Who This Guide Is For
This guide is written for you – a business owner, procurement manager, finance director, or logistics coordinator who works across borders. You are not a cybersecurity expert. You have invoices to approve, shipments to track, and vendor relationships to manage. When an email arrives from a seemingly legitimate Spanish trading partner – offering premium Algerian products, promising reliable logistics, and presenting a professional portal – your first instinct is not suspicion. It is opportunity.
That instinct is exactly what the criminals behind the cross‑border B2B phishing campaign are counting on.
Between March and April 2026, a highly organized phishing wave originated in Algeria and targeted the French business sector. The attackers exploited Google Share links to bypass standard email security filters. Their landing page was hosted on a temporary developer domain, atoms.dev
You may think your company is too small to be targeted. You may think your internal processes are strong enough. But business email compromise (BEC) fraud in Africa is unusually high: while BEC accounts for approximately 2 percent of global attacks, it represents nearly 21 percent of successful attacks in Africa. Sophisticated phishing emails crafted with the help of AI achieve click‑through rates around 54 percent – more than four times the rate of traditional phishing. The criminals are not amateurs. They are professionals who have studied how businesses approve payments, and they are waiting for one moment of inattention.
This guide will walk you through exactly how the “Atoms.dev” phishing wave operated. It will share true stories of companies that lost hundreds of thousands of euros – and the ones that narrowly escaped. And it will give you the simple, expert‑backed habits that will keep your company’s money safe.
The Anatomy of the Attack: How a Fake Spanish Trade Portal Steals Credentials and Hijacks Invoices
The attack documented by Antiphishing.biz followed a carefully choreographed sequence, each step designed to bypass a different layer of defence.
Step One: The Google Share Link That Slips Past Your Filters
The criminals did not send an obvious phishing email from a suspicious domain. They exploited Google Share redirects (share.google). Because the initial link pointed to a legitimate Google service, standard email security systems did not block it. To the recipient, the link looked like a routine document or shared folder invitation. By the time the victim clicked, the redirection had already bypassed the first line of defence.
Step Two: The Temporary Developer Domain That Creates False Trust
Once the victim clicked, they were taken to a landing page hosted on atoms.dev*.atoms.dev*.vercel.app
Threat Intel: This spoofed page was detected, analyzed, and contained firsthand by the
Antiphishing.bizsecurity team during our daily link moderation procedures. To protect the public, the hostile origin link has been fully defanged within our infrastructure. We document and analyze these live visual patterns to help security researchers and users recognize deceptive clone designs before financial damage occurs.
The page itself was a clone of a professional trade portal. It used the branding of a fake Spanish entity called “Pro Lite Stock”, complete with product categories, logistics descriptions, and professional language. The criminals were not creating a crude scam. They were building a believable business presence.
Step Three: The Fake European Identity That Gains Your Trust
The criminals knew that French businesses trust European partners. By inventing a Spanish entity – “Pro Lite Stock” – they tapped into that trust. The fake company claimed to offer import and export services for premium Algerian products, a plausible trade corridor given the real commercial ties between France and Algeria.
But there was one thing the criminals could not fake: an official registration number. Any legitimate European company must display its NIF/CIF (for Spain) or SIRET/SIREN (for France). The “Pro Lite Stock” entity did not provide a valid CIF. A quick search in the free Spanish Registro Mercantil Central would have revealed that the company did not exist. The criminals hoped you would not check.
Step Four: The Harvesting and the Hijack
The fake portal asked visitors to log in or create an account to view product catalogues, submit purchase orders, or track shipments. When a business owner or procurement manager entered their email address and password, the criminals captured those credentials. With access to a legitimate business email account, the attackers could then read real invoice conversations, identify pending payments, and insert themselves into the communication chain.
From there, it was a short step to invoice fraud. The criminals would monitor email threads between the French company and a genuine supplier. At the right moment – just before a payment was due – they would send a forged invoice with changed bank details. The French company, believing the email came from the supplier, would transfer the funds directly to a mule account. By the time the real supplier called to ask where the payment was, the money would already be gone.
