires an urgent security update.
The fraudulent page is a sophisticated clone of the TymeBank web login. It is specifically designed to harvest:
South African ID Number
Mobile Phone Number (linked to the account)
Internet Banking Password / PIN
OTP (One-Time PIN): The fake site intercepts the SMS code in real-time to authorize fraudulent transfers or link a new device to the account.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is tymebank.co.za. Phishing sites often use variations like tymebank-login.com, secure-tyme.net, or free hosting URLs like tyme-portal.web.app.
Unexpected OTP Prompts: If the website asks for an OTP (One-Time PIN) immediately after you enter your password — without you performing a transaction — it is a sign that a hacker is trying to log in simultaneously.
Insecure Connection: While many phishing sites use HTTPS, always check if the certificate is actually issued to “Tyme Bank Limited.” If it’s a generic “Let’s Encrypt” certificate for a random domain, it’s a scam.
🛡️ How to Protect Yourself
Use the TymeBank App: Always perform banking through the official TymeBank App from the Google Play Store, Huawei AppGallery, or Apple App Store. The app uses secure device binding which is much harder to phish.
Never Share Your PIN: TymeBank will never ask for your secret PIN or OTP over the phone, via SMS, or through a link in an email.
The “Official Channel” Rule: If you receive a suspicious alert, log out and call the official TymeBank support line at 0860 TymeBank (896 3226) to verify the status of your account.
Public Kiosks: Be extra cautious if you recently used a TymeBank kiosk in a retail store (like Pick n Pay or Boxer). Scammers sometimes time their attacks to coincide with physical interactions.

Intesa bank phishing page detected

A phishing campaign targeting Intesa Sanpaolo users employs fraudulent pages mimicking the “MyKey” security system to steal user codes, PINs, and real-time OTPs. These phishing sites, often distributed via SMS or email, impersonate the bank to authorize fraudulent SEPA transfers.

Target: Customers of Intesa Sanpaolo (Italy)
Threat Level: Critical (Mobile Banking & O-Key Smart Theft)
Phishing Method Description
This attack targets users of the “MyKey” security system used by Intesa Sanpaolo. Scammers distribute fraudulent links via Smishing (SMS) or Phishing Emails, often using an alarming tone: “Your account has been restricted for security reasons” or “An unauthorized login was detected from a new device.”
The link leads to a high-fidelity clone of the Italian login portal. The phishing kit is specifically designed to harvest:
Codice Titolare (Owner Code)
PIN Code
Mobile Phone Number
O-Key Smart / SMS OTP: The fake page intercepts the security code in real-time, allowing the attacker to authorize a fraudulent transfer or change the associated phone number.
⚠️ Red Flags to Watch For
The Deceptive URL: The official domain is intesasanpaolo.com. Phishing sites often use lookalike addresses such as secure-intesasanpaolo.com, mykey-is.net, is-assistenza.online, or free subdomains like intesa-login.web.app.
Urgent Call-to-Action: Messages like “Action Required within 24 hours” or “Click here to avoid permanent block” are designed to bypass your critical thinking.
Direct Link to Login: Intesa Sanpaolo officially states they will never include a direct link to the login page in an SMS or email.
🛡️ How to Protect Yourself
Use the “O-Key Smart” App: Always authorize transactions and logins directly through the official Intesa Sanpaolo Mobile app. Never enter the generated codes on a website you reached via a link.
Type the Address: If you receive an alert, ignore the link. Manually type intesasanpaolo.com into your browser or use the official app to check your notifications.
Check the Language: While the phishing pages are often well-translated, look for subtle errors in the Italian text or fonts that look different from the official corporate style.
Reporting: You can report suspicious activity directly to the bank at [email protected] or call the official toll-free number 800.303.303 (from Italy).

Swiss Post fake page detected

A phishing scam targeting Swiss Post users involves fake messages claiming a “Delivery Exception” to harvest personal information and credit card data. These fraudulent sites often use lookalike domains like “suisse-post.net” and urge victims to pay a small “fee” via SMS links. Protecting oneself involves checking tracking numbers exclusively on the official post.ch website and utilizing the official “Post-App” to verify any package issues.

Target: Residents and Businesses in Switzerland
Threat Level: High (Credit Card Skimming & Identity Theft)
Phishing Method Description
This attack uses a “Package Delivery Failure” pretext. Victims receive an SMS (Smishing) or Email claiming that a package is held at a distribution center due to “missing information” or an “unpaid customs fee” (usually a small amount like 1.95 CHF).
The link leads to a pixel-perfect clone of the official Swiss Post (Post CH AG) tracking portal. The goal is to create a low-friction environment where the victim feels safe entering their financial data for a “minor” payment. The fake site harvests:
Full Name and Address
Mobile Phone Number
Credit/Debit Card Number
Expiration Date and CVV
SMS 3D-Secure Code (intercepted in real-time to authorize a much larger fraudulent transaction).
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is post.ch. Phishing sites use lookalikes like swiss-post-delivery.com, post-ch-tracking.net, shipping-verify.xyz, or free hosting services.
Payment for Redelivery: Swiss Post rarely asks for a small credit card payment via SMS to complete a delivery. If there is a fee, it is usually handled through your official “My Post” account or paid upon delivery.
Urgency & Threat: Messages like “Your package will be returned to the sender in 24 hours” are designed to make you act impulsively.
🛡️ How to Protect Yourself
Use the Official App: Track your parcels only through the official Post-App (available on App Store/Google Play). If there’s a real issue with a package, it will be visible there.
Check the Tracking Number: Copy the tracking number from the message and manually paste it into the official www.post.ch website. If the number is “not found,” the message is a scam.
Verify the Sender: Official Swiss Post SMS alerts usually don’t contain links to payment pages. If the link looks strange or the sender is a standard mobile number (often with a non-Swiss prefix), delete it.
Zero Trust for Small Fees: Never enter your card details to pay a “small fee” for a package you weren’t expecting to have customs issues with.

Bank of America phishing page revealed

A Bank of America phishing campaign employs a “System Maintenance” pretext to solicit user credentials and Social Security Numbers under the guise of security synchronization. The attack utilizes deceptive domains to mirror the official portal, aiming to capture sensitive information, including real-time, one-time passcodes (OTP).

Target: Bank of America Customers (USA)
Threat Level: Critical (Identity & Full Account Takeover)
Phishing Method Description
This sophisticated attack goes beyond simple password theft. Scammers use a Multi-Step Credential Harvesting technique. The victim is often directed to this page via a “security alert” email or SMS claiming that their online access is out of sync with new federal banking regulations.
The fake site mimics the official Bank of America secure login environment. Once the victim enters their initial credentials, the phishing kit triggers a second page designed to harvest highly sensitive personal data used for identity recovery:
Online ID & Passcode
Security Challenge Questions & Answers (Mother’s maiden name, first pet, etc.)
Social Security Number (SSN)
Email Account Access (to intercept 2FA codes in real-time)
⚠️ Red Flags to Watch For
The URL Mask: While the page looks perfect, the address bar will show a domain like bofa-verification-portal.com, bankofamerica-support.net, or a compromised third-party site. The official domain is strictly bankofamerica.com.
Excessive Information Requests: A legitimate bank login will rarely ask for your full Social Security Number and answers to all your security questions in a single session unless you are manually resetting your password.
Broken “Security” Links: On these fake pages, links like “Privacy,” “Security,” or “Locations” are usually inactive or redirect back to the same phishing form.
🛡️ How to Protect Yourself
Never Share Security Answers: Treat your security question answers like passwords. Never enter them on a site you reached via a link.
Use the Mobile App: Bank of America’s official app uses device-level security. If there is a real “synchronization” issue, the app will notify you through a secure in-app message.
Enable Advanced 2FA: Switch from SMS-based codes to an authenticator app or a hardware security key if your bank supports it.
Direct Access: If you receive a suspicious alert, close your browser, open a new tab, and manually type bankofamerica.com to log in safely.
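Why a hardware key resists the fake pages described here ("Use Hardware Keys" in the Lead Bank advisory, "Enable Advanced 2FA" above): the browser, not the page, writes the site's origin into the WebAuthn response, and the authenticator data begins with a hash of the relying-party ID. The sketch below is an added example, not code from any bank; the RP ID and expected origin are assumptions, the sample responses are constructed, and only the origin-binding checks are shown (signature verification is out of scope).

```python
import base64
import hashlib
import json

# Assumed relying-party settings for this example (not taken from the bank).
RP_ID = "bankofamerica.com"
EXPECTED_ORIGIN = "https://www.bankofamerica.com"


def b64url(data):
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample(origin, rp_id, challenge):
    """Construct the two response fields a browser and key would return."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData layout: SHA-256(rpId) || flags (UP|UV = 0x05) || signCount
    auth_data = (
        hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    )
    return client_data, auth_data


def origin_binding_failures(client_data_json, auth_data, issued_challenge):
    """Return the names of failed checks; an empty list means all passed."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(issued_challenge):
        failures.append("challenge")
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if len(auth_data) < 37 or auth_data[:32] != expected_hash:
        failures.append("rpIdHash")
    return failures


if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a real server uses random bytes
    genuine = build_sample(EXPECTED_ORIGIN, RP_ID, challenge)
    # Response produced while the victim's browser is on a lookalike domain
    # of the kind named in the advisory above.
    lookalike = build_sample(
        "https://bofa-verification-portal.com",
        "bofa-verification-portal.com",
        challenge,
    )
    print("genuine  :", origin_binding_failures(*genuine, challenge))
    print("lookalike:", origin_binding_failures(*lookalike, challenge))
```

An SMS or app-generated code carries no such binding, which is why the same fake page can relay it to the real site.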

Deutsche Bank phishing page detected

A phishing campaign targeting German Deutsche Bank customers uses a fake “PhotoTAN” activation page to steal login credentials and authorize unauthorized transactions [1]. The attack, often delivered via phishing emails or SMS, directs users to a high-fidelity clone of the bank’s portal, requesting branch codes, account numbers, PINs, and QR code scans.

Target: Customers of Deutsche Bank (Germany)
Threat Level: Critical (Transaction Authorization Theft)
Phishing Method Description
This attack uses a highly sophisticated Security Process Impersonation. Scammers send out Phishing Emails or SMS (Smishing) claiming that the user’s PhotoTAN app needs to be reactivated, synchronized, or updated due to a new security regulation (e.g., “PSD2 compliance”).
The link leads to a perfect replica of the Deutsche Bank “Meine Bank” login portal. The phishing kit is designed to harvest:
Branch Code (Filiale) and Account Number (Konto)
Sub-account Number (Unterkonto)
Online Banking PIN
PhotoTAN Activation Graphics: The fake site often displays a QR code and asks the victim to scan it with their official app. In reality, the victim is scanning a code that authorizes the attacker’s device or a fraudulent transaction.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is deutsche-bank.de. Phishing sites use lookalikes like meine-deutsche-bank.online, db-phototan-aktivierung.com, or sicherheit-db.net.
Requests to Scan QR Codes: Deutsche Bank will never ask you to scan a PhotoTAN QR code to “log in” or “update your profile” on a page you reached via a link. QR codes are strictly for authorizing specific actions you initiated yourself.
Language Nuances: Look for subtle errors in German grammar or the use of generic greetings instead of your specific name.
🛡️ How to Protect Yourself
Manual Entry Only: Always access your banking by typing www.deutsche-bank.de directly into your browser. Never follow links from emails or SMS.
PhotoTAN Security: Treat every PhotoTAN scan as a real money transfer. Before scanning, always check your app’s screen to see exactly what you are authorizing. If it says “Activation” or shows an unfamiliar transaction amount, cancel immediately.
Hardware Token Option: For maximum security, consider using a physical PhotoTAN reader instead of a smartphone app.
Report Suspicious Content: Forward any suspicious emails to [email protected] to help the bank’s security team take down the fraudulent sites.
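The URL red flags in the advisories above ("Subtle URL Alterations", "Lookalike URL", "Deceptive Domain") all come down to one check: does the host match the official domain on a label boundary, or does it merely contain the brand name? The triage helper below is an added example, not part of the original advisories; the official domains are the ones stated above, while the brand tokens and the .example hosts are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Official domains as stated in the advisories above; the brand tokens are
# assumptions chosen for this example.
BRANDS = {
    "lead.bank": ("leadbank",),
    "bankofamerica.com": ("bankofamerica", "bofa"),
    "fibank.bg": ("fibank",),
    "tymebank.co.za": ("tymebank", "tyme"),
    "intesasanpaolo.com": ("intesa",),
    "deutsche-bank.de": ("deutschebank",),
}


def classify(url):
    """Return (verdict, official_domain) for one URL.

    verdict is "official", "lookalike" or "unrelated".
    """
    # Links in SMS messages often arrive without a scheme.
    parts = urlsplit(url if "://" in url else "https://" + url)
    # .hostname is lower-cased and excludes userinfo ("user@") and the port,
    # so it is the host the browser would actually connect to.
    host = (parts.hostname or "").rstrip(".")
    for official in BRANDS:
        # Exact match or a true subdomain, compared on a label boundary so
        # that "lead.bank.something.example" does not pass as lead.bank.
        if host == official or host.endswith("." + official):
            return "official", official
    # Brand search runs over the whole authority, userinfo included, with
    # dots and hyphens removed ("deutsche-bank" and "lead.bank" both match).
    squashed = "".join(ch for ch in parts.netloc.lower() if ch.isalnum())
    for official, tokens in BRANDS.items():
        if any(token in squashed for token in tokens):
            return "lookalike", official
    return "unrelated", None


if __name__ == "__main__":
    samples = [
        "https://my.fibank.bg/",                  # official host named above
        "leadbank-login.com",                     # lookalike named above
        "https://my-fibank.github.io/",           # free-hosting subdomain
        "tyme-portal.web.app",
        "meine-deutsche-bank.online",
        # Constructed samples: brand in userinfo, brand as leading labels.
        "https://bankofamerica.com@login.example/verify",
        "https://lead.bank.account-check.example/",
    ]
    for url in samples:
        print(classify(url), url)
```

A token match is only a heuristic: an address such as mykey-is.net, listed in the Intesa Sanpaolo advisory, contains no brand token and comes back "unrelated", so the allowlist match on the official domain remains the authoritative test.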