Antiphishing.biz – Page 4 – Proactive phishing detection for cybersecurity and network protection

Bank Negara Malaysia & Google Credential Harvesting revealed

Below is an analysis of the phishing campaign based on the three screenshots. The attack impersonates Bank Negara Malaysia (the central bank) and then Google, using a fake login flow to steal credentials for both.

Threat Analysis: Multi‑Step Phishing – Bank Negara Malaysia & Google Credential Harvesting

This campaign targets users in Malaysia and Indonesia (based on the language mix: Malay/Indonesian and English). It is designed to steal online banking credentials (User ID, password, phone number, and bank selection) first, and then capture the victim’s Google account credentials in a second step.

How it works:

Step 1 – Fake Bank Negara Malaysia Login Page (First Screenshot)
The victim receives a phishing link (e.g., via SMS, email, or social media) claiming a financial service issue or the need to log in. The link leads to a page hosted on taplink.ws (a link‑in‑bio service often abused for phishing). The page mimics the official Bank Negara Malaysia portal. It asks for:

Telephone number (with a Dutch prefix +31 as an example)
Bank selection (from a dropdown)
User ID / Username
Password
A checkbox to agree to “Terma & Syarat” (Terms & Conditions)

Incident Report: This deceptive layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the dangerous destination URL has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Actual screenshot of "Bank Negara Malaysia & Google Credential Harvesting revealed" phishing interface captured during link moderation on our platform. — Figure 1: Visual proof of the ongoing fraudulent campaign isolated on our infrastructure.

After the victim submits this data, they are redirected to the next step.

Step 2 – Fake Google Login Pages (Second and Third Screenshots)
The victim is then taken to a page that mimics the Google login interface (in Indonesian). It asks for:

Email address
Password

Actual screenshot 2 of "Bank Negara Malaysia & Google Credential Harvesting revealed" phishing interface captured during link moderation on our platform. — Figure 2: Visual proof of the ongoing fraudulent campaign isolated on our infrastructure.

The language (“Gunakan Akun Google Anda” – Use your Google account) and the note about adding the account to the device are copied from legitimate Google screens.

Actual screenshot 3 of "Bank Negara Malaysia & Google Credential Harvesting revealed" phishing interface captured during link moderation on our platform. — Figure 3: Visual proof of the ongoing fraudulent campaign isolated on our infrastructure.

The goal:
The attacker collects:

The victim’s bank login credentials (including which bank they use, their user ID, password, and phone number)
The victim’s Google account credentials (email and password)

With this combination, the attacker can:

Log into the victim’s bank account to transfer funds
Access the victim’s Google account to intercept password reset emails, steal personal data, and compromise other linked services
Use the phone number for SIM swapping or to bypass two‑factor authentication

Red flags to watch for:

Suspicious URL: The pages are hosted on taplink.ws, not on bnm.gov.my (Bank Negara Malaysia’s official domain) or google.com.
Unusual combination of requests: A central bank would never ask for your bank selection, user ID, password, and phone number in a single form – and certainly not redirect you to a Google login afterwards.
Language inconsistency: The Bank Negara page mixes English and Malay/Indonesian, but the domain and design are clearly not official.
Google login page on a third‑party domain: Legitimate Google login pages are only on google.com domains. The URL in the second screenshot is not shown fully, but the context makes it clear it is a phishing copy.
Unsolicited login request: Neither Bank Negara Malaysia nor Google sends links requiring you to log in via external sites to resolve “service” issues.

What to do if you encounter this:

Do not enter any information on these pages.
If you have already entered your bank credentials, contact your bank immediately to change your password and secure your account.
If you have entered your Google credentials, change your Google password immediately, enable two‑factor authentication (2FA), and review recent activity for any unauthorized logins.
Always access your bank and Google accounts by typing the official URLs directly (bnm.gov.my, google.com) – never through links.

Protective measures:

Bookmark the official login pages for your bank and Google.
Use a password manager – it will not autofill on fake domains.
Enable two‑factor authentication on all important accounts.
Be suspicious of any unsolicited message that asks you to log in via a link, especially when it involves multiple steps or different services.
Check the URL carefully – look for unusual top‑level domains (.ws, .top, .xyz) and free hosting services.

