Antiphishing.biz

A phishing campaign targeting BBVA customers uses urgent SMS alerts warning of blocked accounts to steal login credentials and real-time 2FA codes. The scam directs victims to sophisticated clones of the official mobile banking portal, bypassing security measures by prompting users for immediate action. To stay safe, ignore unexpected security SMS messages with links and only use the official BBVA App or the bank’s official website to check for alerts.

BBVA “Security Key Synchronization” Smishing
Target: BBVA Bank Customers (Spain and Mexico)
Threat Level: Critical (Real-time OTP & Digital Token Theft)
Phishing Method Description
This attack is a highly effective Mobile-First Phishing campaign. Scammers send a “Smishing” (SMS) alert claiming that your “Clave de Acceso” (Access Key) has been blocked or that a “New Security Regulation” requires you to synchronize your account immediately.
The link leads to a mobile-optimized clone of the BBVA login portal. The phishing kit is specifically designed to perform a Man-in-the-Middle (MitM) attack, harvesting:
User ID / NIF / DNI
Access PIN / Password
Mobile Phone Number
SMS One-Time Password (OTP): The fake site prompts the victim to enter the security code in real-time. The attacker immediately uses this code on the actual BBVA server to authorize a fraudulent transfer or to register a new “Trusted Device.”

Red Flags to Watch For

The Lookalike URL: The official domain is bbva.es. Phishing sites use deceptive addresses like seguridad-cliente-bbva.online, verificar-acceso-pib.net, asistencia-bbva.com, or free subdomains like bbva-login.web.app.
Links in Security SMS: BBVA has a strict policy: they will never include clickable links in SMS messages regarding account security or “blocked” access.
Requesting OTP to “Synchronize”: A real bank will never ask you to enter an SMS code to synchronize or unblock an account through a link. SMS codes are strictly for authorizing transactions you started yourself.

How to Protect Yourself

Use the BBVA App: Always manage your security settings and notifications through the official BBVA App. It uses biometric login and secure push notifications which are much harder to phish.
The “No Link” Rule: If you receive a suspicious SMS, ignore the link. Open your browser and manually type www.bbva.es to log in safely.
Check the SMS Content: Read the text of the SMS containing the code. If it says “Code to authorize a payment” but you are just trying to “log in,” close the page immediately.
Immediate Action: If you have entered your credentials on a suspicious site, call the official BBVA fraud line at 900 102 801 (Spain) immediately.

Expert Security Tip:

This is a Session Hijacking attempt. Scammers create a fake “security problem” to make you panic. Remember: your SMS OTP is a digital signature. Never enter it on a website reached via a link. If you didn’t initiate a transaction, any request for a code is 100% a scam.

A phishing campaign targeting Bank Rakyat Indonesia (BRI) customers utilizes WhatsApp and SMS to trick users with a fake 150,000 IDR service fee increase. The attack uses a fraudulent “BRImo” portal to harvest credentials and real-time OTPs to seize control of mobile banking accounts.

Bank Rakyat Indonesia (BRI) “Service Fee Change” Scam
Target: Customers of Bank Rakyat Indonesia (BRI)
Threat Level: Critical (BRIMO Mobile Banking & OTP Theft)
Phishing Method Description
This attack uses a “Price Hike Scare” tactic. Scammers distribute fraudulent messages via WhatsApp or SMS (Smishing), claiming that BRI is updating its monthly service fee to a much higher amount (e.g., 150,000 IDR). To “keep the old rate” or “refuse the increase,” the victim is pressured to click a link and provide their details.
The link leads to a high-fidelity clone of the BRIMO (BRI Mobile) login portal. This phishing kit is specifically designed to harvest:
Username and Password
ATM/Debit Card Number
Mobile Phone Number
SMS OTP (One-Time Password): The fake site prompts the victim for the 6-digit code in real-time. The attacker uses this code to authorize a fraudulent transfer or to register the victim’s account on their own device.

Red Flags to Watch For

The Deceptive URL: The official domain is bri.co.id. Phishing sites use lookalikes such as bri-tarif-baru.com, konfirmasi-bri.net, update-layanan-bri.online, or free subdomains like brimo-login.web.app.
Urgent WhatsApp Messages: BRI officially communicates through verified channels. If you receive a fee-change notice from a random mobile number on WhatsApp, it is 100% a scam.
Requesting your PIN/OTP: BRI will never ask for your mobile banking PIN or SMS OTP through a website link to “cancel a fee.”

How to Protect Yourself

Use the BRIMO App: Trust only the notifications and settings found inside your official BRIMO mobile app.
The “No Link” Rule: BRI states they will never send links via WhatsApp or SMS asking for personal login credentials. Always type www.bri.co.id manually into your browser.
Verify with Contact BRI: If you receive a suspicious message, call the official BRI hotline at 1500017 or visit an official branch to verify any policy changes.
OTP Security: Treat your SMS OTP as a secret key. Never share it, and never enter it on a page reached through a link.

