Multi-stage social engineering campaign highlights the increasing sophistication of digital financial fraud schemes in Europe
Cybercriminals are increasingly professionalising their methods – combining classic phishing attacks with psychological manipulation, real-time communication and precise data analysis from previous leaks. A recent investigation by Group-IB provides a case study of how digital fraud models are evolving in Europe. The analysis focuses on a multi-stage fraud campaign targeting customers of the French state railway SNCF, which is used by around five million people every day.
What makes this attack unique is not so much the technical sophistication of its individual components as the orchestrated combination of phishing, payment processing that appears legitimate, and psychological escalation. Victims do not simply lose money once – they are manipulated again immediately after the first fraud and authorise further payments themselves.
According to Group-IB, this is not a widely distributed mass campaign, but a targeted “precision fraud” approach based on user data that has already been compromised.
Fake discount offers as an entry point
In the first step, SNCF customers received deceptively authentic-looking emails containing supposed special offers or heavily discounted rail season tickets. The campaign was timed to coincide with French school holidays – i.e. travel periods with particularly high ticket demand and increased interest in rail offers.
To this end, the attackers registered numerous domains that were visually and linguistically modelled on official SNCF offers. According to Group-IB’s findings, at least twelve fraudulent domains were identified, which were activated in parallel with the French holiday schedule.
Particularly concerning: payment processing was partly handled via legitimate payment service providers such as Stripe. This gave victims the impression of an authentic and technically trustworthy transaction. At the same time, the use of established payment infrastructures makes rapid tracing and fraud detection more difficult.
The perpetrators apparently deliberately targeted users whose data was already available from previous data breaches. Group-IB cites, among other sources, the so-called “Addka72424” leak, which has been circulating in criminal forums since September 2024. This enabled the attackers to tailor their campaign precisely to real French user profiles.
The second attack: “Bank advisor” exploits victims’ panic
However, the actual core of the campaign only follows after the initial phishing success. Shortly after the first payment, the victims received a phone call – supposedly from their bank.
The perpetrators posed as security advisors or fraud analysts from the respective bank and claimed to have detected suspicious activity. In doing so, they deliberately exploited the victims’ existing anxiety, as they may themselves have developed doubts about their payment shortly beforehand.
This approach creates a psychological emergency situation: the victims believe they have fallen victim to a scam – but are in fact speaking to the actual perpetrators.
Under time pressure and under significant emotional strain, those affected were persuaded to disclose one-time passwords (OTP), IBAN details or authorisation codes. In many cases, the victims thereby authorised additional transactions themselves or enabled further debits.
The perpetrators thus combine two classic attack models:
- technical phishing,
- and voice-based social engineering (‘vishing’).
The key factor is the timing of both phases. The attackers strike at precisely the moment when uncertainty is at its peak.
Social engineering is evolving into an industrial business model
The investigation highlights a structural shift in modern cyber fraud models. Whilst earlier phishing campaigns often relied on broad distribution and low success rates, current fraud ecosystems are increasingly data-driven, modular and highly specialised.
Several developments are becoming apparent:
- Data breaches are becoming the basis for precise fraud operations: Past data breaches do not lose their relevance, but instead develop long-term criminal value. Customer data that has already been compromised enables highly personalised attacks with greater credibility.
- Legitimate platforms are being misused: the use of established services such as Stripe significantly lowers the threshold for victims. At the same time, this makes it more difficult for traditional fraud detection systems to distinguish between legitimate and fraudulent transactions.
- Psychological manipulation replaces technical complexity: The campaign demonstrates once again that successful attacks today are often based less on malware or exploits and more on emotional manipulation, time pressure and abuse of trust.
- National brands are being specifically exploited: Major transport, energy and financial companies are highly relevant to everyday life and enjoy widespread trust. It is precisely this brand influence that attackers systematically exploit.
European critical infrastructure and mobility platforms are coming under increased scrutiny
The case has significant relevance beyond France. Mobility platforms, rail companies and digital ticketing systems are increasingly becoming attractive targets because they:
- combine high user numbers,
- regular payment processes,
- seasonal usage patterns,
- and strong brand loyalty.
At the same time, the attack demonstrates how closely cybersecurity, identity management and financial fraud are now intertwined. Critical infrastructures are thus not only targets of technical attacks, but also platforms for large-scale manipulation of trust.
Against the backdrop of NIS2, the Cyber Resilience Act and stricter requirements for digital resilience, the protection of customer-related communication processes is likely to come under greater scrutiny.
Voice fraud and hybrid attack chains are on the rise
The combination of phishing and subsequent telephone manipulation is increasingly regarded by security experts as particularly dangerous, as traditional technical safeguards are of limited effectiveness.
Even aware users can make poor decisions in stressful situations – particularly when attackers appear credible and use real customer data.
For businesses, this means that fraud prevention can no longer be viewed in isolation as an IT issue. Integrated security approaches are required that combine technical protection mechanisms with awareness, behavioural analysis and real-time detection.
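One way a bank-side fraud team could turn the two-phase timing described above into a real-time detection rule, as an added example that is not part of Group-IB's analysis: a payment to a merchant the customer has never used, followed shortly afterwards by customer-authorised high-risk actions. The event schema, the two-hour window, the action names and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: how soon after the first payment the fake "bank advisor" call lands.
CALLBACK_WINDOW = timedelta(hours=2)
# Assumption: customer-authorised actions such a call typically pushes for.
HIGH_RISK = {"otp_transfer", "new_payee", "card_limit_change"}

def flag_hybrid_fraud(events, known_merchants, window=CALLBACK_WINDOW):
    """Flag accounts where a payment to a first-seen merchant is followed,
    within `window`, by a high-risk action the customer authorised."""
    seen = {acct: set(m) for acct, m in known_merchants.items()}
    trigger = {}   # account -> most recent first-seen-merchant payment
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct = ev["account"]
        if ev["type"] == "card_payment":
            merchants = seen.setdefault(acct, set())
            if ev["merchant"] not in merchants:
                trigger[acct] = ev            # phase 1 candidate
                merchants.add(ev["merchant"])
        elif ev["type"] in HIGH_RISK and acct in trigger:
            first = trigger[acct]
            delay = ev["ts"] - first["ts"]
            if delay <= window:               # phase 2 inside the window
                alerts.append({"account": acct, "merchant": first["merchant"],
                               "action": ev["type"],
                               "delay_min": int(delay.total_seconds() // 60)})
    return alerts

def t(hhmm):
    return datetime.fromisoformat(f"2025-02-15T{hhmm}:00")

# Constructed sample data: account ids, merchant names and times are invented.
SAMPLE_BASELINE = {"A1": {"grocer-example"}, "A2": {"grocer-example"}, "A3": set()}
SAMPLE_EVENTS = [
    {"ts": t("10:02"), "account": "A1", "type": "card_payment", "merchant": "rail-offer-example"},
    {"ts": t("10:31"), "account": "A1", "type": "otp_transfer"},
    {"ts": t("10:36"), "account": "A1", "type": "new_payee"},
    {"ts": t("11:00"), "account": "A2", "type": "card_payment", "merchant": "grocer-example"},
    {"ts": t("11:20"), "account": "A2", "type": "otp_transfer"},   # known merchant
    {"ts": t("09:00"), "account": "A3", "type": "card_payment", "merchant": "rail-offer-example"},
    {"ts": t("15:30"), "account": "A3", "type": "otp_transfer"},   # outside window
]

if __name__ == "__main__":
    for alert in flag_hybrid_fraud(SAMPLE_EVENTS, SAMPLE_BASELINE):
        print(alert)
```

An alert from a rule like this is a reason to hold the follow-up transaction and contact the customer through a channel the bank initiates, since the customer may be on the phone with the fraudster at that moment.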
Group-IB’s full technical analysis also includes specific Indicators of Compromise (IOCs), including domains, telephone numbers and email addresses associated with the campaign.