Touch ‘n Go eWallet Hijack detected

Phishing Alert: The “eWallet Hijack” Scam

This screenshot shows a sophisticated phishing page that impersonates the Touch ‘n Go eWallet login interface. While the URL suggests a gaming theme (sangepoints), the actual goal is to drain your digital wallet.

Security Notice: This malicious interface was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the dangerous destination URL has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Actual screenshot of "Touch ‘n Go eWallet Hijack detected" phishing interface captured during link moderation on our platform. — Figure 1: Live screenshot of the live scam infrastructure captured during routine moderation.

1. Brand Impersonation (Spoofing)

The attackers use the official colors, fonts, and the Touch ‘n Go eWallet logo at the top of the page.

The Tactic: This is a “Double Trap.” The user might come for gaming points but is told they need to log in with their wallet to “pay a small fee” or “verify their identity” to receive the reward.
The Reality: Any legitimate login for Touch ‘n Go would occur on their official domain (touchngo.com.my) or within the app, never on a Taplink page.

2. High-Value Data Theft: Mobile Number & PIN

The form asks for two critical pieces of information:

Mobile Number: Used as the account ID for most eWallets.
6-digit PIN: This is the master key to your funds.
The Theft: Once a victim enters these details, the scammer can instantly log into the real app, change the password, and transfer all the money to another account.

3. False Sense of Security

At the bottom, there is a reassuring message: “Don’t worry, rest assured that your data are kept secure and confidential.”

Social Engineering: This is a psychological trick designed to lower the victim’s guard at the most critical moment. Scammers often use professional-sounding legal or security disclaimers to appear legitimate.

How to Stay Safe:

Check the URL twice: If you see a banking or eWallet login form on a domain like taplink.ws, it is 100% a scam.
Never enter your PIN on a website: Payment apps are designed to be used inside the app. Your eWallet will never ask for your PIN via a browser link sent by a stranger.
Enable Biometrics: Using FaceID or Fingerprint for your wallet makes it much harder for scammers to use a stolen PIN.

Phishing Alert: The “Push Notification” Hijack

This screenshot captures the final step of an account takeover. After stealing your credentials, the scammer is now tricking you into authorizing their fraudulent login.

Actual screenshot 2 of "Touch ‘n Go eWallet Hijack detected" phishing interface captured during link moderation on our platform. — Figure 2: Live screenshot of the live scam infrastructure captured during routine moderation.

1. The “Check Your Phone” Trap

The page displays a convincing message: “We sent a notification to your device. Tap ‘Yes’ to complete the process.”

The Tactic: This is timed perfectly. While you are looking at this fake page, a real notification from the actual Touch ‘n Go eWallet app pops up on your phone.
The Reality: The notification you see on your phone is not to “receive points” or “verify a reward.” It is a request to authorize a new device (the scammer’s phone) to access your wallet.

2. Social Engineering: The “Continue” Button

The large “Continue” button at the bottom does nothing technical—it is purely psychological.

The Goal: It keeps the victim engaged and waiting on the site while the scammer waits for the victim to tap “Yes” on their mobile device.
The Deception: By creating a professional-looking “Processing” screen, the scammer makes the illegal login attempt feel like a legitimate part of the “Get Money” or “Get Points” flow.

3. Exploiting 2FA (Two-Factor Authentication)

The Breach: Scammers know that most people trust their app’s notifications. They rely on the victim’s confusion: the victim thinks they are confirming a “Safe Receipt of Funds,” but they are actually handing over the keys to their account.
The Result: If you tap “Yes” or enter an OTP code on this site, the scammer gains full control of your eWallet. They can immediately drain your balance and any linked bank accounts or credit cards.

How to Stay Safe:

Never “Authorize” via a Link: If you receive a push notification to log in while you are on a third-party website (like Taplink), always tap “No” or “Reject”.
Read the Notification Carefully: Real security alerts will say “Are you trying to log in from a new device?” or “Authorize this transaction?”. If you didn’t initiate it yourself inside the official app, it’s a scam.
Close the Browser: If a site asks you to “wait for a notification” to receive a prize, it is 100% a scam. Official rewards never require 2FA authorization.

