Scammers Use FBR to Trap Online Bank Account Holders

scamScammers have come up with new technique to hunt online bank accounts in Pakistan to snatch their usersname and password and then to ultimately use these details to empty these accounts.

Previously these Phishing Attacks used to involve an email from bank itself, redirecting the users to fake bank website and to collect username/password information of the target.

Now, these attackers are sending emails from FBR, telling the users that there is a tax refund that they can claim by clicking an link which should lead to FBR website, but in reality it takes the user to attackers’ website.

Check below the email:


When a user clicks on the link provided in the email, it takes him/her to this webpage:

Where user is presented with a list of banks (with fake pages) to proceed for the tax refund. Upon clicking the link of any bank, user is taken to the fake page of that bank – which looks identical to original bank website – asking the username and password.


All the data input on this fake website is automatically sent to attacker who can use your username/password to use your internet-bank account at his/her will.

Message for General Users:

  • NEVER respond to any email that asks Password, Pin Code, Security answer or any similar information that you may not want to share with anyone.
  • Immediately report any such email to your bank
  • Register a complaint with FIA

Need for Awareness

Banks are sending out mass-emails to their users, explaining them what phishing attacks are and how not to respond to them. This is helpful in many ways, but banks probably need to do more. Maybe State Bank can take this initiative and do a mass-level campaign for users’ awareness.

Message for Banks!

  • With increasing trend of mobile banking and net-banking, there should be a comprehensive awareness campaigns by banks to educate their customers of such phishing attacks.
  • Enhance your security and intelligence to detect and deal with such criminal activities.

Message for NR3C

  • Tracking these websites is easy. Simply do a reverse IP lookup and see what other websites are hosted on same server
  • Contact details from host, or from other websites can get you to the culprits, simple and easy.
  • This is exactly how we tracked a friend who DDoS attacked us back in 2010

Tech reporter with over 10 years of experience, founder of ProPakistani.PK

  • Some responsibility lies with our selves as well, I had received one such email which was redirecting to fake bank site to grab details. I had forwarded that to NR3C’s complaint email. I didn’t got any reply but I think i had done my part.

    Also when it comes to bank/money and email be careful and don’t provide any personal info in any case. Also do have an eye on address bar while entering details to confirm you are on genuine website.

  • Whenever you transfer money to other account or add a new beneficiary, the bank generates a TPIN Code which is sent on your mobile/email simultaneously. If the hacker doesn’t have that, how will he transfer funds???

  • FIA IS Joke they dont care about Cyber Crimes they dont understand what the cyber crime is and taking charge of cyber Cell!!.

  • For funds transfer few banks send 2 Tpins 1 @ email Id and 1 at your registered cell number I think it is impossible to transfer funds without that my number has changed since then I cant transfer fund even if I want to

  • Normally all financial and sensitive websites have their websites on https and have certificate from companies like VeriSign , so whenever you find this type of redirection always look for the URL and at least check the URL is same as given by the service providers reliable source

  • As for advice to inform FIA,the ageny through forgery withdrew PKR.300,000/-onlyfromSCB on 19thjune2004 PLS/AC 18-6051863-01.The establishment was harassing me for exposing conspiracy against Z A BHUTTO.

  • >