Sparkasse pushTAN phishing: is the re-activation email real?

A message claiming your S-pushTAN app must be re-registered, or that your Sparkasse account will be blocked under new security rules, is a near-perfect clone built to steal your online-banking login and your TAN approval.

SafeBrowz Threat Research · Security Research · June 20, 2026 · 9 min read

Bottom line first: is the Sparkasse pushTAN email a scam?

Verdict: scam. An email, SMS, or letter telling you to "re-activate" or "re-register" your S-pushTAN app, confirm your data under a new "Sicherheitsverfahren" or AGB update, or unblock your account through a link is phishing. The real Sparkasse never asks you to approve a re-registration or confirm your login through a link you did not start yourself. Every pushTAN approval happens only inside the genuine S-pushTAN app on your phone. Do not click the link or scan the QR code. Report it to the Verbraucherzentrale Phishing-Radar and verify by typing your Sparkasse address yourself.

The German terms, in plain English

This scam works because it wears the vocabulary of Germany's biggest bank group. Sparkasse, the Sparkassen-Finanzgruppe, is the largest banking group in Germany, with hundreds of independent local savings banks. Here is the short glossary you need to follow the rest of this article.

  • Sparkasse is the savings-bank brand. There is a central portal and search at sparkasse.de, and every region has its own local Sparkasse, which is a genuine, independent member of the group.
  • S-pushTAN is the Sparkasse app that approves your online-banking transactions. You enter a transfer on the banking side, the app shows you the details, and you confirm with a swipe. It is required for transfers, standing orders, and securities orders.
  • TAN is the one-time approval for a single banking action. pushTAN and photoTAN are the two app-based methods Sparkasse uses.
  • AGB means the terms and conditions. "AGB-Update" and "neues Sicherheitsverfahren" (new security procedure) are the fake reasons scammers give for why you supposedly must re-confirm everything now.

Why this wave is everywhere in 2026

This is not a stray email. Germany's consumer-protection body, the Verbraucherzentrale Phishing-Radar, has repeatedly listed Sparkasse pushTAN-update messages among its active warnings and classified them as high danger. Reporting through June 2026 points to a large, ongoing wave hitting inboxes and phones across the country, often timed with deadlines like "confirm your data by a fixed date or your account is temporarily blocked."

Germany Digital, the public-private awareness initiative Deutschland sicher im Netz, has documented the pushTAN-expiry SMS variant in detail: fraudsters exploited real service disruptions and sent texts, including to people who are not even Sparkasse customers, claiming the pushTAN app will soon expire and must be urgently updated through a link. The Federal Office for Information Security, the BSI, gives the public the same core rule for every brand: a real bank does not ask you to confirm sensitive data or approve a device through a link in a message. AI now makes these fakes look more professional than ever, which is why the structural tells below matter more than how polished the message reads.

How S-pushTAN actually works, and why that breaks the scam

The whole defense rests on one fact: a real pushTAN approval only ever happens inside the genuine S-pushTAN app, for an action you started yourself. When you make a transfer in online banking, the app shows you the exact transaction details, and you confirm with a swipe. The bank never sends you an email or SMS link that opens a login form, and it never asks you to "re-activate" the procedure by entering your credentials on a web page.

The dangerous part of this scam is what the criminals are really after. The setup of pushTAN starts with a registration letter and an activation step. If attackers can trick you into entering your online-banking login and then approving a fresh "re-registration," what you are actually doing is linking the attacker's device to your account. Security experts warn that a successful pushTAN phishing lets criminals register their own phone against your account and then authorize transfers themselves, independently and undetected. That is why the message pushes you so hard to "confirm" or "re-activate": the approval you give is the attacker's entry, not a routine update.

What the scam message actually says

The wording rotates, but the skeleton is stable. A typical email, SMS, or even printed letter carries one of these stories:

  • "Update erforderlich: Ihre pushTAN-App ist abgelaufen" (update required: your pushTAN app has expired). You must re-activate the app within 24 to 48 hours through the link or online banking is blocked.
  • "Neues Sicherheitsverfahren / AGB-Update" (new security procedure or terms update). Under new regulation you must confirm your data and re-register your TAN method, or your account will be limited.
  • "Ihr Konto wird gesperrt" (your account will be blocked). Your card or account will be blocked unless you verify your details by a fixed deadline.
  • "Bitte bestaetigen Sie diese Ueberweisung" (please confirm this transfer). A payment you do not recognise must be confirmed or rejected through the link.

Each link leads to a near-perfect Sparkasse clone in the familiar red-and-white styling, with the logo, the official wording, and the online-banking login fields. You are asked to log in, then to confirm a pushTAN re-registration or scan a QR code to "reactivate" the app. Everything you enter is harvested, and the approval you give can be used to bind the attacker's device to your account. There is no real update at the end of it, because the message never came from your Sparkasse at all.

The QR-code variant: Quishing by email and by letter

A growing version of this attack hides the link inside a QR code. The Verbraucherzentrale calls this Quishing, a blend of QR code and phishing. Fraudsters favour QR codes because spam filters often ignore image content, so a code can slip through where a raw link would be flagged. The code arrives in a forged email, a PDF attachment, or, increasingly, a printed letter that looks like genuine Sparkasse post. Scan it and you land directly on the same fake login page. The lesson is simple: a QR code in a message that asks you to log in or re-activate pushTAN deserves exactly the same suspicion as a raw link. Do not scan it to reach your bank. Open the app or type the address yourself.

The domain nuance: not every "sparkasse" address is fake

Here is where Sparkasse is genuinely tricky, and where bad advice can backfire. The central portal is sparkasse.de, but thousands of legitimate local savings banks run their own sites in the form sparkasse-<city>.de. Addresses like sparkasse-koeln-bonn.de or your own regional Sparkasse are real. So the tell is not simply "the word sparkasse appears in the domain." Telling people every sparkasse-something address is a scam would have them distrust their own real bank. Instead, learn the structural tells below. The examples here are illustrative lookalikes only; your real bank is sparkasse.de or your local sparkasse-<city>.de:

  • sparkasse-sicherheit-update.com
  • sparkasse-pushtan-aktivierung.xyz
  • mein-sparkasse-login.pages.dev

The pattern is a brand word plus a transactional word ("sicherheit," "update," "pushtan," "aktivierung," "login"), landing on a cheap top-level domain or a free-hosting suffix like .pages.dev, .vercel.app, or .netlify.app that a real bank would never use. A genuine local Sparkasse uses a clean sparkasse-<city>.de, not a keyword-stuffed string on a throwaway host. When in doubt, do not judge the domain at all: close the message and open your banking app or type the address from memory.

Red flags that give it away every time

You do not need to know German banking law to spot this. The tells are structural.

  • It asks you to re-activate or re-register pushTAN through a link. This is the single biggest tell. A real pushTAN setup or change never starts from an emailed or texted link. It starts in the app and with a registration letter you requested.
  • There is a countdown. "Within 24 hours," "letzte Erinnerung," "account will be blocked." Real banking changes run over weeks and arrive inside your banking inbox or by genuine post, not with a ticking clock.
  • It asks you to confirm a pushTAN approval you did not initiate. A pushTAN prompt should only ever appear for a transfer or change you just started. An approval requested out of nowhere is someone else trying to move your money or bind their device.
  • The link is odd or mismatched. A keyword-stuffed address, a free-hosting suffix, or a domain that is not your bank's clean sparkasse.de or sparkasse-<city>.de. A QR code that hides the destination gets the same suspicion.
  • It asks for login and TAN together. No real bank flow has you hand over your online-banking password and a TAN approval on the same web form. That combination is the whole point of the phishing page.
  • Generic greeting and odd German. "Sehr geehrter Kunde" instead of your name, plus stilted phrasing or missing umlauts, are common, although AI-written fakes are getting cleaner. Treat the structure as the proof, not the polish.

What SafeBrowz sees on the network

When the SafeBrowz engine examines a Sparkasse lookalike page, the structure of the attack is consistent enough to read across all three detection layers. A few patterns stand out.

First, the host is throwaway. The destination behind a Sparkasse phishing message is almost always a free-hosting subdomain or a domain registered within the last few days. A real local Sparkasse lives on a clean sparkasse-<city>.de, never on .pages.dev or a domain days old. Host type and domain age alone flag a large share of these before any content loads.

Second, the structure is a keyword sandwich on a non-official host. The string carries "sparkasse," "pushtan," or "sicherheit" plus a transactional word, then resolves on a free host or cheap top-level domain that the real registrant would never use. Crucially, our matching is built to respect the legitimate sparkasse-<city>.de family, so a genuine regional bank is not flagged just for carrying the brand word. The signal is the brand word living on a host the bank does not control.

Third, the page content gives itself away. A cloned Sparkasse login form, the red-and-white styling, a "pushTAN reaktivieren" headline, and a request for credentials plus a TAN, all served from a non-Sparkasse host, is a textbook brand-impersonation profile. Content-level analysis catches the impersonation even when the domain is brand new and absent from every blocklist. Honest scope: SafeBrowz flags the phishing page, the lookalike domain, and the fake login link in your browser. It cannot read inside your genuine S-pushTAN app, so the rule there stays human: only ever approve what you started yourself.
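
The domain rule from "The domain nuance" section and the first two patterns above can be written down as a small host triage. This is an added example, not SafeBrowz's engine code: the function name and verdict labels are hypothetical, the keyword and suffix lists are the ones named in this article, and domain age is left out because it needs a registry lookup.

```javascript
// Added example. Keyword and suffix lists are the ones named in the article;
// function and verdict names are hypothetical.
const BAIT = ["sicherheit", "update", "pushtan", "aktivierung", "login"];
const FREE_HOSTS = [".pages.dev", ".vercel.app", ".netlify.app"];

function triageSparkasseUrl(raw) {
  let host;
  try {
    host = new URL(raw).hostname.toLowerCase().replace(/\.$/, "");
  } catch (e) {
    return { verdict: "invalid", reasons: ["not a parseable URL"] };
  }
  if (!host.includes("sparkasse")) return { verdict: "unrelated", reasons: [] };

  // Read right to left: the last two labels are what the registrant controls,
  // so sparkasse.de.example.com belongs to example.com, not to the bank.
  const registrable = host.split(".").slice(-2).join(".");
  if (registrable === "sparkasse.de") return { verdict: "official-portal", reasons: [] };

  const reasons = [];
  const localForm = /^sparkasse-[a-z0-9-]+\.de$/.test(registrable);
  if (!localForm) reasons.push("brand word on a host outside the sparkasse.de family");

  const freeHost = FREE_HOSTS.find((s) => host.endsWith(s));
  if (freeHost) reasons.push("free-hosting suffix " + freeHost);

  // For a sparkasse-<x>.de name only the registered name is checked, so a real
  // bank's own subdomains are not penalised; elsewhere the whole host is checked.
  const scope = localForm ? registrable : host;
  const bait = BAIT.filter((w) => scope.includes(w));
  if (bait.length) reasons.push("transactional keywords: " + bait.join(", "));

  if (reasons.length) return { verdict: "lookalike", reasons };
  // The shape alone proves nothing: anyone can register sparkasse-<word>.de.
  return { verdict: "local-form-unverified",
           reasons: ["fits sparkasse-<city>.de; compare with the address you already know"] };
}

// Constructed sample input (illustrative hosts from the article plus example.com).
const SAMPLES = [
  "https://www.sparkasse.de/",
  "https://www.sparkasse-koeln-bonn.de/",
  "https://mein-sparkasse-login.pages.dev/",
  "https://sparkasse.de.example.com/",
];
for (const u of SAMPLES) console.log(u, "->", triageSparkasseUrl(u).verdict);
```

A name that merely fits the sparkasse-<city>.de shape is reported as unverified rather than safe, which is why the article's advice to type the address yourself still applies.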

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1, Local detection: 60+ URL patterns plus 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) and a community whitelist/blacklist, all running directly in the extension before the page renders. It catches bank-impersonation keyword patterns on non-official hosts, free-hosting abuse, and re-activation-bait redirect families instantly, while letting the legitimate sparkasse-<city>.de family through.
  • Layer 2, API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, and ScamAdviser, plus domain-age lookup (most Sparkasse-scam destinations are less than 30 days old) and 30+ scam TLDs.
  • Layer 3, AI deep scan: content-aware brand-impersonation analysis in 100+ languages catches a brand-new Sparkasse lookalike that no blocklist has seen yet, reading the German page content directly.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

For people who do not want to install anything, the same engine powers the free public URL checker. Paste any link from a suspicious Sparkasse message and get a verdict in seconds. If you want to learn the manual checks yourself, our guide on how to tell if a website is a scam walks through reading a URL right to left.

What to do right now

If a Sparkasse pushTAN or "account blocked" message just landed, here is the whole correct response.

  1. Do not click the link, scan the QR code, or open any attachment. The link is the entire attack surface. Curiosity is how people get caught.
  2. Verify directly, not through the message. Open the official Sparkasse app yourself, or type your bank's address (sparkasse.de or your real sparkasse-<city>.de) into a fresh browser tab and log in. Anything genuine will be visible there. Never use the link in the message.
  3. Report it to the Verbraucherzentrale Phishing-Radar. Forward the email to [email protected] so it can be logged and warned about publicly. They anonymise the data.
  4. Learn the rules at the BSI. The Federal Office for Information Security at bsi.bund.de publishes the official guidance on protecting yourself against phishing.
  5. Then delete the message.

If you already opened the link but entered nothing, you are most likely fine: close the tab and clear cookies for that domain. If you entered your login, approved a pushTAN re-registration, or shared a TAN, act immediately. Block your cards and online-banking access through the central German blocking hotline 116 116, which is free and available 24/7, then call your own Sparkasse to secure the account and check whether an unknown device was registered. If money moved or a card was misused, file a report with the police (Polizei 110 for emergencies, or your local station). Our full "I got scammed, what to do right now" walkthrough covers the first-hour playbook in detail.

Frequently asked questions

Is sparkasse.de safe?

Yes. sparkasse.de is the genuine central portal of the Sparkassen-Finanzgruppe, and your local savings bank runs a real site in the form sparkasse-<city>.de. Those are legitimate. The danger is lookalike domains that add words like "sicherheit," "update," or "pushtan" or sit on a free host. When in doubt, do not judge the link at all: open the official app or type the address yourself.

How do I recognise a Sparkasse phishing email?

It asks you to re-activate or re-register pushTAN, confirm your data under a new security procedure or AGB update, or unblock your account through a link or QR code, usually with a tight deadline. Real Sparkasse never starts a pushTAN change from an emailed or texted link, and never has you enter your login and a TAN together on a web page. Those structural tells, not how polished the message looks, are the proof.

What is S-pushTAN and can it be faked?

S-pushTAN is the Sparkasse app that approves your online-banking transactions. A real approval only appears for an action you started yourself, and you confirm it with a swipe inside the genuine app. The app itself is not "faked," but phishing tricks you into entering your login and approving a fresh re-registration on a fake page, which can let an attacker bind their own device to your account. Only ever approve what you initiated.

How do I report Sparkasse phishing in Germany?

Forward the email to the Verbraucherzentrale Phishing-Radar at [email protected], and read the BSI guidance at bsi.bund.de. If you shared your login or a TAN, block your access through the central hotline 116 116, call your own Sparkasse, and if money moved, report it to the police. Then delete the message.

Why am I getting this if I am not even a Sparkasse customer?

Attackers do not target by bank. They send millions of messages, including by SMS, to addresses and numbers bought from data leaks and brokers. Many recipients have no Sparkasse account at all. Receiving the message is not evidence that anything is wrong with an account, and a correct name or polished design does not make it genuine.
