SFR phishing page revealed

A phishing campaign targeting the French telecommunications provider SFR uses fraudulent emails and SMS messages to lure customers onto cloned “Espace Client” login pages and coax them into entering personal and credit card details. The attack, built around fake payment-failure or refund notices, is designed to harvest card data and the 3D-Secure codes needed to push through a fraudulent payment, and it illustrates a growing utility-billing scam tactic.

SFR “Refund / Unpaid Invoice” Phishing
Target: SFR (Société Française du Radiotéléphone) customers in France
Threat Level: High (Credit Card Skimming & Account Takeover)
Phishing Method Description
This attack targets customers of the French telecommunications provider SFR. Scammers send phishing emails or SMS messages (smishing) built on two common pretexts:
The Refund Bait: Claiming the user has overpaid their bill and is entitled to a refund (e.g., 50.00€).
The Payment Failure: Claiming a recent monthly payment failed and services will be suspended unless a small “regularization fee” is paid immediately.
The link leads to a high-fidelity clone of the SFR “Espace Client” portal. This phishing kit is designed to harvest:
Login ID and Password (to access the user’s contract and personal data).
Full Credit/Debit Card Details (Card Number, Expiry, and CVV).
Personal Information (Name, Address, and Date of Birth).
3D-Secure SMS Codes: while the victim is on the fake page, the attacker submits the stolen card to a real payment. The bank sends the victim a one-time code, the fake site prompts for it and relays it in real time, so the code the victim types authorizes the attacker’s much larger purchase rather than a “refund” or a small fee.
⚠️ Red Flags to Watch For
Deceptive URL: The official domain is sfr.fr. Phishing sites use lookalikes such as mon-espace-sfr-reglement.com, remboursement-sfr.net, or free hosting subdomains like sfr-client.web.app. Only the registrable domain counts (the part just before the first single “/”): “sfr” appearing anywhere else in the address, as a subdomain, a hyphenated word, or a path, proves nothing.
Refund via Credit Card: Legitimate companies like SFR refund overpayments by crediting your next bill or via bank transfer (IBAN). They never ask for your CVV code to “send” you money.
Urgent and Alarming Language: Phrases like “Action requise immédiatement” or “Suspension de ligne” are used to induce panic.
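As an added example (not code from the original article, nor from SFR), the following Python script triages a message against the three red flags above: a link whose registrable domain is not sfr.fr (including the “user@host” trick and brand words in foreign domains), a refund or “regularization fee” pretext paired with a request for card data, and the urgency phrases quoted above. The sample messages are constructed, the small two-label suffix table stands in for the real Public Suffix List, and the refund/card keyword patterns are assumptions of this example.

```python
"""Heuristic triage of SFR-themed SMS / e-mail lures (illustrative example)."""
import re
import unicodedata
from urllib.parse import urlsplit

OFFICIAL_REGISTRABLE = {"sfr.fr"}        # the legitimate portal domain named in the article
BRAND_TOKENS = ("sfr",)                  # brand string that is suspicious inside a foreign domain

# Assumption: a tiny stand-in for the Public Suffix List, covering the hosts used below.
TWO_LABEL_SUFFIXES = {"web.app", "firebaseapp.com", "github.io", "co.uk"}

# Urgency phrases quoted by the article, matched on lower-cased, accent-stripped text.
URGENCY_PHRASES = ("action requise immediatement", "suspension de ligne")

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def fold(text: str) -> str:
    """Lower-case and strip accents so 'immédiatement' matches 'immediatement'."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def registrable_domain(host: str) -> str:
    """Return the registrable (eTLD+1) part of a host name using the toy suffix table."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> list:
    """Reasons a link is suspicious; an empty list means it really points at sfr.fr."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["unparseable host"]
    if parts.username is not None:      # https://www.sfr.fr@evil.example/ shows 'sfr.fr' first
        reasons.append("credentials before '@' hide the real host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph domain)")
    reg = registrable_domain(host)
    if reg in OFFICIAL_REGISTRABLE:
        return reasons
    if any(tok in reg for tok in BRAND_TOKENS):
        reasons.append(f"brand name in non-official domain {reg}")
    else:
        reasons.append(f"link goes to {reg}, not sfr.fr")
    return reasons


def triage_message(text: str) -> dict:
    """Score one SMS / e-mail body against the article's red flags."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)\"'")   # drop sentence punctuation glued to the link
        findings.extend(f"url: {r}" for r in classify_url(url))
    folded = fold(text)
    findings.extend(f"urgency phrase: '{p}'" for p in URGENCY_PHRASES if p in folded)
    # Refund / fee pretext combined with a request for card data (keyword sets are assumptions).
    pretext = re.search(r"rembours|regularisation|trop pay", folded)
    card = re.search(r"\bcarte\b|cvv|cryptogramme|numero de carte", folded)
    if pretext and card:
        findings.append("asks for card data to 'receive' a refund or pay a fee")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample lures plus one legitimate-looking notice, for illustration only.
SAMPLES = {
    "refund_lure": "SFR: vous avez trop payé votre dernière facture. Remboursement de 50,00€ : "
                   "saisissez votre carte sur https://remboursement-sfr.net/espace-client.",
    "fee_lure": "SFR Espace Client : échec de paiement. Action requise immédiatement, "
                "suspension de ligne sous 48h : https://sfr-client.web.app/regularisation",
    "userinfo_trick": "Votre remboursement SFR : https://www.sfr.fr@mon-espace-sfr-reglement.com/login",
    "legit_notice": "Votre facture SFR est disponible dans votre Espace Client : https://www.sfr.fr/",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = triage_message(body)
        print(f"{name}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("   -", finding)
```

The domain check deliberately looks only at the registrable domain, which is why `sfr-client.web.app` and `www.sfr.fr@mon-espace-sfr-reglement.com` are both flagged while `www.sfr.fr/...` passes; the keyword rules are a coarse filter and will miss lures that avoid these words.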
💡 Expert Security Tip: The “Reverse Payment” Illusion
The Method:
This case highlights the “Refund-to-Skimming” tactic. Scammers exploit the psychological “reward” of receiving a refund to lower the victim’s guard.
The Trap:
By asking you to “enter your card details to receive a refund,” the scammers are in fact using your card to pay at a merchant checkout they control. The 3D-Secure SMS your bank then sends is the authorization for that payment, not for a credit: when you type it into the fake page, you aren’t receiving 50€, you are approving a charge of potentially hundreds or thousands of euros to the attacker. The bank’s SMS normally states the merchant and the amount being authorized, so read it before typing the code: a “refund” that produces an SMS for a payment of 850€ to an unknown merchant is the attack in progress.
How to Protect Yourself:
Refunds go to IBAN: In France, utility and telecom refunds are almost always processed via the bank account (RIB/IBAN) already linked to your contract. If a site asks for your CVV (the 3 digits on the back) to “give” you money, it is always a scam.
Check the “Espace Client” Directly: Never click a link in an email or SMS. Type www.sfr.fr yourself or open the “SFR & Moi” app. If there is a real issue or refund, it will be visible there.
Verify the Sender: Official SFR emails come from @sfr.fr or @sfr.com. Be wary of sender addresses on generic webmail or unrelated domains. Note that the display name and even the From address can be spoofed, so a plausible sender is never proof on its own; the portal check above is what actually settles it.
