Booking.com phishing page detected

Booking.com “Internal Messaging” Phishing
Target: Travelers and Hospitality Partners Worldwide
Threat Level: Critical (Authorized Account Access & Financial Fraud)
Phishing Method Description
This is a Multi-Stage Attack that exploits a chain of trust. Unlike typical phishing, the fraudulent message arrives directly within the official Booking.com app or your reservation chat.
Phase 1 (The Initial Breach): Attackers first compromise a hotel’s professional account (Extranet) by sending malware to the staff, often disguised as a guest request.
Phase 2 (The Customer Lure): Once inside the hotel’s account, scammers see real reservation details (names, dates, prices). They then message the guests through the official Booking.com system, claiming there is a “payment verification error”.
Phase 3 (The Theft): The guest is urged to click a link to “re-verify” their card details to avoid cancellation. The link leads to a perfect clone of Booking.com that harvests full credit card data and even 2FA codes in real-time.

⚠️ Red Flags to Watch For
Requests for Payment via Chat: Booking.com and legitimate hotels will never ask you to provide credit card details or make a payment directly through a chat, email link, or WhatsApp.
Urgent & Threatening Tone: Phrases like “Verification required within 4 hours or your booking will be cancelled” are used to bypass your critical thinking.
The URL Check: Even if the message is in the app, the link itself will lead to a non-official domain (e.g., booking-verification.online instead of booking.com).

💡 Expert Security Tip: The “Booking Confirmation” Rule
The Method:
This case is a prime example of Brand Identity Abuse. Scammers use the actual infrastructure of a trusted platform to hide their tracks. Because the message comes from the “official” account of the hotel you actually booked, it is almost impossible to distinguish from a real request at first glance.

The Trap:
Attackers are exploiting social engineering rather than a flaw in Booking.com’s backend. They use your real travel dates and the hotel’s name to make the request feel 100% legitimate.

How to Protect Yourself:
Check the App’s Payment Status: If you have already paid or have a “pay at property” policy, any request for “pre-payment” is 100% a scam.
Call the Hotel Directly: If you receive an urgent payment request, do not use the link. Instead, find the hotel’s phone number on their official website (not from the chat message) and call them to verify the request.
Pay Only on the Platform: Legitimate payments should be handled only through the official Booking.com checkout process, not through third-party links like Stripe or PayPal sent via chat.
Enable 2FA Everywhere: If you are a hotelier or a traveler, multi-factor authentication is your final line of defense against account takeovers.

Raiffeisen bank phishing page detected

Raiffeisen Bank “Digital Security Update” Phishing
Target: Raiffeisen Bank Customers (Central and Eastern Europe)
Threat Level: Critical (Raiffeisen Identity & Digital Token Theft)
Phishing Method Description
This attack targets users of the Raiffeisen Online Banking and the Digital ID apps. Scammers distribute urgent notifications via SMS (Smishing) or Email, claiming that “New Security Regulations” or a “System Maintenance” requires the user to re-verify their profile to avoid account suspension.
The link leads to a high-fidelity clone of the Raiffeisen “Login” portal. This sophisticated phishing kit is specifically designed to harvest:
Customer ID / Username
PIN / Password
Mobile Phone Number
One-Time Password (OTP) / Push Authorization: The fake site prompts the victim to enter the code from their SMS or confirm a notification in their official Raiffeisen app in real-time. This allows the attacker to authorize a fraudulent transfer or link a new device to the account instantly.
⚠️ Red Flags to Watch For
The Lookalike URL: The official domains are raiffeisen.at, raiffeisen.ro, etc. Phishing sites use deceptive addresses like raiffeisen-securitate.online, verificare-raiffeisen.net, secure-raiffeisen-login.com, or free subdomains like raiffeisen.web.app.
Urgent & Threatening Tone: Phrases like “Immediate action required” or “Your access will be blocked within 24 hours” are classic social engineering tactics.
Link in SMS/Email: Raiffeisen Bank officially states they will never include a clickable link in an SMS or email that leads directly to a login page asking for your credentials.
💡 Expert Security Tip: The “Digital ID” Proxy Attack
The Method:
This case highlights a Real-Time Authentication Hijack. Scammers are not just looking for your password; they are acting as a “middleman” between you and the real bank server.
The Trap:
When you enter your credentials on the fake page, the attacker simultaneously enters them on the actual Raiffeisen website. This triggers a legitimate Push Notification or SMS OTP to your phone. The phishing site then asks you to “Confirm the notification to finish the update.” By doing so, you are not securing your account—you are signing a digital signature that authorizes the hacker to drain your funds.
How to Protect Yourself:
The “Context” Rule: Only confirm a notification or enter an OTP if YOU were the one who manually typed the official bank address into your browser. If a prompt appears after clicking a link, REJECT it.
Read the Prompt Carefully: If the notification on your phone says “Authorize a payment” or “Register a new device” but you are just trying to “log in,” it is 100% a scam.
Zero Trust for Links: Raiffeisen will never send you a link to “Log in” or “Update” your security credentials via SMS. Always use the official Raiffeisen Smart Mobile app.

Bankinter phishing page in Portuguese revealed

Bankinter Portugal “Security Alert” Phishing
Target: Bankinter Customers in Portugal
Threat Level: Critical (Real-time Account Takeover & SMS OTP Theft)
Phishing Method Description
This attack targets users of Bankinter Particulares (Online Banking). Scammers use a “Fraud Alert” pretext, sending out Smishing (SMS) messages claiming that an “unauthorized access” or “unusual purchase” has been detected. To “cancel” the transaction or “secure” the account, the user is pressured to click a link immediately.
The link leads to a high-fidelity clone of the Bankinter.pt portal. This sophisticated phishing kit is designed to harvest:
User ID / NIF (Número de Identificação Fiscal)
Access Password (Multichannel Key)
Mobile Phone Number
SMS One-Time Password (OTP): The fake site prompts the victim to enter the security code in real-time. The attacker immediately uses this code on the actual Bankinter server to authorize a fraudulent wire transfer or to register their own device as the primary security key.
⚠️ Red Flags to Watch For
The Lookalike URL: The official domain is bankinter.pt. Phishing sites use deceptive addresses like seguranca-bankinter.online, verificar-acesso-bankinter.net, bankinter-portugal.com, or free subdomains like bankinter-login.web.app.
Urgent & Alarming Tone: Phrases like “Acceso no autorizado detectado” or “Bloqueo preventivo” are used to bypass critical thinking and force an impulsive click.
Link in SMS/Email: Bankinter officially states they will never include a clickable link in an SMS message regarding account security or “blocking” access.
💡 Expert Security Tip: The “Cancellation” Deception
The Method:
This case highlights a Social Engineering Trick known as the “Cancellation Scam.” Scammers create a fake “security threat” to make you panic.
The Trap:
When you enter an SMS OTP on a fake site to “cancel a fraudulent transaction,” you are actually doing the exact opposite. Because the attacker is logged into your real account in the background, they have just triggered a new fraudulent transfer. The code you just entered is the final digital signature they need to move your money out of the bank.
How to Protect Yourself:
OTP is for Authorization ONLY: A real bank will never ask you to enter an SMS code to cancel or block something. SMS codes are strictly for authorizing actions you started yourself.
The “Manual Entry” Rule: If you receive a security alert via SMS, ignore the link. Open your browser and manually type www.bankinter.pt to log in safely.
Read the SMS Content: Carefully read the text accompanying the code. If it says “Code to authorize a transfer of 1,000 €” but you are trying to “secure your account,” it is 100% a scam.

OTP bank phishing page detected

OTP Bank “Account Access Verification” Phishing
Target: OTP Bank Customers (Hungary, Russia, Romania, Serbia, etc.)
Threat Level: Critical (Real-time OTP Interception & Account Hijacking)

Phishing Method Description
This attack relies on Psychological Pressure. Victims receive a Smishing (SMS) or Email claiming that their “OTPdirekt access has been suspended” or that a “Suspicious login attempt” was detected from a new device.

The link leads to a high-fidelity clone of the OTP Bank login page. This sophisticated phishing kit is designed for a Man-in-the-Middle (MitM) attack, harvesting:

User ID / Account Number (HAZ / ID)
Password / PIN
Mobile Phone Number
Mobile Signature (SMS OTP): The fake site prompts the victim to enter the 6-digit security code received via SMS in real-time. The attacker immediately uses this code on the actual bank site to authorize a fraudulent transfer or link their own device to the account.

⚠️ Red Flags to Watch For
Deceptive Domain: The official domains are otpbank.hu, otpbank.ru, otpbanka.rs, etc. Phishing sites use lookalikes such as otpbank-security.online, verific-otp.net, or free subdomains like otp-login.web.app.
Requesting OTP for “Blocking” or “Updates”: A real bank will never ask you for an SMS code to cancel a transaction or unblock an account. Codes are strictly for authorizing actions you started yourself.
Urgent Tone: Messages demanding you “Act within 2 hours” to avoid a total block are clear signs of a scam.

🛡️ How to Protect Yourself
Use the Mobile App: Manage your security exclusively through the official OTP SmartBank or m-bank app.
The “Manual Entry” Rule: Always type the official address manually into your browser’s address bar. Never click on links in bank messages.
Verify the SMS Source: Official alerts come from registered bank IDs. If a message comes from a standard mobile number, delete it.
Immediate Action: If you have entered data on a suspicious site, call the official OTP Bank support immediately at +36 1 3666 666 (Hungary) or +7 495 783-54-00 (Russia) to freeze your account.

💡 Expert Security Tip: The “Live Proxy” Hazard
The Method:
This case highlights the Real-Time Token Relay tactic. Scammers use automated kits that act as a “live bridge” between you and the real bank.

The Trap:
When you enter your Mobile Signature SMS code on the fake site, you aren’t “verifying” anything. You are providing the final authorization for a transaction the hacker has already prepared in the background.

How to Protect Yourself:
Read the SMS Content Carefully: If the SMS says “Code to authorize a transfer of X amount” while you are just trying to “log in,” do not enter it.
Switch to Biometric Auth: Use Fingerprint or FaceID inside the official app. These methods are much harder to phish than 6-digit SMS codes.
One-Time Rule: An OTP is meant for one specific action. If the site asks you to enter multiple codes in a row for a single “verification,” close the page—they are draining your account transaction by transaction.

PayPal phishing page detected

PayPal “Account Suspension Alert” Phishing
Target: PayPal Users Worldwide
Threat Level: Critical (Financial & Full Identity Theft)
Phishing Method Description
This attack uses a “High-Pressure Security” pretext. Victims receive an email or SMS (Smishing) claiming that “Your account has been temporarily suspended” or that “Unusual activity was detected on your account.” To “restore full access” or “cancel a fraudulent payment,” the victim is pressured to click a link and complete a verification process.
The link leads to a sophisticated, multi-step phishing portal that mimics the official PayPal login flow. This “Fullz” kit is designed to harvest:
PayPal Credentials (Email and Password)
Full Personal Identity (Name, Date of Birth, and Home Address)
Credit/Debit Card Details (Number, Expiration Date, and CVV)
Bank Account Information
Security Challenge Answers: Intercepted to bypass future password recovery attempts.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is strictly paypal.com. Phishing sites use lookalikes such as verify-paypal-secure.com, account-resolution-paypal.net, or free subdomains like paypal-limit.web.app.
Generic Salutation: Official PayPal emails almost always address you by your full name. Be wary of emails starting with “Dear Customer,” “Dear Member,” or just your email address.
Requesting Card Details to “Unlock”: PayPal will never ask you to enter your full credit card number and CVV code just to “verify” your identity or unlock a login.
🛡️ How to Protect Yourself
The “Login Direct” Rule: Never click a link in an email to log into PayPal. Always open a new browser tab and manually type paypal.com or use the official PayPal App.
Check the Message Center: If there is a real issue with your account, a notification will always be waiting for you in the secure “Message Center” inside your PayPal account.
2FA is Mandatory: Enable Two-Factor Authentication (2FA). Even if scammers steal your password, they won’t be able to log in without the code from your authenticator app or SMS.
Forward to Spoof: You can report PayPal-branded phishing by forwarding the suspicious email or link to [email protected].
💡 Expert Security Tip: The “Fullz” Harvesting Hazard
The Method:
This case highlights a Full Identity (Fullz) Extraction. Scammers are not just trying to steal your PayPal balance; they are gathering enough data to impersonate you permanently.
The Trap:
By providing your CVV code, SSN/National ID, and Security Answers, you are giving the hackers the power to open new credit lines in your name or take over your other financial accounts.
How to Protect Yourself:
CVV is for Buying, Not Logging: Your CVV (the 3 digits on the back) is only for authorizing a purchase. Never enter it on a page that claims to be for “identity verification” or “account unlocking.”
Zero Trust for Links: A “Locked Account” message is the most common bait. Always verify account status by logging in through the official app only.
Use Virtual Cards: For online services like PayPal, use a virtual card with a spending limit. This protects your main bank account even if your card details are phished.

Blocket fake page in Swedish detected

Blocket “Safe Payment / Shipping” Phishing
Target: Buyers and Sellers on Blocket (Sweden)
Threat Level: Critical (Bank Account Takeover & BankID Hijacking)
Phishing Method Description
This attack targets users of the Swedish marketplace Blocket. Scammers usually contact a seller or buyer via WhatsApp or SMS, claiming they want to use “Blocket Paket” (shipping service) or a fake “Direct Payment” system to complete the deal.
The link leads to a high-fidelity clone of the Blocket or BankID verification page. The phishing kit is specifically designed to harvest:
Personal Identity Number (Personnummer)
Credit/Debit Card Details (Number, Expiry, CVV)
BankID Authentication: The fake site triggers a real BankID or Mobile BankID request on the victim’s phone. Thinking they are “verifying the payment,” the victim enters their PIN, which actually authorizes the attacker to log into their real bank account or sign a fraudulent transaction.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is blocket.se. Phishing sites use lookalikes such as blocket-betalning.online, verifera-blocket.net, frakt-blocket.com, or free subdomains like blocket-portal.web.app.
Off-Platform Communication: If a buyer or seller insists on moving the conversation from Blocket’s internal chat to WhatsApp or SMS, it is a major warning sign.
Urgent Payment Links: Blocket will never send you a link via SMS or WhatsApp asking you to “enter your card details to receive money.”
🛡️ How to Protect Yourself
Stay on the Platform: Use only the official Blocket Paket and payment systems integrated directly into the Blocket app or website.
The “No Link” Rule: Never click on links sent by other users to “confirm a payment” or “track a package.” If the payment is real, it will show up in your official Blocket account.
Verify BankID Context: Before entering your PIN in the BankID app, always check the “Requester” (Mottagare) and the action. If you are selling an item, you should not be “signing” or “authenticating” a login to your bank.
Zero Trust for Card Requests: You do not need to provide your CVV code to receive money. If a site asks for it to “verify your account for a payout,” it is a scam.
💡 Expert Security Tip: The “BankID Relay” Attack
The Method:
This case highlights a Real-Time Authentication Relay. Scammers are acting as a “live bridge” between the victim and their bank.
The Trap:
When you enter your Personnummer on the fake Blocket site, the attacker enters it on the real bank website. You receive a BankID notification. If you sign it, you aren’t “confirming a sale”—you are signing the attacker into your bank account.
How to Protect Yourself:
Check the App carefully: In the BankID app, it will show who is requesting the identification (e.g., “Logga in på [Din Bank]”). If you see your bank’s name while you are supposedly on “Blocket,” cancel immediately.
Never trust “Verification” links: Blocket and banks in Sweden will never ask you to identify yourself via BankID through a link sent in a private message.

Fake French Police page revealed

French National Police (ANTAI) “Unpaid Fine” Phishing
Target: Residents and Visitors in France
Threat Level: Critical (Real-time Credit Card Skimming & Identity Theft)
Phishing Method Description
This attack impersonates the ANTAI (Agence Nationale de Traitement Automatisé des Infractions), the official agency for traffic and parking fines in France. Victims receive a “Smishing” (SMS) or Phishing Email claiming they have an unpaid fine (often 35€ or 135€) that will increase if not settled immediately.

The link leads to a highly realistic clone of the official French government portal, often displaying the “Marianne” and ANTAI logos. The phishing kit harvests:

Personal Identity Data: Name, address, and email.
Payment Details: Full credit/debit card information (Number, Expiry, CVV).
3D-Secure / OTP Codes: The fake site intercepts verification codes in real-time, allowing attackers to authorize large, fraudulent purchases instead of a small fine payment.

⚠️ Red Flags to Watch For
The URL Trap: The only official website for paying fines in France is www.amendes.gouv.fr. Scam sites use lookalikes such as portails-amendes-gouv.com, antai-fines.net, or amendes-gouv-infractions.fr.
No SMS for Reminders: ANTAI only sends SMS messages for immediate payment during a direct interaction with an officer on the ground. They never send unsolicited SMS reminders for old or “unpaid” fines.
Generic Sender Addresses: Real emails from ANTAI always end in @antai.gouv.fr (specifically [email protected]). Be wary of senders with .mu, .br, or free domains.

🛡️ How to Protect Yourself
The “Manual Entry” Rule: Never click on a link to pay a fine. Always type www.amendes.gouv.fr manually into your browser or use the official amendes.gouv app.
Wait for the Paper Copy: Genuine fine notices are almost always sent via physical mail to the address on your vehicle registration (carte grise). If you haven’t received a letter, the message is likely a scam.
Report Smishing: In France, you can forward fraudulent SMS messages to 33700 or report them to signal-spam.fr.

💡 Expert Security Tip: The “Real-Time Fine” Verification
The Method:
This case highlights a Real-Time Token Relay attack. Scammers are banking on the fact that drivers are often stressed by the threat of increased fines and legal action.

The Trap:
When you enter your card details on a fake ANTAI site, the attackers are simultaneously using that data on a real payment gateway for a high-value purchase. The OTP/3D-Secure code you enter to “pay your fine” is actually the final signature the hackers need to empty your bank account.

How to Protect Yourself:
Use the Reference Number: Every legitimate fine has a 14 or 18-digit reference number. If the website doesn’t ask for this specific number or doesn’t show your car registration plate, it is 100% a scam.
Zero Trust for QR Codes: Be cautious of QR codes on fake physical tickets left on windscreens, a new tactic used to bypass digital spam filters.
Check the App Context: If your bank’s authorization app asks you to “confirm a payment” of a different amount than the fine while you are on a “government” site, cancel immediately.

Phishing DHL email

The link above leads to the phishing site:

DHL Package Delivery Scam (Smishing/Email Phishing)

This phishing campaign impersonates the international shipping company DHL. The email informs the recipient that a package cannot be delivered due to a problem with the address or a failed delivery attempt, creating a sense of urgency.

How it works:
The email contains a link that leads to a fake DHL tracking page (as shown in the screenshot). If the victim clicks the link, they are taken to a fraudulent website designed to collect personal and financial information. The final step of the scam typically asks for credit or debit card details under the guise of a small “redelivery fee” or “customs processing fee.” Once entered, the card information is stolen and can be used for fraudulent transactions.

Red Flags to Watch For:

Sender’s email address: The email often comes from a generic or misspelled domain, not an official @dhl.com address.

Generic greeting: Legitimate DHL communications usually include your name or a reference number; phishing emails often start with “Dear Customer” or “Dear User.”

Spelling and grammar: Look for awkward phrasing or minor errors in the subject line and body.

The link: Hover over the link without clicking—if the URL does not match dhl.com or contains unusual characters, it is a phishing site.

Request for payment: DHL does not ask for payment via a link in an email for redelivery. Always log in to the official DHL website or app directly to verify any outstanding charges.

What to Do if You Receive This Email:

Do not click any links or download any attachments.

Do not enter any personal or banking information.

If you are expecting a package, go directly to the official DHL website (dhl.com) and use your tracking number to verify its status.

Report the phishing attempt to DHL and forward the email to your local anti-phishing authorities (e.g., in the US: [email protected]).

By understanding these tactics, you can avoid falling victim to this type of scam and protect your financial information.

Etsy phishing page detected

Etsy Seller Payment Scam (Fake Order Notification)

This phishing page is designed to target Etsy sellers by impersonating a legitimate order notification. The page mimics Etsy’s interface and claims that a buyer has purchased an item—in this case, “Jeans schwarz mit …” for €79.50—and that the payment is awaiting release.

How it works:
The victim (an Etsy seller) receives an email or a direct message with a link to this page, claiming a buyer has placed an order. The page shows fake buyer details (name, address), a fabricated order summary, and a “Payment status: Receiving funds” message. To “proceed to receiving” the funds, the seller is prompted to enter sensitive financial information—most likely credit card details, bank account information, or login credentials on the next screen.

The goal:
Instead of receiving a legitimate order, the seller unknowingly hands over their payment credentials or login details to the attacker. Because the page looks like a genuine Etsy order confirmation, sellers who frequently manage orders may click through without suspicion.

Red flags to watch for:

Unsolicited link: The page is accessed via a link from an email or message, not through the official Etsy dashboard or app.

Fake payment status: Etsy does not display “Receiving funds” in this manner; legitimate payment processing occurs within your seller dashboard, not on a standalone page accessed via an external link.

Buyer details: The name and address shown (e.g., “Ernestine Herz”) are often fabricated or generic.

“Proceed to receiving” button: This is a fake call-to-action designed to lead to the credential-harvesting form. On the real Etsy site, sellers do not need to click an external button to “receive” funds—payments are automatically processed.

URL mismatch: The page shown here is hosted on antiphishing.biz, but in a real attack, it would be on a fraudulent domain. Sellers should always check that the URL matches etsy.com before entering any information.

What to do if you encounter this:

Do not click “Proceed to receiving” or enter any personal, banking, or login information.

If you are an Etsy seller, always log in to Etsy directly by typing etsy.com into your browser and checking your Shop Manager → Finances → Payment account for real orders.

Report the phishing attempt to Etsy’s trust and safety team by forwarding the original email or link to [email protected].

This scam exploits the trust sellers place in order notifications. Staying vigilant about checking URLs and verifying orders directly through the official platform can prevent account takeover and financial loss.

Banco BISA phishing page detected

Banking Phishing – Fake Virtual Keyboard & Credential Harvesting

This phishing page impersonates the online banking portal of Banco BISA (a Bolivian bank). The page is designed to steal customers’ login credentials by mimicking the bank’s legitimate authentication interface.

How it works:
The victim receives a phishing email, SMS, or other fraudulent message claiming there is an issue with their account, a security alert, or a promotion. The link leads to this fake login page. The page requests the user’s “usuario” (username) and features a “Teclado virtual” (virtual keyboard) button—a common security feature used by Latin American banks to protect against keyloggers.

The twist:
Cybercriminals replicate the virtual keyboard to trick users into thinking the page is legitimate. When the victim clicks the virtual keyboard button and enters their credentials, the information is captured and sent directly to the attacker. The fake “Siguiente” (Next) button then leads to a second page that likely requests additional sensitive data, such as a password, security token, or one-time code.

Red flags to watch for:

URL mismatch: The page is not hosted on the official bank domain. Banco BISA’s legitimate online banking URL would be something like www.bisa.com or a secure subdomain—not a random or unrelated address.

Generic promotion: The footer text about “Ahorro Plus” (earning 3.85% interest) is copied from the real bank’s marketing, but phishing pages often use outdated or slightly mismatched promotional content.

Virtual keyboard context: While many banks do use virtual keyboards, phishing pages replicate them. Always verify you are on the official site before interacting with any login form.

Lack of personalization: Legitimate banking portals often display a partial account number, security image, or personal greeting after entering the username—this fake page does not.

What to do if you encounter this:

Do not enter your username, click the virtual keyboard, or press “Siguiente.”

If you are a Banco BISA customer, always type the official bank URL directly into your browser or use the official mobile banking app.

Report the phishing page to Banco BISA’s fraud department so they can work to have it taken down.

Why this scam is dangerous:
Once the attacker obtains the username and password, they can attempt to log in to the victim’s real bank account. If the bank uses two-factor authentication (2FA), the phishing site may also ask for the 2FA code on a subsequent page, allowing real-time account takeover.
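
The URL check that recurs in the red-flag lists above (official domain versus lookalike), written out as an added example that is not part of the original advisories. The allowlist holds only the official domains this page names; the function names, the extra brand words and the constructed sample links are assumptions for illustration, and the hostname is compared with a suffix match rather than a full Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Official domains exactly as the advisories list them. The page says "etc."
# for Raiffeisen and OTP Bank, so those two sets are known to be incomplete.
OFFICIAL = {
    "booking": {"booking.com"},
    "raiffeisen": {"raiffeisen.at", "raiffeisen.ro"},
    "bankinter": {"bankinter.pt"},
    "otpbank": {"otpbank.hu", "otpbank.ru", "otpbanka.rs"},
    "paypal": {"paypal.com"},
    "blocket": {"blocket.se"},
    "antai": {"amendes.gouv.fr", "antai.gouv.fr"},
    "dhl": {"dhl.com"},
    "etsy": {"etsy.com"},
}
# Extra brand words besides the dictionary key itself (assumed, for illustration).
EXTRA_WORDS = {"otpbank": {"otp", "otpbanka"}, "antai": {"amendes"}}
FREE_HOSTING = ("web.app",)  # the only free-hosting suffix named on the page


def hostname_of(link: str) -> str:
    """Host part of a URL or bare domain: no scheme, userinfo, port or path."""
    link = link.strip()
    if "://" not in link:
        link = "//" + link  # make urlsplit read a bare domain as the netloc
    try:
        host = urlsplit(link).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(link: str) -> dict:
    """Label a link as official, lookalike, unrelated or unparseable."""
    host = hostname_of(link)
    out = {"host": host, "verdict": "unrelated", "brand": None, "notes": []}
    if not host:
        out["verdict"] = "unparseable"
        return out
    for brand, domains in OFFICIAL.items():
        if any(under(host, d) for d in domains):
            out.update(verdict="official", brand=brand)
            return out
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        out["notes"].append("punycode label: may render as look-alike characters")
    if any(under(host, suffix) for suffix in FREE_HOSTING):
        out["notes"].append("free hosting subdomain")
    # Exact word match on "." and "-" boundaries keeps false positives low but
    # misses glued or misspelled names such as "paypa1"; that is a known limit.
    words = {w for label in labels for w in label.split("-")}
    for brand in OFFICIAL:
        if words & ({brand} | EXTRA_WORDS.get(brand, set())):
            out.update(verdict="lookalike", brand=brand)
            break
    return out


def triage(links):
    """Return (host, impersonated brand) for every link judged a lookalike."""
    results = (classify(link) for link in links)
    return [(r["host"], r["brand"]) for r in results if r["verdict"] == "lookalike"]


# Lookalike hosts quoted in the advisories, plus constructed edge cases.
SAMPLES = [
    "booking-verification.online",
    "secure-raiffeisen-login.com",
    "bankinter-login.web.app",
    "verific-otp.net",
    "https://paypal.com@paypal-limit.web.app/login",  # constructed: userinfo trick
    "frakt-blocket.com",
    "portails-amendes-gouv.com",
    "https://www.amendes.gouv.fr/",  # official payment site
    "example.org",  # constructed: unrelated host
]

if __name__ == "__main__":
    for link in SAMPLES:
        r = classify(link)
        print(f'{r["verdict"]:<10} {r["host"]:<32} {r["brand"] or "-":<11} {r["notes"]}')
```

A "lookalike" verdict means a brand word sits in a hostname outside that brand's listed domains; an "unrelated" verdict says nothing about whether the link is safe.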