
[SCAM ALERT 049] - Banco Sabadell


Banco de Sabadell, S.A. is a Spanish multinational financial services company headquartered in Alicante and Barcelona, Spain. It is the 4th-largest Spanish banking group. It includes several banks, brands, subsidiaries and associated banks.

During our PreCrime internet scout of September 29th 2022 we identified suspicious markers across multiple vectors. One of those was this website spoof that could be targeting unsuspecting Banco Sabadell customers.

The Attack


Robinhood customers and clients or generally people interested in cryptocurrency.

Possible threats:

  • Phishing/smishing campaign - luring Sabadell customers to the site by sending them a text message impersonating Banco Sabadell with a link to the malicious domain. The message most likely indicates that users must sign in now due to an issue, to make victims feel a sense of urgency.
  • Credential harvesting and financial gain - once users are lured to the site, they are asked to expose their personal information (username, password, bank details).
  • Malware - infecting a victim's devices with malicious software to steal their sensitive information.
[Images: real site / scam site]

Technical Breakdown

Threat Indicators

  • Malicious domain impersonating Banco Sabadell
  • Domain not registered under the same registrar as Banco Sabadell
  • Newly registered site - September 23 2022
  • SSL certificates expire after three months


Detection and Threat Analysis

The malicious domain, bancsabadell-recibos[.]com, has been targeting Banco Sabadell, the fourth largest Spanish banking group. The malicious domain was created September 23 2022 and detected by September 24 2022.

  • The malicious domain directs the victim to a replica of the legitimate Banco Sabadell login page. This indicates that the scam is most likely an attempt to gain access to Banco Sabadell customer bank accounts to steal their personal information and money.
  • The registered SSL certificates expire after three months and one of them is issued by a non-trusted certificate issuer (Let’s Encrypt), indicating malicious intent.
  • The IP address shows some malicious traffic, with malicious .APK files communicating with it.
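
The indicators listed under Threat Indicators and in the analysis above can be checked mechanically against WHOIS and certificate data. The sketch below is an added example, not Bfore.Ai's code or tooling. It assumes bancsabadell.com is the brand's legitimate domain, uses placeholder registrar names, and runs on constructed records.

```python
from datetime import date

# Assumptions, not from the original page: the brand's legitimate domain and
# both registrar names are placeholders; all records below are constructed.
BRAND = {"tokens": ("sabadell",),
         "legit_domains": {"bancsabadell.com"},
         "registrar": "REGISTRAR-A (placeholder)"}
OBSERVED = date(2022, 9, 29)  # scout date given in the post

def refang(domain):
    """Turn a defanged indicator (example[.]com) into a parseable hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

def registrable(host):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def indicators(rec, observed=OBSERVED, brand=BRAND, max_age_days=30, max_cert_days=90):
    """Return which of the post's threat indicators a WHOIS/certificate record triggers."""
    host = refang(rec["domain"])
    if registrable(host) in brand["legit_domains"]:
        return []                      # the brand's own domain or a subdomain of it
    if not any(tok in host for tok in brand["tokens"]):
        return []                      # no brand reference: out of scope for this check
    hits = ["brand-impersonation"]
    if rec["registrar"] != brand["registrar"]:
        hits.append("registrar-mismatch")
    if (observed - rec["created"]).days <= max_age_days:
        hits.append("newly-registered")
    # Weak on its own: 90-day certificates are also common on legitimate sites,
    # so this only adds weight when the stronger indicators above are present.
    if rec["cert_days"] <= max_cert_days:
        hits.append("short-lived-cert")
    return hits

SAMPLES = [  # constructed records
    {"domain": "bancsabadell-recibos[.]com", "created": date(2022, 9, 23),
     "registrar": "REGISTRAR-B (placeholder)", "cert_days": 90},
    {"domain": "www.bancsabadell.com", "created": date(2000, 1, 1),
     "registrar": "REGISTRAR-A (placeholder)", "cert_days": 365},
    {"domain": "bancsabadell.com.example.net", "created": date(2015, 1, 1),
     "registrar": "REGISTRAR-B (placeholder)", "cert_days": 365},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["domain"], indicators(rec))
```

The third record shows why the comparison is made on the registrable domain rather than on a substring match: a hostname can begin with the brand's real domain and still belong to someone else.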



WhoIs Record


IP address

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day, we have you covered no matter where the attack comes from. With only a 0.05% false positive rate, you can stop wasting time chasing false alerts. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information!

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid - and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team:

  • Pay close attention to the URL
  • Check connection security indicators (the lock)
  • Read emails carefully
  • Look for trust seals



This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.