Fake Bank Customer Service Chatbot Scam
Criminals deploy fake bank chatbot pages in paid search results and phishing emails to harvest online banking credentials and one-time SMS codes in real time.
Part of: Fake Customer-Service Chatbots
Last reviewed: 8 June 2026
Most major banks now offer live chat or AI-powered chat support through their official websites and apps. Scammers clone these chat interfaces and advertise them through paid search placements so they appear when users search for their bank's customer service number or help page.
Bank chatbot scams are particularly dangerous because the real-time interactive format creates a false sense of security — users feel they are having a conversation with a real institution rather than submitting data to a static phishing form. The chat can ask follow-up questions, respond to specific concerns, and mirror the tone of a genuine support interaction.
With banking credentials and a real-time SMS code, a scammer can log in to the victim's genuine online banking account within seconds, bypass two-factor authentication, and initiate transfers before the victim has even finished the chat.
How this scam works
A user searches for 'Barclays live chat' or '[Bank Name] contact number' on Google or Bing. A paid ad at the top of results leads to a convincing fake help-centre page. A chat window opens, asks for the user's name and account query, then — framed as 'identity verification before escalating to a specialist' — requests online banking username, password, and the SMS code that just arrived on the user's phone.
The credentials are used in a real-time relay attack: as the user types their password into the fake chat, the scammer enters it on the real bank's login page. The chat's request for the SMS code is timed to arrive at the exact moment the bank sends the genuine OTP, which the user passes on and the scammer then enters to complete the fraudulent login.
Once logged in, the scammer initiates a payment to an account they control, changes the registered mobile number or email address, and may add a new payee that can be used for follow-up transfers before the victim regains access.
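The post-login sequence described above (an OTP login from an unfamiliar device, followed quickly by a contact-detail change, a new payee and a payment) can be expressed as a bank-side detection rule. This is an added example, not part of the original page; the event schema, field names, sample events and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events. The schema and field names are assumptions,
# not any real bank's log format.
EVENTS = [
    {"ts": "2026-06-01T10:00:05", "acct": "A1", "type": "login_otp_ok", "device": "d1", "known_device": False},
    {"ts": "2026-06-01T10:01:10", "acct": "A1", "type": "contact_change", "device": "d1"},
    {"ts": "2026-06-01T10:02:00", "acct": "A1", "type": "payee_added", "device": "d1"},
    {"ts": "2026-06-01T10:02:40", "acct": "A1", "type": "payment", "device": "d1"},
    # Known device adding a payee: normal customer behaviour.
    {"ts": "2026-06-01T11:00:00", "acct": "B2", "type": "login_otp_ok", "device": "d2", "known_device": True},
    {"ts": "2026-06-01T11:03:00", "acct": "B2", "type": "payee_added", "device": "d2"},
    # New device, but the payment comes hours later, outside the window.
    {"ts": "2026-06-01T12:00:00", "acct": "C3", "type": "login_otp_ok", "device": "d3", "known_device": False},
    {"ts": "2026-06-01T14:30:00", "acct": "C3", "type": "payment", "device": "d3"},
]

RISKY = {"contact_change", "payee_added", "payment"}
WINDOW = timedelta(minutes=10)  # assumed threshold, tune on real data


def flag_takeovers(events, window=WINDOW, min_risky=2):
    """Return {account: sorted risky actions} for unfamiliar-device sessions
    that perform at least min_risky distinct risky actions within window."""
    logins = {}  # (acct, device) -> time of OTP login from an unfamiliar device
    hits = {}    # (acct, device) -> risky action types seen inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["acct"], ev["device"])
        if ev["type"] == "login_otp_ok":
            if ev.get("known_device", False):
                logins.pop(key, None)      # recognised device: stop tracking
            else:
                logins[key] = ts
                hits.setdefault(key, set())
        elif ev["type"] in RISKY and key in logins:
            if ts - logins[key] <= window:
                hits[key].add(ev["type"])
    flagged = {}
    for (acct, _device), actions in hits.items():
        if len(actions) >= min_risky:
            flagged.setdefault(acct, set()).update(actions)
    return {acct: sorted(actions) for acct, actions in flagged.items()}


if __name__ == "__main__":
    for acct, actions in flag_takeovers(EVENTS).items():
        print(f"ALERT {acct}: unfamiliar-device login followed by {', '.join(actions)}")
```

Only account A1 is flagged: B2 acts from a recognised device, and C3's payment falls outside the window.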
Common red flags
- The chat page was reached through a search engine advertisement rather than directly from the bank's domain.
- The URL is not the bank's official domain.
- The chat agent asks for your full online banking password.
- You are asked to enter an SMS code that just arrived on your phone 'to confirm your identity.'
- The chat asks you to download a file or install remote-access software.
- The bank's genuine app shows a new login from an unfamiliar device while you are chatting.
- The chat session stays open unusually long while 'connecting you to a specialist.'
How to protect yourself
- Access your bank's chat support only through the official app or by typing the bank's URL directly in the browser.
- Bookmark your bank's website and use the bookmark instead of searching for it each time.
- Know that your bank's genuine support will never ask for your full password or a real-time OTP.
- Enable login notifications so you are immediately alerted if your account is accessed from a new device.
- Use an authenticator app rather than SMS for two-factor authentication where your bank supports it.
How to report it
- Report the phishing site URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish.
- Contact your bank's fraud team immediately if you entered credentials.
- Report to the FTC at reportfraud.ftc.gov.
- Report to the NCSC (UK) at report.ncsc.gov.uk.
- File with ic3.gov if funds were transferred.
Frequently asked questions
How do I find my bank's genuine live chat?
Log in to your bank's app or navigate to your bank's official website directly (type it in the address bar). The chat function will be within the authenticated portal, not on an unauthenticated public search landing page.
Will my bank ever ask for my full password in a chat?
No legitimate bank will ask for your full password in any chat, call, or email. You may be asked to confirm partial memorable information for authentication, but never the complete password.
How do I report a fake bank website in search results?
Report to Google via safebrowsing.google.com/safebrowsing/report_phish. You can also report to the bank's fraud team and to the National Cyber Security Centre in the UK (report.ncsc.gov.uk).