AI Chatbot Phishing Scam Impersonating a Bank's Brand
A convincing AI chatbot dressed up in a bank's colors, logo, and tone answers questions like a real support assistant, then guides customers into a fake 'secure verification' flow that steals login credentials.
Last reviewed: 5 July 2026
Because online banking support increasingly happens through chat, a fake assistant that copies a bank's branding down to greeting style and color scheme can feel indistinguishable from the real thing, especially embedded in a cloned login page.
How this scam works on a bank's brand
A phishing email or text links to a fake bank login page with an AI chat widget in the corner. The widget greets the visitor under a generic version of the bank's real name and offers to 'help verify your account.' The bot answers general banking questions plausibly, then asks the visitor to log in through the embedded form to 'confirm identity' before proceeding. The username and password are captured the moment they're typed.
In more advanced versions, the chatbot then asks for a one-time passcode sent by the real bank, relaying it in real time to log into the victim's actual account elsewhere, effectively using the fake chat interface as a live phishing relay rather than a static credential harvester. Because the conversational format feels more personal and responsive than a plain fake login page, some victims trust it enough to hand over the second-factor code even after initial hesitation.
Common red flags
- A bank chat widget appears on a page reached through an email or text link rather than by typing the bank's known web address directly
- The bot asks you to log in or enter a one-time passcode directly within the chat window
- The URL in the address bar doesn't match the bank's real domain, even if the page and chatbot look convincing
- The bot pushes urgency, such as claiming your account will be locked unless you verify immediately
- The bot requests a full password or OTP code rather than directing you to the bank's own app
- The page hosting the chat has no padlock, or its security certificate details don't match
How to protect yourself
- Always reach your bank's website by typing the address directly or using your saved bookmark, never through an email or text link
- Never enter your login credentials or one-time passcode inside a chat widget, even if it's branded convincingly
- Treat any request to 'verify' by logging in through a chat window as fraudulent, since real banks don't authenticate customers this way
- Check the browser address bar and certificate details carefully before entering any information
- Contact your bank directly through its official app or verified phone number if you're unsure whether a message is genuine
- Enable transaction alerts so you're notified immediately of any unauthorized login or transfer
How to report it
- Report the phishing page and chatbot to the real bank's fraud or security team immediately
- Forward phishing emails or texts to your bank's dedicated abuse reporting address
- Report the fake domain to your browser's phishing reporting tool and your national cybercrime center
- Change your password and enable additional account monitoring if you entered any credentials
Frequently asked questions
Can a fake bank chatbot really relay my one-time passcode in real time?
Yes, some phishing operations use the fake chat as a live relay, immediately using any code you provide to log into your real account before it expires.
How do I know I'm on my bank's real website?
Type the bank's address directly into your browser or use a saved bookmark rather than clicking any link, and verify the domain and security certificate match exactly.
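The exact-match domain check from the answer above, as an added example that is not part of the original page: it shows why a link can contain the bank's name and still lead somewhere else. The domain `examplebank.com`, the function name `check_link`, and the sample links are constructed placeholders. A passing result only means the link points at the official domain, not that the message is genuine.

```python
from urllib.parse import urlsplit

# Assumption: the bank's real domain is known in advance (placeholder value).
OFFICIAL_DOMAIN = "examplebank.com"

def check_link(url, official=OFFICIAL_DOMAIN):
    """Return (is_official, reason) for a link received by email or text."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed url"
    if parts.scheme != "https":
        return False, "not https"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    # "https://bank@other-host/" goes to other-host; the part before "@" is ignored.
    if "@" in parts.netloc:
        return False, "userinfo hides real host"
    # Non-ASCII or punycode labels can render like the real name in the address bar.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "lookalike characters"
    # Only an exact match, or a subdomain ending in ".<official>", counts.
    if host == official or host.endswith("." + official):
        return True, "official domain"
    if official in host:
        return False, "official name embedded in another domain"
    return False, "different domain"

# Constructed sample links, one per failure mode.
SAMPLES = [
    "https://www.examplebank.com/login",
    "https://examplebank.com.secure-verify.example/login",
    "https://examplebank.com@203.0.113.10/login",
    "https://ex\u0430mplebank.com/login",  # Cyrillic "a" in place of Latin "a"
    "https://examp1ebank.com/login",
    "http://www.examplebank.com/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_link(link)
        print(("OK   " if ok else "BLOCK"), reason, "<-", link.encode("ascii", "backslashreplace").decode())
```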