Expert Security Tip:

This is a Social Engineering & Real-time Interception attack. Scammers create a fake “financial threat” (the new fee) to make you panic and give up your OTP. Remember: Banks do not ask you to “log in and verify” to cancel a service fee. If a site asks for your Username and OTP at the same time, it is a phishing trap.

A phishing campaign targeting Bancolombia users employs fake “account blocked” alerts via SMS to steal credentials for the Bancolombia Personas mobile application, including usernames and real-time OTPs. The attack uses fraudulent websites to impersonate the bank’s login portal and pressures victims into entering sensitive information.

This phishing campaign against Bancolombia uses urgent SMS messages to lure victims to a fake “Sucursal Virtual Personas” portal. Attackers utilize a Man-in-the-Middle (MitM) method to harvest user credentials and dynamic keys, facilitating unauthorized access to financial accounts.

Expert Security Tip: Real-Time Dynamic Key Interception
The Method:
This Bancolombia phishing attack is a high-level Man-in-the-Middle (MitM) exploit. Scammers aren’t just looking for your password; they are waiting in real-time to intercept your Clave Dinámica (Dynamic Key).
The Trap:
When you enter your credentials on this fake page, the attacker simultaneously logs into the actual Bancolombia server. The moment the bank asks for your 6-digit security code, the phishing site prompts you to enter it. By providing that code, you are giving the hacker a “one-time pass” to authorize a fraudulent transfer or register a new device to your account.
How to Protect Yourself:
The “Context” Rule: If a website asks for your Dynamic Key (Clave Dinámica) immediately after you enter your password — without you performing a specific transaction — it is 100% a phishing trap.
App-Only Authorization: Treat your Dynamic Key as a digital signature. Only use it inside the official Bancolombia App or on the bank’s official website that you accessed by typing ://bancolombia.com manually.
Zero Trust for Links: Bancolombia will never send you a link via SMS or Email to “synchronize” or “update” your security keys. Any such request is a scam.

A phishing campaign targeting First Citizens National Bank customers uses a fake “System Update” page to perform real-time MFA bypass and account hijacking. Attackers utilize lookalike URLs to harvest credentials and SMS codes, allowing them to instantly access authentic banking sessions.

This phishing campaign against First Citizens National Bank uses fake “security sync” emails and SMS to drive victims to a spoofed, high-fidelity login page. It employs a man-in-the-middle technique to steal credentials and intercept real-time MFA codes to take over accounts, urging users to check for suspicious URLs and never enter MFA codes on linked pages.

First Citizens National Bank “Security Maintenance” Phishing
Target: Customers of First Citizens National Bank (USA)
Threat Level: High (Credential Harvesting & MFA Bypass)
Phishing Method Description
This attack targets the Digital Banking users of First Citizens National Bank. Scammers use a “Security Alert” or “Mandatory Update” pretext, sending out Smishing (SMS) or Phishing Emails claiming that an “Unauthorized Device” has logged into the account or that a “Security Maintenance” procedure is required to keep the account active.
The link leads to a high-fidelity clone of the official First Citizens login portal. The phishing kit is specifically designed to harvest:
Access ID / Username
Password
Multi-Factor Authentication (MFA) Codes: The fake site prompts the victim to enter the SMS or Email code in real-time. The attacker immediately uses this code on the actual bank site to gain full access and initiate fraudulent transfers.

Red Flags to Watch For

Deceptive Domain: The official domain is firstcitizens-bank.com or FirstCitizens.com. Phishing sites use lookalikes such as firstcitizens-secure.online, login-firstcitizens.net, or free hosting subdomains like firstcitizens.web.app.
Requests for MFA during Login: If a site asks for an MFA code immediately after you enter your password on an unfamiliar page you reached via a link, it is a sign of a real-time interception attack.

Expert Security Tip:

The “Middleman” MFA Interception
The Method:
This case highlights a sophisticated Real-Time Proxy Attack. Scammers are not just stealing your password; they are acting as a “middleman” (Man-in-the-Middle). When you enter your credentials on this fake page, the attacker simultaneously enters them on the actual bank’s server.
The Trap:
The bank then sends a legitimate Multi-Factor Authentication (MFA) code to your phone. The phishing site immediately asks you for that code. By providing it, you aren’t “securing” your account—you are handing the final key to the hacker, allowing them to authorize a new device or empty your account in seconds.
How to Protect Yourself:
Read the SMS Carefully: If you receive an MFA code, read the full text. It often says: “Do not share this code with anyone. If you didn’t request this, contact us immediately.”
MFA is for YOU, not them: Never enter an MFA code on any website that you reached through a link in an email or text message.
The “Manual Entry” Rule: Always access your bank by typing the official address manually into your browser. If there is a real security issue, you will see a notification after a safe login.