Phishing Alert: The “Google Login” Account Takeover

This screenshot reveals a fake Google login page hosted on Taplink. Scammers use the familiarity of Google to gain full access to your emails, photos, cloud storage, and saved passwords.

Actual screenshot 3 of "Touch ‘n Go eWallet Hijack detected" phishing interface captured during link moderation on our platform. — Figure 3: Live screenshot of the live scam infrastructure captured during routine moderation.

1. The Visual Deception (Impersonation)

The page uses the official Google logo and mimics the layout of a real login screen.

The Tactic: The text is in Indonesian (“Gunakan Akun Google Anda…”), which suggests this specific campaign is targeting users in Southeast Asia.
The Red Flag: A real Google login will always be hosted on ://google.com. If you see a Google login form on taplink.ws or any other domain, it is 100% a fake.

2. High-Stake Theft: Email and Password

The form asks for your Email and Password.

The Goal: Once the victim enters these, the scammer gains access to the victim’s primary email. From there, they can reset passwords for other services (banking, social media, crypto exchanges) and steal sensitive personal data from Google Drive and Photos.

3. Exploiting “Safe” Domains

By using sangepoints.taplink.ws, the attackers hope that the “safe” reputation of Taplink will prevent the browser from showing a “Dangerous Site” warning. They often lure victims to this page by promising “Premium Game Features” or “Early Access” that supposedly requires a Google login to “sync progress.”

How to Stay Safe:

Check the URL Bar: This is the most important rule. If the URL doesn’t end in google.com, do not type anything.
Use a Password Manager: Professional password managers (like 1Password or Bitwarden) will refuse to autofill your password on a phishing site because they recognize the domain is wrong.
Enable 2-Step Verification (2FA): Always use a physical security key (like YubiKey) or an Authenticator App. Never trust a login request that pops up while you are on a suspicious website.

Phishing Alert: The “Success” Deception

This screenshot captures the moment after a victim has already submitted their Google credentials. It is a critical psychological tactic used to buy time for the attacker.

Actual screenshot 4 of "Touch ‘n Go eWallet Hijack detected" phishing interface captured during link moderation on our platform. — Figure 4: Live screenshot of the live scam infrastructure captured during routine moderation.

1. The Fake Success Message

The popup says: “Terima kasih atas aplikasi Anda” (“Thank you for your application”) with a green checkmark.

The Tactic: By showing a “Success” screen, the scammer makes the victim feel that the process is over and everything is fine.
The Reality: At this very second, the victim’s email and password have already been sent to the scammer’s server.

2. Psychological “Cooling Off”

Why it works: If the page just crashed or showed an error, the victim might realize they were scammed and immediately try to change their password or enable 2FA.
The Goal: The “Tutup” (“Close”) button encourages the user to simply close the tab and move on, giving the scammer minutes or hours of uninterrupted access to the stolen account.

3. Language Targeting

The Indonesian text confirms that this specific campaign (sangepoints.taplink.ws) is a localized attack. Scammers often use the victim’s native language to increase the conversion rate and build trust.

How to Stay Safe:

Check your Activity: If you ever realize you’ve entered data into a suspicious site, go to google.com immediately.
Sign out of all devices: Use the “Sign out of all sessions” feature to kick any intruders out of your account.
Change your password instantly: Every second counts before the scammer sets up their own recovery info.

Fake Carousell”Safe Payment” Receipt

Phishing Alert: The “Fake Buyer” Marketplace Scam

This screenshot demonstrates a common and dangerous phishing tactic used on classifieds and marketplace platforms (like Carousell, Olx, or Avito).

Incident Report: This malicious interface was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the phishing source domain has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Actual screenshot of "Fake Carousell”Safe Payment” Receipt" phishing interface captured during link moderation on our platform. — Figure 1: Visual proof of the ongoing fraudulent campaign isolated on our infrastructure.

Here is a breakdown of how this scam works to steal your banking information:

1. The Domain Deception

Look closely at the URL: carousell.83774920.sale/….

