PayPal phishing page revealed

This phishing campaign against PayPal users utilizes fraudulent “Account Suspension” notifications to direct victims to a high-fidelity cloned site. The multi-step funnel steals user credentials, personal information, and credit card data, often employing deceptive domains and urgent demands to bypass security measures.

Target: PayPal Users Worldwide
Threat Level: Critical (Financial & Identity Theft)
Phishing Method Description
This attack uses a “Restricted Account” pretext. Scammers send out deceptive emails or SMS messages claiming that “Your account has been temporarily limited” or that there is “Unusual activity on your PayPal account.” To “restore access,” the victim is pressured to click a link and complete a security check.
The link leads to a high-fidelity clone of the PayPal login portal. Once the victim enters their credentials, the phishing kit directs them through a series of additional forms designed to harvest:
Email Address and Password
Full Name, Date of Birth, and Home Address
Credit/Debit Card Details (Number, Expiration Date, CVV)
Bank Account Information
Mother’s Maiden Name (to bypass security questions)
⚠️ Red Flags to Watch For
The Deceptive URL: The official domain is strictly paypal.com. Phishing sites often use lookalikes such as verify-paypal-accounts.com, paypal-security-center.net, service-paypal.info, or free subdomains like login-paypal.web.app.
Urgent & Threatening Language: Phrases like “Action Required immediately” or “Your account will be permanently closed” are classic social engineering tactics.
Non-Personalized Greetings: Official PayPal emails almost always address you by your full name (as registered on your account), not “Dear Customer” or “Valued Member.”
🛡️ How to Protect Yourself
The “Login Direct” Rule: Never log into PayPal via a link in an email or SMS. Always open a new browser tab and manually type ://paypal.com or use the official PayPal App.
Check the Message Center: If there is a real problem with your account, a notification will be waiting for you in the secure “Message Center” inside your PayPal account.
Watch for Redirection: Phishing kits often redirect you to the real PayPal website after you’ve submitted your data to make the experience feel legitimate. If the site suddenly “refreshes” or looks different, your data may have been stolen.
Reporting: You can report PayPal phishing by forwarding suspicious emails to [email protected] or suspicious SMS to the short code 7726.


💡 Expert Security Tip:
This is a Full Info (Fullz) Phishing Kit. The scammers aren’t just after your PayPal balance; they want your Credit Card and Identity. PayPal will never ask you to enter your full credit card number and CVV just to “verify” your account login. If a site asks for your card details to “unlock” your account, close the tab immediately.

Bank Central Asia phishing page detected

A phishing campaign targeting Bank Central Asia (BCA) customers in Indonesia uses WhatsApp-based smishing to direct victims to fraudulent sites mimicking the KlikBCA login portal. Attackers aim to harvest User IDs, PINs, and KeyBCA token codes, enabling real-time, fraudulent transaction authorization. The attack is a “Token Interception” method, utilizing spoofed domains like klikbca-update.online to bypass security and steal user funds.


Target: Customers of Bank Central Asia (BCA) in Indonesia
Threat Level: Critical (KlikBCA & Individual Access Theft)
Phishing Method Description
This attack targets users of KlikBCA Individual and the BCA Mobile app. Scammers distribute fraudulent links via WhatsApp or SMS (Smishing), often using an “official-looking” announcement about a “New Service Fee Policy” (e.g., changing the monthly fee to 150,000 IDR) or a “Security Feature Update.”
The link leads to a pixel-perfect replica of the BCA login portal. The phishing kit is specifically designed to harvest:
User ID / Username
Internet Banking PIN
Mobile Phone Number
KeyBCA (Physical Token) Response: The fake site prompts the victim to generate a code on their physical KeyBCA device (using APPLI 1 or APPLI 2) and enter it. The attacker uses this code in real-time to authorize a massive fraudulent transfer.
⚠️ Red Flags to Watch For
The Deceptive URL: The official domain is bca.co.id or klikbca.com. Phishing sites often use lookalike addresses such as bca-update-layanan.com, tarif-bca-baru.net, klikbca-konfirmasi.online, or free subdomains like bca-login.web.app.
Urgent Call-to-Action: Messages that demand you “Agree” to a fee change or “Confirm” your account within a few hours are classic social engineering tactics.
Requesting KeyBCA Codes: BCA will never ask you to enter a KeyBCA token code just to “cancel a fee” or “verify your identity” through a link sent via WhatsApp.
🛡️ How to Protect Yourself
Use the BCA Mobile App: Only trust notifications that appear inside your official BCA Mobile or Halo BCA app.
The “No Link” Rule: BCA officially states they will never send links via SMS or WhatsApp asking for your personal data or PIN. Always type ://klikbca.com manually into your browser.
Verify with Halo BCA: If you receive a suspicious message, contact the official BCA call center at 1500888 or use the official Halo BCA app to verify the information.
KeyBCA Security: Treat your physical KeyBCA token as the “key to your safe.” Never use it on any website that you did not access yourself by typing the address.


💡 Expert Security Tip:
This is a Social Engineering & Token Interception attack. Scammers create a fake problem (like a high monthly fee) to make you panic and give up your KeyBCA codes. Remember: Your token codes are only for authorizing transactions you started. Never use your KeyBCA to “cancel” something or “log in” from a link.

Banco CUSCATLAN phishing page detected

A phishing campaign targeting Banco Cuscatlán users in El Salvador and Guatemala uses fraudulent “digital profile update” notifications to steal netbanking credentials and OTP codes. The attack, which directs victims to a pixel-perfect replica of the legitimate site, aims to perform real-time account takeovers via deceptive domains and urgent, alarming messaging. Customers are advised to use the official Banco Cuscatlán app and to never enter security tokens on websites reached via SMS or email links.

Target: Customers of Banco Cuscatlán (El Salvador / Guatemala)
Threat Level: Critical (NetBanking Access & Digital Token Theft)
Phishing Method Description
This attack uses Data Synchronization as a pretext. Victims receive a Phishing Email or SMS (Smishing) claiming that their “Digital Key” (Clave Digital) has expired or that their personal information must be updated to comply with new banking security standards.
The link leads to a pixel-perfect replica of the Banco Cuscatlán “NetBanking” portal. The phishing kit is specifically designed to harvest:
Username / User ID (Usuario)
Password (Contraseña)
Mobile Phone Number
One-Time Password (OTP) / Digital Token: The fake site prompts the victim to enter the code from their SMS or security app in real-time. The attacker uses this intercepted code on the actual bank site to perform fraudulent transfers or change account settings.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is bancocuscatlan.com. Phishing sites often use lookalike addresses such as cuscatlan-sv.online, bancocuscatlan-actualizacion.net, or free subdomains like cuscatlan-login.web.app.
Urgent & Threatening Tone: Phrases like “Acceso restringido temporalmente” (Access temporarily restricted) or “Evite el bloqueo de su cuenta” (Avoid account blockage) are used to force the victim to act impulsively.
Link in SMS/Email: Banco Cuscatlán explicitly states they will never send links in messages asking for your login credentials or security codes.
🛡️ How to Protect Yourself
Use the Official App: Manage your finances only through the official Banco Cuscatlán mobile app. Authentic security alerts will be handled within the secure app environment.
The “Manual Entry” Rule: Always type ://bancocuscatlan.com manually into your browser’s address bar. Never click on links provided in unexpected emails or text messages.
Verify the SMS Sender: Official alerts usually come from registered bank IDs. If you receive a message from a standard mobile number, treat it as a scam.
Immediate Action: If you have entered your credentials on a suspicious page, call the official Banco Cuscatlán fraud line immediately at 2212-2000 (El Salvador).


💡 Expert Security Tip:
This is a Session Hijacking attempt. The scammers are trying to steal your Digital Key while you are “syncing” your account. Remember: Your security codes are for authorizing actions you started. Never use your OTP or Token to “unblock” or “verify” an account through a link sent to you.

Bank of America phishing page revealed

A June 2025 phishing campaign targeting Bank of America users employs a “Compliance & Maintenance” pretext, claiming an “incomplete profile update” to steal credentials and bypass two-factor authentication [1]. The fraudulent site, often hosted on deceptive domains, attempts to capture online banking IDs, passcodes, email credentials, and real-time one-time passcodes (OTP). Users should be wary of urgent, high-fidelity clones and are advised to verify accounts only through the official banking app or by directly typing the URL.

Target: Bank of America Customers (USA)
Threat Level: Critical (Identity Theft & Full Account Hijacking)
Phishing Method Description
This attack uses an Account Verification pretext. Victims receive an urgent email or SMS stating that their “Security Profile” is outdated or that “New Security Measures” must be accepted to maintain online access.
The link leads to a multi-step phishing portal that mimics the official Bank of America login flow. Unlike simpler scams, this one is designed to harvest:
Online ID and Passcode
Social Security Number (SSN) (Full or last 4 digits)
Security Challenge Questions & Answers (Mother’s maiden name, childhood pet, etc.)
Email Account Credentials (Scammers often ask for your email password under the guise of “Synchronizing your alerts”)
⚠️ Red Flags to Watch For
Deceptive Domain Name: The official domain is strictly bankofamerica.com. Phishing sites often use variations like bofa-online-verify.com, bankofamerica-support.net, or free hosting subdomains like bofa-security.web.app.
Requests for Sensitive Personal Data: A legitimate bank will rarely ask you to provide your full SSN and answers to all your security questions on a single page, especially after clicking a link.
Aggressive Urgency: Messages claiming “Immediate action required” or “Failure to comply will result in permanent account closure” are classic social engineering tactics.
🛡️ How to Protect Yourself
The “Manual Entry” Rule: Always access Bank of America by typing the URL manually into your browser. Never use links from emails or text messages.
Use the Mobile App: Official alerts will appear within the secure Bank of America Mobile Banking app. If the app doesn’t show a notification, the email is a scam.
Never Share Security Answers: Your security questions are a secondary password. Banks will never ask for them in a bulk “update” form.
Enable Advanced 2FA: Use a hardware security key or an authenticator app if supported. If you receive an unexpected 2FA code via SMS, do not enter it on any website.


💡 Expert Security Tip:
This is an Identity Harvesting Kit. Scammers are not just trying to log in once; they are gathering enough data to bypass your security questions and reset your password at any time. Never provide the answers to your challenge questions on a page you reached via a link.

Google Maps fake page revealed

A phishing campaign impersonating Google Maps tricks users into entering credentials on fake pages to steal full Google Account access. These attacks leverage fraudulent “Location Update” alerts, often capturing 2FA codes in real-time to bypass security measures.

Target: Global Google Account Users
Threat Level: Critical (Full Google Account & Gmail Hijacking)
Phishing Method Description
This attack uses a Service Notification pretext. Victims receive an email or push-style notification claiming that “A new device is tracking your location” or “Your Google Maps Timeline is ready to review.” Another common tactic is a fake “Location Sharing” request from a stranger.
The link leads to a pixel-perfect imitation of the Google Sign-in page. This is a sophisticated Real-time Phishing Kit designed to harvest:
Google Account Email / Phone Number
Account Password
Two-Factor Authentication (2FA) Codes: The fake site prompts the victim for their SMS code or “Google Prompt” tap in real-time, allowing the attacker to bypass security and take over the account instantly.
⚠️ Red Flags to Watch For
The URL Check: Official Google login pages always start with ://google.com. Phishing sites use deceptive addresses like google-maps-login.net, secure-account-verify.com, or free subdomains like maps-review.web.app.
Unexpected 2FA Prompts: If you receive a “Google Prompt” (the “Is it you?” screen on your phone) while browsing a site you reached via a link, tap “No” immediately.
Sender Address: Official Google notifications come from addresses ending in @google.com. Be wary of senders like [email protected].
🛡️ How to Protect Yourself
Use Security Keys: Hardware security keys (like YubiKey) are the only 100% defense against this type of real-time phishing.
The “Sign-In” Habit: Never sign into your Google account through a link in an email. If you need to check your settings, go to ://google.com by typing it manually.
Check “Third-party access”: Regularly review which apps have access to your Google account at ://google.com.
Report the URL: You can report Google-branded phishing sites directly to Google’s Safe Browsing team to help protect others.


💡 Expert Security Tip:
This is a Session Hijacking attack. Scammers aren’t just after your location; they want your Gmail. Once they have access to your primary email, they can reset passwords for your bank, social media, and other sensitive services. Never “Verify” your account through a link—Google will never ask you to do this via an unsolicited email.

Google Meet phishing page detected

This phishing campaign abuses legitimate Windows device management (MDM) features, masquerading as a fake Google Meet update to gain full, remote control over a victim’s computer. Instead of stealing credentials, the attack tricks users into enrolling their devices into an attacker-controlled system, allowing for malicious software installation and remote file access.

Target: Corporate Employees, Job Seekers, and Freelancers
Threat Level: Critical (Business Email Compromise & Google Account Takeover)
Phishing Method Description
This attack leverages the “Fear of Missing Out” (FOMO) or professional urgency. Victims receive an email, Calendar invite, or LinkedIn message with a link to a “Scheduled Interview,” “Emergency Team Meeting,” or “Legal Consultation” via Google Meet.
The link leads to a pixel-perfect clone of the Google Meet landing page. Before “joining” the call, the site prompts the victim to “Sign in to verify your identity.” This is a Real-time Credential Harvesting kit designed to steal:
Google Account Credentials (Email and Password)
Session Cookies: To bypass Multi-Factor Authentication (MFA).
2FA Codes: The fake site intercepts SMS codes or “Google Prompts” in real-time to gain instant access to the victim’s Gmail and Drive.
⚠️ Red Flags to Watch For
The Deceptive URL: Official Google Meet links always start with ://google.com. Phishing sites use lookalikes such as meet-google-join.net, google-meet-session.com, or free subdomains like joining-meet.web.app.
Unsolicited Calendar Invites: Scammers often exploit the “automatically add invitations” feature in Google Calendar to make the meeting look legitimate and internal.
Request to Sign In: If you are already logged into your Google account in your browser, Google Meet will never ask you to re-enter your password just to join a meeting.
🛡️ How to Protect Yourself
Check the “Join” Screen: Authentic Google Meet pages show your profile picture in the top right corner if you are already logged in. If the page looks “blank” or asks for a login, close it.
Verify the Organizer: Check the email address of the person who sent the invite. If it’s from an external or suspicious domain (e.g., [email protected]), do not click.
Use Hardware 2FA: Security keys (like Yubico) prevent hackers from using stolen 2FA codes, as the key is physically tied to the legitimate google.com domain.
Disable Auto-Invites: Go to your Google Calendar settings and change “Add invitations to my calendar” to “Only if I respond to the invitation by email” to prevent “Ghost” meetings from appearing.


💡 Expert Security Tip:
This is a Credential & Session Theft attack. Scammers use the familiar Google Meet interface to lower your guard. Remember: Google will never ask for your password to join a meeting if you are already signed into your browser. If a “Meeting” page asks for your password, it is 100% a phishing trap.
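Why a hardware key resists the real-time relay described in the two Google sections above while an SMS code does not, shown as an added example (not code from Google or any key vendor). It is a simplified relying-party check of the WebAuthn origin and rpIdHash fields; signature verification is omitted, the `accounts.google.com` origin and the one-time code are assumptions, and the lookalike hostname is one quoted on this page.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit

RP_ID = "google.com"                               # relying-party ID the key is registered for
ALLOWED_ORIGINS = {"https://accounts.google.com"}  # assumed sign-in origin for this sketch


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Simulates the browser and key. The page cannot choose `origin`:
    the browser writes the origin it actually loaded into clientDataJSON."""
    host = urlsplit(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        # Browsers reject an rpId that is not the page's own domain or a parent of it.
        raise PermissionError(f"rpId {rp_id!r} is not valid for {page_origin}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags (user present) || signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client_data, auth_data


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """Relying-party checks that bind the response to the real site."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(cd.get("challenge", ""), b64url(expected_challenge)):
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')} is not ours"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    return True, "ok"


def verify_otp(submitted: str, expected: str) -> bool:
    """An SMS or app code carries no origin, so the server cannot tell where it was typed."""
    return hmac.compare_digest(submitted, expected)


def demo():
    challenge = os.urandom(32)
    clone = "https://meet-google-join.net"  # lookalike hostname quoted on this page
    results = {}
    # 1. User on the genuine sign-in page: accepted.
    cd, ad = browser_get_assertion("https://accounts.google.com", RP_ID, challenge)
    results["genuine"] = verify_assertion(cd, ad, challenge)
    # 2. Clone page requests the real rpId: the browser refuses before the key is used.
    try:
        browser_get_assertion(clone, RP_ID, challenge)
        results["clone_real_rpid"] = (True, "ok")
    except PermissionError as exc:
        results["clone_real_rpid"] = (False, str(exc))
    # 3. Clone page requests its own rpId: the forwarded response names the wrong origin.
    cd, ad = browser_get_assertion(clone, "meet-google-join.net", challenge)
    results["clone_own_rpid"] = verify_assertion(cd, ad, challenge)
    # 4. A one-time code (constructed value) typed into the clone and forwarded: accepted.
    results["otp_relayed"] = verify_otp("492817", "492817")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} {outcome}")
```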

Portuguese government phishing page discovered

A May 2025 phishing campaign targeting Portuguese government and financial sectors uses the “ClickFix” method to trick users into executing malicious PowerShell commands. Posing as official tax authority (AT) alerts via WeTransfer, this attack distributes Lampion malware designed to steal data. To avoid this scam, verify that official communications use the gov.pt domain and manually enter website addresses rather than clicking links in emails.

Portuguese Government “Tax Refund / Social Security” Fraud
Target: Citizens and Residents of Portugal
Threat Level: High (Financial & Identity Theft)
Phishing Method Description
This attack uses a “Government Grant / Refund” pretext. Victims receive an SMS (Smishing) or Email claiming they are entitled to a “Reembolso” (Refund) from the Tax Authority (Autoridade Tributária) or a social subsidy from Segurança Social.
The link leads to a high-fidelity clone of the official Portuguese government portal (e-fatura or Portal das Finanças). To “receive the payment,” the victim is led through a series of forms designed to harvest:
NIF (Tax Identification Number)
Access Credentials (Password for the government portal)
Credit/Debit Card Details (Number, Expiration Date, and CVV)
Mobile Phone Number (for intercepting 3D-Secure codes in real-time)
⚠️ Red Flags to Watch For
The URL Trap: Official Portuguese government sites always end in .gov.pt. Phishing sites use deceptive addresses like reembolso-financas.com, seguranca-social-directa.net, portal-financas-gov.org, or free hosting platforms.
Requesting Card Details for a Refund: Government agencies already have your IBAN for tax refunds. They will never ask you to enter your credit card’s CVV or expiration date to “send” you money.
Urgent Deadlines: Phrases like “Último aviso” (Last warning) or “Expira em 24 horas” (Expires in 24 hours) are used to create artificial panic.
🛡️ How to Protect Yourself
The .gov.pt Rule: Always check the address bar. If the domain does not end in .gov.pt, close the page immediately.
Access via Official Portals: If you are expecting a refund, log in directly to the official Portal das Finanças (portaldasfinancas.gov.pt) or Segurança Social Direta by typing the address manually.
Use Chave Móvel Digital: Whenever possible, use the official Chave Móvel Digital for secure authentication. Scammers find it much harder to bypass this multi-factor system.
Verify SMS Senders: Official government alerts do not come from standard 9-digit mobile numbers. If the sender is an unknown mobile number, it is a scam.


💡 Expert Security Tip:
This is a Refund-to-Skimming attack. Government agencies pay out refunds via Bank Transfer (IBAN), not by “crediting” your debit card like a merchant refund. If a government site asks for your CVV code, it is 100% a phishing trap designed to empty your account.

Argenta Bank phishing page detected

A sophisticated phishing campaign targeting Argenta Bank customers in Belgium and the Netherlands utilizes fraudulent “Digipass synchronization” to perform real-time session hijacking and fund theft. Attackers use phishing sites to harvest login credentials and security codes, prompting users with fake urgent security alerts to bypass two-factor authentication.

Argenta Bank “New Debit Card” Phishing
Target: Customers of Argenta Bank (Belgium and the Netherlands)
Threat Level: Critical (Physical Card Replacement & Account Takeover)
Phishing Method Description
This attack uses a “Card Expiration” pretext. Victims receive a Phishing Email or SMS (Smishing) claiming that their current bank card is outdated or no longer compliant with new security standards. To “request a new card for free,” the victim is pressured to click a link.
The link leads to a professional clone of the Argenta “Argenta Bankieren” portal. This sophisticated phishing kit is designed to harvest:
Log-in Credentials (User ID and Password)
Full Debit Card Details (Card Number and Expiry)
Phone Number
Security Signatures (Digipass codes): The fake site prompts the victim to use their physical Digipass (token reader) and enter the generated codes in real-time. This allows the attacker to authorize a new device or a large fraudulent transfer immediately.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is argenta.be. Phishing sites use lookalikes such as argenta-veiligheid.online, nieuw-kaart-argenta.net, secure-argenta.com, or free subdomains like argenta-login.web.app.
Urgent Card Replacement: Argenta will never send you a link via SMS or email to “order” a new card. New cards are usually sent automatically or managed via the secure internal mailbox.
Requesting Digipass Codes for “Updates”: Your Digipass is for authorizing your transactions only. If a site asks for a Digipass code to “verify your identity” or “apply for a card,” it is a scam.
🛡️ How to Protect Yourself
Use the Argenta App: Perform all your banking and card management through the official Argenta App. It is much more secure than the web portal reached via external links.
The “No Link” Rule: Argenta explicitly states they will never include a direct link to a login page in an SMS or email. Always type the address manually into your browser.
Check the Language: While the phishing pages are often well-translated into Dutch/French, look for subtle errors or font inconsistencies compared to the official site.
Reporting: You can report Argenta phishing by forwarding suspicious emails to [email protected].


💡 Expert Security Tip:
This is a Card Replacement Scam. Scammers want you to think you are getting a “new, safer card,” but they are actually stealing the Digipass signatures needed to empty your current account. Never use your Digipass reader on a website you reached via a link.

BNP Paribas bank group phishing page revealed

A phishing campaign targeting BNP Paribas customers in Europe uses a “Restricted Access” pretext to steal credentials, mobile numbers, and digital tokens for the “Mon Compte” system. Attackers use sophisticated fake portals with fake virtual keypads, aiming to intercept real-time authorization codes to hijack online banking accounts.

BNP Paribas “Digital Key Verification” Phishing
Target: Customers of BNP Paribas (France and International)
Threat Level: Critical (Mobile Access & Digital Key Takeover)
Phishing Method Description
This attack targets the “Clé Digitale” (Digital Key) security system. Scammers distribute urgent notifications via SMS (Smishing) or Email, claiming that the user’s account will be restricted unless they “synchronize their security device” or “confirm their identity” due to a new security protocol.
The link leads to a high-fidelity clone of the BNP Paribas “Accès Client” portal. This sophisticated phishing kit is specifically designed to harvest:
Numéro Client (10-digit customer ID)
Personal Secret Code (Password entered via a fake interactive numeric keypad)
Mobile Phone Number
Authorization Codes: The fake site prompts the victim to enter the validation code received via SMS or generated by their app. This allows the attacker to register their own smartphone as the primary “Digital Key” for the victim’s account.
⚠️ Red Flags to Watch For
The Lookalike URL: The official domain is mabanque.bnpparibas. Phishing sites use deceptive addresses like bnpparibas-securite.online, mabanque-connexion.net, verification-bnp.com, or free subdomains like bnpparibas.web.app.
Numeric Keypad Anomalies: While the fake site mimics the official virtual keypad, it is often a static image or a script that captures your clicks in real-time. If the keypad looks “blurry” or loads slowly, it’s a scam.
Link in SMS/Email: BNP Paribas officially states they will never send a link in an email or SMS to ask for your login credentials or security codes.
🛡️ How to Protect Yourself
Use the Official App: Manage your accounts and Digital Key exclusively through the official “Mes Comptes” app from BNP Paribas.
The “Manual Entry” Rule: Always type the address manually into your browser. Never follow links from messages.
Verify the SMS Sender: Official alerts in France usually come from short codes. If the message comes from a standard 10-digit mobile number, it is 100% a fraud.
Immediate Action: If you have entered your data on a suspicious page, call the official BNP Paribas fraud department immediately at 01 60 17 70 00 (France).


💡 Expert Security Tip:
This is a Device Binding Attack. The scammers aren’t just after your password; they want to steal your Digital Key to bypass all future security checks. Your bank will never ask you to “synchronize” or “verify” your security key through a web link.

Bank Syariah Indonesia (BSI) phishing page detected

A phishing campaign targeting Bank Syariah Indonesia (BSI) customers leverages fake “system migration” or “new fee” notifications sent via SMS and WhatsApp to steal mobile banking credentials. The fraudulent sites prompt users to input their BSI Mobile phone number, 6-digit PIN, and OTP, allowing attackers to hijack accounts.

Bank Syariah Indonesia (BSI) “New Service Fee” Phishing
Target: Customers of Bank Syariah Indonesia (BSI)
Threat Level: Critical (Mobile Banking & OTP Interception)
Phishing Method Description
This attack uses a “Policy Update” pretext to induce panic. Scammers distribute fraudulent messages via WhatsApp or SMS (Smishing), claiming that BSI is changing its monthly service fee to a high amount (e.g., 150,000 IDR). To “opt-out” or “keep the old rate,” the victim is pressured to click a link and “confirm” their choice.
The link leads to a high-fidelity clone of the BSI Mobile login or a fake verification portal. This phishing kit is specifically designed to harvest:
ATM/Debit Card Number
Mobile Banking PIN
Phone Number
SMS OTP (One-Time Password): The fake site prompts the victim for the 6-digit code in real-time. The attacker uses this code to register the victim’s account on their own device, granting them full control over the funds.
⚠️ Red Flags to Watch For
The Deceptive URL: The official domain is bankbsi.co.id. Phishing sites use lookalikes such as tarif-bsi-baru.info, konfirmasi-bsi.online, update-layanan-bsi.com, or free subdomains like bsi-mobile.web.app.
Urgent & Alarming Tone: Messages demanding you “Agree” or “Refuse” a fee change within minutes are classic social engineering tactics.
Requesting your PIN/OTP: BSI will never ask for your mobile banking PIN or SMS OTP through a website link to “cancel a fee.”
🛡️ How to Protect Yourself
Use the BSI Mobile App: Trust only the notifications that appear inside your official BSI Mobile app.
The “No Link” Rule: BSI officially states they will never send links via WhatsApp or SMS asking for personal credentials. Always type the official address manually into your browser.
Verify with Bank BSI: If you receive a suspicious message, contact Bank BSI Call at 14040 or visit an official branch to verify any changes in service fees.
OTP Security: Treat your SMS OTP as a secret key. Read the SMS carefully—it usually says “DO NOT SHARE THIS CODE.” If you didn’t start a transaction, any OTP request is a scam.


💡 Expert Security Tip:
This is a Fee-Scare Scam (Tarif Baru). Scammers create a fake financial “threat” (a high fee) to make you act impulsively. Remember: Banks do not ask you to “log in and verify” to cancel a fee change. If a site asks for your PIN and OTP at the same time, it is 100% a phishing trap.
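The "official domain" rule from the Red Flags sections above, written as a link triage check. This is an added example, not code from the original page or from any of the institutions named. The official domains and sample hostnames are the ones quoted on this page, while the brand name fragments, function names and URL paths are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# brand -> (official domains as stated on this page,
#           name fragments to look for: assumptions made for this example)
BRANDS = {
    "PayPal": (("paypal.com",), {"paypal"}),
    "BCA": (("bca.co.id", "klikbca.com"), {"bca", "klikbca"}),
    "Banco Cuscatlán": (("bancocuscatlan.com",), {"cuscatlan", "bancocuscatlan"}),
    "Bank of America": (("bankofamerica.com",), {"bofa", "bankofamerica"}),
    "Google": (("google.com",), {"google"}),
    "Portuguese government": (("gov.pt",), {"financas", "seguranca"}),
    "Argenta": (("argenta.be",), {"argenta"}),
    "BNP Paribas": (("mabanque.bnpparibas",), {"bnp", "bnpparibas", "mabanque"}),
    "BSI": (("bankbsi.co.id",), {"bsi", "bankbsi"}),
}


def host_of(url: str) -> str:
    """Lower-cased hostname of a link; a bare 'example.com/path' is accepted too."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def is_under(host: str, domain: str) -> bool:
    """True only for the domain itself or a subdomain of it (whole labels, from the right)."""
    return host == domain or host.endswith("." + domain)


def triage(url: str):
    """Return (verdict, brands): 'official', 'lookalike' or 'not-official'.

    Only 'official' is a positive result. 'not-official' does not mean safe:
    a clone on a generic hostname carries no brand fragment to match on.
    """
    host = host_of(url)
    for brand, (domains, _) in BRANDS.items():
        if any(is_under(host, d) for d in domains):
            return ("official", [brand])
    # A brand name appearing as a word in a host that is NOT under the official domain.
    words = set(re.split(r"[.-]", host))
    hits = sorted(b for b, (_, frags) in BRANDS.items() if words & frags)
    return ("lookalike", hits) if hits else ("not-official", [])


# Hostnames are quoted from this page; schemes and paths are constructed.
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://verify-paypal-accounts.com/restore",
    "https://login-paypal.web.app/",
    "klikbca-konfirmasi.online",
    "https://portaldasfinancas.gov.pt/",
    "portal-financas-gov.org",
    "bnpparibas.web.app",
    "secure-account-verify.com",
]

if __name__ == "__main__":
    for url in SAMPLES:
        verdict, brands = triage(url)
        label = ", ".join(brands) or "-"
        print(f"{verdict:13} {label:22} {url}")
```

The last sample is listed on this page as a Google lookalike yet contains no brand word, so it comes back as `not-official` rather than `lookalike`; the allowlist match is the part of the check to rely on.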