A phishing campaign targeting MidFirst Bank customers utilizes a “Security Update” pretext, employing SMS or email to prompt users to sync accounts on a fraudulent website. This high-level threat harvests login credentials and real-time One-Time Passcodes (OTP) via a clone of the official MidFirst login page, enabling immediate account takeover.

MidFirst Bank “Personal Banking Security” Phishing
Target: Customers of MidFirst Bank (USA)
Threat Level: Critical (Identity Theft & Full Account Takeover)
Phishing Method Description
This attack targets the Personal Banking users of MidFirst Bank. Scammers use a “Security Update” or “Unauthorized Login” pretext, sending out Smishing (SMS) or Phishing Emails claiming that an “Unauthorized Device” has logged into the account or that a “Security Maintenance” procedure is required to keep the account active.
The link leads to a high-fidelity clone of the official MidFirst login portal. This sophisticated phishing kit is specifically designed to harvest:
Online Banking ID / Username
Password
Social Security Number (SSN) (Full or last 4 digits)
Security Challenge Questions & Answers: The fake site prompts the victim to provide answers to their secret questions (e.g., Mother’s maiden name, childhood pet).
MFA / One-Time Passcodes (OTP): Intercepted in real-time to bypass two-factor authentication.

Red Flags to Watch For

Deceptive Domain: The official domain is midfirst.com. Phishing sites use lookalikes such as midfirst-secure-login.com, midfirst-online-verify.net, or free hosting subdomains like midfirst-portal.web.app.
Excessive Information Requests: A legitimate bank will never ask you to provide your full Social Security Number and answers to all your security questions on a single page just to “log in.”
Requests for MFA during Login: If a site asks for an MFA code immediately after you enter your password on an unfamiliar page you reached via a link, it is a sign of a real-time interception (MitM) attack.

How to Protect Yourself

The “Manual Entry” Rule: Always access MidFirst Bank by typing ://midfirst.com manually into your browser’s address bar. Never use links from unexpected emails or text messages.
Use the Mobile App: Manage your accounts through the official MidFirst Bank Mobile App. Authentic security alerts will be delivered inside the secure app environment.
Never Share Security Answers: Treat your security question answers like secondary passwords. No bank will ask for them via an unsolicited link.
Verify the SMS Source: Official alerts come from short codes. If you receive a banking alert from a standard 10-digit mobile number, treat it as a scam.

Expert Security Tip:

Security Question Harvesting
The Method:
This case highlights an Identity Profiling Attack. Scammers are not just looking for your password; they want to harvest your Security Challenge Questions.
The Trap:
By providing these answers, you are giving the hackers a permanent “backdoor” to your account. Even if you change your password, they can use these stolen answers to reset it or bypass future security checks.
How to Protect Yourself:
Treat Security Answers as Passwords: Never enter them on any website that you reached through a link.
The “Context” Rule: A bank already knows your security answers; they should only ask for one at a time for verification, never all of them at once in a bulk “update” form.
MFA is Your Shield: Always use an app-based authenticator if possible, as it is much harder to phish than SMS codes or secret questions.

This phishing case targets Sparkasse customers in Germany using a sophisticated “PushTAN/S-ID-Check” scam. Attackers utilize smishing and email to direct users to fraudulent, pixel-perfect sites, harvesting credentials and using Man-in-the-Middle techniques to trick users into authorizing fraudulent device registration through the official app. Protection involves disregarding links, using only the official app, and carefully verifying push notifications.

Sparkasse “S-pushTAN Activation” Phishing
Target: Customers of Sparkasse Banks (Germany)
Threat Level: Critical (Real-time Account Takeover & pushTAN Hijacking)
Phishing Method Description
This attack uses a Security Compliance pretext. Victims receive an SMS (Smishing) or Email claiming that their “S-pushTAN access is expiring” or that a “New Security Standard” requires an immediate update to their digital signature method.
The link leads to a high-fidelity clone of the Sparkasse “Online-Banking” portal. This sophisticated phishing kit is designed to perform a Man-in-the-Middle (MitM) attack, harvesting:
Anmeldename / Legitimations-ID (Login ID)
PIN (Online banking password)
Mobile Phone Number
pushTAN / SMS-TAN Codes: The fake site prompts the victim to authorize a “test” or “synchronization” in their pushTAN app. In reality, the victim is authorizing the attacker to link a new device to the account or to perform a large wire transfer.