The Trap: Scammers use a subdomain that includes the brand name (carousell) to create a false sense of security.
The Reality: The actual domain is 83774920.sale. Official Carousell transactions will never happen on a random numeric domain or a .sale extension. They always stay within carousell.ph or the official app.

2. The Emotional Hook: “Receipt of Funds”

The page is designed to look like a legitimate “Safe Receipt of Money” portal.

The Tactic: The scammer contacts a seller and claims they have already paid for the item. They send this link to the seller, claiming it’s the only way to “accept” or “receive” the money.
The Red Flag: Legitimate marketplaces do not require you to enter your full card details or address on a third-party link to receive a payment.

3. Psychological Manipulation

Urgency: The text states the item “must be shipped within 3 days,” pushing the victim to act quickly.
False Protection: Using terms like “Protection Carousell” and “Dedicated team” is a social engineering trick to make the victim lower their guard.
The “Get Money” Button: The bright red button “Stage 2/2: Get Money” is the final trap. Clicking it will typically lead to a fake bank login page or a form asking for your card number, CVV, and SMS OTP.

How to Stay Safe:

Stay on the App: Never follow links sent by buyers in external messengers (WhatsApp, Viber, Telegram).
Verify the URL: Always check the main domain. If it’s not the official platform address, it’s a scam.
No Card Info for Receiving: You do not need to provide your CVV or a one-time password (OTP) to receive money. These are only for sending money.

Actual screenshot 2 of "Fake Carousell”Safe Payment” Receipt" phishing interface captured during link moderation on our platform. — Figure 2: Visual proof of the ongoing fraudulent campaign isolated on our infrastructure.

Actual screenshot 3 of "Fake Carousell”Safe Payment” Receipt" phishing interface captured during link moderation on our platform. — Figure 3: Visual proof of the ongoing fraudulent campaign isolated on our infrastructure.

Phishing Scheme: Fake “Safe Payment” Receipt
How the scam works:
The Approach: A scammer contacts a seller on a marketplace (Carousell), posing as a legitimate buyer. They claim to have already made the payment through the platform’s internal “safe deal” system.
The Link: The scammer sends a generated link (like the one above) via an external messenger (WhatsApp/Viber), claiming it’s the official “Receipt of Funds” page.
The Trap: The page looks identical to the official marketplace design. It displays a “Stage 1/2: Receipt of Funds” form, asking the seller to confirm their details.
The Theft: When the seller clicks “Get Money,” they are redirected to a fake payment gateway that asks for Full Card Number, Expiry Date, CVV, and even an SMS OTP (One-Time Password). Instead of receiving funds, the victim’s account is drained.
Warning Signs:
External Links: Official platforms never send payment links via third-party messengers.
Fake Domain: Always check the root domain. In this case, it is 83774920.sale, which has nothing to do with the official carousell.ph.
Receiving Money Doesn’t Require CVV: You never need to provide your card’s CVV or an SMS confirmation code to receive a payment.

Pinkoi Fake Suspension Notice detected

These screenshots show a phishing campaign impersonating Pinkoi (a popular e‑commerce platform for designers and handmade goods) and an associated seller named “Amberlithuania”. The scam uses a fake account suspension notice to trick victims into providing full bank card details and personal information.

Threat Intel: This scam layout was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the phishing source domain has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Actual screenshot of "Pinkoi Fake Suspension Notice detected" phishing interface captured during link moderation on our platform. — Figure 1: Actual screenshot of the live scam infrastructure captured during routine moderation.

Threat Analysis: Pinkoi Seller Phishing – Fake “Account Suspended” / Card Verification Scam

How it works:

Fake Suspension Notice – The victim (likely a seller or buyer on Pinkoi) sees a page claiming that the “Amberlithuania” account is suspended and must verify a bank card within 24 hours to restore access. Logos of Visa, Mastercard, PayPal, and Google Pay are shown to create a false sense of security.
Card Details Request – The victim is directed to a page that asks for card number and later cardholder name and phone number. A fake “Secure Connection” badge and SSL claim are added to appear legitimate.
Urgency and False Reassurance – The message states that verification must be completed within a limited time (24 hours) and claims that all personal details are protected and not visible to anyone – a common tactic to lower suspicion.

