'CIH Bank: your account will be blocked' — the bank-impersonation SMS scam that costs Belgian victims €50 million a year

An SMS arrives with your bank's name. It warns of a suspicious transaction and gives you a link to 'secure' your account. By the time you click and 'log in', the scammer has your password. Here's how the bank-impersonation phishing scam works, what real messages look like, and how to spot the fake before you tap.

You're walking to your car when your phone buzzes. An SMS from your bank: "CIH Bank: A suspicious transaction of MAD 3,500 was detected on your account. If this wasn't you, secure your account immediately: cih-securite.com/verify."

Your stomach drops. You tap the link. The page looks exactly like your bank's. You enter your login. Maybe the SMS code too. Maybe even your card details to "verify identity."

You've just handed your bank account to a criminal. They were already in by the time you locked your phone.

This is smishing — SMS phishing impersonating a bank — and it now drains nearly €50 million a year from Belgian victims alone, according to Belga News Agency. In France, Cybermalveillance.gouv.fr places phishing as the #1 threat to individuals. In Morocco, the DGSN's E-Blagh platform was launched in May 2024 in direct response to surging financial cybercrime.

What the message looks like

The scammers know exactly which bank you use because either (a) they bought a leaked database, or (b) they're spraying every bank name and one will eventually match. Typical messages:

"CIH Bank: Tentative de connexion suspecte sur votre compte. Si ce n'est pas vous, sécurisez immédiatement : cih-securite.ma/auth"

"BMCE: Votre carte bancaire sera désactivée. Validez votre identité sous 24h pour éviter le blocage : bmce-validation.com"

"Attijariwafa: Un virement de 4 500 DH a été initié depuis votre compte. Cliquez ici pour le contester : attijari-paiement.online"

"BNP Paribas: Nouvelle connexion détectée depuis Casablanca. Si ce n'est pas vous : bnp-securisation[.]net/login"

"Banque Populaire: Échec d'authentification. Réactivez votre compte en 24h : bp-confirm-fr.com"

The structure is always:

Bank name as the sender (often spoofed in the SMS header, so it really looks like it came from your bank)
A scary trigger — suspicious transaction, login from new device, account block, expired card
A short deadline — "24h", "before midnight", "immediately"
A link that looks bank-ish but isn't your bank's real domain

Tap the link → fake login page → you type your credentials → game over.

The lookalike domain trick

The link is the smoking gun. Real banks have one main domain that you should know by heart:

| Bank | Real domain | |---|---| | BMCE Bank of Africa | bmcebankofafrica.com | | Attijariwafa Bank | attijariwafabank.com | | CIH Bank | cihbank.ma | | Banque Populaire | gbp.ma | | Crédit du Maroc | creditdumaroc.ma | | BNP Paribas | mabanque.bnpparibas | | Société Générale FR | societegenerale.fr |

What the scammers use:

Hyphens added: bmce-secure.com, attijari-paiement.ma, cih-securite.com
Wrong TLD: cihbank.online, bmcebank.xyz, attijariwafa.tk
Subdomain disguise: mabanque.bnpparibas.account-verify.net — the actual domain is account-verify.net, not bnpparibas
Character swap: paypaI.com (capital I instead of lowercase l), attijariwâfa.com (with diacritic)

Bank phishing always uses an unfamiliar domain. If the URL doesn't exactly match the domain you'd type yourself from memory, it's a scam.

Real cases

Belgium, 2024: Belga News Agency reports phishing — most of it bank impersonation — netted criminals €50 million in Belgium in 2024 alone.
France, 2024: Cybermalveillance.gouv.fr's 2024 report lists phishing as the #1 assistance request, with constant evolution including SMS variants and increasing AI-generated polish.
Morocco, 2023-2024: Médias24 documents a national wave of online fraud including bank impersonation, prompting the DGSN to launch the E-Blagh online reporting platform on May 18, 2024.
Morocco, ongoing: SNRT News reports the DGSN handled 13,643 cybercrime cases linked to modern technologies and blackmail in a single recent reporting period — a substantial share involving banking/financial impersonation.

The 7 red flags

Treat any of these as a scam by default:

SMS arrives with a link. Banks effectively never send active links by SMS — they tell you to log in to the app.
The link domain doesn't exactly match the bank's main site (the one you'd type yourself).
Urgency: "24h", "immediately", "before midnight". Real bank notices don't expire on the day.
A monetary threat: account block, card deactivation, lost €X. Designed to panic you.
Generic salutation: "Cher client" / "Dear customer". Your bank knows your name.
Spelling or punctuation errors in the message (less common with AI translation now, but still happens).
The reply-to or sender looks slightly wrong: a long string of digits, a foreign country code, or an alphanumeric sender that's just almost right ("BMCEBank-FR" instead of "BMCE").

The single rule that beats this scam

Never tap a link in an SMS that claims to be from your bank.

Open your banking app instead. If there's a real alert, it'll be in the app's notifications.

If there's no alert in the app, the SMS is a scam. End of decision.

This rule has zero exceptions and protects you for life. It costs nothing to follow and renders the entire smishing industry useless against you.

What to do if you receive a phishing SMS

Don't tap the link. Even just clicking can sometimes load tracking pixels confirming your number is active.
Verify via the app. Open your bank's app, log in normally, check for real alerts.
Forward the SMS to the reporting number. In France: 33700 (free, signal-spam.fr). In Belgium: 8484. In Morocco: send a screenshot to the DGSN E-Blagh platform or contact your bank's fraud line.
Block the sender. Long-press the message → Block.
Delete the SMS so you don't accidentally tap it later.

If you already entered your details on the fake page

Time matters. Move in this order:

Call your bank's official fraud line immediately (the number on the back of your card, not one in the SMS). Block the card. Freeze the account.
Change your bank password and any password you reuse. Especially if you typed it on the fake page.
Set up SMS or app push alerts for every transaction so you spot any unauthorized debits in real time.
File a criminal complaint. France: Pré-plainte en ligne + nearest commissariat. Morocco: nearest commissariat + E-Blagh. Belgium: local police + safeonweb.be report.
Watch for "recovery scammers" — once your number is in their database, you'll get calls from "fraud agents" offering to recover the money for a fee. Same criminals, second pass.

What banks actually do

Real banks have a few patterns you can recognize:

They contact you in the app, with an alert + a "Confirm" or "Reject" button. No external link.
They send confirmation emails after you initiated an action (transfer, card request, login from new device).
They never ask for your password, PIN, full card number, or SMS code by any channel — phone, SMS, email, in person.
If they suspect fraud, they block the transaction and call you on a known number — they don't tell you to act yourself.

If something doesn't match this pattern, it's not your bank.

Get a second opinion in 5 seconds

If you're staring at a bank SMS right now and not sure, forward it to Digiscam on WhatsApp or paste it into our check box. AI verdict in seconds, with the same red-flag heuristics regulators publish. Free, anonymous, EN/FR/AR.

Open the app. Don't tap the link.

Sources: Belga News Agency — Phishing losses Belgium 2024 · Cybermalveillance.gouv.fr 2024 annual report (PDF) · Médias24 — DGSN E-Blagh launch · SNRT News — Morocco cybercrime statistics