February 14, 2020

Inside Look Into Phishing Campaign Targeting Mobile Banking


Nearly 4,000 victims fall for off-the-shelf, mobile-only phishing attack

Consumers are increasingly using mobile banking apps as their primary means to manage their finances, transfer funds, deposit checks and pay bills. In fact, 89% of survey respondents from the Business Insider Intelligence's Mobile Banking Competitive Edge Study reported they use mobile banking. Unfortunately, this trend has not gone unnoticed by cybercriminals who are starting to exploit it as a new attack vector.


Heat map showing the spread of IP locations of victims of this phishing campaign. Over 3,900 unique IP addresses were captured over a seven month period.

With the increase in multi-factor authentication for many apps, including those used for mobile banking, consumers are increasingly accustomed to banks communicating using SMS messages. Since mobile users are typically on the move and less likely to scrutinize the authenticity of an SMS message, text messages have become an attractive new attack vector.

In fact, Lookout Phishing AI recently discovered a phishing campaign targeting customers via SMS messaging to lure them to fake websites of well-known Canadian and American banks. The phishing campaign, primarily spread through SMS messages, mirrors the login pages of the banks in an effort to capture the user’s banking credentials and other sensitive login information. Some of the banks affected by this phishing campaign include Scotiabank, CIBC, RBC, UNI, HSBC, Tangerine, TD, Meridian, Laurentian, Manulife, BNC, and Chase, all of which were notified prior to publishing.

Mobile-only phishing attack

Our research indicates that this phishing campaign solely targets mobile users. The web pages are built to look legitimate on mobile, with login pages mirroring mobile banking application layouts and sizing, and they include links such as “Mobile Banking Security and Privacy” or “Activate Mobile Banking.”

Screenshots of fake mobile banking sites used in this campaign.

In addition, the discovery of an automated SMS tool linked to the phishing kit shows that the attacker can compose a single message and then easily send it to as many phone numbers as they want, further indicating a mobile-first attack strategy.


Automated SMS sender seen across the phishing sites, enabling the actor to efficiently spread malicious links.

Many of the pages in this campaign appear legitimate through actions like taking the victim through a series of security questions, asking them to confirm their identity with a card’s expiration date or double-checking the account number.

Screenshots of fake mobile banking sites used in this campaign.

Lookout has identified over 200 phishing pages that were part of this campaign and has notified all banks affected. As of today, the campaign is offline. When the attack was discovered, the Lookout Phishing AI engine was able to recover the victims’ IP addresses and the dates on which the current deployment of the phishing kit recorded their clicks. This revealed both the scope of the campaign against these banks’ customers and its success: it had been running since June 2019.



How to protect against mobile phishing attacks

Customers of banks targeted by phishing campaigns are at risk of having their banking credentials stolen, which could lead to serious financial loss. However, spotting phishing attacks on mobile devices can be much more difficult than on a laptop or desktop computer. The features, functionality, and even the screen size of today’s mobile devices make it harder for a person to determine what is real versus what is fake.

If you receive a text message from your bank, do not click on any link in it. Instead, go directly to the bank’s website or open the bank’s app.
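The advice above (treat a link in an unexpected bank SMS as untrusted and go to the bank directly) can also be applied by a security team that triages messages reported by customers or staff. The Python below is an added example and is not Lookout’s code or part of this report: it flags a message that names one of the affected brands but links to a host outside that brand’s known domains, and raises the verdict when the brand name is embedded in the hostname or the text uses the kind of pressure language this campaign relied on. The brand allowlist and the sample messages are constructed placeholders (`.example` domains), not values from the campaign.

```python
"""Smishing triage heuristic: does a bank-branded SMS link to the bank's own domain?"""
import re
from urllib.parse import urlparse

# Legitimate hostnames per brand. Placeholder values constructed for this example
# (the report names the brands but not their domains); a real deployment would
# load each bank's published domains instead.
BRAND_DOMAINS = {
    "scotiabank": {"scotiabank.example"},
    "cibc": {"cibc.example"},
    "rbc": {"rbc.example", "royalbank.example"},
    "td": {"td.example"},
    "chase": {"chase.example"},
}

# Pressure phrases typical of MFA-style lures; their presence raises the verdict.
URGENCY_TERMS = ("verify", "locked", "suspended", "unusual activity", "confirm your identity")

# Matches http(s) URLs and scheme-less links such as "lnk.example/3xyz".
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def extract_hosts(text):
    """Return the lowercased hostname of every URL-like token in the message."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        if "://" not in raw:
            raw = "http://" + raw  # urlparse needs a scheme to split off the host
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def host_is_allowlisted(host, allowed):
    """True if host equals, or is a subdomain of, an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def triage_sms(text, brand_domains=BRAND_DOMAINS):
    """Classify one SMS as no_link, unknown_brand, allowlisted, suspicious or likely_phishing."""
    lowered = text.lower()
    hosts = extract_hosts(text)
    # Word-boundary match so a short brand like "td" does not fire inside other words.
    brands = [b for b in brand_domains if re.search(rf"\b{re.escape(b)}\b", lowered)]
    result = {"hosts": hosts, "brands": brands, "reasons": []}

    if not hosts:
        result["verdict"] = "no_link"
        return result
    if not brands:
        result["verdict"] = "unknown_brand"  # a link but no bank named; leave for review
        return result

    allowed = set().union(*(brand_domains[b] for b in brands))
    off_domain = [h for h in hosts if not host_is_allowlisted(h, allowed)]
    if not off_domain:
        result["verdict"] = "allowlisted"
        return result

    for h in off_domain:
        result["reasons"].append(f"link host {h} is not a known domain for {', '.join(brands)}")
    if any(b in h for b in brands for h in off_domain):
        result["reasons"].append("brand name embedded in a non-bank hostname")
    urgency = [t for t in URGENCY_TERMS if t in lowered]
    if urgency:
        result["reasons"].append("pressure language: " + ", ".join(urgency))

    # An off-domain link alone is suspicious; a lookalike host or pressure language
    # on top of it is the pattern this campaign used.
    strong = len(result["reasons"]) > len(off_domain)
    result["verdict"] = "likely_phishing" if strong else "suspicious"
    return result


# Constructed sample messages (not from the report) covering each verdict.
SAMPLE_MESSAGES = [
    "TD Alert: unusual activity detected. Verify your account at http://td-secure-login.example/verify",
    "Your RBC one-time passcode is 482913. Do not share it.",
    "CIBC: your statement is ready at https://www.cibc.example/statements",
    "Scotiabank notice: please confirm your identity at lnk.example/3xyz",
    "Chase: your new statement is available at https://statements.example/chase",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        r = triage_sms(msg)
        print(f"{r['verdict']:16} {msg}")
        for reason in r["reasons"]:
            print("    -", reason)
```

The check is deliberately conservative: a genuine one-time-passcode text with no link is left alone, and a link that resolves to the bank’s own domain passes, so the signal it produces is the one a customer cannot easily judge on a small screen, namely whether the destination actually belongs to the bank.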