Actual screenshot 2 of "Pinkoi Fake Suspension Notice detected" phishing interface captured during link moderation on our platform. — Figure 2: Actual screenshot of the live scam infrastructure captured during routine moderation.

Actual screenshot 3 of "Pinkoi Fake Suspension Notice detected" phishing interface captured during link moderation on our platform. — Figure 3: Actual screenshot of the live scam infrastructure captured during routine moderation.

The goal:
The attacker steals:

Full credit/debit card number
Cardholder name
Phone number

With this information, the attacker can make fraudulent online purchases, clone the card, or sell the data on criminal markets. There is no actual account suspension – the entire notice is fabricated.

Red flags to watch for:

Suspicious URL: The page is hosted on a domain like pinkoi.83774920.sale, not the official Pinkoi domain (pinkoi.com).
Request for full card details to “verify” an account: Legitimate platforms never ask for your card number, expiration date, or CVV to reactivate a suspended account. Such verification would happen through official payment gateways or by contacting support directly.
Threat of immediate suspension / limited time: The 24‑hour deadline is a classic pressure tactic to prevent victims from thinking critically.
Fake “Secure Connection” badge and SSL claim: These are copied from legitimate sites but do not guarantee safety – the page is still a phishing site.
Poor design / generic layout: The pages lack the full Pinkoi branding, navigation, and security notices that would appear on the real site.

What to do if you encounter this:

Do not enter any card details, personal information, or phone number.
If you are a Pinkoi user, always access your account by typing pinkoi.com directly into your browser. Check your account status through official channels.
If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
Report the phishing page to Pinkoi’s security team.

Protective measures:

Never click links in unsolicited messages claiming your account is suspended or needs verification.
Always type the official website URL directly into your browser.
Never provide your card details, CVV, or expiration date in response to an account suspension notice.
Enable two‑factor authentication on your e‑commerce and email accounts.
Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains (e.g., .sale, .xyz).

Easybank phishing page detected

A phishing campaign targeting easybank (a German direct bank), based on the two screenshots.

Threat Analysis: easybank Phishing – Fake Online Banking Login with Fake Waiting Page

This phishing campaign impersonates easybank, a German online bank. The attack is designed to steal the victim’s online banking credentials (username and password) and then use a fake “processing” page to reduce suspicion.

How it works:

Step 1 – Fake Login Page (First Screenshot)
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to log in. The link leads to this page, which mimics the easybank Online‑Banking login portal. The page asks for:

Incident Report: This deceptive layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the hostile origin link has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Actual screenshot of "Easybank phishing page detected" phishing interface captured during link moderation on our platform. — Figure 1: Visual proof of the live scam infrastructure isolated on our infrastructure.

Benutzername (username)
Passwort (password)

A link for “Zugangsdaten vergessen” (forgotten credentials) is added to appear legitimate. The page also includes a “Jetzt registrieren” (register now) option and references to “Tagesgeldkonto” (overnight money account) – all copied from the real bank’s website.

Step 2 – Fake Waiting Page (Second Screenshot)
After the victim submits their credentials, they are taken to this page. It claims that the request is being processed and asks the victim not to leave the page to avoid interruption. This serves two purposes:

It buys time for the attacker to use the stolen credentials to log into the real easybank portal.
It reduces suspicion – the victim believes the login was successful and that the system is working normally.

Actual screenshot 2 of "Easybank phishing page detected" phishing interface captured during link moderation on our platform. — Figure 2: Visual proof of the live scam infrastructure isolated on our infrastructure.

In reality, the credentials have already been captured, and the attacker may be using them to access the victim’s real account, transfer funds, or change settings.

