Cybercriminals are running a large-scale phishing campaign targeting Turkish banks through fake banking websites, fraudulent advertisements, and scam loan offers. Researchers found more than 8,400 phishing domains and over 6,600 malicious advertisements on Facebook and Instagram designed to steal banking credentials and personal information.
The investigation also identified more than 23,000 victim complaints, highlighting the scale of the operation and its impact on customers across Turkey.
How the Campaign Works
Attackers use sponsored social media advertisements that impersonate legitimate banks and promote fake loan offers or financial services. Victims who click these ads are redirected to phishing websites that closely resemble official banking portals, where they are asked to enter login credentials, one-time passwords (OTPs), and other sensitive information.
Researchers found that the attackers frequently change their phishing infrastructure. Domains, advertisements, and hosting services are rotated regularly, sometimes within minutes, making it difficult for security teams to block the attacks before new ones appear.
The campaign also relies on a phishing toolkit sold through underground marketplaces. This toolkit allows cybercriminals to quickly create convincing phishing pages targeting multiple Turkish banks and government services, lowering the barrier for launching large-scale attacks.
Recommendations for Banks and Customers
Financial institutions should strengthen their defenses by continuously monitoring for phishing domains, fake social media advertisements, cloned websites, and brand impersonation attempts.
Recommended security measures include:
- Monitor for newly registered phishing domains and fake banking websites.
- Track fraudulent advertisements across social media platforms.
- Detect and remove fake mobile apps and cloned banking portals.
- Monitor suspicious account activity that may indicate money mule operations.
- Accelerate takedown requests with domain registrars, hosting providers, and online platforms.
- Educate customers about phishing and social engineering attacks.
Customers can also reduce their risk by following these best practices:
- Access online banking only through official banking apps or trusted websites.
- Avoid clicking banking links shared through advertisements, emails, or text messages.
- Never share passwords, one-time passwords (OTPs), or banking credentials with anyone.
- Verify loan offers and financial promotions directly with your bank before responding.
- Report suspicious websites or advertisements to your bank immediately.
This campaign demonstrates how cybercriminals are combining phishing websites, social media advertising, and financial fraud into highly organized operations. Staying vigilant, verifying banking communications, and maintaining strong security controls remain essential for protecting both financial institutions and their customers.