Bank Phishing And Brand Fraud: How Financial Institutions Are Responding To Attacks Against Their Customers

A bank's customer does not need to make any technical mistake to become a fraud victim. All it takes is trust. Trust in an SMS that seems to have come from the bank, in a page that looks identical to the usual online banking site, in an Instagram profile with the right logo offering easy credit. The attack does not exploit a system vulnerability, it exploits the trust the bank itself spent years building with that customer.

This is the most critical, and hardest to eliminate, vector faced by financial institutions today: fraud that weaponizes the bank's own brand against its customers.

The Scale Of The Problem In Brazil

The numbers make clear this is not a marginal risk. According to Serasa data, Brazil recorded 6.9 million fraud attempts in the first half of 2025 alone, one every 2.3 seconds, and banks and cards were the target of more than half of those cases, many involving malicious links sent through SMS, WhatsApp, or social media.

CERT.br, officially responsible for monitoring security incidents in Brazil, maintains public statistics on fake pages used in phishing attempts aimed at obtaining direct financial gain, precisely the category that includes banks, credit cards, and payment methods. This ongoing tracking exists because the volume and persistence of this type of attack made a dedicated tracking system necessary, separate from general incident statistics.

Febraban data reinforces the pattern: among the most common financial scams applied against Brazilians are contactless card cloning, accounting for about 40% of reported fraud, the cloned WhatsApp scam, at 28%, and the fake bank call center scam, in which criminals pose as bank employees to induce transfers or data leaks.

Fake Online Banking Pages: The Classic That Keeps Working

The most traditional bank phishing technique remains one of the most effective: visually replicating a bank's login page, hosting it on a domain resembling the official one, and distributing the link through channels that appear legitimate.

A well documented historical case in Brazil illustrates how quickly this type of attack can reach scale. Criminals illegally used the names of Santander and Banco do Brasil to spread a scam via SMS, telling victims their card had been blocked or that their security token had expired. According to research by security labs specialized in fighting cybercrime, the scam claimed more than 33,000 victims in a single week, with the potential to reach over 400,000 people. The message led to a fake page that induced the victim to provide their national tax ID, full credit card details, and passwords.

Santander, in its own educational content on the topic, advises that its official emails are sent exclusively from the @santander.com.br domain and that any link received from a different sender should be treated as suspicious. The institution itself publicly acknowledges that fake pages identical to the original site are the most common bait used against its customers, and it maintains a direct channel ([email protected]) so that any suspicious communication made in the bank's name can be reviewed by its security team. To deceive users, criminals do not rely only on completely random URLs. They use typosquatting (registering common typos, such as santander-suporte.com.br) or more advanced techniques such as the IDN homograph attack. In this latter technique, attackers register domains containing characters from Cyrillic alphabets that are visually identical to Latin characters (for example, replacing the Western letter "a" with a Cyrillic "а"). On the customer's phone screen, the bank's name looks 100% correct, but the link points to a criminal server.

"Easy Loan" Scams: Phishing That Doesn't Even Need To Mimic The App

A particularly effective variation of brand fraud in the financial sector does not always depend on technically replicating a banking system. A social media profile with the institution's logo and an attractive offer is enough.

The pattern is consistent: criminals create fake profiles or ads on social media impersonating legitimate banks and lenders, offering credit with very favorable terms, guaranteed approval, or release without a credit check. After the first contact, they ask for advance payment of a fee, insurance, or tax to "release" the funds. Once the payment is made, the criminals disappear, and in many cases the scam repeats, with new charges alleging pending issues with the release.

The Central Bank and Febraban are categorical on this point: no financial institution authorized by the Central Bank can charge upfront fees to release credit, and financial institutions do not actively seek out customers by offering money through messages or social media. When an institution promotes a real credit campaign, it is announced through the press and the brand's own official channels, not through direct, individual outreach via WhatsApp or Instagram.

The damage from this scam goes beyond the immediate financial loss. Many victims end up sharing personal documents during the process, data that can later be used to open accounts or take out real loans in the victim's name, expanding the damage far beyond the amount of the initial "fee" paid to the scammer.

Fraudulent Apps: When The Official Store Doesn't Guarantee Origin

Another growing vector is the publication of fake apps that mimic legitimate banking apps, sometimes even within official app stores. These apps often use names or logos very similar to the originals, with small differences in spelling, color, or developer name that go unnoticed by hurried users.