The goal:
The attacker steals easybank login credentials to:

Access the victim’s bank account
View balances, transfer money, and make unauthorized payments
Commit fraud or identity theft

Red flags to watch for:

Suspicious URL: The login page is hosted on a domain that is not easybank.de or the official easybank domain. The URL contains somafi-group.fr – an unrelated French domain, not the bank’s official address.
Unsolicited login request: easybank does not send links requiring customers to log in to resolve account issues. Always type the official URL directly.
Generic waiting page: A legitimate online banking system does not display a simple “please wait” page after login – the user is either logged in or shown an error. This waiting page is a classic phishing tactic to stall while the attacker works.
Minimal design / missing security features: The fake login page lacks the full branding, security notices, and multi‑factor authentication prompts (e.g., chipTAN, pushTAN) that would appear on the real easybank site.

What to do if you encounter this:

Do not enter your username or password.
If you have already entered your credentials, contact easybank immediately to block your account and change your access data.
Always access online banking by typing easybank.de directly into your browser or using the official easybank app.
Report the phishing page to easybank’s fraud department.

Protective measures:

Bookmark the official easybank login page and use that bookmark.
Use a password manager – it will autofill only on legitimate domains.
Enable two‑factor authentication (chipTAN, pushTAN, or mobileTAN) – but be aware that attackers may also try to intercept these codes if they have already captured your credentials.
Be suspicious of any unsolicited message that asks you to log in via a link.
Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains.

Scotiabank phishing page detected

The Scotiabank phishing campaign observed in early 2026 utilizes fake account verification alerts, leveraging fraudulent emails or SMS to direct users to a professionally designed, deceptive login page. Attackers aim to capture ScotiaCard numbers, passwords, and secondary verification data to gain unauthorized access to accounts.

Threat Intel: This spoofed page was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the dangerous destination URL has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Actual screenshot of "Scotiabank phishing page detected" phishing interface captured during link moderation on our platform. — Figure 1: Actual screenshot of the live scam infrastructure isolated on our infrastructure.

Actual screenshot 2 of "Scotiabank phishing page detected" phishing interface captured during link moderation on our platform. — Figure 2: Actual screenshot of the live scam infrastructure isolated on our infrastructure.

Actual screenshot 3 of "Scotiabank phishing page detected" phishing interface captured during link moderation on our platform. — Figure 3: Actual screenshot of the live scam infrastructure isolated on our infrastructure.

Actual screenshot 4 of "Scotiabank phishing page detected" phishing interface captured during link moderation on our platform. — Figure 4: Actual screenshot of the live scam infrastructure isolated on our infrastructure.

Actual screenshot 5 of "Scotiabank phishing page detected" phishing interface captured during link moderation on our platform. — Figure 5: Actual screenshot of the live scam infrastructure isolated on our infrastructure.

ING Home’Bank phishing page revealed

Incident Report: This deceptive layout was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the hostile origin link has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Target: ING Bank Customers (Europe/Romania/Poland)
Threat Level: Critical (Session Hijacking)
Phishing Method Description
This method focuses on Device Authorization Theft. The phishing page mimics the ING “HomeBank” interface, often using a “Synchronize your security device” or “Update HomeBank app” pretext.
The attacker’s goal is not just your password, but the Authorization Code (token) generated by your mobile app. By entering this code into the fake site, you are actually authorizing the threat actor’s device to access your bank account.
Red Flags to Watch For
Suspicious Domain: The URL might look like ing-homebank-update.com or authorization-ing.net. ING only uses its official national domains (e.g., ing.ro, ing.pl, ing.com).
Unusual Requests: Banks will never ask you to “synchronize” or “re-verify” your device through a link sent via SMS or Email.
Language Errors: Often, these pages contain subtle grammatical mistakes or incorrect font rendering that differs from the official app.
How to Protect Yourself
App Notifications: Trust only the notifications that appear inside your official ING mobile app.
Never Share Codes: Never enter a 2FA or authorization code on a website you reached via a link. Codes should only be entered in the official app or the bank’s main website that you opened yourself.
Enable Push-Alerts: Set up instant notifications for any login or transaction so you can react immediately if your account is compromised.

Banco de Bogota phishing page detected

A sophisticated phishing campaign targeting Banco de Bogotá in Colombia uses deceptive “security update” messages to steal user credentials, including identification numbers and full credit card details. This fraudulent site imitates the official banking portal to bypass security checks and solicit sensitive information through high-pressure tactics.

