Almost every phishing case I have looked at starts with the same mistake: the visitor reached the login page from a search result or an email link, not by typing the bank's address themselves. By the time the user is filling in their account number, they have already trusted a domain they have not looked at properly. This article is a checklist of the small details that separate a real bank login from a convincing fake.
1. Look at the URL bar — really look
The single most useful habit you can build is to read the address bar before you type. Not a glance — an actual read. Phishing pages live on domains that are almost-but-not-quite the bank's real domain. Common patterns:
- Extra word.
hsbc-secure-login.cominstead ofhsbc.com. The extra word — "secure", "online", "auth", "portal" — is the giveaway. Real banks rarely use a separate "security" domain for the login itself. - Hyphen swap.
chase-online.cominstead ofchase.com. The hyphen makes it look more "official" to a casual reader; in reality, the bank's own brand domain is shorter. - Different TLD.
natwest.coinstead ofnatwest.com. A two-letter TLD that looks like a country code can be a real country, a corporate domain, or a typosquat. - Subdomain trick.
hsbc.com.security-login.io— the real domain here issecurity-login.io, nothsbc.com. The bank name on the left is decoration.
The most useful rule of thumb: everything to the right of the last dot before the first slash is the real domain. Read that part out loud. If it is not your bank's name, you are not at your bank.
2. HTTPS is necessary, not sufficient
In 2026 almost every phishing page is also over HTTPS. The padlock icon means "the connection is encrypted" — it does not mean "this is your bank". I have seen perfectly clean-looking fake login pages on paid SSL certificates, and the lock icon was green on all of them.
What HTTPS does tell you: if the padlock is broken or your browser is shouting about a certificate problem, get off the page immediately. No real bank ships a broken certificate.
3. Check the page came from where you think
If you reached the login from an email or an SMS, treat it as a phishing attempt until proven otherwise. Open a new tab. Type the bank's address from memory, from the back of your debit card, or from the bank's app on your phone. Continue from there.
Yes, this is a small inconvenience. It is also why I have never had to write the "how I got my account back" version of this article.
4. Real bank logins do not need your full card number
A real online-banking login page asks for a customer number, a username, or a passcode you set up when you registered. It does not ask for your full 16-digit card number, your CVV, your PIN, or your date of birth, all on the same screen. A page that asks for all of those is harvesting cards for fraud, not logging you in.
5. If you are asked to "verify" something urgent, slow down
Phishing pages run on urgency. "Your account will be locked in 60 minutes." "Suspicious activity — verify now." "One-time refund pending — confirm details." Real bank messages almost never ask you to log in right now from a link. They ask you to call a number on the back of your card, or to open the bank's app on a phone you already have.
6. Two-factor authentication is your safety net, not your shield
Strong two-factor authentication helps when an attacker already has your password — they still cannot get in without your phone. But sophisticated phishing pages now forward the second factor in real time: they show you the bank's actual login screen via a proxy, ask you for the SMS code, and immediately use it to log into the real bank. The defence is still the same: do not type your credentials into a page you did not navigate to yourself.
If you think you have been phished
Call your bank from a number printed on a physical card or statement, not from any link or number you found on the suspicious page. They can lock the account, reverse fraudulent payments where possible, and reissue cards. Speed matters: the first few hours after a phishing event are the window where most accounts can still be saved.
If you spot a phishing site impersonating a bank, you can also report it to the bank directly (most have a "fraud" or "report a scam" page on their main domain) and to your country's national cybercrime body — for example, NCSC in the UK, or ReportFraud.ftc.gov in the US.
— The CeeTrust Editorial Team