Fake DitchIt card verification page detected

The fake DitchIt card verification scam is a high-severity phishing threat targeting users of classified marketplaces. It uses fake, secure-looking checkout pages to steal full credit card details and cardholder information. The technique typically directs users off-platform, asks them to "verify" their balance, and harvests the data to drain their accounts.

Threat Intel: This scam layout was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the phishing source domain has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Figure 1: Actual screenshot of the active phishing operation intercepted by our security systems.

Target: Users of DitchIt (Marketplace & Resale App)
Threat Level: High (Credit Card Skimming)
Phishing Method Description
This attack uses a “Payment Verification” pretext. Scammers often contact sellers on the DitchIt app, pretending to be interested buyers. They claim they have already paid for the item and send a link to “verify your card” or “receive your funds.”
The link leads to a professional-looking clone of a DitchIt-branded page. Instead of a login, the page features a Card Data Entry Form designed to harvest:
Full Name
Credit/Debit Card Number
Expiration Date
CVV Code (Security code on the back)
Account Balance (Scammers ask for this to know how much they can steal immediately).
Red Flags to Watch For
Third-Party Links: DitchIt processes payments within the app. If a “buyer” sends you an external link to ditchit-payout.com or verification-ditchit.net, it is 100% a scam.
The “Balance” Request: Legitimate payment processors never ask you to type in your current card balance to receive money. This is a common tactic in Eastern European and North American marketplace scams.
Urgent Tone: The page often says, “You must verify your card within 10 minutes to receive the payment,” forcing the victim to act without thinking.
How to Protect Yourself
Stay In-App: Never leave the official DitchIt application to complete a transaction or “verify” your identity. All legitimate prompts will happen inside the app’s secure environment.
The “Receiving Money” Logic: To receive money, you usually only need to provide an email (for Interac) or a bank account number. You never need to provide your CVV or your card’s expiration date to get paid.
Check the URL: DitchIt’s official domain is ditchit.ca. Any other variation, especially those ending in .xyz, .top, or .info, should be closed immediately.
Zero Trust for SMS/Chat Links: If someone you don’t know sends you a link via the in-app chat or SMS claiming to be “Support,” treat it as a threat.

Bank of America fake page detected

A sophisticated Bank of America phishing campaign is active, using fake “account lock” alerts to steal online credentials, Social Security numbers, and OTP codes. The attack utilizes pixel-perfect clones of the Bank of America portal, often combined with telephone spoofing, to harvest full financial access. Users should avoid clicking links in alerts and instead navigate directly to bankofamerica.com to verify account status.

Security Notice: This malicious interface was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the hostile origin link has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Figure 1: Live screenshot of the ongoing fraudulent campaign isolated on our infrastructure.

Target: Customers of Bank of America (USA)
Threat Level: Critical (Full Account & Identity Takeover)
Phishing Method Description
In this attack, scammers use Advanced Credential Harvesting. The victim typically receives an urgent SMS or email stating that their account has been “locked due to suspicious activity.”
The link leads to a pixel-perfect clone of the Bank of America Online Banking login page. This multi-step phishing kit is designed to steal:
Online ID and Passcode
Social Security Number (SSN) (last 4 digits or full)
Email Address and Email Password (Claiming it’s for “identity verification”)
One-Time Passwords (OTP) intercepted in real-time.
Red Flags to Watch For
The Lookalike URL: The official domain is bankofamerica.com. Phishing sites often use deceptive addresses like bofa-online-security.com, bankofamerica-verification.net, or short links like bit.ly or t.co in the initial message.
Requesting Email Credentials: A legitimate bank will never ask for the password to your personal email account (Gmail, Yahoo, Outlook) to “verify” your identity.
Sensitive Personal Info: While banks may ask for a part of your SSN on their official site, a sudden request for your full SSN and card PIN on a page you reached via a link is a major red flag.
How to Protect Yourself
Use the Mobile App: Always use the official Bank of America Mobile Banking app for any alerts. If there is a real issue, you will see a notification inside the secure app environment.
“Sign-In ID” Check: Bank of America uses a “SiteKey” or persistent recognition features. If the login page looks “generic” and doesn’t recognize your browser/device as it usually does, close it immediately.
Protect Your Email: Enable Two-Factor Authentication (2FA) on your email account. Even if scammers steal your bank password, they won’t be able to access your email to reset it if your email is properly secured.
Reporting: You can report Bank of America phishing directly by forwarding suspicious emails to abuse@bankofamerica.com.

Fibank (Bulgaria) phishing page detected

A phishing campaign targeting First Investment Bank (Fibank) in Bulgaria uses a fake “digital certificate update” to steal user credentials and one-time passwords (OTP). Scammers employ a “security scare” tactic, directing victims to a lookalike login portal that harvests login IDs, passwords, and OTPs for real-time account takeover.

Security Notice: This malicious interface was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Figure 1: Live screenshot of the ongoing fraudulent campaign captured during routine moderation.
Figure 2: Live screenshot of the ongoing fraudulent campaign captured during routine moderation.

Target: Customers of First Investment Bank (Fibank / ПИБ) in Bulgaria
Threat Level: High (Online Banking & SMS OTP Theft)
Phishing Method Description
This attack targets users of the “My Fibank” online portal. Scammers distribute links via Phishing Emails or SMS (Smishing) that look like official bank alerts. Common pretexts include “Security Update Required,” “Mandatory Account Synchronization,” or “Your Digital Certificate is Expiring.”
The fraudulent page is a pixel-perfect copy of the Bulgarian/English login interface. It is designed to capture:
Customer ID / Username (Потребителско име)
Login Password (Парола)
Mobile Phone Number
One-Time Password (OTP): The fake site often asks for the SMS code in real-time, allowing threat actors to authorize a fraudulent transaction immediately.
Red Flags to Watch For
The URL Discrepancy: The official domain is my.fibank.bg. Phishing sites often use deceptive addresses like fibank-bg.online, pib-login.net, or free hosting subdomains like my-fibank.github.io.
Requests for SMS Codes during Login: While some banks use SMS for login, be extremely wary if the site asks for multiple codes or a “Confirmation Code” just to view your balance.
SSL Certificate Check: Even if the site has a “lock” icon (HTTPS), clicking on it will often reveal a generic certificate or one issued to an unrelated entity, rather than “First Investment Bank AD.”
How to Protect Yourself
Use the Token/App: Fibank’s official Token or the My Fibank Mobile App are much more secure than SMS-based authorization. Always prefer biometric (FaceID/Fingerprint) login through the official app.
Check the Language: Many phishing kits for Bulgaria contain subtle translation errors or use Russian/English characters where Bulgarian (Cyrillic) should be.
Bookmark the Login: Save the official https://fibank.bg as a bookmark and only use that link to access your finances.
Suspicious Sender: If you receive a banking alert from a standard mobile number (+359 8…) instead of the “Fibank” sender ID, delete it immediately.

TymeBank phishing page detected

TymeBank phishing campaigns target South African customers through SMS and email alerts claiming account suspension, directing victims to a fake portal designed to steal ID numbers, PINs, and real-time OTPs. These attacks exploit the bank’s digital-only model; users should use the official applications and ignore suspicious links.

Incident Report: This malicious interface was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Figure 1: Visual proof of the active phishing operation isolated on our infrastructure.
Figure 2: Visual proof of the active phishing operation isolated on our infrastructure.

Target: Customers of TymeBank (South Africa)
Threat Level: High (Digital Banking Access & Identity Theft)
Phishing Method Description
This attack targets users of TymeBank, a leading digital-only bank in South Africa. Scammers exploit the bank’s paperless nature by sending SMS (Smishing) or emails claiming that the user’s “Smart ID” verification has failed or that their “Everyday Account” requires an urgent security update.
The fraudulent page is a sophisticated clone of the TymeBank web login. It is specifically designed to harvest:
South African ID Number
Mobile Phone Number (linked to the account)
Internet Banking Password / PIN
OTP (One-Time PIN): The fake site intercepts the SMS code in real-time to authorize fraudulent transfers or link a new device to the account.
Red Flags to Watch For
Deceptive Domain: The official domain is tymebank.co.za. Phishing sites often use variations like tymebank-login.com, secure-tyme.net, or free hosting URLs like tyme-portal.web.app.
Unexpected OTP Prompts: If the website asks for an OTP (One-Time PIN) immediately after you enter your password — without you performing a transaction — it is a sign that a threat actor is trying to log in simultaneously.
Insecure Connection: While many phishing sites use HTTPS, always check if the certificate is actually issued to “Tyme Bank Limited.” If it’s a generic “Let’s Encrypt” certificate for a random domain, it’s a scam.
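The certificate check described in the Fibank and TymeBank red flags, written out as an added example (not code from Antiphishing.biz or either bank). It works on the dict that Python's ssl.SSLSocket.getpeercert() returns; the sample certificates are constructed, and the function names and verdict strings are assumptions of this example.

```python
import socket
import ssl


def fetch_cert(host, port=443):
    """Fetch the validated leaf certificate as the dict getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def subject_field(cert, field):
    """First value of a subject attribute such as organizationName."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def covers(san, domain):
    """True if a DNS SAN entry (possibly a wildcard) lies under domain."""
    name = san.lower()
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def owner_verdict(cert, expected_org, official_domain):
    """Compare a certificate with the owner and domain the advisory names."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(covers(s, official_domain) for s in sans):
        return "other-domain"        # valid HTTPS, but for somebody else's host
    org = subject_field(cert, "organizationName")
    if org is None:
        # Domain-validated certificates carry no organizationName, so the
        # padlock alone proves control of the domain, not who operates it.
        return "no-owner-named"
    if org.casefold() == expected_org.casefold():
        return "owner-matches"
    return "owner-differs"


# Constructed samples in getpeercert() shape (not captured from real servers).
SAMPLE_BANK = {
    "subject": ((("countryName", "ZA"),),
                (("organizationName", "Tyme Bank Limited"),),
                (("commonName", "tymebank.co.za"),)),
    "subjectAltName": (("DNS", "tymebank.co.za"), ("DNS", "www.tymebank.co.za")),
}
SAMPLE_LOOKALIKE = {
    "subject": ((("commonName", "tymebank-login.com"),),),
    "subjectAltName": (("DNS", "tymebank-login.com"),),
}
SAMPLE_DV_ONLY = {
    "subject": ((("commonName", "my.fibank.bg"),),),
    "subjectAltName": (("DNS", "*.fibank.bg"),),
}

if __name__ == "__main__":
    print(owner_verdict(SAMPLE_BANK, "Tyme Bank Limited", "tymebank.co.za"))
    print(owner_verdict(SAMPLE_LOOKALIKE, "Tyme Bank Limited", "tymebank.co.za"))
    print(owner_verdict(SAMPLE_DV_ONLY, "First Investment Bank AD", "fibank.bg"))
```

To run the same comparison against a live host, pass the result of fetch_cert() as the first argument.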
How to Protect Yourself
Use the TymeBank App: Always perform banking through the official TymeBank App from the Google Play Store, Huawei AppGallery, or Apple App Store. The app uses secure device binding which is much harder to phish.
Never Share Your PIN: TymeBank will never ask for your secret PIN or OTP over the phone, via SMS, or through a link in an email.
The “Official Channel” Rule: If you receive a suspicious alert, log out and call the official TymeBank support line at 0860 TymeBank (896 3226) to verify the status of your account.
Public Kiosks: Be extra cautious if you recently used a TymeBank kiosk in a retail store (like Pick n Pay or Boxer). Scammers sometimes time their attacks to coincide with physical interactions.

Intesa bank phishing page detected

A phishing campaign targeting Intesa Sanpaolo users employs fraudulent pages mimicking the “MyKey” security system to steal user codes, PINs, and real-time OTPs. These phishing sites, often distributed via SMS or email, impersonate the bank to authorize fraudulent SEPA transfers.

Security Notice: This spoofed page was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the hostile origin link has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Figure 1: Live screenshot of the active phishing operation isolated on our infrastructure.
Figure 2: Live screenshot of the active phishing operation isolated on our infrastructure.

Target: Customers of Intesa Sanpaolo (Italy)
Threat Level: Critical (Mobile Banking & O-Key Smart Theft)
Phishing Method Description
This attack targets users of the “MyKey” security system used by Intesa Sanpaolo. Scammers distribute fraudulent links via Smishing (SMS) or Phishing Emails, often using an alarming tone: “Your account has been restricted for security reasons” or “An unauthorized login was detected from a new device.”
The link leads to a high-fidelity clone of the Italian login portal. The phishing kit is specifically designed to harvest:
Codice Titolare (Owner Code)
PIN Code
Mobile Phone Number
O-Key Smart / SMS OTP: The fake page intercepts the security code in real-time, allowing the attacker to authorize a fraudulent transfer or change the associated phone number.
Red Flags to Watch For
The Deceptive URL: The official domain is intesasanpaolo.com. Phishing sites often use lookalike addresses such as secure-intesasanpaolo.com, mykey-is.net, is-assistenza.online, or free subdomains like intesa-login.web.app.
Urgent Call-to-Action: Messages like “Action Required within 24 hours” or “Click here to avoid permanent block” are designed to bypass your critical thinking.
Direct Link to Login: Intesa Sanpaolo officially states they will never include a direct link to the login page in an SMS or email.
How to Protect Yourself
Use the “O-Key Smart” App: Always authorize transactions and logins directly through the official Intesa Sanpaolo Mobile app. Never enter the generated codes on a website you reached via a link.
Type the Address: If you receive an alert, ignore the link. Manually type https://intesasanpaolo.com into your browser or use the official app to check your notifications.
Check the Language: While the phishing pages are often well-translated, look for subtle errors in the Italian text or fonts that look different from the official corporate style.
Reporting: You can report suspicious activity directly to the bank at assistenza.hbo@intesasanpaolo.com or call the official toll-free number 800.303.303 (from Italy).

Swiss Post fake page detected

A phishing scam targeting Swiss Post users involves fake messages claiming a “Delivery Exception” to harvest personal information and credit card data. These fraudulent sites often use lookalike domains like “suisse-post.net” and urge victims to pay a small “fee” via SMS links. Protecting oneself involves checking tracking numbers exclusively on the official post.ch website and utilizing the official “Post-App” to verify any package issues.

Threat Intel: This deceptive layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the phishing source domain has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Figure 1: Actual screenshot of the active phishing operation isolated on our infrastructure.
Figure 2: Actual screenshot of the active phishing operation isolated on our infrastructure.
Figure 3: Actual screenshot of the active phishing operation isolated on our infrastructure.
Figure 4: Actual screenshot of the active phishing operation isolated on our infrastructure.
Figure 5: Actual screenshot of the active phishing operation isolated on our infrastructure.
Figure 6: Actual screenshot of the active phishing operation isolated on our infrastructure.

Target: Residents and Businesses in Switzerland
Threat Level: High (Credit Card Skimming & Identity Theft)
Phishing Method Description
This attack uses a “Package Delivery Failure” pretext. Victims receive an SMS (Smishing) or Email claiming that a package is held at a distribution center due to “missing information” or an “unpaid customs fee” (usually a small amount like 1.95 CHF).
The link leads to a pixel-perfect clone of the official Swiss Post (Post CH AG) tracking portal. The goal is to create a low-friction environment where the victim feels safe entering their financial data for a “minor” payment. The fake site harvests:
Full Name and Address
Mobile Phone Number
Credit/Debit Card Number
Expiration Date and CVV
SMS 3D-Secure Code (intercepted in real-time to authorize a much larger fraudulent transaction).
Red Flags to Watch For
Deceptive Domain: The official domain is post.ch. Phishing sites use lookalikes like swiss-post-delivery.com, post-ch-tracking.net, shipping-verify.xyz, or free hosting services.
Payment for Redelivery: Swiss Post rarely asks for a small credit card payment via SMS to complete a delivery. If there is a fee, it is usually handled through your official “My Post” account or paid upon delivery.
Urgency & Threat: Messages like “Your package will be returned to the sender in 24 hours” are designed to make you act impulsively.
How to Protect Yourself
Use the Official App: Track your parcels only through the official Post-App (available on App Store/Google Play). If there’s a real issue with a package, it will be visible there.
Check the Tracking Number: Copy the tracking number from the message and manually paste it into the official www.post.ch website. If the number is “not found,” the message is a scam.
Verify the Sender: Official Swiss Post SMS alerts usually don’t contain links to payment pages. If the link looks strange or the sender is a standard mobile number (often with a non-Swiss prefix), delete it.
Zero Trust for Small Fees: Never enter your card details to pay a “small fee” for a package you weren’t expecting to have customs issues with.

Bank of America phishing page revealed

A Bank of America phishing campaign employs a “System Maintenance” pretext to solicit user credentials and Social Security Numbers under the guise of security synchronization. The attack uses deceptive domains that mirror the official portal, aiming to capture sensitive information, including one-time passcodes (OTP) in real time.

Threat Intel: This spoofed page was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the dangerous destination URL has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Figure 1: Actual screenshot of the ongoing fraudulent campaign intercepted by our security systems.

Target: Bank of America Customers (USA)
Threat Level: Critical (Identity & Full Account Takeover)
Phishing Method Description
This sophisticated attack goes beyond simple password theft. Scammers use a Multi-Step Credential Harvesting technique. The victim is often directed to this page via a “security alert” email or SMS claiming that their online access is out of sync with new federal banking regulations.
The fake site mimics the official Bank of America secure login environment. Once the victim enters their initial credentials, the phishing kit triggers a second page designed to harvest highly sensitive personal data used for identity recovery:
Online ID & Passcode
Security Challenge Questions & Answers (Mother’s maiden name, first pet, etc.)
Social Security Number (SSN)
Email Account Access (to intercept 2FA codes in real-time)
Red Flags to Watch For
The URL Mask: While the page looks perfect, the address bar will show a domain like bofa-verification-portal.com, bankofamerica-support.net, or a compromised third-party site. The official domain is strictly bankofamerica.com.
Excessive Information Requests: A legitimate bank login will rarely ask for your full Social Security Number and answers to all your security questions in a single session unless you are manually resetting your password.
Broken “Security” Links: On these fake pages, links like “Privacy,” “Security,” or “Locations” are usually inactive or redirect back to the same phishing form.
How to Protect Yourself
Never Share Security Answers: Treat your security question answers like passwords. Never enter them on a site you reached via a link.
Use the Mobile App: Bank of America’s official app uses device-level security. If there is a real “synchronization” issue, the app will notify you through a secure in-app message.
Enable Advanced 2FA: Switch from SMS-based codes to an authenticator app or a hardware security key if your bank supports it.
Direct Access: If you receive a suspicious alert, close your browser, open a new tab, and manually type https://bankofamerica.com to log in safely.

Deutsche bank phishing page detected

A phishing campaign targeting Deutsche Bank customers in Germany uses a fake “PhotoTAN” activation page to steal login credentials and obtain authorization for fraudulent transactions [1]. The attack, often delivered via phishing emails or SMS, directs users to a high-fidelity clone of the bank’s portal, requesting branch codes, account numbers, PINs, and QR code scans.

Threat Intel: This scam layout was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the dangerous destination URL has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Figure 1: Actual screenshot of the active phishing operation intercepted by our security systems.
Figure 2: Actual screenshot of the active phishing operation intercepted by our security systems.

Target: Customers of Deutsche Bank (Germany)
Threat Level: Critical (Transaction Authorization Theft)
Phishing Method Description
This attack uses highly sophisticated Security Process Impersonation. Scammers send out Phishing Emails or SMS (Smishing) claiming that the user’s PhotoTAN app needs to be reactivated, synchronized, or updated due to a new security regulation (e.g., “PSD2 compliance”).
The link leads to a perfect replica of the Deutsche Bank “Meine Bank” login portal. The phishing kit is designed to harvest:
Branch Code (Filiale) and Account Number (Konto)
Sub-account Number (Unterkonto)
Online Banking PIN
PhotoTAN Activation Graphics: The fake site often displays a QR code and asks the victim to scan it with their official app. In reality, the victim is scanning a code that authorizes the attacker’s device or a fraudulent transaction.
Red Flags to Watch For
Deceptive Domain: The official domain is deutsche-bank.de. Phishing sites use lookalikes like meine-deutsche-bank.online, db-phototan-aktivierung.com, or sicherheit-db.net.
Requests to Scan QR Codes: Deutsche Bank will never ask you to scan a PhotoTAN QR code to “log in” or “update your profile” on a page you reached via a link. QR codes are strictly for authorizing specific actions you initiated yourself.
Language Nuances: Look for subtle errors in German grammar or the use of generic greetings instead of your specific name.
How to Protect Yourself
Manual Entry Only: Always access your banking by typing www.deutsche-bank.de directly into your browser. Never follow links from emails or SMS.
PhotoTAN Security: Treat every PhotoTAN scan as a real money transfer. Before scanning, always check your app’s screen to see exactly what you are authorizing. If it says “Activation” or shows an unfamiliar transaction amount, cancel immediately.
Hardware Token Option: For maximum security, consider using a physical PhotoTAN reader instead of a smartphone app.
Report Suspicious Content: Forward any suspicious emails to pishing@db.com to help the bank’s security team take down the fraudulent sites.

La Banque Postale phishing page revealed

A sophisticated phishing campaign targeting La Banque Postale customers in France uses a fake “Certicode Plus” security update to bypass two-factor authentication. Scammers use smishing and phishing to steal credentials and register their own devices, granting full access to victims’ accounts.

Analysis Memo: This deceptive layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the hostile origin link has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Figure 1: Verified screenshot of the ongoing fraudulent campaign isolated on our infrastructure.

Target: Customers of La Banque Postale (France)
Threat Level: Critical (Mobile Authentication & Funds Theft)
Phishing Method Description
In this attack, scammers use a Security Compliance pretext. Victims receive a Phishing Email or SMS (Smishing) stating that their “Certicode Plus” service (the bank’s strong authentication system) is expiring or needs to be re-activated to comply with European banking regulations.
The link leads to a pixel-perfect replica of the La Banque Postale login portal. The phishing kit is specifically designed to harvest:
Identifiant ID (10-digit customer ID)
Personal Password (entered via a fake numeric keypad to mimic the real site)
Mobile Phone Number
Certicode Plus Activation Codes: The fake site attempts to intercept the activation or validation codes in real-time, allowing the attacker to link their device to the victim’s bank account.
Red Flags to Watch For
The Deceptive URL: The official domain is labanquepostale.fr. Phishing sites often use lookalike addresses such as connexion-labanquepostale.com, certicode-plus-activation.net, lbp-securite.online, or free subdomains like la-banque-postale.web.app.
The Numeric Keypad: While the fake site mimics the official virtual keypad, pay attention to the speed and responsiveness. If the layout of the numbers changes or looks “blurry,” it may be a captured image used for phishing.
Urgent Warnings: Messages like “Your access will be suspended in 48 hours” are classic social engineering tactics to induce panic.
How to Protect Yourself
Never Click Login Links: La Banque Postale explicitly states they will never send an email or SMS containing a link to the login page. Always type the address manually or use the official “La Banque Postale” mobile app.
App Notifications Only: Manage your Certicode Plus settings only within the official app. If you receive a request to “validate” something you didn’t initiate, ignore it and check your app directly.
Verify the Sender: Official banking SMS in France usually come from short-codes (e.g., 38004). If the message comes from a standard mobile number (+33 6… or +33 7…), it is 100% a scam.
Reporting: You can report La Banque Postale phishing by forwarding suspicious emails to alertes.pishing@labanquepostale.fr or SMS to the number 33700.

Bank of America fake verification page detected

A Bank of America phishing campaign utilizes a multi-stage “identity verification” process to harvest full user credentials, including Social Security numbers, card details, and email passwords. Scammers use high-pressure SMS and emails directing users to fake sites designed to steal full identities rather than just login credentials.

Incident Report: This spoofed page was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Figure 1: Visual proof of the ongoing fraudulent campaign intercepted by our security systems.
Figure 2: Visual proof of the ongoing fraudulent campaign intercepted by our security systems.

Target: Bank of America Customers (USA)
Threat Level: Critical (Full Identity & Financial Takeover)
Phishing Method Description
This attack utilizes a “Social Engineering” pretext, where the victim is told their account access has been limited due to a “missing regulatory update” or “unusual activity.” Unlike simple login phishers, this kit leads the user through a series of official-looking screens to build trust.
The malicious site is a high-fidelity clone of the Bank of America portal, specifically designed to harvest:
Online ID & Passcode
Social Security Number (SSN) (Full or last 4 digits)
Date of Birth
Credit/Debit Card Details (Number, CVV, and Expiration Date)
ATM PIN: The ultimate red flag, as banks never ask for your physical ATM PIN on a website.
Red Flags to Watch For
The URL Mask: The official domain is strictly bankofamerica.com. Phishing sites often use deceptive addresses like bofa-update-center.net, bankofamerica-support.org, or compromised third-party domains ending in .xyz or .info.
Requesting the ATM PIN: This is a definitive sign of fraud. A legitimate bank website will never ask you to type your 4-digit ATM PIN into a web form for “verification.”
Inconsistent Branding: Look for small details—if the logo is slightly blurry, the fonts look “off,” or the footer links (Privacy, Security) don’t work, it’s a fake.
How to Protect Yourself
Ignore SMS/Email Links: Bank of America will never send you a link directly to a sensitive verification page. Always go to the official site by typing the address manually.
The PIN Rule: Your ATM PIN is for ATMs and point-of-sale terminals only. Never enter it on any website, regardless of how official it looks.
Use the Mobile App: If there is a real issue with your account, a notification will appear inside the secure Bank of America Mobile Banking app.
Immediate Action: If you have already entered your information on such a page, call the official Bank of America fraud department immediately at 1.877.388.5030 to freeze your accounts.
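
The URL red flags repeated across the advisories above (official domain versus lookalike host, free hosting subdomains, short links, flagged TLDs) can be checked mechanically on the parsed hostname. The following is an added example, not code from Antiphishing.biz; the official domains are the ones stated on this page, while the brand tokens, function names and verdict strings are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Official domains as stated in the advisories above. The brand tokens beside
# each one are assumptions of this example, taken from the lookalike hosts the
# advisories quote (bofa-..., pib-..., lbp-..., certicode-...).
OFFICIAL = {
    "ditchit.ca": ("ditchit",),
    "bankofamerica.com": ("bankofamerica", "bofa"),
    "fibank.bg": ("fibank", "pib"),
    "tymebank.co.za": ("tymebank", "tyme"),
    "intesasanpaolo.com": ("intesasanpaolo", "intesa"),
    "post.ch": ("post",),
    "deutsche-bank.de": ("deutschebank", "phototan"),
    "labanquepostale.fr": ("labanquepostale", "lbp", "certicode"),
}
FREE_HOSTING = ("github.io", "web.app")   # free-hosting suffixes named above
SHORTENERS = ("bit.ly", "t.co")           # short links named above
RISKY_TLDS = ("xyz", "top", "info")       # TLDs the advisories call out


def under(host, domain):
    """True if host is domain itself or a subdomain of it (label-aligned)."""
    return host == domain or host.endswith("." + domain)


def brand_in_host(host, tokens):
    """Brand token as a whole hyphen/dot-separated word, or, for long tokens,
    as a substring once hyphens are dropped (la-banque-postale)."""
    words = set(re.split(r"[.-]", host))
    squashed = host.replace("-", "")
    return any(t in words or (len(t) >= 6 and t in squashed) for t in tokens)


def classify(url):
    """Return (verdict, reasons) for a link received by SMS, e-mail or chat."""
    if "://" not in url:
        url = "https://" + url            # bare "bit.ly/abc" style input
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        host = ""
    if not host:
        return "invalid", []
    # Compare the parsed hostname, never the raw string: a brand name in the
    # path, in a left-hand label or before an "@" does not make a link official.
    for domain in OFFICIAL:
        if under(host, domain):
            return "official", [domain]
    reasons = []
    for domain, tokens in OFFICIAL.items():
        if brand_in_host(host, tokens):
            reasons.append(f"brand of {domain} on a different domain")
    if any(under(host, s) for s in FREE_HOSTING):
        reasons.append("free hosting subdomain")
    if any(under(host, s) for s in SHORTENERS):
        reasons.append("short link hides the destination")
    if host.rsplit(".", 1)[-1] in RISKY_TLDS:
        reasons.append("TLD flagged in the advisories")
    if reasons and reasons[0].startswith("brand of"):
        return "lookalike", reasons
    return ("suspicious" if reasons else "unknown"), reasons


if __name__ == "__main__":
    # Constructed inputs built from hosts quoted in the advisories.
    for link in ("https://www.bankofamerica.com/login",
                 "http://bofa-online-security.com/verify",
                 "https://my-fibank.github.io",
                 "https://shipping-verify.xyz/pay",
                 "bit.ly/abc"):
        print(link, classify(link))
```

A verdict of "unknown" only means none of these patterns matched; the advisories' rule still applies that anything other than the official domain is not the bank.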