United Overseas Bank Limited (UOB) phishing page revealed

A high-fidelity phishing campaign targeting United Overseas Bank (UOB) users in Southeast Asia utilizes fraudulent SMS and email links to harvest login credentials and SMS OTPs through cloned websites. These sites, often using lookalike domains like “uob-security-update.com,” aim to steal credentials and authorize fraudulent transactions by mimicking the UOB TMRW app or web portal. The scam uses urgency, claiming “digital token synchronization” or account suspension, and is aimed at stealing funds from personal internet banking accounts. Users are advised to never click links in UOB SMS messages, as the bank does not send them, and to only use the official TMRW app to verify alerts.

Security Notice: This spoofed page was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the dangerous destination URL has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Figures 1–6: Live screenshots of the ongoing fraudulent campaign isolated on our infrastructure.

Target: Customers of United Overseas Bank (UOB) in Singapore and Southeast Asia
Threat Level: Critical (UOB TMRW App & Transaction Authorization Theft)
Phishing Method Description
This attack targets users of the UOB Personal Internet Banking and UOB TMRW mobile app. Scammers distribute fraudulent links via Smishing (SMS) or Phishing Emails, often claiming that the user’s “UOB Mighty/TMRW Digital Token” has expired or that an “unauthorized device” is attempting to access their account.
The link leads to a high-fidelity clone of the UOB “Login” portal. The phishing kit is specifically designed to harvest:
Username / NRIC / Passport Number
SecurePIN / Password
Mobile Phone Number
One-Time Password (OTP): The fake page intercepts the SMS OTP in real-time, allowing the attacker to link their device to the victim’s account as the primary Digital Token.

Red Flags to Watch For


Lookalike URL: The official domain is uob.com.sg. Phishing sites often use deceptive addresses like uob-online-security.com, secure-uob.net, uob-verification.online, or free subdomains on firebaseapp.com.
Direct Link in SMS: UOB has officially stated they will never include clickable links in SMS messages sent to customers. Any SMS containing a link to a login page is 100% a scam.
Grammatical Errors: Often, the fake pages or the initial messages contain subtle English grammar mistakes or use “Dear Customer” instead of your specific name.

How to Protect Yourself


Use the UOB TMRW App: Always perform banking and authorize transactions directly through the official UOB TMRW app. Never enter codes or credentials on a website you reached via a link.
The “No Link” Policy: If you receive an SMS alert, ignore the link. Manually type uob.com.sg into your browser or open the official app to check for any notifications.
Verify the Sender: Official banking SMS in Singapore usually come from a registered “UOB” sender ID. If the message comes from a standard mobile number or an unknown ID, it is a fraud.
Reporting: You can report suspicious UOB phishing by calling the official 24-hour fraud hotline at 1800 222 2121 (Singapore) or forwarding emails to uobgroup.security@uobgroup.com.

Expert Security Tip:


This case clearly demonstrates how fraudsters attempt to hijack your Digital Token. Remember, your Digital Token acts as your personal digital signature for authorizing high-value transactions. Never attempt to activate, synchronize, or share your token through a link received via SMS or email. Legitimate banks will only manage token security within their official mobile app or through their verified website that you have accessed manually.

HSBC bank phishing page detected

A phishing campaign targeting HSBC Bank customers uses a fake “Secure Key” synchronization alert to steal login credentials and real-time, six-digit security codes. This sophisticated attack mimics official security procedures to bypass multi-factor authentication, directing victims to fraudulent, lookalike domains.

Threat Intel: This deceptive layout was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the dangerous destination URL has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users detect replica fraud techniques before financial damage occurs.

Figure 1: Actual screenshot of the live scam infrastructure intercepted by our security systems.

Target: HSBC Bank Customers (Global / UK / Hong Kong)
Threat Level: Critical (Physical & Digital Secure Key Hijacking)
Phishing Method Description
This attack targets the core security feature of HSBC banking: the Digital Secure Key (app-based) or the physical Secure Key (hardware token). Scammers distribute high-pressure alerts via SMS or Email claiming a “New Payee has been added” or “Your Secure Key requires a mandatory update to avoid account suspension.”
The link leads to a sophisticated Brand Impersonation portal. The phishing kit is designed to harvest:
Username / IB User ID
Memorable Answer (Secret questions)
Secure Key Codes: The fake site prompts the victim to generate a code on their physical device or app and enter it. This code is used by the attacker in real-time to authorize a large fraudulent transfer.

Red Flags to Watch For


Deceptive Domain: The official domain is hsbc.com (or local variants like hsbc.co.uk). Phishing sites use addresses like hsbc-online-security.net, secure-login-hsbc.com, or hsbc-verification.org.
Real-Time Interception: If the website asks for a Secure Key code immediately after you enter your username, it is a sign that a threat actor is attempting a concurrent login on the official site.
Generic Links: HSBC has a strict policy against sending direct links to login pages in security alert emails or SMS.

How to Protect Yourself


Trust the Physical Device: If you use a physical Secure Key, remember that it is designed to authorize specific actions. Never enter a code from your device onto a website unless you are 100% sure you are on the official HSBC site you accessed manually.
App Notifications: Use the HSBC UK Mobile Banking (or local) app. Authentic security alerts will appear as secure messages within the app.
The “Payee” Trick: If you get an alert about a “New Payee” you didn’t add, do not click the link to “cancel” it. Log in via the official app to verify your recent activity.
Reporting: You can report HSBC phishing by forwarding suspicious emails to hostingabuse@hsbc.com or suspicious SMS to the short code 7726.


Expert Security Tip:


This attack is designed to bypass Multi-Factor Authentication (MFA) by tricking you into providing a “one-time” code. Your HSBC Secure Key is your final line of defense; never use it to “verify” your identity on a page reached through a link. Treat any request for a security code as a request for your money.

Fake Vehicle tax renewal page detected

Scammers are targeting UK drivers with a fake DVLA vehicle tax renewal phishing campaign designed to steal personal and financial details. The attack uses urgent SMS or email messages to drive victims to a convincing, counterfeit GOV.UK site that demands payment and sensitive security information to avoid bogus fines. To stay safe, ignore unexpected notifications, only use the official gov.uk website to check tax status, and report suspicious messages to relevant authorities.

Analysis Memo: This scam layout was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our automated link scanning workflows. To protect the public, the dangerous destination URL has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Figures 1–2: Verified screenshots of the live scam infrastructure captured during routine moderation.

Target: Vehicle Owners in the UK and Ireland
Threat Level: High (Credit Card Skimming & Identity Theft)
Phishing Method Description
This attack uses Government Impersonation to mimic the official DVLA (Driver and Vehicle Licensing Agency) or Department of Transport portals. Victims receive an urgent SMS (Smishing) or Email stating that their “Vehicle Tax has expired” or that a “Tax Refund” is waiting to be claimed.
The link leads to a highly convincing clone of the official government website. To “renew” the tax or “claim the refund,” the victim is prompted to enter:
Vehicle Registration Number (To build trust)
Full Name and Home Address
Date of Birth
Credit/Debit Card Details (Number, Expiration Date, and CVV)
Mother’s Maiden Name (Used for further identity theft)

Red Flags to Watch For


The URL Trap: Official UK government sites always end in .gov.uk. Phishing sites use deceptive addresses like renew-tax-service.com, dvla-refund-online.net, vehicle-tax-gov.org, or free hosting platforms.
Urgent & Threatening Tone: Messages often say, “Your vehicle is no longer taxed” or “Failure to pay will result in a fine,” forcing the victim to act without verifying the source.
Unexpected Refunds: Be wary of any “Tax Refund” notifications. Governments rarely send unsolicited links via SMS to distribute money; they usually credit your bank account or send a cheque.

How to Protect Yourself


The .gov.uk Rule: Before entering any data, check the address bar. If it doesn’t end in .gov.uk, it is 100% a scam.
Access via Official Portal: If you are unsure about your tax status, go directly to www.gov.uk/check-vehicle-tax. Never use a link from an SMS.
The SMS Sender Check: Official government alerts don’t come from personal mobile numbers. If the sender is an unknown 10-digit number, delete it.
Report the Scam: You can report UK government phishing by forwarding suspicious emails to report@phishing.gov.uk or SMS to the short code 7726.


Expert Security Tip:


Government agencies like the DVLA will never send you a link via text message to ask for your bank details or to offer a refund. Treat any unsolicited SMS regarding “Vehicle Tax” as a threat. Real tax renewals are handled via post or the official secure portal you access yourself.

TFBank phishing page detected

A phishing campaign targeting TF Bank customers in Germany, Austria, and Scandinavia uses “security update” phishing emails and SMS to harvest login credentials and real-time OTPs. The attack, often involving fake “Meine Karte” portals, aims to steal personal data and access credit lines by mimicking the bank's legitimate brand identity.

Security Notice: This scam layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the dangerous destination URL has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Figures 1–2: Live screenshots of the scam infrastructure isolated on our infrastructure.

Target: TF Bank Customers (Germany, Austria, Sweden, Norway)
Threat Level: High (Credit Card & Mastercard Identity Check Theft)
Phishing Method Description
This attack focuses on Credit Card Credential Harvesting. Scammers send out Phishing Emails or SMS (Smishing) claiming that the user’s “Meine Karte” online access or “Mastercard Identity Check” needs to be updated to prevent account suspension.
The link leads to a high-quality clone of the TF Bank login portal. The phishing kit is specifically designed to harvest:
Customer ID / Email
Online Banking Password
Full Credit Card Details (Number, Expiry, CVV)
Mobile Phone Number
One-Time Password (OTP): The fake site attempts to intercept the SMS code in real-time, allowing the attacker to authorize a fraudulent transaction or add the card to a mobile wallet (Apple Pay/Google Pay).

Red Flags to Watch For


Deceptive Domain: The official domain is tfbank.de (or .at, .se). Phishing sites use lookalikes like tfbank-meinekarte.online, sicherheit-tfbank.net, or tf-kunden-service.com.
Urgent Verification: Messages claiming “Unusual activity detected” or “Mandatory security update” are used to create a sense of panic.
Generic Salutations: Official bank communications usually include your name. Phishing emails often start with “Dear Customer” or “Guten Tag.”

How to Protect Yourself


Use the Official App: Manage your TF Bank Mastercard only through the official TF Bank Mobile App. Authentic security updates will be handled within the secure app environment.
The “No Link” Rule: TF Bank states they will never ask you for sensitive data (like your PIN or CVV) via an email link. Always type the address manually into your browser.
Check the SMS Content: If you receive an OTP, read the text carefully. If the SMS says “Code for adding card to Apple Pay” but you are just trying to “log in,” it is a scam.
Report Phishing: You can report TF Bank phishing by forwarding suspicious emails to service@tfbank.de.


Expert Security Tip:


Scammers use TF Bank phishing to bypass 3D Secure (Mastercard Identity Check). Your 6-digit SMS code is a “digital signature” for a transaction. Never enter an OTP on a website reached via a link. If a site asks for your CVV and an OTP at the same time during a “login” or “update,” close the tab immediately.

Fake Refund of your personal income tax (Erstattung Ihrer persönlichen Einkommensteuer) with bank phishing revealed

A phishing campaign impersonating German tax authorities (Finanzamt/ELSTER) is targeting taxpayers with fraudulent “Erstattung Ihrer persönlichen Einkommensteuer” (Income Tax Refund) emails and SMS, directing them to a fake portal designed to steal banking credentials (PINs/TANs). The attack uses a “Multi-Bank” approach, presenting a list of major German banks to intercept credentials in real-time, often using lookalike URLs.

Threat Intel: This malicious interface was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the dangerous destination URL has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Figures 1–3: Actual screenshots of the ongoing fraudulent campaign intercepted by our security systems.

Target: Taxpayers in Germany
Threat Level: Critical (Tax Fraud & Multi-Bank Phishing)
Phishing Method Description
This attack uses Government Impersonation to exploit the annual tax return season. Victims receive a professional-looking email with the subject “Erstattung Ihrer persönlichen Einkommensteuer” (Refund of your personal income tax), claiming that a significant tax overpayment is waiting to be claimed.
The link leads to a sophisticated “Gateway” Page. Instead of mimicking just one bank, this phishing kit shows a list of major German financial institutions (Sparkasse, Deutsche Bank, Postbank, Volksbanken Raiffeisenbanken, etc.). Once the victim selects their bank, they are redirected to a pixel-perfect clone of that specific bank’s login portal.
The site is designed to harvest:
Full Personal Identity (Name, Address, Tax ID)
Online Banking Credentials (PIN, Customer ID)
PhotoTAN / PushTAN / SMS OTP: The fake site intercepts the authorization code in real-time, allowing the attacker to empty the account or authorize fraudulent transfers under the guise of “confirming the refund.”

Red Flags to Watch For


The Lookalike Gateway URL: Official tax refunds in Germany are handled via ELSTER (elster.de) or by post. The phishing site will use deceptive domains like finanzamt-erstattung.online, steuer-deutschland.net, or bundesfinanzministerium.com.
Method of Delivery: The German Tax Office (Finanzamt) never sends notifications about tax refunds via email or SMS containing clickable links for bank details. Official communication is always sent via the secure ELSTER inbox or by physical mail.
Bank Selection Menu: A real government site will never ask you to click on your bank’s logo to log in and “receive” money. Refunds are automatically sent to the IBAN already on file with the tax office.

How to Protect Yourself


The ELSTER Rule: If you are expecting a refund, log in directly to your official ELSTER account at www.elster.de. If there is a notification, it will be there.
Don’t Click, Just Wait: Official tax assessments (Steuerbescheid) always arrive by post. If you haven’t received a letter, the email is 100% a scam.
Never Log In via Links: If an email asks you to log into your bank to “verify a deposit,” it is a trap. Banks do not require you to log in to receive an incoming wire transfer.
Report the Scam: Forward suspicious tax-related emails to the official Federal Central Tax Office or use the 7726 short code for SMS reporting.


Expert Security Tip:


This is a Multi-Bank Phishing Kit. By offering a choice of banks, scammers cast a wide net to catch any victim regardless of where they hold an account. Remember: The Tax Office already has your bank details. They will never ask you to “log in and choose your bank” to send you money.

RWE (Rheinisch-Westfälisches Elektrizitätswerk) fake page with bank phishing detected

A phishing campaign targeting RWE AG customers in Germany uses fake energy refund emails to steal sensitive personal and financial data, including online banking credentials, via a fraudulent portal. The scam pressures users with urgent deadlines to claim a “refund for overpaid electricity costs” and directs them to malicious domains, such as kunden-rwe.net, to enter credentials. To protect against this threat, customers should only log in through the official rwe.com portal and report suspicious messages.

Threat Intel: This scam layout was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the dangerous destination URL has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Figures 1–3: Actual screenshots of the ongoing fraudulent campaign captured during routine moderation.

Target: RWE AG Customers and Energy Consumers in Germany
Threat Level: High (Financial Identity & Bank Access Theft)
Phishing Method Description
This attack leverages Utility Provider Impersonation. Scammers send out Phishing Emails or SMS (Smishing) claiming that due to a billing error or a government energy subsidy, the customer is entitled to a “Refund” (Guthaben) or “Climate Bonus.”
The link leads to a sophisticated fake page that mimics the RWE “Meine RWE” customer portal. To “receive the refund,” the victim is prompted to:
Select their Bank (using a multi-bank gateway menu)
Enter Online Banking Login Credentials (PIN and Username/ID)
Provide a TAN/OTP Code: The fake site intercepts the authorization code in real-time, allowing attackers to authorize fraudulent outgoing transfers instead of depositing a refund.

Red Flags to Watch For


Deceptive Domain: The official domain is rwe.com. Phishing sites use lookalikes such as rwe-erstattung.online, energie-guthaben.net, rwe-kundenportal.com, or compromised third-party URLs.
The “Refund” Hook: Energy companies usually settle refunds by crediting them toward your next bill or automatically transferring them to the IBAN already on file. They never send links asking you to log in to your bank to “receive” money.
Generic Communication: While the page looks professional, the initial email often lacks your specific customer contract number (Vertragskontonummer).

How to Protect Yourself


Check Your Bill: If you are expecting a refund, check your last physical or digital bill. If there is a credit, it will be clearly stated there.
The “No Bank Login” Rule: Never log into your bank via a link provided in a utility email. If RWE needs your bank details, they will ask you to update them securely within their official portal that you access manually.
Verify the Sender: Check the sender’s email address. Official RWE communications come from @rwe.com. Be wary of addresses that look “similar” but are slightly off (e.g., @rwe-service.de).
Direct Access: Always type rwe.com manually into your browser to access the “Meine RWE” area.


Expert Security Tip:


This is a Payment Gateway Scam. By asking you to “select your bank,” scammers are not trying to send you money—they are trying to gain access to your bank account. Real utility companies already have your bank details if you pay by SEPA direct debit. They will never ask you to “log in to your bank” to process a refund.

One Nevada Credit Union phishing page detected

A phishing campaign impersonating One Nevada Credit Union targets members via SMS and email, aiming to harvest login credentials, security answers, and sensitive personal information like SSNs through a cloned, fraudulent portal. Attackers exploit regional brand trust to create urgency around “security verification,” imitating the legitimate onenevada.org domain with sophisticated lookalike URLs. To protect against this fraud, users should rely only on the official One Nevada app, avoid clicking links in unsolicited messages, and verify any alerts directly through official, trusted channels.

Threat Intel: This deceptive layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the phishing source domain has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Figure 1: Actual screenshot of the ongoing fraudulent campaign isolated on our infrastructure.

Target: Members of One Nevada Credit Union (USA)
Threat Level: High (MFA Bypass & Full Account Takeover)
Phishing Method Description
This attack targets the Digital Banking users of One Nevada Credit Union. Scammers use a Security Alert pretext, sending out Smishing (SMS) or Phishing Emails claiming that an “Unauthorized Device” has logged into the account or that a “MFA Security Update” is mandatory.
The link leads to a high-fidelity clone of the One Nevada online banking portal. The phishing kit is specifically designed to harvest:
Username / Member Number
Password
Multi-Factor Authentication (MFA) Codes: The fake site prompts the victim to enter the SMS or Email code in real-time. The attacker immediately uses this code on the real banking site to gain full access.
Personal Identity Info: Social Security Number (SSN) fragments and phone numbers for identity verification.

Red Flags to Watch For


Deceptive Domain: The official domain is onenevada.org. Phishing sites use lookalikes such as onenevada-verify.net, secure-onenevada.com, or onenevada-login.online. Note that credit unions almost always use .org extensions.
Urgency & Pressure: Language like “Your access will be restricted” or “Unauthorized transfer detected” is used to bypass the victim’s critical thinking.
Requests for MFA during Login: If a site asks for an MFA code immediately after you enter your password on an unfamiliar page, it’s a sign of a real-time interception attack.

How to Protect Yourself


Use the Mobile App: Always perform your banking through the official One Nevada Mobile Banking app. Secure alerts will be delivered inside the app’s secure mailbox.
The “No Link” Rule: One Nevada Credit Union will never send you a text message or email containing a link to a login page asking for your credentials. Always type the address manually into your browser.
Verify the SMS Source: Official alerts come from short codes. If you receive a banking alert from a standard 10-digit mobile number, treat it as a scam.
Immediate Action: If you have entered information on a suspicious page, call the official Member Services at (702) 457-1000 or (800) 388-3000 immediately to lock your account.


Expert Security Tip:


This is a Real-Time MFA Proxy Attack. The scammers are acting as a “middleman” between you and the bank. Your One-Time Passcode (OTP) is the final key to your money. Never enter a code on a website you reached via a link. If the bank sends you a code, read the text carefully—it often says “Do not share this code with anyone.”

Banco BBVA phishing page detected

A widespread phishing campaign targeting BBVA bank customers in Spain and Latin America uses high-pressure smishing tactics to steal login credentials and SMS OTP codes. Fraudulent websites mimic the legitimate BBVA portal to intercept security codes for unauthorized transactions. Users are advised to avoid clicking links in suspicious messages and to use the official BBVA app for account management.

Analysis Memo: This spoofed page was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the hostile origin link has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.

Figure 1: Verified screenshot of the active phishing operation intercepted by our security systems.

Target: BBVA Bank Customers (Spain, Mexico, Colombia, Peru)
Threat Level: Critical (Real-time Account Takeover & OTP Theft)
Phishing Method Description
This attack uses High-Pressure Social Engineering. Victims receive an SMS (Smishing) claiming that an “unauthorized login from a new device” has been detected or that their “security account needs to be synchronized” immediately to avoid permanent blockage.
The link leads to a pixel-perfect replica of the BBVA “Banca Móvil” or web portal. The phishing kit is specifically designed to harvest:
Customer ID / DNI / NIF (Identification Number)
Access Password (Contraseña)
Mobile Phone Number
One-Time Password (OTP): The fake site prompts the victim to enter the SMS code in real-time. The attacker uses this intercepted code on the actual BBVA site to authorize fraudulent transfers or link their own device to the account.

Red Flags to Watch For


Deceptive Domain: The official domain is bbva.es (Spain) or bbva.mx (Mexico). Phishing sites use lookalikes such as bbva-seguridad.online, verificar-acceso-bbva.net, bbva-asistencia.com, or free subdomains on firebaseapp.com.
Urgent & Alarming Tone: Language like “Acceso no autorizado detectado” or “Bloqueo preventivo” is used to bypass critical thinking.
Links in SMS: BBVA has a strict policy: they will never include clickable links in SMS messages sent to customers regarding account security or login issues.
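
The lookalike-domain red flags in this and the preceding advisories all reduce to one check: does the hostname end with an official domain at a label boundary? The Python sketch below is an added example, not Antiphishing.biz code. The official domains and most sample lookalikes come from this page; the brand keyword list, the verdict names and the `.example` hostname are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Official domains exactly as the advisories on this page state them.
OFFICIAL = {
    "UOB": {"uob.com.sg"},
    "HSBC": {"hsbc.com", "hsbc.co.uk"},
    "GOV.UK": {"gov.uk"},
    "TF Bank": {"tfbank.de", "tfbank.at", "tfbank.se"},
    "ELSTER": {"elster.de"},
    "RWE": {"rwe.com"},
    "One Nevada": {"onenevada.org"},
    "BBVA": {"bbva.es", "bbva.mx"},
}

# Assumption: brand keywords chosen for this example from names used on the page.
BRAND_TOKENS = {
    "UOB": {"uob"},
    "HSBC": {"hsbc"},
    "GOV.UK": {"gov", "dvla"},
    "TF Bank": {"tfbank"},
    "ELSTER": {"elster", "finanzamt"},
    "RWE": {"rwe"},
    "One Nevada": {"onenevada"},
    "BBVA": {"bbva"},
}


def hostname_of(url):
    """Return the lower-cased hostname of a URL or bare host, '' if none."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare host as the netloc
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_official(host, domain):
    """True only if host IS the domain or a subdomain of it.

    The leading dot matters: a plain endswith(domain) would also accept
    'notuob.com.sg', and a substring test would accept any host that merely
    contains the official name somewhere to the left.
    """
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return (verdict, brand): official, lookalike, unlisted or invalid."""
    host = hostname_of(url)
    if not host:
        return ("invalid", None)
    for brand, domains in OFFICIAL.items():
        if any(is_official(host, d) for d in domains):
            return ("official", brand)
    # Not on the allowlist: see whether the name borrows a brand keyword.
    tokens = set(re.split(r"[.\-]", host))
    for brand, words in BRAND_TOKENS.items():
        if tokens & words:
            return ("lookalike", brand)
    # No keyword hit does NOT mean safe, only that it is not an official site.
    return ("unlisted", None)


# Sample inputs: lookalikes quoted in the advisories, official addresses,
# and one constructed hostname under the reserved .example TLD.
SAMPLES = [
    "https://uob-security-update.com/login",
    "secure-uob.net",
    "https://www.gov.uk/check-vehicle-tax",
    "vehicle-tax-gov.org",
    "renew-tax-service.com",
    "tfbank-meinekarte.online",
    "tf-kunden-service.com",
    "finanzamt-erstattung.online",
    "https://www.elster.de",
    "kunden-rwe.net",
    "onenevada-verify.net",
    "verificar-acceso-bbva.net",
    "https://uob.com.sg.account-check.example/",  # constructed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, brand = classify(sample)
        print(f"{verdict:10} {brand or '-':11} {hostname_of(sample)}")
```

Several of the page's own examples (renew-tax-service.com, tf-kunden-service.com) carry no brand keyword and come back as "unlisted", which is why the allowlist match, not keyword spotting, has to be the deciding test.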

How to Protect Yourself


Use the BBVA App: Perform all your banking and notifications through the official BBVA App. The app uses biometric login and secure push notifications which are much harder to phish.
The “No Link” Rule: If you receive a security alert via SMS, ignore the link. Manually type www.bbva.es (or your local BBVA address) into your browser to check your account status.
Verify the Sender: Official alerts from BBVA usually come from a registered “BBVA” sender ID. If the message comes from a standard 10-digit mobile number, it is 100% a fraud.
Immediate Action: If you have entered your data on a suspicious page, call the official BBVA 24-hour fraud line immediately: 900 102 801 (Spain) or 55 5226 2663 (Mexico).


Expert Security Tip:


This is a Real-time Man-in-the-Middle (MitM) attack. The scammers are acting as a “bridge” between you and the real bank. Your SMS OTP is the final key to your money. Never enter a code on a website you reached via a link. If the bank sends you a code, read the text carefully—it often explicitly warns: “No compartas este código con nadie.”

PayPal phishing page revealed

This phishing campaign against PayPal users utilizes fraudulent “Account Suspension” notifications to direct victims to a high-fidelity cloned site. The multi-step funnel steals user credentials, personal information, and credit card data, often employing deceptive domains and urgent demands to bypass security measures.

Security Notice: This spoofed page was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the dangerous destination URL has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Figure 1: Live screenshot of the scam infrastructure intercepted by our security systems.

Target: PayPal Users Worldwide
Threat Level: Critical (Financial & Identity Theft)
Phishing Method Description
This attack uses a “Restricted Account” pretext. Scammers send out deceptive emails or SMS messages claiming that “Your account has been temporarily limited” or that there is “Unusual activity on your PayPal account.” To “restore access,” the victim is pressured to click a link and complete a security check.
The link leads to a high-fidelity clone of the PayPal login portal. Once the victim enters their credentials, the phishing kit directs them through a series of additional forms designed to harvest:
Email Address and Password
Full Name, Date of Birth, and Home Address
Credit/Debit Card Details (Number, Expiration Date, CVV)
Bank Account Information
Mother’s Maiden Name (to bypass security questions)

Red Flags to Watch For


The Deceptive URL: The official domain is strictly paypal.com. Phishing sites often use lookalikes such as verify-paypal-accounts.com, paypal-security-center.net, service-paypal.info, or free subdomains like login-paypal.web.app.
Urgent & Threatening Language: Phrases like “Action Required immediately” or “Your account will be permanently closed” are classic social engineering tactics.
Non-Personalized Greetings: Official PayPal emails almost always address you by your full name (as registered on your account), not “Dear Customer” or “Valued Member.”

How to Protect Yourself


The “Login Direct” Rule: Never log into PayPal via a link in an email or SMS. Always open a new browser tab and manually type paypal.com or use the official PayPal App.
Check the Message Center: If there is a real problem with your account, a notification will be waiting for you in the secure “Message Center” inside your PayPal account.
Watch for Redirection: Phishing kits often redirect you to the real PayPal website after you’ve submitted your data to make the experience feel legitimate. If the site suddenly “refreshes” or looks different, your data may have been stolen.
Reporting: You can report PayPal phishing by forwarding suspicious emails to spoof@paypal.com or suspicious SMS to the short code 7726.


Expert Security Tip:


This is a Full Info (Fullz) Phishing Kit. The scammers aren’t just after your PayPal balance; they want your Credit Card and Identity. PayPal will never ask you to enter your full credit card number and CVV just to “verify” your account login. If a site asks for your card details to “unlock” your account, close the tab immediately.

Bank Central Asia phishing page detected

A phishing campaign targeting Bank Central Asia (BCA) customers in Indonesia uses WhatsApp-based smishing to direct victims to fraudulent sites mimicking the KlikBCA login portal. Attackers aim to harvest User IDs, PINs, and KeyBCA token codes, enabling real-time, fraudulent transaction authorization. The attack is a “Token Interception” method, utilizing spoofed domains like klikbca-update.online to bypass security and steal user funds.

Security Notice: This deceptive layout was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the phishing source domain has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

Figure 1: Live screenshot of the scam infrastructure intercepted by our security systems.


Target: Customers of Bank Central Asia (BCA) in Indonesia
Threat Level: Critical (KlikBCA & Individual Access Theft)
Phishing Method Description
This attack targets users of KlikBCA Individual and the BCA Mobile app. Scammers distribute fraudulent links via WhatsApp or SMS (Smishing), often using an “official-looking” announcement about a “New Service Fee Policy” (e.g., changing the monthly fee to 150,000 IDR) or a “Security Feature Update.”
The link leads to a pixel-perfect replica of the BCA login portal. The phishing kit is specifically designed to harvest:
User ID / Username
Internet Banking PIN
Mobile Phone Number
KeyBCA (Physical Token) Response: The fake site prompts the victim to generate a code on their physical KeyBCA device (using APPLI 1 or APPLI 2) and enter it. The attacker uses this code in real-time to authorize a massive fraudulent transfer.

Red Flags to Watch For


The Deceptive URL: The official domain is bca.co.id or klikbca.com. Phishing sites often use lookalike addresses such as bca-update-layanan.com, tarif-bca-baru.net, klikbca-konfirmasi.online, or free subdomains like bca-login.web.app.
Urgent Call-to-Action: Messages that demand you “Agree” to a fee change or “Confirm” your account within a few hours are classic social engineering tactics.
Requesting KeyBCA Codes: BCA will never ask you to enter a KeyBCA token code just to “cancel a fee” or “verify your identity” through a link sent via WhatsApp.
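
The domain red flags in the BBVA, PayPal and BCA write-ups above can be checked mechanically. The following is an added example, not code from Antiphishing.biz or from the banks: it compares each link's hostname against the official domains stated on this page and flags brand keywords on any other host. The keyword list, function names and sample SMS are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Official domains exactly as the write-ups above state them.
OFFICIAL = {
    "BBVA": {"bbva.es", "bbva.mx"},
    "PayPal": {"paypal.com"},
    "BCA": {"bca.co.id", "klikbca.com"},
}
# Brand keywords to look for in hostname labels (an assumption of this example).
KEYWORDS = {"bbva": "BBVA", "paypal": "PayPal", "bca": "BCA", "klikbca": "BCA"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hostname(url):
    """Lowercased host of a URL; bare hosts without a scheme are accepted."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def classify(url):
    """Return ('official' | 'lookalike' | 'unrelated', brand or None)."""
    host = hostname(url)
    for brand, domains in OFFICIAL.items():
        # Match on a label boundary: the host is the domain itself or ends
        # with "." + domain, so "notpaypal.com" is not treated as official.
        if any(host == d or host.endswith("." + d) for d in domains):
            return "official", brand
    # Not official: a brand keyword as a whole "."/"-" separated token
    # marks the host as a lookalike of that brand.
    for token in re.split(r"[.-]", host):
        if token in KEYWORDS:
            return "lookalike", KEYWORDS[token]
    return "unrelated", None


def scan_message(text):
    """Classify every http(s) link found in an SMS or email body."""
    return [(u, *classify(u)) for u in URL_RE.findall(text)]


# Constructed sample message, built from a phrase and a lookalike named above.
SAMPLE_SMS = ("BBVA: Acceso no autorizado detectado. "
              "Verifique su cuenta: https://bbva-seguridad.online/acceso")

if __name__ == "__main__":
    for row in scan_message(SAMPLE_SMS):
        print(row)
```

Whole-token keyword matching keeps false positives low but will miss misspelled brand names, so treat an "unrelated" verdict as "not matched", not as "safe".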

How to Protect Yourself


Use the BCA Mobile App: Only trust notifications that appear inside your official BCA Mobile or Halo BCA app.
The “No Link” Rule: BCA officially states they will never send links via SMS or WhatsApp asking for your personal data or PIN. Always type klikbca.com manually into your browser.
Verify with Halo BCA: If you receive a suspicious message, contact the official BCA call center at 1500888 or use the official Halo BCA app to verify the information.
KeyBCA Security: Treat your physical KeyBCA token as the “key to your safe.” Never use it on any website that you did not access yourself by typing the address.


Expert Security Tip:


This is a Social Engineering & Token Interception attack. Scammers create a fake problem (like a high monthly fee) to make you panic and give up your KeyBCA codes. Remember: Your token codes are only for authorizing transactions you started. Never use your KeyBCA to “cancel” something or “log in” from a link.