# rbcexpress.co.com — MALICIOUS

> rbcexpress.co.com hosts a fake RBC Express login page impersonating Royal Bank’s commercial banking portal. 15/95 VirusTotal engines flag it.

## Summary

PhishDestroy identifies an active phishing domain, rbcexpress.co.com, that masquerades as the Royal Bank of Canada’s RBC Express portal for institutional commercial clients. The landing page title reads exactly “Royal Bank | RBC Express: Institutional Commercial Banking,” tricking users into believing it is the legitimate business banking login. Security telemetry shows the domain resolves to IP address 94.156.115.181 and is currently flagged by 15 of 95 VirusTotal security vendors as well as the OpenPhish blocklist, indicating elevated risk for credential theft and financial fraud. This domain was flagged by PhishDestroy on 2024-05-23.

The domain uses a Let’s Encrypt SSL certificate and was registered through a privacy-protected registrar to obscure ownership. VirusTotal detections include detection names such as Kaspersky Trojan-Banker, Emsisoft Phishing, and Netcraft Fraudulent Site, confirming the site is engineered to harvest corporate banking credentials. The low barrier to obtaining a Let’s Encrypt certificate combined with its impersonation of a trusted financial brand raises the risk of successful phishing against businesses.

If you visited rbcexpress.co.com, do not enter any credentials. Disconnect from the network immediately, run a malware scan with up-to-date antivirus, and rotate any passwords you may have typed. Report the incident to your IT security team and your bank. Consider enabling multi-factor authentication on all corporate banking accounts and monitoring transaction alerts for unauthorized activity.

## Threat Details

- Verdict: MALICIOUS
- Site status: unknown (HTTP ?)
- Page title: Royal Bank | RBC Express: Institutional Commercial Banking

## Domain Intelligence

- Registrar: REGISTRAR_NOT_FOUND
- IP: 94.156.115.181

## Detection Status

- VirusTotal: 15 vendors flagged
- Google Safe Browsing: clean
- Blocklists: 1 hits
  Lists: ["OpenPhish"]

## Evidence

- Cloudflare Radar: https://radar.cloudflare.com/domains/rbcexpress.co.com
- PhishDestroy: https://phishdestroy.io/domain/rbcexpress.co.com/
- LLM endpoint: https://phishdestroy.io/domain/rbcexpress.co.com/llm.txt

## If You Visited This Site

1. Change any passwords you may have entered
2. Enable 2FA on all related accounts
3. Monitor your accounts for unauthorized activity
4. Report to: FBI IC3, Europol, local authorities

---

Report by PhishDestroy | https://phishdestroy.io/domain/rbcexpress.co.com/

Last updated: 2026-04-06