La Banque Postale phishing page revealed

A sophisticated phishing campaign targeting La Banque Postale customers in France uses a fake “Certicode Plus” security update to bypass two-factor authentication. Scammers use smishing and phishing to steal credentials and register their own devices, granting full access to victims’ accounts.

Target: Customers of La Banque Postale (France)
Threat Level: Critical (Mobile Authentication & Funds Theft)
Phishing Method Description
In this attack, scammers use a Security Compliance pretext. Victims receive a Phishing Email or SMS (Smishing) stating that their “Certicode Plus” service (the bank’s strong authentication system) is expiring or needs to be re-activated to comply with European banking regulations.
The link leads to a pixel-perfect replica of the La Banque Postale login portal. The phishing kit is specifically designed to harvest:
Identifiant ID (10-digit customer ID)
Personal Password (entered via a fake numeric keypad to mimic the real site)
Mobile Phone Number
Certicode Plus Activation Codes: The fake site attempts to intercept the activation or validation codes in real-time, allowing the attacker to link their device to the victim’s bank account.
⚠️ Red Flags to Watch For
The Deceptive URL: The official domain is labanquepostale.fr. Phishing sites often use lookalike addresses such as connexion-labanquepostale.com, certicode-plus-activation.net, lbp-securite.online, or free subdomains like la-banque-postale.web.app.
The Numeric Keypad: While the fake site mimics the official virtual keypad, pay attention to the speed and responsiveness. If the layout of the numbers changes or looks “blurry,” it may be a captured image used for phishing.
Urgent Warnings: Messages like “Your access will be suspended in 48 hours” are classic social engineering tactics to induce panic.
🛡️ How to Protect Yourself
Never Click Login Links: La Banque Postale explicitly states they will never send an email or SMS containing a link to the login page. Always type the address manually or use the official “La Banque Postale” mobile app.
App Notifications Only: Manage your Certicode Plus settings only within the official app. If you receive a request to “validate” something you didn’t initiate, ignore it and check your app directly.
Verify the Sender: Official banking SMS in France usually come from short-codes (e.g., 38004). If the message comes from a standard mobile number (+33 6… or +33 7…), it is 100% a scam.
Reporting: You can report La Banque Postale phishing by forwarding suspicious emails to [email protected] or SMS to the number 33700.

Bank of America fake verification page detected

A Bank of America phishing campaign utilizes a multi-stage “identity verification” process to harvest full user credentials, including Social Security numbers, card details, and email passwords. Scammers use high-pressure SMS and emails directing users to fake sites designed to steal full identities rather than just login credentials.

Target: Bank of America Customers (USA)
Threat Level: Critical (Full Identity & Financial Takeover)
Phishing Method Description
This attack utilizes a “Social Engineering” pretext, where the victim is told their account access has been limited due to a “missing regulatory update” or “unusual activity.” Unlike simple login phishers, this kit leads the user through a series of official-looking screens to build trust.
The malicious site is a high-fidelity clone of the Bank of America portal, specifically designed to harvest:
Online ID & Passcode
Social Security Number (SSN) (Full or last 4 digits)
Date of Birth
Credit/Debit Card Details (Number, CVV, and Expiration Date)
ATM PIN: The ultimate red flag, as banks never ask for your physical ATM PIN on a website.
⚠️ Red Flags to Watch For
The URL Mask: The official domain is strictly bankofamerica.com. Phishing sites often use deceptive addresses like bofa-update-center.net, bankofamerica-support.org, or compromised third-party domains ending in .xyz or .info.
Requesting the ATM PIN: This is a definitive sign of fraud. A legitimate bank website will never ask you to type your 4-digit ATM PIN into a web form for “verification.”
Inconsistent Branding: Look for small details—if the logo is slightly blurry, the fonts look “off,” or the footer links (Privacy, Security) don’t work, it’s a fake.
🛡️ How to Protect Yourself
Ignore SMS/Email Links: Bank of America will never send you a link directly to a sensitive verification page. Always go to the official site by typing the address manually.
The PIN Rule: Your ATM PIN is for ATMs and point-of-sale terminals only. Never enter it on any website, regardless of how official it looks.
Use the Mobile App: If there is a real issue with your account, a notification will appear inside the secure Bank of America Mobile Banking app.
Immediate Action: If you have already entered your information on such a page, call the official Bank of America fraud department immediately at 1.877.388.5030 to freeze your accounts.

United Overseas Bank Limited (UOB) phishing page revealed

A high-fidelity phishing campaign targeting United Overseas Bank (UOB) users in Southeast Asia utilizes fraudulent SMS and email links to harvest login credentials and SMS OTPs through cloned websites. These sites, often using lookalike domains like “uob-security-update.com,” aim to steal credentials and authorize fraudulent transactions by mimicking the UOB TMRW app or web portal. The scam uses urgency, claiming “digital token synchronization” or account suspension, and is aimed at stealing funds from personal internet banking accounts. Users are advised to never click links in UOB SMS messages, as the bank does not send them, and to only use the official TMRW app to verify alerts.

Target: Customers of United Overseas Bank (UOB) in Singapore and Southeast Asia
Threat Level: Critical (UOB TMRW App & Transaction Authorization Theft)
Phishing Method Description
This attack targets users of the UOB Personal Internet Banking and UOB TMRW mobile app. Scammers distribute fraudulent links via Smishing (SMS) or Phishing Emails, often claiming that the user’s “UOB Mighty/TMRW Digital Token” has expired or that an “unauthorized device” is attempting to access their account.
The link leads to a high-fidelity clone of the UOB “Login” portal. The phishing kit is specifically designed to harvest:
Username / NRIC / Passport Number
SecurePIN / Password
Mobile Phone Number
One-Time Password (OTP): The fake page intercepts the SMS OTP in real-time, allowing the attacker to link their device to the victim’s account as the primary Digital Token.
⚠️ Red Flags to Watch For
Lookalike URL: The official domain is uob.com.sg. Phishing sites often use deceptive addresses like uob-online-security.com, secure-uob.net, uob-verification.online, or free subdomains on firebaseapp.com.
Direct Link in SMS: UOB has officially stated they will never include clickable links in SMS messages sent to customers. Any SMS containing a link to a login page is 100% a scam.
Grammatical Errors: Often, the fake pages or the initial messages contain subtle English grammar mistakes or use “Dear Customer” instead of your specific name.
🛡️ How to Protect Yourself
Use the UOB TMRW App: Always perform banking and authorize transactions directly through the official UOB TMRW app. Never enter codes or credentials on a website you reached via a link.
The “No Link” Policy: If you receive an SMS alert, ignore the link. Manually type uob.com.sg into your browser or open the official app to check for any notifications.
Verify the Sender: Official banking SMS in Singapore usually come from a registered “UOB” sender ID. If the message comes from a standard mobile number or an unknown ID, it is a fraud.
Reporting: You can report suspicious UOB phishing by calling the official 24-hour fraud hotline at 1800 222 2121 (Singapore) or forwarding emails to [email protected].

💡 Expert Security Tip:
This case clearly demonstrates how fraudsters attempt to hijack your Digital Token. Remember, your Digital Token acts as your personal digital signature for authorizing high-value transactions. Never attempt to activate, synchronize, or share your token through a link received via SMS or email. Legitimate banks will only manage token security within their official mobile app or through their verified website that you have accessed manually.

HSBC bank phishing page detected

A phishing campaign targeting HSBC Bank customers uses a fake “Secure Key” synchronization alert to steal login credentials and real-time, six-digit security codes. This sophisticated attack mimics official security procedures to bypass multi-factor authentication, directing victims to fraudulent, lookalike domains.

Target: HSBC Bank Customers (Global / UK / Hong Kong)
Threat Level: Critical (Physical & Digital Secure Key Hijacking)
Phishing Method Description
This attack targets the core security feature of HSBC banking: the Digital Secure Key (app-based) or the physical Secure Key (hardware token). Scammers distribute high-pressure alerts via SMS or Email claiming a “New Payee has been added” or “Your Secure Key requires a mandatory update to avoid account suspension.”
The link leads to a sophisticated Brand Impersonation portal. The phishing kit is designed to harvest:
Username / IB User ID
Memorable Answer (Secret questions)
Secure Key Codes: The fake site prompts the victim to generate a code on their physical device or app and enter it. This code is used by the attacker in real-time to authorize a large fraudulent transfer.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is hsbc.com (or local variants like hsbc.co.uk). Phishing sites use addresses like hsbc-online-security.net, secure-login-hsbc.com, or hsbc-verification.org.
Real-Time Interception: If the website asks for a Secure Key code immediately after you enter your username, it is a sign that a hacker is attempting a concurrent login on the official site.
Generic Links: HSBC has a strict policy against sending direct links to login pages in security alert emails or SMS.
🛡️ How to Protect Yourself
Trust the Physical Device: If you use a physical Secure Key, remember that it is designed to authorize specific actions. Never enter a code from your device onto a website unless you are 100% sure you are on the official HSBC site you accessed manually.
App Notifications: Use the HSBC UK Mobile Banking (or local) app. Authentic security alerts will appear as secure messages within the app.
The “Payee” Trick: If you get an alert about a “New Payee” you didn’t add, do not click the link to “cancel” it. Log in via the official app to verify your recent activity.
Reporting: You can report HSBC phishing by forwarding suspicious emails to [email protected] or suspicious SMS to the short code 7726.


💡 Expert Security Tip:
This attack is designed to bypass Multi-Factor Authentication (MFA) by tricking you into providing a “one-time” code. Your HSBC Secure Key is your final line of defense; never use it to “verify” your identity on a page reached through a link. Treat any request for a security code as a request for your money.

Fake Vehicle tax renewal page detected

Scammers are targeting UK drivers with a fake DVLA vehicle tax renewal phishing campaign designed to steal personal and financial details. The attack uses urgent SMS or email messages to drive victims to a convincing, counterfeit GOV.UK site that demands payment and sensitive security information to avoid bogus fines. To stay safe, ignore unexpected notifications, only use the official gov.uk website to check tax status, and report suspicious messages to relevant authorities.

Target: Vehicle Owners in the UK and Ireland
Threat Level: High (Credit Card Skimming & Identity Theft)
Phishing Method Description
This attack uses Government Impersonation to mimic the official DVLA (Driver and Vehicle Licensing Agency) or Department of Transport portals. Victims receive an urgent SMS (Smishing) or Email stating that their “Vehicle Tax has expired” or that a “Tax Refund” is waiting to be claimed.
The link leads to a highly convincing clone of the official government website. To “renew” the tax or “claim the refund,” the victim is prompted to enter:
Vehicle Registration Number (To build trust)
Full Name and Home Address
Date of Birth
Credit/Debit Card Details (Number, Expiration Date, and CVV)
Mother’s Maiden Name (Used for further identity theft)
⚠️ Red Flags to Watch For
The URL Trap: Official UK government sites always end in .gov.uk. Phishing sites use deceptive addresses like renew-tax-service.com, dvla-refund-online.net, vehicle-tax-gov.org, or free hosting platforms.
Urgent & Threatening Tone: Messages often say, “Your vehicle is no longer taxed” or “Failure to pay will result in a fine,” forcing the victim to act without verifying the source.
Unexpected Refunds: Be wary of any “Tax Refund” notifications. Governments rarely send unsolicited links via SMS to distribute money; they usually credit your bank account or send a cheque.
🛡️ How to Protect Yourself
The .gov.uk Rule: Before entering any data, check the address bar. If it doesn’t end in .gov.uk, it is 100% a scam.
Access via Official Portal: If you are unsure about your tax status, go directly to www.gov.uk/check-vehicle-tax. Never use a link from an SMS.
The SMS Sender Check: Official government alerts don’t come from personal mobile numbers. If the sender is an unknown 10-digit number, delete it.
Report the Scam: You can report UK government phishing by forwarding suspicious emails to [email protected] or SMS to the short code 7726.


💡 Expert Security Tip:
Government agencies like the DVLA will never send you a link via text message to ask for your bank details or to offer a refund. Treat any unsolicited SMS regarding “Vehicle Tax” as a threat. Real tax renewals are handled via post or the official secure portal you access yourself.

TFBank phishing page detected

A phishing campaign targeting TF Bank customers in Germany, Austria, and Scandinavia uses “security update” phishing emails and SMS to harvest login credentials and real-time OTPs. The attack, often involving fake “Meine Karte” portals, aims to steal personal data and access credit lines by mimicking legitimate brand identity.

Target: TF Bank Customers (Germany, Austria, Sweden, Norway)
Threat Level: High (Credit Card & Mastercard Identity Check Theft)
Phishing Method Description
This attack focuses on Credit Card Credential Harvesting. Scammers send out Phishing Emails or SMS (Smishing) claiming that the user’s “Meine Karte” online access or “Mastercard Identity Check” needs to be updated to prevent account suspension.
The link leads to a high-quality clone of the TF Bank login portal. The phishing kit is specifically designed to harvest:
Customer ID / Email
Online Banking Password
Full Credit Card Details (Number, Expiry, CVV)
Mobile Phone Number
One-Time Password (OTP): The fake site attempts to intercept the SMS code in real-time, allowing the attacker to authorize a fraudulent transaction or add the card to a mobile wallet (Apple Pay/Google Pay).
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is tfbank.de (or .at, .se). Phishing sites use lookalikes like tfbank-meinekarte.online, sicherheit-tfbank.net, or tf-kunden-service.com.
Urgent Verification: Messages claiming “Unusual activity detected” or “Mandatory security update” are used to create a sense of panic.
Generic Salutations: Official bank communications usually include your name. Phishing emails often start with “Dear Customer” or “Guten Tag.”
🛡️ How to Protect Yourself
Use the Official App: Manage your TF Bank Mastercard only through the official TF Bank Mobile App. Authentic security updates will be handled within the secure app environment.
The “No Link” Rule: TF Bank states they will never ask you for sensitive data (like your PIN or CVV) via an email link. Always type the address manually into your browser.
Check the SMS Content: If you receive an OTP, read the text carefully. If the SMS says “Code for adding card to Apple Pay” but you are just trying to “log in,” it is a scam.
Report Phishing: You can report TF Bank phishing by forwarding suspicious emails to [email protected].


💡 Expert Security Tip:
Scammers use TF Bank phishing to bypass 3D Secure (Mastercard Identity Check). Your 6-digit SMS code is a “digital signature” for a transaction. Never enter an OTP on a website reached via a link. If a site asks for your CVV and an OTP at the same time during a “login” or “update,” close the tab immediately.

Fake Refund of your personal income tax (Erstattung Ihrer persönlichen Einkommensteuer) with bank phishing revealed

A phishing campaign impersonating German tax authorities (Finanzamt/ELSTER) is targeting taxpayers with fraudulent “Erstattung Ihrer persönlichen Einkommensteuer” (Income Tax Refund) emails and SMS, directing them to a fake portal designed to steal banking credentials (PINs/TANs). The attack uses a “Multi-Bank” approach, presenting a list of major German banks to intercept credentials in real-time, often using lookalike URLs.

Target: Taxpayers in Germany
Threat Level: Critical (Tax Fraud & Multi-Bank Phishing)
Phishing Method Description
This attack uses Government Impersonation to exploit the annual tax return season. Victims receive a professional-looking email with the subject “Erstattung Ihrer persönlichen Einkommensteuer” (Refund of your personal income tax), claiming that a significant tax overpayment is waiting to be claimed.
The link leads to a sophisticated “Gateway” Page. Instead of mimicking just one bank, this phishing kit shows a list of major German financial institutions (Sparkasse, Deutsche Bank, Postbank, Volksbanken Raiffeisenbanken, etc.). Once the victim selects their bank, they are redirected to a pixel-perfect clone of that specific bank’s login portal.
The site is designed to harvest:
Full Personal Identity (Name, Address, Tax ID)
Online Banking Credentials (PIN, Customer ID)
PhotoTAN / PushTAN / SMS OTP: The fake site intercepts the authorization code in real-time, allowing the attacker to empty the account or authorize fraudulent transfers under the guise of “confirming the refund.”
⚠️ Red Flags to Watch For
The Lookalike Gateway URL: Official tax refunds in Germany are handled via ELSTER (elster.de) or by post. The phishing site will use deceptive domains like finanzamt-erstattung.online, steuer-deutschland.net, or bundesfinanzministerium.com.
Method of Delivery: The German Tax Office (Finanzamt) never sends notifications about tax refunds via email or SMS containing clickable links for bank details. Official communication is always sent via the secure ELSTER inbox or by physical mail.
Bank Selection Menu: A real government site will never ask you to click on your bank’s logo to log in and “receive” money. Refunds are automatically sent to the IBAN already on file with the tax office.
🛡️ How to Protect Yourself
The ELSTER Rule: If you are expecting a refund, log in directly to your official ELSTER account at www.elster.de. If there is a notification, it will be there.
Don’t Click, Just Wait: Official tax assessments (Steuerbescheid) always arrive by post. If you haven’t received a letter, the email is 100% a scam.
Never Log In via Links: If an email asks you to log into your bank to “verify a deposit,” it is a trap. Banks do not require you to log in to receive an incoming wire transfer.
Report the Scam: Forward suspicious tax-related emails to the official Federal Central Tax Office or use the 7726 short code for SMS reporting.


💡 Expert Security Tip:
This is a Multi-Bank Phishing Kit. By offering a choice of banks, scammers cast a wide net to catch any victim regardless of where they hold an account. Remember: The Tax Office already has your bank details. They will never ask you to “log in and choose your bank” to send you money.

RWE (Rheinisch-Westfälisches Elektrizitätswerk) fake page with bank phishing detected

A phishing campaign targeting RWE AG customers in Germany uses fake energy refund emails to steal sensitive personal and financial data, including online banking credentials, via a fraudulent portal. The scam pressures users with urgent deadlines to claim a “refund for overpaid electricity costs” and directs them to malicious domains, such as kunden-rwe.net, to enter credentials. To protect against this threat, customers should only log in through the official rwe.com portal and report suspicious messages.

Target: RWE AG Customers and Energy Consumers in Germany
Threat Level: High (Financial Identity & Bank Access Theft)
Phishing Method Description
This attack leverages Utility Provider Impersonation. Scammers send out Phishing Emails or SMS (Smishing) claiming that due to a billing error or a government energy subsidy, the customer is entitled to a “Refund” (Guthaben) or “Climate Bonus.”
The link leads to a sophisticated fake page that mimics the RWE “Meine RWE” customer portal. To “receive the refund,” the victim is prompted to:
Select their Bank (using a multi-bank gateway menu)
Enter Online Banking Login Credentials (PIN and Username/ID)
Provide a TAN/OTP Code: The fake site intercepts the authorization code in real-time, allowing attackers to authorize fraudulent outgoing transfers instead of depositing a refund.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is rwe.com. Phishing sites use lookalikes such as rwe-erstattung.online, energie-guthaben.net, rwe-kundenportal.com, or compromised third-party URLs.
The “Refund” Hook: Energy companies usually settle refunds by crediting them toward your next bill or automatically transferring them to the IBAN already on file. They never send links asking you to log in to your bank to “receive” money.
Generic Communication: While the page looks professional, the initial email often lacks your specific customer contract number (Vertragskontonummer).
🛡️ How to Protect Yourself
Check Your Bill: If you are expecting a refund, check your last physical or digital bill. If there is a credit, it will be clearly stated there.
The “No Bank Login” Rule: Never log into your bank via a link provided in a utility email. If RWE needs your bank details, they will ask you to update them securely within their official portal that you access manually.
Verify the Sender: Check the sender’s email address. Official RWE communications come from @rwe.com. Be wary of addresses that look “similar” but are slightly off (e.g., @rwe-service.de).
Direct Access: Always type rwe.com manually into your browser to access the “Meine RWE” area.


💡 Expert Security Tip:
This is a Payment Gateway Scam. By asking you to “select your bank,” scammers are not trying to send you money—they are trying to gain access to your bank account. Real utility companies already have your bank details if you pay by SEPA direct debit. They will never ask you to “log in to your bank” to process a refund.

One Nevada Credit Union phishing page detected

A phishing campaign impersonating One Nevada Credit Union targets members via SMS and email, aiming to harvest login credentials, security answers, and sensitive personal information like SSNs through a cloned, fraudulent portal. Attackers exploit regional brand trust to create urgency around “security verification,” targeting the legitimate onenevada.org domain with sophisticated lookalike URLs. To protect against this fraud, users should rely only on the official One Nevada app, avoid clicking links in unsolicited messages, and verify any alerts directly through official, trusted channels.

Target: Members of One Nevada Credit Union (USA)
Threat Level: High (MFA Bypass & Full Account Takeover)
Phishing Method Description
This attack targets the Digital Banking users of One Nevada Credit Union. Scammers use a Security Alert pretext, sending out Smishing (SMS) or Phishing Emails claiming that an “Unauthorized Device” has logged into the account or that a “MFA Security Update” is mandatory.
The link leads to a high-fidelity clone of the One Nevada online banking portal. The phishing kit is specifically designed to harvest:
Username / Member Number
Password
Multi-Factor Authentication (MFA) Codes: The fake site prompts the victim to enter the SMS or Email code in real-time. The attacker immediately uses this code on the real banking site to gain full access.
Personal Identity Info: Social Security Number (SSN) fragments and phone numbers for identity verification.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is onenevada.org. Phishing sites use lookalikes such as onenevada-verify.net, secure-onenevada.com, or onenevada-login.online. Note that credit unions almost always use .org extensions.
Urgency & Pressure: Language like “Your access will be restricted” or “Unauthorized transfer detected” is used to bypass the victim’s critical thinking.
Requests for MFA during Login: If a site asks for an MFA code immediately after you enter your password on an unfamiliar page, it’s a sign of a real-time interception attack.
🛡️ How to Protect Yourself
Use the Mobile App: Always perform your banking through the official One Nevada Mobile Banking app. Secure alerts will be delivered inside the app’s secure mailbox.
The “No Link” Rule: One Nevada Credit Union will never send you a text message or email containing a link to a login page asking for your credentials. Always type the address manually into your browser.
Verify the SMS Source: Official alerts come from short codes. If you receive a banking alert from a standard 10-digit mobile number, treat it as a scam.
Immediate Action: If you have entered information on a suspicious page, call the official Member Services at (702) 457-1000 or (800) 388-3000 immediately to lock your account.


💡 Expert Security Tip:
This is a Real-Time MFA Proxy Attack. The scammers are acting as a “middleman” between you and the bank. Your One-Time Passcode (OTP) is the final key to your money. Never enter a code on a website you reached via a link. If the bank sends you a code, read the text carefully—it often says “Do not share this code with anyone.”

Banco BBVA phishing page detected

A widespread phishing campaign targeting BBVA bank customers in Spain and Latin America uses high-pressure smishing tactics to steal login credentials and SMS OTP codes. Fraudulent websites mimic the legitimate BBVA portal to intercept security codes for unauthorized transactions. Users are advised to avoid clicking links in suspicious messages and to use the official BBVA app for account management.

Target: BBVA Bank Customers (Spain, Mexico, Colombia, Peru)
Threat Level: Critical (Real-time Account Takeover & OTP Theft)
Phishing Method Description
This attack uses High-Pressure Social Engineering. Victims receive an SMS (Smishing) claiming that an “unauthorized login from a new device” has been detected or that their “security account needs to be synchronized” immediately to avoid permanent blockage.
The link leads to a pixel-perfect replica of the BBVA “Banca Móvil” or web portal. The phishing kit is specifically designed to harvest:
Customer ID / DNI / NIF (Identification Number)
Access Password (Contraseña)
Mobile Phone Number
One-Time Password (OTP): The fake site prompts the victim to enter the SMS code in real-time. The attacker uses this intercepted code on the actual BBVA site to authorize fraudulent transfers or link their own device to the account.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is bbva.es (Spain) or bbva.mx (Mexico). Phishing sites use lookalikes such as bbva-seguridad.online, verificar-acceso-bbva.net, bbva-asistencia.com, or free subdomains on firebaseapp.com.
Urgent & Alarming Tone: Language like “Acceso no autorizado detectado” or “Bloqueo preventivo” is used to bypass critical thinking.
Links in SMS: BBVA has a strict policy: they will never include clickable links in SMS messages sent to customers regarding account security or login issues.
🛡️ How to Protect Yourself
Use the BBVA App: Perform all your banking and notifications through the official BBVA App. The app uses biometric login and secure push notifications which are much harder to phish.
The “No Link” Rule: If you receive a security alert via SMS, ignore the link. Manually type www.bbva.es (or your local BBVA address) into your browser to check your account status.
Verify the Sender: Official alerts from BBVA usually come from a registered “BBVA” sender ID. If the message comes from a standard 10-digit mobile number, it is 100% a fraud.
Immediate Action: If you have entered your data on a suspicious page, call the official BBVA 24-hour fraud line immediately: 900 102 801 (Spain) or 55 5226 2663 (Mexico).


💡 Expert Security Tip:
This is a Real-time Man-in-the-Middle (MitM) attack. The scammers are acting as a “bridge” between you and the real bank. Your SMS OTP is the final key to your money. Never enter a code on a website you reached via a link. If the bank sends you a code, read the text carefully—it often explicitly warns: “No compartas este código con nadie.”
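
The “Deceptive Domain” red flags in the advisories above all come down to one check: does the link's real hostname sit under the official domain named for that brand? The Python sketch below is an added example, not code from the original page. The brand-word lists are hand-picked assumptions taken from the lookalike hosts quoted above, and the sample URLs are constructed from those same hosts.

```python
from urllib.parse import urlsplit

# Official domains exactly as the advisories above state them.
OFFICIAL = {
    "La Banque Postale": ("labanquepostale.fr",),
    "Bank of America": ("bankofamerica.com",),
    "UOB": ("uob.com.sg",),
    "HSBC": ("hsbc.com", "hsbc.co.uk"),
    "UK government": ("gov.uk",),
    "TF Bank": ("tfbank.de", "tfbank.at", "tfbank.se"),
    "ELSTER": ("elster.de",),
    "RWE": ("rwe.com",),
    "One Nevada Credit Union": ("onenevada.org",),
    "BBVA": ("bbva.es", "bbva.mx"),
}

# Assumption: brand words picked by hand from the lookalike hosts quoted above.
BRAND_WORDS = {
    "La Banque Postale": {"labanquepostale", "lbp", "certicode"},
    "Bank of America": {"bankofamerica", "bofa"},
    "UOB": {"uob"},
    "HSBC": {"hsbc"},
    "UK government": {"dvla"},
    "TF Bank": {"tfbank"},
    "ELSTER": {"elster", "finanzamt"},
    "RWE": {"rwe"},
    "One Nevada Credit Union": {"onenevada"},
    "BBVA": {"bbva"},
}

FREE_HOSTING = ("web.app", "firebaseapp.com")  # platforms named in the advisories


def host_of(url):
    """Hostname a browser would connect to, lower-cased, without trailing dot."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url  # let urlsplit treat scheme-less input as a host
    try:
        host = urlsplit(url).hostname or ""  # ignores any user@ prefix
    except ValueError:  # e.g. malformed IPv6 literal
        return ""
    return host.rstrip(".").lower()


def is_under(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return (verdict, brand, reason): official, lookalike, unrelated or invalid."""
    host = host_of(url)
    if not host:
        return ("invalid", None, "no hostname found")
    for brand, domains in OFFICIAL.items():
        if any(is_under(host, d) for d in domains):
            return ("official", brand, f"{host} is under an official domain")
    # Words seen in the host: each hyphen-separated piece, plus each label
    # with hyphens removed (la-banque-postale -> labanquepostale).
    words = set()
    for label in host.split("."):
        words.update(label.split("-"))
        words.add(label.replace("-", ""))
    hosting = next((h for h in FREE_HOSTING if is_under(host, h)), None)
    for brand, brand_words in BRAND_WORDS.items():
        hit = sorted(words & brand_words)
        if hit:
            reason = f"brand word {hit[0]!r} outside the official domain"
            if hosting:
                reason += f", on free hosting ({hosting})"
            return ("lookalike", brand, reason)
    return ("unrelated", None, f"{host} is not on the official-domain list")


if __name__ == "__main__":
    # Constructed sample links built from hosts quoted in the advisories.
    samples = [
        "https://www.labanquepostale.fr/",
        "connexion-labanquepostale.com/login",
        "https://la-banque-postale.web.app/certicode",
        "https://labanquepostale.fr@lbp-securite.online/",
        "https://secure-uob.net/tmrw",
        "www.gov.uk/check-vehicle-tax",
        "renew-tax-service.com",
    ]
    for s in samples:
        print(f"{s:50} {classify(s)}")
```

Only the “official” verdict is a positive signal: a host such as renew-tax-service.com carries no brand word and comes back “unrelated”, which still means it is not the official site.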