Key discoveries
- A complex scam targeting SNCF customers using phishing and social engineering — attackers send fake promotional emails and make fraudulent phone calls to trick people.
- Attackers use information from a prior 2024 leak to precisely target French users whose data has already been exposed.
- The scammers create websites that look similar to official SNCF pages and launch them during French holidays when people are planning their trips.
- Payment redirections use legitimate processors like Stripe to lend credibility to the scam, taking advantage of refund and abuse reporting limitations to retain stolen funds.
- Emotional manipulation plays a central role in the scheme, as fake bank counselors build false trust and a sense of urgency to extract IBANs, security codes, and additional payments from victims.
- Fraudsters use emotional trust and reputable brands to create urgency, sustain deception, and obtain victims’ financial data.
Who may find this blog interesting:
- Cybersecurity and fraud teams
- Financial security specialists
- Law enforcement investigators
- Corporate security units
- Informed online consumers
Group-IB Threat Intelligence Portal:
Group-IB customers can access both our Threat Intelligence and Fraud Protection portals for more information about the scam scheme described in this blog.
Introduction
While online scams in general are becoming more advanced, this particular multi-stage scam stands out for the quality of its social engineering. These days, receiving phishing emails is nothing unusual. Generally, they are easy to spot because of the crude way they try to convince us of offers that are too good to be true.
However, Group-IB's research shows that fraudsters can be very persuasive and meticulous, both in the way they carry out their scam and in their choice of victims. This blog focuses on one highly targeted scheme designed to deceive customers of the French national railway company (SNCF), which carries 5 million travellers on 15 thousand trains every day.
The observed scam is divided into two distinct parts. The first part aims at attracting victims through the fake promotion of very generous discounts on SNCF products and tickets. The second part, once the victim has fallen for the first, aims at further manipulating the victim, through social engineering phone calls, into authorising payments from their bank account.
Group-IB researchers focused on how this scam is run and how the fraudsters choose their victims: from a simple fake email to a much larger scam with severe consequences and losses for the victims.
Step 1: The targeted phishing lure
The beginning of this scheme is quite simple and shares many commonalities with other phishing scams: fraudsters reach out to SNCF customers with a simple email promoting attractive offers on rail pass subscriptions.
As this fraud scheme is designed to attract as many people as possible and bypass initial scrutiny, it follows a very specific periodicity: the French school holidays, i.e. when a high volume of families travel together. These holidays always fall in the following months of the year: October, December, February, April, July and August.
Moreover, the creation or activity of the fraudulent domains observed in this campaign seems to follow the same holiday periodicity. The domains mainly use common keywords such as avantages (advantages), offres (offers) or SNCF connect (the official domain of SNCF being sncf-connect.com) to impart a sense of familiarity to the French general public.
Examples:
- avantage-offres[.]com → active on 13/12/2024
- T-mail-avantages[.]com → active on 17/04/2025
- sncf-connect[.]net → active on 31/07/2025

Figure 2. Example of a fake SNCF website.
Many public testimonies from victims are indeed shared during these periods. Victims recount this fraud on French public forums and platforms, revealing that they received emails promoting a very attractive offer on a discounted Advantage Card (an annual rail card) from SNCF. It seems, as seen here and here, that the emails are very persuasive and redirect to websites that are even more persuasive in mimicking the exact digital identity of SNCF. Such realism is enough to defeat victims' vigilance, as they do not seem to notice the obviously fraudulent email address used to send these emails.
Once victims choose a product on the phishing site, they are redirected to a legitimate online payment platform, such as Stripe (stripe.com), for checkout and payment, as recounted by the testimony of a victim here. This greatly reduces any suspicion that fraud is taking place.

Figure 4. Payment is routed to a legitimate Stripe checkout page.
And while it may seem at first that fraudsters are taking a risk by using a legitimate payment platform, since they could be directly obliged to reimburse victims, Group-IB researchers have observed a loophole: fraudsters take advantage of the platform's own abuse policy.
Indeed, as the platform indicates here, someone who has been scammed through a payment made on the platform first needs to open an abuse case. In most instances, before any action can be taken, the fraudster is already long gone with the victim's money, and it becomes difficult even for the victim's bank to investigate and reimburse their client.
By the end of this first step of the scam, victims have already gone through the full checkout process, which includes paying for the fake product and, on top of that, providing personal information such as their name, email address and phone number. With this information, the fraudster proceeds to the second part of the scam.
Step 2: The fake bank counselor
Once the victim completes payment, the fraudster contacts them by phone, pretending to be a bank counsellor. They inform the victim that a fraudulent transaction has been spotted in their bank account. At this point, the victim realises that the SNCF website and promotion was fake. This is a very important part of understanding the social engineering behind this scheme. The fraudster reveals the original scam and exploits the victim’s emotions at being upset for falling for the scam. By pretending to be a bank counsellor, the fraudster gives the victim a sense of relief, as they now think the fraudulent transaction was successfully intercepted and they will be refunded.
From this point onwards, the victim cooperates fully with the fraudster. They will willingly carry out further instructions and actions that are requested by the “bank counsellor” on their bank account, such as confirming their security code, supposedly to enable the counsellor to block the initial fraudulent payment. In reality, this allows the fraudster to authorise further payments from the victim’s account.
Here again, there are public testimonies from victims targeted by these fake phone calls. In their testimonies, the victims admit they fell for the email scam and, the day after, received a call from someone pretending to be their bank counselor, as explained here. The operations requested by the fraudsters, as shared by the victims, range from adding an IBAN to their account to sharing their security code to approve payments, as revealed here.
How are victims chosen?
This scam has a single focus and only geo-targets the clients of one specific company located in France. It cannot affect any other individuals on the internet. It mainly targets people who are likely to travel on SNCF trains and who speak French, as the observed scam campaign is entirely in French. Please note that French mobile numbers always start with either 06 or 07 (the latter being the most recent ones).
Through our investigation, we identified several victims' email addresses, and they had two things in common:
- They used a French email service provider (generally ending in .fr or on a domain belonging to popular French companies)
- They were all previously part of a data breach publicly revealed on a forum in September 2024, known as the Addka72424 breach (you can see details about this breach in our Threat Intelligence Platform).
Conclusion
This scam scheme, analyzed by Group-IB in this blog, exemplifies how social engineering is becoming increasingly sophisticated in order to defraud victims. The typical standalone, passive phishing email is no longer enough. Scammers are now observed actively engaging with victims using complex, elaborate playbooks that manipulate emotions and trust in order to harvest data and steal money.
The way the whole scheme is designed and the way the victims are chosen highlight the fact that scammers are getting better at understanding their targets' behaviour and processes (both those of the impersonated companies and of the individual victims).
Such scams are growing in popularity in this age of e-commerce and digital spending. While this blog focuses on one specific brand and scenario, there is always another occasion, another event, or another sale period around the corner, creating the perfect conditions for fraudsters to launch similar campaigns with sustained repeatability.
Recommendations:
For brands and organizations:
- Launch awareness campaigns about such fraud and inform customers about official resources used by the company.
- Implement a Digital Risk Protection solution that continuously monitors for brand abuse and fraud and facilitates their takedown, improving both company security and customer trust.
- Leverage an advanced Threat Intelligence solution to keep up-to-date with new schemes and tools that cybercriminals use, to proactively prevent them and inform and educate your customers.
For individuals:
- Always pay attention to the sender address of such promotional emails, and know the official domain of the brand you are interacting with. For example, SNCF's official domain is sncf-connect.com.
- Always pay attention to any link you're clicking on and, even when it seems legitimate, hover the cursor over the link without clicking to see where it actually leads. When in doubt, do not click; visit the official site manually instead.
- If you believe you've fallen for a scam, call your bank directly to contest the charge on your credit card or any other payment you may have made.
- Bank officials would never ask you for private account information over the phone; if you receive such a phone call, block the number and report it.
- To find out whether you are likely to receive such phishing emails, check whether your email address has been exposed in a data breach using tools such as haveibeenpwned.com, https://databreach.com/, https://breachdetective.com/ or https://spycloud.com/.
1. What is a 2-step or multi-stage scam?
A sophisticated fraud where victims are first tricked through classic phishing emails and spoofed websites, followed up by a fraudulent phone call to steal larger sums. This "double-hit" approach exploits the victim's data and emotions across two distinct phases to maximize financial loss.
2. What tactics are used by fraudsters in this scam?
- Scammers use past data breach records to narrow down targets to a specific country, company, and/or individuals.
- Phishing campaigns coincide with popular events such as peak holiday travel periods to increase plausibility of promotional offers and reduce consumer suspicion.
- Scammers then employ social engineering through vishing, posing as bank counselors to further manipulate victims into sharing account security codes to gain direct access to their bank accounts.
3. How are fraudsters abusing legitimate online payment platforms?
Legitimate online payment processing platforms have to follow proper abuse reporting and investigation channels, which fraudsters take advantage of. By the time victims become aware of the scam and initiate this process, the scam operators have already closed their accounts and disappeared with the stolen funds.
4. How are victims affected?
Victims suffer immediate financial loss from the initial fake purchase and the subsequent unauthorized transactions. Beyond the monetary theft and the compromise of their PII and banking credentials, they also suffer the emotional impact of being defrauded twice.
Domains and IP addresses used by Fraudsters
| Domain | IP address |
| --- | --- |
| lesavantagesdesoffres[.]com/ | 185[.]221[.]19[.]8 |
| macarteavantage[.]live/promo/catalogue | 185[.]225[.]210[.]8 |
| sncf-connect-affiliation[.]com/ | 185[.]178[.]208[.]163 |
| carte-avantage-promotion[.]com/offres/ | 176[.]65[.]139[.]100 |
| sncfoffre-avantages[.]com/pages/login[.]php | 91[.]215[.]85[.]183 |
| sncf-pass-avantages[.]com/pages/login[.]php | 52[.]223[.]13[.]41 |
| avantages-promotion-sncf[.]com/offres/ | 45[.]125[.]66[.]34 |
| sncf-espaceoffres[.]com/pages/login[.]php | 185[.]161[.]209[.]176 |
| sncf-offre-avantages[.]com/pages/login[.]php | 91[.]215[.]85[.]183 |
| promotion-avantages[.]com/pages/login[.]php | 35[.]241[.]18[.]84 |
| sncf-avantage[.]com/pages/login[.]php | 193[.]143[.]1[.]151 |
| sncfcarte-avantages[.]com/pages/login[.]php | 103[.]224[.]182[.]242 |
Email addresses used by Fraudsters
| newsletter@zenithbank[.]com |
| ebusinessgroup@zenithbank[.]com |
| merci@mail-sncf-connect[.]com |
| [email protected][.]com |
| mail@info-sncf-connect[.]com |
| no-reply@beyondcool[.]co[.]jp |
| [email protected][.]com |
| noreply@ambassador-cloud[.]biz |
| rahulshitole@yahoo[.]fr |
| equipe-sncf@carte-avantagepromo[.]eu1[.]r[.]hs-inbox[.]com |
| merci@mail-redirect-promotion[.]com |
| newsletter@businessmint[.]com |
| sncfconnect@t-mail-avantages[.]com |
Phone numbers used by Fraudsters
| 0757650xxx |
| 0644662xxx |
| 0646241xxx |
| 0754832xxx |
| 0780945xxx |
| 0744731xxx |
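The keyword pattern described in Step 1 (avantages, offres, sncf-connect on a domain that is not sncf-connect.com) and the indicator tables above can be combined into a simple triage check over mail-gateway records. The Python script below is an added example written for this post, not Group-IB tooling: it refangs a subset of the listed indicators, uses a deliberately minimal public-suffix list (an assumption that covers only the suffixes present in the tables), and runs over a few constructed sample records.

```python
"""Triage helper for the SNCF lookalike-domain pattern and the listed indicators.
Added example, not Group-IB tooling. Sample records and the public-suffix
shortcut are constructed assumptions for illustration."""
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "sncf-connect.com"            # official SNCF domain, as stated in the post
LURE_KEYWORDS = ("sncf", "avantage", "offre")   # keywords the post reports in fraudulent domains

# Subset of the defanged indicators from the tables above (refanged at load time).
DEFANGED_DOMAINS = [
    "avantage-offres[.]com",
    "sncf-connect[.]net",
    "sncf-connect-affiliation[.]com/",
    "sncfoffre-avantages.com/pages/login[.]php",
    "sncfcarte-avantages[.]com/pages/login[.]php",
]
DEFANGED_SENDERS = [
    "merci@mail-sncf-connect[.]com",
    "sncfconnect@t-mail-avantages[.]com",
    "no-reply@beyondcool[.]co[.]jp",
]

# Assumption: a tiny stand-in for the Public Suffix List, enough for the suffixes
# in the tables. A production deployment would use the real list.
MULTI_LABEL_SUFFIXES = {"co.jp", "co.uk"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ([.] and hxxp) back into a usable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_of(indicator: str) -> str:
    """Extract the bare hostname from a domain, domain/path, URL or email address."""
    value = refang(indicator).strip().lower()
    if "@" in value:                      # email address: keep the domain part
        value = value.rsplit("@", 1)[1]
    if "://" not in value:                # bare domain or domain/path: add a scheme for urlparse
        value = "http://" + value
    return urlparse(value).hostname or ""


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain (e.g. www.a.com -> a.com)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


KNOWN_BAD = {registrable_domain(host_of(i)) for i in DEFANGED_DOMAINS + DEFANGED_SENDERS}


def classify(indicator: str) -> str:
    """official > known-ioc > lookalike > unknown. The official check runs first so
    legitimate sncf-connect.com traffic is never flagged by the keyword heuristic."""
    host = host_of(indicator)
    reg = registrable_domain(host)
    if reg == OFFICIAL_DOMAIN:
        return "official"
    if reg in KNOWN_BAD:
        return "known-ioc"
    if any(keyword in host for keyword in LURE_KEYWORDS):
        return "lookalike"                # brand keyword on a non-official domain: review
    return "unknown"


# Constructed sample mail-gateway records (sender address and the link in the mail body).
SAMPLE_RECORDS = [
    {"sender": "merci@mail-sncf-connect.com", "url": "https://sncfoffre-avantages.com/pages/login.php"},
    {"sender": "newsletter@sncf-connect.com", "url": "https://www.sncf-connect.com/offres"},
    {"sender": "promo@sncf-connect.com.evil.example", "url": "https://carte-avantage-promotion.com/offres/"},
    {"sender": "ami@orange.fr", "url": "https://example.org/"},
]

SEVERITY = {"known-ioc": 3, "lookalike": 2, "unknown": 1, "official": 0}


def triage(records):
    """Return the most severe verdict across sender and URL for each record."""
    return [max((classify(r["sender"]), classify(r["url"])), key=SEVERITY.__getitem__)
            for r in records]


if __name__ == "__main__":
    for record, verdict in zip(SAMPLE_RECORDS, triage(SAMPLE_RECORDS)):
        print(f"{verdict:10} {record['sender']:40} {record['url']}")
```

A "lookalike" verdict is a review signal rather than proof of fraud; the exact-match "known-ioc" verdict is the one worth acting on automatically, and the official-domain check must stay first so the keyword heuristic never quarantines genuine SNCF mail.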
DISCLAIMER: All technical information, including malware analysis, indicators of compromise and infrastructure details provided in this publication, is shared solely for defensive cybersecurity and research purposes. Group-IB does not endorse or permit any unauthorized or offensive use of the information contained herein. The data and conclusions represent Group-IB’s analytical assessment based on available evidence and are intended to help organizations detect, prevent, and respond to cyber threats.
Group-IB expressly disclaims liability for any misuse of the information provided. Organizations and readers are encouraged to apply this intelligence responsibly and in compliance with all applicable laws and regulations.
This blog may reference legitimate third-party services such as Stripe, SNCF and others, solely to illustrate cases where threat actors have abused or misused these platforms.
This material is provided for informational purposes, prepared by Group-IB as part of its own analytical investigation, and reflects recently identified threat activity.
All trademarks referenced herein are the property of their respective owners and are used solely for informational purposes, without any implication of affiliation or sponsorship.