Analysis Memo: This malicious interface was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Actual screenshot of "Banco de Bogota phishing page detected" phishing interface captured during link moderation on our platform. — Figure 1: Verified screenshot of the ongoing fraudulent campaign intercepted by our security systems.

Actual screenshot 2 of "Banco de Bogota phishing page detected" phishing interface captured during link moderation on our platform. — Figure 2: Verified screenshot of the ongoing fraudulent campaign intercepted by our security systems.

Actual screenshot 3 of "Banco de Bogota phishing page detected" phishing interface captured during link moderation on our platform. — Figure 3: Verified screenshot of the ongoing fraudulent campaign intercepted by our security systems.

Actual screenshot 4 of "Banco de Bogota phishing page detected" phishing interface captured during link moderation on our platform. — Figure 4: Verified screenshot of the ongoing fraudulent campaign intercepted by our security systems.

Actual screenshot 5 of "Banco de Bogota phishing page detected" phishing interface captured during link moderation on our platform. — Figure 5: Verified screenshot of the ongoing fraudulent campaign intercepted by our security systems.

Actual screenshot 6 of "Banco de Bogota phishing page detected" phishing interface captured during link moderation on our platform. — Figure 6: Verified screenshot of the ongoing fraudulent campaign intercepted by our security systems.

Actual screenshot 7 of "Banco de Bogota phishing page detected" phishing interface captured during link moderation on our platform. — Figure 7: Verified screenshot of the ongoing fraudulent campaign intercepted by our security systems.

Target: Customers of Banco de Bogotá (Colombia)
Threat Level: High (Credit Card & Identity Theft)
Phishing Method Description
This attack uses Visual Impersonation to mimic the “Banca Virtual” (Virtual Banking) portal of Banco de Bogotá. Scammers typically distribute these links via SMS (Smishing) or Email, claiming that the user’s digital key has expired or that an “unusual transaction” requires immediate verification.
The fake site is designed to harvest:
Customer ID / Username (Documento de Identidad)
Online Banking Password
Token / OTP Codes (One-Time Passwords)
Full Debit/Credit Card Details (Number, Expiration Date, and CVV)
Red Flags to Watch For
The URL Trap: The official domain is bancodebogota.com. Phishing links often use strange subdomains or lookalike addresses like bancodebogota-seguro.com, validar-bogota.net, or free hosting platforms.
Requesting the CVV: Real banking login pages never ask for your 3-digit CVV code (on the back of your card) just to log into your account. This is a clear sign of a credit card “skimmer.”
Mixed Languages/Broken Links: Often, the “Help” or “Contact Us” buttons on these fake pages lead nowhere or return a 404 error, as only the login form is functional.
How to Protect Yourself
Type, Don’t Click: Always manually type ://bancodebogota.com into your browser address bar. Never click on links in SMS messages.
Verify the SMS Sender: Banco de Bogotá sends alerts from official short codes. If you receive a security alert from a regular 10-digit mobile number, it is 100% a scam.
Use the Official App: Perform all sensitive operations and balance checks through the official “Banca Móvil” app downloaded from the App Store or Google Play.
Identify Verification: If the site asks you to enter multiple codes from your Token one after another, close the page immediately. Scammers do this to perform unauthorized transfers in real-time.

LEAD Bank phishing page detected

A phishing campaign targeting Lead Bank business customers uses fraudulent “unauthorized login” alerts to drive victims to a spoofed portal designed to steal credentials, personal information, and 2FA codes. The attack creates a sense of urgency to trick users into entering sensitive data on a site with a misleading domain. To protect against this threat, users should only navigate to the official Lead Bank site via secure, known channels and never enter MFA codes on suspicious sites.

Security Notice: This deceptive layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the dangerous destination URL has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Actual screenshot of "LEAD Bank phishing page detected" phishing interface captured during link moderation on our platform. — Figure 1: Live screenshot of the ongoing fraudulent campaign isolated on our infrastructure.

