A new online scam recently targeted Pakistani banking customers through ads on Facebook promoting a fake version of the Habib Bank Limited (HBL) mobile application. Marketed as the “updated 2025 version” of HBL’s official app, the fraudulent platform was designed to harvest sensitive card information. According to an update, the malicious sign-up link connected to the ad has now been removed, but the incident underscores the risks posed by deceptive online campaigns to ordinary users.
The scam mimicked the official HBL branding to convince unsuspecting customers that they were engaging with a legitimate service. Facebook ads showed the HBL logo and even images of HBL debit and credit cards to appear authentic. Once users clicked on the link, they were directed to a phishing site whose URL was entirely different from HBL’s genuine address, which remains “https://www.hbl.com/”. On that fake page, victims were prompted to enter highly sensitive details such as card number, CVV security code, expiry date, cardholder name and mobile number. After submission, the site displayed a message telling users that the bank would contact them within one to two hours for OTP verification, creating a false sense of authenticity and urgency.
HBL confirmed that it had nothing to do with this campaign. Ali Habib, spokesperson for HBL, stated that it was a fake app and reiterated that HBL continually educates its clients to only download the official HBL Mobile App from trusted sources such as Google Play or the Apple App Store. He added that data security remains a top priority for HBL and that customers should always verify any new communication or product through official channels. The incident has also prompted reminders to report suspicious ads or websites to both HBL and relevant authorities such as the PTA.
Security professionals are advising customers to remain vigilant, especially with apps promoted through social media ads or unfamiliar websites. Users should avoid downloading applications via links that do not originate from official app stores, verify that website domains match official banking addresses, and never share sensitive card details with unverified sites. HBL has not released any separate “2025 version” of its mobile app, and the only safe channels for accessing its digital services remain its verified website and its listed apps on Google Play Store and Apple App Store.
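The domain check advised above is easy to get wrong when done by eye or with a substring match, so here is one way to do it strictly in code. This is an added example, not code from HBL or from the original report; the function name and every sample URL other than the official `https://www.hbl.com/` are constructed for illustration.

```python
from urllib.parse import urlsplit

# The only official web address the article gives for HBL.
OFFICIAL_DOMAIN = "hbl.com"


def is_official_hbl_url(url: str) -> bool:
    """True only for an HTTPS URL whose host is hbl.com or a subdomain of it."""
    # Browsers treat "\" like "/" and drop tabs/newlines, so a URL containing
    # them may resolve to a different host in the browser than it parses to
    # here. Reject instead of guessing.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops userinfo and port, lowercases
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    # Homoglyph hosts (for example a Cyrillic "o") are not ASCII.
    if not host.isascii():
        return False
    host = host.rstrip(".")  # "www.hbl.com." names the same host
    # Compare on a label boundary, never with a substring test.
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


# Constructed sample inputs (not observed indicators) with expected verdicts.
SAMPLES = [
    ("https://www.hbl.com/", True),                 # official address
    ("https://hbl.com.example.net/login", False),   # official name as a prefix
    ("https://www.hbl.com@example.net/", False),    # official name as userinfo
    ("https://example.net\\@www.hbl.com/", False),  # backslash parser confusion
    ("https://examplehbl.com/", False),             # suffix without a dot
    ("http://www.hbl.com/", False),                 # not HTTPS
    ("https://www.hbl.c\u043em/", False),           # Cyrillic "o" homoglyph
]

if __name__ == "__main__":
    for url, expected in SAMPLES:
        print(f"{is_official_hbl_url(url)!s:5}  expected={expected!s:5}  {url!r}")
```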
Although the malicious URL has now been taken down, the campaign highlights how easily cybercriminals can exploit social media platforms to spread fraudulent services at scale. By imitating the look and feel of trusted brands, these scams attempt to trick users into handing over critical financial information. Authorities and financial institutions are working to strengthen user awareness and digital oversight to prevent similar incidents. For Pakistani customers, this episode is a timely reminder of the importance of cautious online behavior and verifying any banking-related communication through legitimate channels before acting.