Red Flags to Watch For

The Lookalike URL: The official domain structure is sparkasse.de or specific city domains like berliner-sparkasse.de. Phishing sites use deceptive addresses like s-pushtan-aktualisierung.com, sparkasse-sicherheit.net, meine-sparkasse-login.online, or free subdomains like sparkasse.web.app.
Urgent Deadlines: Messages like “Action required by midnight to avoid account lock” are classic social engineering tactics.
Requesting a TAN for “Security Updates”: A real bank will never ask you for a TAN (Transaction Number) just to “update” your profile or “verify” your identity. TANs are strictly for authorizing outgoing payments or sensitive changes.

How to Protect Yourself

The “Manual Entry” Rule: Always access your bank by typing the address of your local Sparkasse manually into your browser. Never follow links from SMS or emails.
Use the Official App: Manage your finances and security settings only through the official Sparkasse and S-pushTAN apps.
Read the TAN Content: Before confirming any pushTAN request on your phone, read the description carefully. If it says “New Device Registration” or shows a transaction amount you didn’t initiate, REJECT it immediately.
Immediate Action: If you have entered your data on a suspicious page, call the central emergency blocking number in Germany: 116 116.

Expert Security Tip:

The “pushTAN” Hijack
The Method:
This case highlights a Device Binding Scam. Scammers are not just after your password; they want to steal your pushTAN authorization.
The Trap:
By tricking you into “synchronizing” your security, they are actually trying to register their own smartphone as the authorized device for your account. Once they have successfully linked their device, they can empty your account without needing any further codes from you.
How to Protect Yourself:
Never “test” your TAN: Banks do not conduct “test” synchronizations via web links.
Zero Trust for SMS Links: Sparkasse will never send you an SMS with a link to a login page. If there is a link, it is a scam.

An Interac phishing campaign, often targeting Canadian bank customers, uses a sophisticated gateway to impersonate the instant money transfer system and harvest banking credentials, security questions, and OTP codes. Victims are lured via SMS or email to fake portals that perfectly clone major financial institutions to facilitate account takeovers.

This phishing campaign targeting Canadian bank customers, particularly through Interac e-Transfers, lures victims with fake “unexpected money” notifications via SMS or email to harvest credentials. Victims are directed to a spoofed “Interac e-Transfer” portal that clones major Canadian bank login pages, allowing attackers to steal User IDs, passwords, security answers, and 2FA codes in real-time. Users are advised to enable Autodeposit and avoid clicking links in unexpected transfer notifications to avoid this credential harvesting attack.

Interac e-Transfer “Deposit Notification” Phishing
Target: Canadian Bank Customers (RBC, TD, Scotiabank, BMO, CIBC, etc.)
Threat Level: Critical (Bank Account Takeover & Identity Theft)
Phishing Method Description
This attack uses Financial Bait. Victims receive an SMS (Smishing) or Email claiming that an “Interac e-Transfer” is waiting for them (e.g., a tax refund, a utility rebate, or a payment from a contact).
The link leads to a fake Interac Gateway page that looks identical to the real portal. It presents a list of major Canadian banks. Once the victim selects their bank, they are redirected to a pixel-perfect clone of that bank’s login page. This kit is designed to harvest:
Online Banking Credentials (Card Number/Username and Password)
Security Challenge Questions & Answers
Mobile Phone Number (for intercepting 2FA codes in real-time)

Red Flags to Watch For

The URL Trap: Official Interac transfers use domains like interac.ca or links directly from your bank’s official domain. Phishing sites use interac-deposit-mobile.com, e-transfer-notify.net, or free subdomains like interac.web.app.
Unexpected Money: If you aren’t expecting a transfer, any “surprise” money notification is a scam.
Direct Bank Selection: Real Interac notifications usually allow you to select your bank, but phishing sites often have “broken” buttons for all but the major banks they are targeting.

Expert Security Tip:

The “Autodeposit” Defense
The Method:
This case highlights a Credential & Security Question Harvesting attack. Scammers are not just trying to log in; they want the answers to your secret questions so they can bypass future security checks and change your contact information.
The Trap:
By clicking “Deposit,” you are voluntarily walking into a trap designed to steal your entire banking identity. Once they have your credentials and security answers, they can drain your account in minutes.
How to Protect Yourself:
Enable Interac Autodeposit: This is your best defense. If you have Autodeposit enabled in your official banking app, any legitimate e-Transfer will go straight into your account without you ever needing to click a link or answer a security question. If you have Autodeposit on and you still get a link to “deposit” money, it is 100% a scam.
Never Click SMS Links: If you receive an e-Transfer notification via SMS, ignore the link. If you think it’s real, log into your official banking app directly to see if the funds are there.
Identity is Key: Your bank will never ask you to “verify your identity” by answering all your security questions just to receive a deposit.