Target: Business Clients and Fintech Partners of Lead Bank (USA)
Threat Level: High (Corporate & Business Email Compromise)
Phishing Method Description
This attack targets corporate users of Lead Bank, a Kansas City-based institution known for its focus on business banking and financial technology. Scammers use a Clean Page Design strategy, creating a minimalist and professional-looking imitation of the bank’s corporate login portal.
Victims are typically reached via Spear Phishing (targeted emails) or LinkedIn messages claiming that a “Corporate Account Statement” is ready or that a “Secure Message” is waiting to be read.
The malicious page is specifically designed to harvest:
Corporate Email / Username
Business Banking Passwords
MFA / 2FA Tokens (Multi-Factor Authentication)
Red Flags to Watch For
Subtle URL Alterations: The official domain is lead.bank. Phishing sites often use common extensions like leadbank-login.com, leadbank.net, or secure-leadbank.org.
Generic Salutations: Official business banks usually address clients by their full name or company name. Phishing emails often use “Dear Client” or “Valued Business Partner.”
Inconsistent Branding: Look closely at the logo and fonts. Scammers often use low-resolution images or slightly different font weights that deviate from Lead Bank’s official corporate identity.
How to Protect Yourself
Verify the Domain Extension: Remember that Lead Bank uses the unique .bank top-level domain. This extension is restricted only to verified financial institutions. If the site ends in .com, .net, or anything else, it is a fraud.
Use Hardware Keys: For business banking, hardware security keys (like Yubikey) are much safer than SMS-based codes, as they cannot be easily phished by fake websites.
The “Slow Down” Rule: Corporate phishing often relies on a “Friday afternoon” rush. Always double-check the sender’s email address and the website URL before entering corporate credentials.
IT Reporting: If you encounter a suspicious Lead Bank login page, immediately report it to your company’s IT security department to prevent a broader Business Email Compromise (BEC) attack.

Banque Nationale phishing page detected

A phishing campaign targeting National Bank of Canada (Banque Nationale) clients uses fake “Interac e-Transfer” notifications to steal login credentials, security questions, and OTPs. The fraudulent pages, often mimicking the official BNC portal, are designed to capture data from users in Canada and Quebec. To protect against this threat, users are advised to enable Interac Autodeposit and verify the URL for signs of a scam.

Security Notice: This scam layout was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Actual screenshot of "Banque Nationale phishing page detected" phishing interface captured during link moderation on our platform. — Figure 1: Live screenshot of the live scam infrastructure intercepted by our security systems.

Target: Customers of National Bank of Canada (Banque Nationale du Canada)
Threat Level: Critical (Banking Access & Funds Theft)
Phishing Method Description
This attack leverages the popularity of Interac e-Transfer in Canada. Scammers send a text message (SMS) or email stating that a “Refund,” “Government Rebate,” or “Payment” is waiting to be deposited.
The link leads to a sophisticated Brand Impersonation page that mimics the National Bank’s “Telnat” or “EasyPay” login interface. The fake site is designed to capture:
Access ID / Username
Password / Secret Question Answers
Direct Deposit Information
Card Number and Expiration Date
Red Flags to Watch For
Lookalike URL: The official domain is nbc.ca (or bnc.ca). Phishing sites use deceptive addresses like nbc-verification-login.com, nbc-interac.online, or client-bnc.net.
Unexpected Money: Be suspicious of any notification for an e-transfer you weren’t expecting. If you didn’t sell anything or aren’t expecting a specific rebate, it’s likely a scam.
The “Deposit” Trap: Real Interac e-Transfers allow you to choose your bank from a list. Phishing pages often take you directly to a pre-selected fake login page for one specific bank.
How to Protect Yourself
Set Up Autodeposit: This is the best defense. If you have Interac Autodeposit enabled, any legitimate transfer will go straight into your account without you needing to click any links or answer security questions.
The SMS Sender Check: Official alerts from National Bank usually come from short codes, not standard 10-digit mobile numbers. If the sender looks like a personal cell phone, delete the message.
Access via Official App: If you receive a notification, don’t click the link. Open your official National Bank (BNC) mobile app directly to check for any pending transfers or messages.
Report Phishing: You can forward suspicious SMS messages to the short code 7726 (SPAM) to help carriers block the sender.