Recent Santander phishing campaign – August 2020

Post hero image

Table of contents

As part of our ’Off the Hook’ series, we are reporting on emerging threats we come across. Recently, Santander scams have been hitting email inboxes hard. If you are following the threat landscape, you know that Santander has been a popular subject for phishing attacks and campaigns.  Even our threat analyst team members have been raising their eyebrows over these extremely well-crafted Santander phishing emails that we are about to show you.Banking phishing attacks are almost always designed to raise fear and make you feel like you need to take an urgent action. Often, these phishing emails relate to an unauthorized use of your bank account. Anyone of us would get a bit stressed and a rising heart rate reading that.Now, let’s take a look at our examples.

Santander phishing scams have been a favorite theme of attackers

”We suspect an unauthorized activity on your online banking account. Click here and verify your account”These emails we show you below are all sent from Sendgrid is a popular email platform used mainly for marketing - and phishing. Hackers can easily send emails using Sendgrid in the name of anyone to a massive group of people.

satander phishing example 1 hoxhunt

In our example, all of the emails end with Using this domain makes the emails look extremely real and many could believe that the message actually came from the bank. Especially because the address is a copy of Santander´s real domain, but the emails were actually sent from Spoofing detection (such as SPF, DKMIN, DMARC) fails to authenticate this email.

santander phishing example 2 hoxhunt

Usually, spoofing detection solutions are not easily available in typical email clients and discovery may require reading the email source information.

santander phishing example 3 hoxhunt

The spoofed pages look shockingly realistic

The images are screenshots from real threats. Once the victim clicked the link in the email, they were redirected to a page that looks like a webpage from Santander. All of the above images are from phishing emails that had a similar landing page behind the links.

santander phishing example 4 hoxhunt

All the pages were quite precise copies of the real Santander webpage. It looks extremely real: you can log in with personal, business, or corporate ID.

How can you tell that the page does not belong to Santander?

The best way to tell that these pages are not the real Santander site is to look at the URL: ’’  That doesn’t sound like something that belongs to Santander, does it?

Attackers use “Santander points” scams to make you act fast

Another Santander related phishing attack gently reminds you that you have enough “Santander points” to buy a TV, smartphone, or even a refrigerator. However, the points are expiring soon, so you better hurry!

santander phishing example 5 hoxhunt
santander phishing example 6 hoxhunt

This attack type is not new though – social engineers often play with people’s emotions. They want people to desire something enough so that they forget about being careful and out of haste they give away their credentials without thinking clearly. Remember to always be suspicious when something sounds too good to be true!

Do you like our 'Off the hook' threat stories?

We’ll be back soon with more interesting findings from our Threat Analysts! Stay tuned!

Read also our story on exceptionally difficult-to-spot Outlook 365 phishing >>

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this