Phishing Campaign targeting State Bank of India users

Shreshta Threat Intelligence has uncovered a massive phishing campaign targeting State Bank of India users. 

State Bank of India (SBI) is an Indian multinational public sector bank and financial services statutory body headquartered in Mumbai, Maharashtra. SBI is the 48th largest bank in the world by total assets and ranked 221st in the Fortune Global 500 list of the world’s biggest corporations of 2020, being the only Indian bank on the list.1

State Bank of India users have been a common prey of phishing attacks

The phishing campaign is targeting  State Bank of India users. This campaign involves sending phishing URLs to users via various channels such as email, SMS and WhatsApp. 


The phishing websites are lazily crafted, containing images from the official login page of State Bank of India website. We believe the phishing websites are specifically designed for mobile banking, as evident from the structure and design of the website.


The motive of the threat actors is to harvest the Personally Identifiable Information (PII) of the user, specifically, the user’s Internet banking credentials, Aadhar Card number, PAN card number and date of birth. 

State Bank of India Phishing campaign Technical Analysis

Phishing websites impersonating State Bank Of India

Figure 1 – Screenshot of the phishing website impersonating State Bank of India.

Notably, a large part of the phishing website has been developed by using images from the official website –

Figure 2 –  The SBI logo and the settings menu are included as an image.

Figure 3 – Security instructions included in the phishing website are also in the form of an image

After clicking on the “Continue to Login” button, the user is redirected to a login page.

Figure 4 – Screenshot of the login page on the phishing website 

Figure 5 – The Image CAPTCHA (image verification)Captcha and the Audio CAPTCHA don’t work since they are mere placeholder images


Figure 6 – New User and Forgot Username and Password links don’t work because they are placeholder images 

After the user submits their internet banking login credentials, the user is redirected to the OTP request page.

Figure 8 – Image screenshot of the OTP page.

Figure 10 – The “Click here to resend the OTP” is an image

      • Figure 11 The phishing page prompts the user to enter their account holder name and date of birth.

    Figure 12 – After the user enters the account holder name and the date of birth, an OTP page is presented to the user

    Figure 13 – The phishing website then redirects, prompting the user to enter their full name as per their PAN card and their PAN card number

    Figure 15 – The page prompts the user to enter their Aadhaar number and their full name as per the Aadhaar card.


    Figure 16 – This page prompts the user to enter the OTP 

    Figure 17 – After submitting the OTP, the phishing website indicates that it is verifying the details, but after some time it times out. 


    Safety Recommendations

    1.  An SMS/email/Whatsapp message with a tone of urgency should be dealt with with extreme caution. This is true, especially in the case of any message from the bank.


    2. Always reach out directly to the bank and verify suspicious messages/emails before taking any action.


    3. If you become a victim of cybercrime, particularly financial crime, call  the national (India) cybercrime helpline 1930 or file a complaint at


    4. Shreshta Protective DNS blocks phishing, malware and other malicious communication in real-time. For enterprises, please email for a free 30-day trial. 


    With the growing cyber threat landscape, it’s important to stay vigilant and not fall prey to phishing scams.  Threat actors continue to operate phishing campaigns at scale   



    Free 30-day trial of our threat intelligence

    Threat actors constantly optimise and evolve their attacks to steal credentials and data and infiltrate networks. Our threat intelligence feeds are highly actionable and curated to protect against phishing, malware, C2 and newly registered domain names. 


    Interested? Please send us an email to for a free 30-day trial. 



    Website | + posts
    Website | + posts