Signs that help identify this type of fraud include inconsistent reviews, an unusually low number of downloads, requests for excessive device permissions, and the absence of clear information about the institution responsible for the app. Cases of cloned apps available in official stores have already generated dozens of reports filed by users, according to accounts from the digital security sector.

Added to this, there has also been growing use of legitimate remote access applications, such as AnyDesk and TeamViewer, as fraud tools: criminals call pretending to be bank representatives and convince the victim to install these programs under the pretext of technical support, gaining full control of the device and, as a result, direct access to bank accounts. Because these are widely recognized applications legitimately used for technical assistance, their presence on the phone does not usually raise immediate suspicion.

Why This Vector Is So Hard To Eliminate At The Root

Unlike a technical vulnerability in a system, which can be fixed with a patch, brand fraud exploits an asset the bank does not directly control: the trust the institution's own name carries. The bank can protect its servers, but it cannot directly stop a criminal from registering a similar domain, creating a fake social media profile, or buying a phone number to spoof a call center. In the fake call center scam, criminals use VoIP services configured to perform caller ID spoofing. This means they can mask the call's originating number so that, on the victim's phone screen, the real toll free number or card services number of their institution appears exactly as it should. The customer answers, fully believing in the legitimacy of the contact because of the caller ID.

This calls for a different response than what is normally associated with banking cybersecurity. It is not enough to protect the institution's technical perimeter, it is necessary to continuously monitor the external environment, the internet, social media, app stores, in search of unauthorized uses of the brand, and to act quickly to neutralize each occurrence before it reaches scale, as demonstrated by the case of 33,000 victims in a single week.

How Financial Institutions Are Structuring Their Response

The most mature institutions in tackling this problem have adopted a combination of practices:

Proactive communication and ongoing customer education. Banks like Santander and Banco do Brasil maintain public educational pages explaining exactly how to recognize official communications, detailing legitimate email domains and reinforcing that the institution never asks for a password, verification code, or full card details through a link, message, or phone call.

Dedicated channels for reporting brand fraud. Having a specific email or channel for reporting phishing (such as [email protected]) allows customers themselves to become part of the detection system, quickly flagging new fraudulent campaigns before they spread.

Identity verification within the app itself. The suspicious call identification feature built into the banking app, mentioned by Santander, lets the customer confirm within the official environment whether a call is legitimate before sharing any information, reversing the trust logic that the fake call center scam tries to exploit.

Continuous monitoring of domains, profiles, and apps using the brand. Early detection of fake pages, fraudulent social media profiles, and cloned apps is what allows action before a campaign reaches thousands of victims, instead of only responding after the damage is already done.

Coordinated takedown action. Identifying a phishing page is not enough, a structured removal request process is needed with hosting providers, domain registrars, and social media platforms, reducing the active exposure time of the threat.

How QuimeraX Operates In This Landscape

The Phishing module, part of QuimeraX's Brand Protection suite, continuously monitors the internet for pages with structural and visual similarity to legitimate financial institution domains, identifying online banking replicas before they reach the scale of victims seen in historical campaigns like the one that affected Santander and Banco do Brasil.

The Fake Social Media module identifies fake social media profiles that use the institution's visual identity, exactly the pattern used in "easy loan" scams, analyzing name, image, description, and posting patterns to classify risk before the profile gains significant reach. The Brands module, in turn, monitors misuse of the brand in app stores and public pages, helping identify fraudulent apps that mimic official banking apps.

Once a threat is identified, the Takedown module centralizes the collected evidence and structures the removal request process with providers, domain registrars, and digital platforms, tracking the full cycle through to confirmed removal. The differentiator lies in reducing the time between first detection and effective neutralization of the threat, the metric that matters most when a fraudulent campaign can reach thousands of customers within days.

Want to know if your institution's brand is already being used in fraud campaigns you haven't detected yet? Schedule a demo with the QuimeraX team and see how the Brand Protection and Takedown modules work in practice against bank phishing and identity fraud.

Conclusion

Brand fraud in the financial sector is not a problem solved simply by strengthening the bank's internal system security. It happens in the public space of the internet, on domains the bank did not register, on profiles the bank did not create, on apps the bank did not publish, but that carry its name and exploit the trust it built over years.

The documented cases in Brazil, from the tens of thousands of victims of fake SMS in a single week to loan scams that keep claiming victims years after being repeatedly flagged by the Central Bank, show that this vector does not disappear with one off awareness campaigns. It demands continuous monitoring of the external environment and rapid response capability, the only real way to shrink the window of time in which a fraudulent campaign can freely operate using the name of an institution the customer trusts.