Fake Bank Online Portal Phishing
Criminals build pixel-perfect replicas of popular bank online-banking portals and drive victims to them via SMS, email, or search-engine ads — harvesting full login credentials, security answers, and OTPs to take over accounts.
Last reviewed: 7 June 2026
Bank portal phishing is one of the most mature and well-resourced categories of online fraud. Criminals invest significantly in creating convincing replicas of bank login pages because a single successful credential harvest may provide access to a current account, savings account, and credit card simultaneously.
The delivery mechanism varies: smishing (fake bank SMS messages), phishing emails, or fraudulent paid search advertisements. All roads lead to the same destination — a fake version of the bank's online banking login page that captures everything the victim enters. The page is often hosted on a lookalike domain with an SSL certificate (the padlock icon), which many users incorrectly treat as proof that a site is legitimate.
Phishing kits targeting major banks are sold commercially in criminal marketplaces, meaning even technically unsophisticated criminals can deploy convincing bank-login clones rapidly. New kits often include automatic updates to match the real bank's latest design changes.
How this scam works against your bank's brand
Your bank's real online banking portal is accessed directly by typing your bank's web address (e.g. bankname.com) into a browser. Banks publish their login URLs on the backs of cards, in statements, and in their official apps — there is no legitimate reason to reach your online banking through a link in a text message or email.
Phishing portals often use domains that resemble the bank's real domain with minor modifications: added hyphens, extra words, or country-code top-level domains used instead of .com. They may include the bank's name as a subdomain of an unrelated domain (e.g. bankname.secureverify.net). The presence of an SSL certificate (https://) simply means the connection to the fake server is encrypted — it does not mean the site is the real bank.
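The domain comparison described above can be automated, for example in a mail or SMS filter. This is an added example, not code from this page or from any bank: `bankname.com` and the brand label are the page's placeholders, the sample URLs are constructed, and the short-label TLD rule is a heuristic assumed here in place of a public-suffix list.

```python
from urllib.parse import urlsplit

# Assumed placeholders: the page's example domain and the brand label in it.
OFFICIAL_DOMAIN = "bankname.com"
BRAND = "bankname"


def classify_login_url(url, official=OFFICIAL_DOMAIN, brand=BRAND):
    """Classify the host of `url` against the bank's registered domain."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare "host/path" as a host
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if "." not in host:
        return "invalid"
    # Only the exact registered domain, or a host beneath it, is genuine.
    # The leading dot matters: "notbankname.com" must not pass.
    if host == official or host.endswith("." + official):
        return "official"
    labels = host.split(".")
    if brand in labels:
        rest = labels[labels.index(brand) + 1:]
        # Heuristic: one label, or two short labels such as "co.uk",
        # after the brand is read as the brand under a different TLD.
        if len(rest) == 1 or (len(rest) == 2 and all(len(p) <= 3 for p in rest)):
            return "lookalike: brand under a different TLD"
        return "lookalike: brand as subdomain of unrelated domain"
    if any(brand in label for label in labels):
        return "lookalike: brand with added hyphens or words"
    return "unrelated"


# Constructed sample URLs, one per pattern named in the text.
SAMPLES = [
    "https://bankname.com/login",
    "https://online.bankname.com/login",
    "https://bankname.secureverify.net/login",
    "https://bankname-login.com/",
    "https://bankname.co/login",
    "https://example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_login_url(sample):50} {sample}")
```

Every sample here uses `https://`, and the scheme plays no part in the verdict: only the host is compared.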
After the victim enters their credentials, the fake portal may display a 'maintenance' message or redirect to the real bank's site. Some sophisticated versions forward the credentials to the real bank in real time — the victim is authenticated successfully and sees their real account, while the attacker captures the session token for later use.
Common red flags
- A bank login page you reached via a link in a text message or email
- The URL is not exactly your bank's registered domain — even if it contains the bank name
- The page asks for more information than usual: full card number, PIN, or security answers all at once
- An OTP from your bank arrives during the login on the fake page — the attacker is logging in simultaneously
- The login sequence feels slightly different from your normal experience
- An SSL padlock is present but the domain name next to it is not your bank's official domain
- After login, you are presented with security questions your bank has not asked before
How to protect yourself
- Always type your bank's web address directly into the browser — never follow a link
- Save your bank's official URL as a browser bookmark and use only that
- Use a password manager: it auto-fills only on the genuine bank domain and refuses to fill on phishing pages
- Enable multi-factor authentication on your online banking account
- Check the full URL — not just the padlock — before entering any credentials
- Keep your device and browser up to date; modern browsers flag many known phishing domains
- Register for your bank's genuine push alerts so you see real login events
How to report it
- Call your bank's fraud line using the number on the back of your card
- Report the phishing URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- Forward phishing emails to your bank's security email (published on the bank's official site)
- Forward smishing texts to 7726 (SPAM) in the US and UK
- Report to the FTC at reportfraud.ftc.gov or Action Fraud at actionfraud.police.uk
Frequently asked questions
Does a padlock icon mean a banking website is safe?
The padlock means the connection between your browser and the server is encrypted — not that the server belongs to your real bank. Phishing sites routinely have valid SSL certificates. Always verify the domain name, not just the padlock.
Can phishing pages really look identical to my bank's real site?
Yes. Commercial phishing kits can replicate a bank's login page with high accuracy, including the bank's current design, logos, and fonts. The only reliable way to tell them apart is the URL — your real bank's domain must match exactly.
What should I do if I entered my banking credentials on a fake page?
Call your bank's fraud line immediately using the number on the back of your card. Ask them to lock your account, change your online banking password from a trusted device, and review recent activity for unauthorised transactions.