TD Bank phishing page revealed

A sophisticated TD Bank phishing campaign targets Canadian and US customers using fraudulent SMS and emails to harvest EasyWeb credentials, security answers, and real-time OTP codes. The phishing kit, dubbed “EasyWeb Security Update,” utilizes a high-fidelity clone of the login portal to bypass multi-factor authentication, with scammers aiming for full account takeover via stolen security questions. Users are urged to avoid links in messages and to only access banking services by typing the official td.com URL.

This phishing campaign targets TD Bank customers in North America via fraudulent “EasyWeb Security Sync” alerts, aiming to steal credentials, 2FA codes, and security answers. The scam utilizes lookalike domains to steal sensitive information through a simulated security update process.

TD Bank “EasyWeb Account Alert” Phishing
Target: Customers of TD Bank (Canada and USA)
Threat Level: Critical (Full Identity & EasyWeb Access Hijacking)
Phishing Method Description
This attack targets users of the TD EasyWeb online banking portal. Scammers distribute urgent notifications via SMS (Smishing) or Email, claiming that “Your account has been temporarily disabled” or that “A new device has accessed your EasyWeb profile.” To “restore access,” the user is pressured to click a link.
The link leads to a high-fidelity clone of the TD EasyWeb login page. This multi-step phishing kit is designed to harvest:
  • Username / Access Card Number
  • Password
  • Security Challenge Questions & Answers: The fake site systematically asks for your secret questions (e.g., your first pet’s name, your mother’s maiden name).
  • Mobile Phone Number (for intercepting 2FA codes in real-time).

Red Flags to Watch For


  • Lookalike URL: The official domain is td.com or tdcanadatrust.com. Phishing sites use deceptive addresses like td-online-verification.net, secure-td-bank.com, easyweb-access-update.online, or free subdomains like tdbank.web.app.
  • Requesting Multiple Security Answers: TD Bank will never ask you to provide the answers to all your security questions on a single page or as a part of a “login update.”
  • Urgent & Alarming Tone: Phrases like “Immediate action required” or “Failure to verify will lead to permanent account closure” are classic social engineering tactics.

How to Protect Yourself


  • The “Manual Entry” Rule: Always access your bank by typing the address manually into your browser. Never use links from unexpected emails or text messages.
  • Use the TD App: Manage your accounts through the official TD Bank mobile app. Authentic security alerts will be delivered inside the secure app environment.
  • Never Share Security Answers: Treat your security question answers like secondary passwords. No bank will ask for them via an unsolicited link.
  • Verify by Phone: If you receive a suspicious alert, call the official TD customer service number (usually on the back of your card) to verify the status of your account.

Expert Security Tip:

The “Identity Restoration” Trap
The Method:
This case highlights a Complete Credential & Recovery Data Theft. Scammers are not just looking for your password; they are harvesting the recovery data (security questions) used to reset your password.
The Trap:
By providing your security answers, you are giving the hackers a permanent “backdoor” to your account. Even if you change your password later, they can use these stolen answers to impersonate you, call the bank’s support, or reset your credentials again.
How to Protect Yourself:
  • Questions are Passwords: Treat your security answers with the same level of secrecy as your main password. Never enter them on a page you reached via a link.
  • The Context Check: A real bank already knows your answers. If a site asks you to “update” or “confirm” them for no reason, it is 100% a scam.
  • Enable Two-Step Verification: Always use the strongest form of 2FA available (like the TD MySpend app or hardware tokens) to add an extra layer of defense.

Arvest bank phishing page detected

A high-fidelity Arvest Bank phishing campaign targets U.S. customers using SMS and email to steal credentials and intercept real-time MFA codes via fraudulent “sync” pages. Scammers use lookalike domains to trick users into providing login IDs, passwords, and security codes to bypass two-factor authentication, with official, manual access to arvest.com being the primary defense.

This phishing campaign targeting Arvest Bank customers uses fraudulent SMS or email alerts claiming account security issues to direct victims to a spoofed, high-fidelity login portal. Scammers utilize a real-time proxy attack to harvest usernames, passwords, Social Security Numbers, and multi-factor authentication (MFA) codes, allowing them to bypass security and seize full account control.

Arvest Bank “Account Verification” Phishing
Target: Customers of Arvest Bank (USA – Arkansas, Oklahoma, Missouri, Kansas)
Threat Level: Critical (Online Banking Access & Personal Data Theft)
Phishing Method Description
This attack targets users of Arvest Online Banking. Scammers use a “Service Interruption” or “Security Alert” pretext to create a sense of urgency. Victims typically receive a Phishing Email or SMS (Smishing) stating that their account has been “locked for security reasons” or that they must “validate their profile” to comply with new federal banking regulations.
The link in the message directs the victim to a high-fidelity clone of the official Arvest Bank login portal. This sophisticated phishing kit is designed to perform a multi-step harvesting process:
  • Initial Credentials: The site captures the Online Banking Login ID and Password.
  • Identity Verification: Once the login is “submitted,” the victim is redirected to a second form asking for highly sensitive data: Social Security Number (SSN), Date of Birth, and Mother’s Maiden Name.
  • Real-Time 2FA Bypass: The fake site prompts for the Secure Access Code (MFA). The attacker intercepts this code in real-time to gain full control of the actual account.

Red Flags to Watch For


  • Domain Irregularities: The official Arvest Bank website is arvest.com. Phishing sites use deceptive lookalikes such as arvest-online-secure.net, verify-arvest.com, login-arvest-bank.org, or free subdomains like arvest.web.app.
  • Excessive Data Requests: Arvest Bank will never ask you to provide your full Social Security Number or all your security challenge answers in a single session just to “verify” your identity via a link.
  • Inconsistent Branding: Look for subtle differences in the logo resolution, font styles, or broken links in the footer (e.g., the “Privacy” or “Locations” buttons often do not work on fake sites).

How to Protect Yourself


  • The “Manual Entry” Rule: Always access your accounts by typing arvest.com manually into your browser. Never use links from unexpected emails or text messages.
  • Use the Arvest App: Manage your banking through the official Arvest Go mobile app. Real security notifications will be delivered inside the secure app environment.
  • Verify by Phone: If you receive a suspicious alert, call the official Arvest customer service at (866) 952-9523 before taking any action.

Expert Security Tip:

The “Data Over-Collection” Red Flag
The Method:
This Arvest Bank case is a prime example of Full Identity Harvesting. Scammers are not just looking for a one-time login; they are looking to steal your Full Identity (Fullz).
The Trap:
By asking for your SSN and Security Questions alongside your password, the hackers are building a comprehensive profile that allows them to bypass future security checks, open new credit lines in your name, and even take over your other financial accounts.
How to Protect Yourself:
  • The “Minimalist” Rule: A legitimate bank already knows your SSN and your security answers. They will never ask you to provide all of them at once in a bulk “update” form.
  • MFA Awareness: Treat every Secure Access Code as the “keys to the kingdom.” If you receive a code that you did not personally trigger by logging in via the official app/site, delete it immediately—it means a hacker is trying to get into your account right now.
  • Zero Trust for Links: If an email or text message contains a link to a sensitive login page, it is almost certainly a scam. Banks send notifications, not links.

Swedbank phishing page revealed

A sophisticated Man-in-the-Middle (MitM) phishing campaign targets Swedbank customers across the Baltic and Nordic regions, using fraudulent Smart-ID and BankID authentication requests to steal credentials in real-time [1]. Attackers deploy malicious clones of the Swedbank login portal to harvest Personal Identity Numbers, phone numbers, and PINs, using them instantly on the legitimate site to hijack sessions and authorize fraudulent transfers.

Swedbank “Security Synchronization” Phishing
Target: Customers of Swedbank (Sweden & Baltic States)
Threat Level: Critical (Smart-ID / BankID Interception)
Phishing Method Description
This attack targets the Digital Banking users of Swedbank. Scammers use a “Security Alert” or “Account Update” pretext, sending out Smishing (SMS) or Phishing Emails claiming that your “Personal Identification” is expiring or that “Unusual activity” requires a manual login to verify your identity.
The link leads to a pixel-perfect replica of the Swedbank login portal. This sophisticated phishing kit is specifically designed to harvest:
  • Personal Identity Number (Personnummer / Isikukood)
  • Security Method Selection (Smart-ID, BankID, or Mobile BankID)
  • Authentication Codes: The fake site triggers a real authentication request on the victim’s phone (Smart-ID or BankID app). The victim, thinking they are logging in, enters their PIN1 or PIN2 on their mobile device, which effectively signs a fraudulent transaction or authorizes a session for the attacker.

Red Flags to Watch For


  • Deceptive Domain: The official domain is swedbank.se (Sweden), swedbank.ee (Estonia), etc. Phishing sites use lookalikes such as swedbank-verifying.online, secure-swedbank-login.net, or free hosting subdomains like swedbank.web.app.
  • Unexpected App Prompts: If your Smart-ID or BankID app suddenly asks for a PIN when you didn’t manually type the official bank address into your browser, it is 100% a phishing attempt.
  • Links in Security Messages: Swedbank has a strict policy: they will never include clickable links in SMS messages regarding account security or login verification.

How to Protect Yourself


  • The “Manual Entry” Rule: Always access your bank by typing the official address manually (e.g., www.swedbank.se). Never click links in messages.
  • Check the App Context: Before entering your PIN in the Smart-ID/BankID app, check the control code (the 4-digit number). It must match the one shown on a website you personally accessed.
  • Never Confirm Unsolicited Requests: If an app prompt appears “out of the blue,” cancel it immediately. It means someone has already entered your ID number on a fraudulent site.

Expert Security Tip:

The “Invisible Authorization” Trap
The Method:
This case highlights an Advanced Session Hijacking attack. Scammers are not just stealing a password; they are tricking you into using your Smart-ID or BankID to let them in.
The Trap:
When you enter your ID on the fake site, the hackers trigger a legitimate login request to the real bank. You then receive a notification on your phone. If you enter your PIN, you are not “verifying your identity” on the fake site—you are signing a digital signature that hands over full control of your real bank account to the attacker in seconds.
How to Protect Yourself:
  • Control Codes are Key: Always verify that the Control Code on the website matches the one in your app. If you are on a phishing site, the codes might match (because the hacker is mirroring the real bank), but the context is wrong.
  • The “Initiator” Rule: Only enter your PIN if YOU were the one who initiated the login process via a trusted browser or the official app.
  • Zero Trust for Links: Swedbank and other Baltic/Nordic banks will never send you a link to “Log in” or “Update” your security credentials via SMS or email.

Banco Bradesco phishing page detected

A sophisticated Banco Bradesco phishing campaign targets Brazilian users through fake “security re-registration” messages to steal account credentials and security tokens in real time. This critical-level threat employs lookalike domains and smishing to intercept Agency/Account numbers, PINs, CPF numbers, and mobile token codes for full account takeover.

A high-severity phishing campaign targeting Banco Bradesco customers in Brazil uses fraudulent “Security Key Update” alerts to steal login credentials and security tokens (Chave de Segurança) in real-time, enabling account takeovers. Attackers distribute malicious links via SMS or WhatsApp, leading to phishing sites that clone the official Bradesco portal to harvest Agência, Conta, and Token Digital codes. Users should avoid clicking links, verify URLs, and only manage accounts through the official Bradesco app, as the bank never requests security tokens for profile updates.

This Banco Bradesco phishing case highlights a sophisticated Man-in-the-Middle (MitM) attack designed to intercept security tokens in real-time, bypassing multi-factor authentication for full account hijacking. The attack uses SMS/email lures directing users to a fake portal, demanding a 6-digit ‘Chave de Segurança’ to authorize fraudulent PIX transfers immediately.
Expert Security Tip: Real-time token hijacking often involves scammers using stolen credentials to log into the legitimate banking site while the user is on the fake site, using the provided token to approve unauthorized actions. Never provide security token codes on websites reached through external links; treat any prompt for a token during login as an active phishing attempt.

La Poste phishing page revealed

A phishing campaign targeting La Poste customers in France uses SMS and email to solicit small shipping fees, ultimately stealing personal information, credit card details, and 3D-Secure codes to authorize fraudulent transactions. The attack leverages professional-looking clone sites and a “low-friction” micro-payment hook to steal high-value amounts despite requesting only a minor fee. Users are advised to track packages only through the official La Poste app or website and to carefully verify 3D-Secure SMS messages.

This phishing campaign targets French residents by using fake SMS or email notifications regarding a “redelivery fee” of a parcel, leading to a fraudulent clone of the La Poste website to steal credit card details and personal information. The attackers leverage a low-cost, 1.99€ “micro-payment” pretext to bypass suspicion and harvest 3D-Secure codes to execute unauthorized, larger transactions.
To avoid this threat, verify deliveries only through the official La Poste app, check for non-official sender numbers, and inspect URLs for suspicious domain names.

SFR phishing page revealed

A phishing campaign targeting French telecommunications provider SFR uses fraudulent emails and SMS to trick customers into entering personal and credit card details on fake “Espace Client” login pages. The attack, designed to harvest banking credentials and 3D-secure codes through fake payment or refund notices, highlights a growing utility billing scam tactic.

SFR “Refund / Unpaid Invoice” Phishing
Target: SFR (Société Française du Radiotéléphone) customers in France
Threat Level: High (Credit Card Skimming & Account Takeover)
Phishing Method Description
This attack targets users of the French telecommunications provider SFR. Scammers send out Phishing Emails or SMS (Smishing) using two common pretexts:
  • The Refund Bait: Claiming the user has overpaid their bill and is entitled to a refund (e.g., 50.00€).
  • The Payment Failure: Claiming a recent monthly payment failed and services will be suspended unless a small “regularization fee” is paid immediately.
The link leads to a high-fidelity clone of the SFR “Espace Client” portal. This phishing kit is designed to harvest:
  • Login ID and Password (to access the user’s contract and personal data).
  • Full Credit/Debit Card Details (Card Number, Expiry, and CVV).
  • Personal Information (Name, Address, and Date of Birth).
  • 3D-Secure SMS Codes: The fake site intercepts the security code in real-time, allowing the attacker to authorize a much larger fraudulent purchase instead of a “refund” or a small fee.

Red Flags to Watch For


  • Deceptive URL: The official domain is sfr.fr. Phishing sites use lookalikes such as mon-espace-sfr-reglement.com, remboursement-sfr.net, or free hosting subdomains like sfr-client.web.app.
  • Refund via Credit Card: Legitimate companies like SFR refund overpayments by crediting your next bill or via bank transfer (IBAN). They never ask for your CVV code to “send” you money.
  • Urgent and Alarming Language: Phrases like “Action requise immédiatement” or “Suspension de ligne” are used to induce panic.

Expert Security Tip:

The “Reverse Payment” Illusion
The Method:
This case highlights the “Refund-to-Skimming” tactic. Scammers exploit the psychological “reward” of receiving a refund to lower the victim’s guard.
The Trap:
By asking you to “enter your card details to receive a refund,” the scammers are actually setting up a payment gateway on their end. When you provide your card info and the subsequent SMS code, you aren’t receiving 50€—you are authorizing a payment of potentially hundreds or thousands of euros to the attacker’s account.
How to Protect Yourself:
  • Refunds go to IBAN: In France, utility and telecom refunds are almost always processed via the bank account (RIB/IBAN) already linked to your contract. If a site asks for your CVV (the 3 digits on the back) to “give” you money, it is always a scam.
  • Check the “Espace Client” Directly: Never click a link in an email. Go to www.sfr.fr manually or open the “SFR & Moi” app. If there is a real issue or refund, it will be visible there.
  • Verify the Sender: Official SFR emails come from @sfr.fr or @sfr.com. Be wary of addresses from other or generic domains.

Banca Intesa phishing page detected

A phishing campaign targeting Banca Intesa Beograd customers uses fraudulent SMS and email messages to harvest login credentials and real-time SMS OTPs via a spoofed login page. This Man-in-the-Middle attack aims to steal credentials for the Banca Intesa Mobi app, with fake links often leading to lookalike domains rather than the official bancaintesa.rs site.

This phishing case targets Intesa Sanpaolo customers, employing smishing/phishing techniques to steal “MyKey” login credentials and real-time security codes to authorize fraudulent transactions. Scammers utilize realistic fake portals and phishing kits to bypass 2FA by acting as a middleman, prompting users to enter legitimate O-Key SMS/app codes directly into the malicious site.
Expert Security Tip: Always manually enter the bank’s URL, and never input O-Key SMS codes on a website, as the attacker is likely proxying your credentials to a live, official banking session.

BAC Credomatic phishing page detected

A sophisticated phishing campaign targeting BAC Credomatic customers uses “Token Synchronization” to steal credentials and real-time OTP codes via fake banking portals, often distributed through Smishing or email. The attackers use high-fidelity clones of the bank’s portal to trick users into entering their username, password, and Código BAC, aiming to bypass multi-factor authentication for fraudulent transactions. To avoid this, users are advised to never follow links in security messages and only enter tokens when initiating transactions within the official app.

This case highlights a critical phishing threat targeting BAC Credomatic users, employing a “Digital Security Update” pretext to steal credentials, credit card details, and real-time Banca Móvil/Código BAC security codes. Scammers act as a “middleman,” utilizing intercepted OTP codes immediately to authorize fraudulent transfers or register new devices to the victim’s account. To protect against this, never enter security tokens to verify or unblock an account, and always use the official app rather than clicking links in alerts.

La poste phishing page detected

A phishing campaign targeting La Poste customers in France uses “address confirmation” scams to harvest full credit card details and bypass 3D-Secure protections [1]. Attackers utilize SMS and emails prompting a small fee to lead victims to cloned sites, stealing credentials and real-time security codes.

This phishing campaign targeting BAC Credomatic users in Central America employs SMS and email threats to force victims to a fake “Banca en Línea” portal. The attack, which impersonates “Codigo BAC” synchronization, is designed for real-time hijacking of user credentials and 2FA tokens to perform unauthorized transactions.
Key Defense Information

  • Method: Scammers act as a middleman to steal username, password, and the 6-digit security token (Codigo BAC) in real-time.
  • Warning Signs: Urgent language threatening account suspension and links to deceptive, non-official domains (e.g., sucursal-bac-seguridad.com).
  • Protection: Always manually type baccredomatic.com in the browser and never enter your security token on sites reached via links [1].

This BAC Credomatic phishing case demonstrates a real-time proxy attack where attackers act as a middleman to intercept 6-digit Codigo BAC security tokens in real time. By tricking users into entering this token, scammers authorize fraudulent transactions or register new devices immediately, highlighting that two-factor authentication can be bypassed if the user provides the code directly to the threat actor.

Canada Post fake page detected

A Canada Post phishing campaign uses SMS and email, claiming an “incomplete address” to lure victims into paying a small fee on a fraudulent website. This scheme steals full name, address, and credit card details, including 3D-Secure codes, to facilitate larger fraudulent transactions.

This Canada Post phishing campaign targets residents with fraudulent SMS/email alerts regarding package delivery failures, directing them to a fake portal to steal personal information and credit card data. The scam utilizes a “micro-payment” tactic to harvest card details and 3D-secure codes for high-value transactions, disguised as a small re-delivery fee. To protect against this threat, users should inspect the URL for legitimacy, ignore requests for payment via text, and verify tracking numbers on the official Canada Post site.

Canada Post “Address Verification” Phishing
Target: Residents of Canada and International Shippers
Threat Level: High (Credit Card Skimming & Identity Theft)
Phishing Method Description
This attack leverages Logistics Impersonation, specifically targeting users expecting or sending packages through Canada Post. Victims receive a “Smishing” (SMS) or Phishing Email stating that a package is held at a warehouse due to an “incomplete address” or a “small unpaid shipping fee” (usually under $3 CAD).
The link leads to a high-fidelity clone of the Canada Post tracking page. To “re-route” the package, the victim is prompted to enter:
  • Full Name and Delivery Address (to build a profile for identity theft).
  • Phone Number.
  • Full Credit/Debit Card Details (Number, Expiration Date, and CVV).
  • 3D-Secure SMS Codes: The fake site captures the verification code in real-time, allowing the attacker to authorize a much larger fraudulent purchase disguised as a small shipping fee.

Red Flags to Watch For


  • Deceptive Domain: The official Canada Post domain is canadapost-postescanada.ca. Phishing sites use lookalikes such as canadapost-redirection.com, postes-canada-verify.net, or free subdomains like canadapost-package.web.app.
  • Insecure Links in SMS: Canada Post has stated they will never send unsolicited text messages with clickable links asking for personal or financial information.
  • Unusual Payment Requests: A legitimate postal service will not hold a package for a $1.95 or $2.50 fee via a text message link. These “micro-payments” are a psychological trick to make the victim feel the risk is low.
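
The lookalike-domain red flags listed in the TD, Arvest, Swedbank, SFR, BAC Credomatic and Canada Post advisories above can be checked mechanically by a mail or SMS filter. The following Python code is an added example, not part of the original advisories: it compares a link's real hostname against the official domains named on this page and flags brand names appearing in any other host. The brand-token lists, the function names and the ".example" hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# brand -> (official domains named on this page, brand tokens to spot elsewhere).
# The token lists are an assumption made for this example.
BRANDS = {
    "TD Bank": (["td.com", "tdcanadatrust.com"], ["td", "tdbank", "easyweb"]),
    "Arvest": (["arvest.com"], ["arvest"]),
    "Swedbank": (["swedbank.se", "swedbank.ee"], ["swedbank"]),
    "SFR": (["sfr.fr"], ["sfr"]),
    "BAC Credomatic": (["baccredomatic.com"], ["bac", "baccredomatic"]),
    "Canada Post": (["canadapost-postescanada.ca"], ["canadapost", "postes"]),
}
FREE_HOSTING = ("web.app",)  # the free-subdomain host the advisories mention


def hostname_of(url):
    """Hostname a browser would connect to: lowercased, no userinfo, no port."""
    if "://" not in url:
        url = "https://" + url  # links in SMS lures often omit the scheme
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".")


def official_brand(host):
    """Brand whose official domain equals the host or is its parent domain."""
    for brand, (domains, _tokens) in BRANDS.items():
        for domain in domains:
            if host == domain or host.endswith("." + domain):
                return brand
    return None


def classify(url):
    """Return (verdict, brand, reason); verdict is official/lookalike/unknown/invalid."""
    host = hostname_of(url)
    if not host:
        return ("invalid", None, "no hostname")
    brand = official_brand(host)
    if brand:
        return ("official", brand, "official domain")
    # Split on dots and hyphens so 'td' matches 'secure-td-bank.com' but not 'std.com'.
    parts = set(re.split(r"[.-]", host))
    for brand, (_domains, tokens) in BRANDS.items():
        if parts & set(tokens):
            if any(host.endswith("." + s) for s in FREE_HOSTING):
                return ("lookalike", brand, "brand name on free-hosting subdomain")
            return ("lookalike", brand, "brand name in unofficial domain")
    return ("unknown", None, "not an official domain")


if __name__ == "__main__":
    # Sample links built from the domains quoted in the advisories, plus two
    # constructed cases (official name as a subdomain prefix or as userinfo).
    samples = [
        "https://www.canadapost-postescanada.ca/track",
        "postes-canada-verify.net",
        "tdbank.web.app",
        "https://td.com.secure-check.example/login",
        "https://td.com@login.example/",
    ]
    for link in samples:
        print(link, "->", classify(link))
```

A verdict of "unknown" only means no monitored brand name was found in the host; a login link that is not "official" should still be treated as untrusted.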

Expert Security Tip:

The “Micro-Payment” Trap
The Method:
This case highlights a common Financial Skimming tactic known as the “Micro-Payment” hook. Scammers ask for a negligible amount (e.g., $1.50 – $3.00) to lower your critical thinking.
The Trap:
When you enter your card details for a $2.00 fee, you aren’t just losing two dollars. You are handing over your full credit card credentials to a criminal database. Furthermore, the SMS code you receive from your bank is often not for the $2.00 fee, but for a much larger “invisible” transaction the attacker is processing in the background (such as a $1,000 gift card purchase or a high-end electronics order).
How to Protect Yourself:
  • Verify via Official App: If you have a tracking number, enter it manually into the official Canada Post app or website. Do not use the link in the message.
  • The CVV Rule: No shipping company needs your CVV code (the 3 digits on the back) to “confirm an address.” Requests for card security codes are a definitive sign of fraud.
  • Check the Currency: Phishing sites sometimes forget to localize. If a “Canada Post” page asks for payment in Euros (€) or US Dollars ($), it is 100% a scam.