Real Stories of Heartbreak and Narrow Escape
These are not scare tactics. They are the actual experiences of business owners who lost money – and those who saved it by following simple, deliberate rules.
The French Exporter Who Transferred €180,000 to a Mule Account in China
In a case documented by French trade authorities, a medium‑sized exporter of agricultural machinery received an email that appeared to come from a logistics partner with whom they had worked for years. The email notified the exporter of a new “digital invoice processing portal” and provided a link. The link led to a page that looked identical to the logistics company’s real portal.
An employee entered their login credentials. The criminals captured them. Over the following weeks, the attackers monitored the exporter’s email traffic. When a routine shipment invoice for €180,000 was due, the criminals sent a forged version with altered bank details. The finance department, seeing the familiar formatting and the correct reference number, authorized the transfer. The money was sent to a mule account in China and converted into cryptocurrency within hours.
The real logistics company never received the payment. The exporter discovered the fraud only when the shipment was held at the border for non‑payment. By then, the €180,000 was irretrievable. The company’s CFO later told investigators: “We had protocols for everything – quality control, delivery schedules, customs clearance. We had no protocol for checking the bank details on an invoice from a partner we had trusted for five years.”
The Procurement Manager in Lyon Who Stopped a €90,000 Payment by Asking One Question
A procurement manager at a French manufacturing firm received an unsolicited email offering premium industrial materials from a Spanish supplier. The email was professional, the language was correct, and the company name – “Pro Lite Stock” – sounded plausible. A link invited the manager to “view our exclusive catalogue” and “register for a trade discount”.
The manager did not click. Instead, she opened a separate browser tab and typed the official Spanish company registry address manually. She searched for “Pro Lite Stock”. No results. She then looked up the email header and noticed that the domain had been registered only eleven days earlier. She reported the email to her IT department, which confirmed it was a phishing attempt.
Her refusal to click the link – and her willingness to spend three minutes verifying the company’s existence – saved her company from a potential loss of €90,000. The following week, the real “Pro Lite Stock” was exposed as a fake entity by trade authorities.
The Parisian Logistics Coordinator Who Saved €225,000 by Using WHOIS
A logistics coordinator in Paris received an urgent email from what appeared to be a new trade partner. The email claimed that a shipment of premium Algerian goods was ready and that the coordinator needed to log into a “supplier portal” to confirm the order. The link led to a page hosted on atoms.dev
He used a free WHOIS lookup tool. The domain had been registered just six days earlier. The registrant information was hidden behind a privacy service. No legitimate international trade company uses a domain registered less than a week ago for a major shipment. The coordinator flagged the email as phishing and alerted his team. The company’s security team later traced the campaign back to a known Algerian phishing group operating across multiple fake domains.
The Small Business Owner Who Realized Something Was Wrong Too Late
A small business owner in southern France received an email offering a “special trade agreement” for wine exports to North Africa. The email came from a company calling itself “Pro Lite Stock”. The offer seemed too good to pass up. The owner registered on the fake portal, entering her email address and a password she also used for her business bank account.
Two weeks later, she noticed a series of small transfers she did not recognize – each under the bank’s fraud alert threshold, but adding up to more than €40,000. The criminals had used her stolen credentials to log into her business banking portal and initiate the transfers. The bank refused to reverse the charges, stating that the transfers had been authorized using the correct login credentials.
The owner told a local trade publication: “I thought phishing only happened to consumers, not to business owners. I never imagined someone would create a fake trading company just to steal my password.”
The People Who Saved Their Companies (And How You Can Too)
The Finance Director Who Made It a Rule to Never Click Links in Unsolicited Trade Emails
A finance director at a medium‑sized French importer implemented a strict policy after a close call with a fake logistics portal. The policy was simple: no employee in the finance or procurement department would ever click a link in an unsolicited email, no matter how official the sender appeared. Instead, every communication had to be verified by typing the company’s official website address manually.
When the “Atoms.dev” phishing wave hit, an employee received a Google Share link that appeared to come from a Spanish trade partner. She remembered the policy. She did not click. She opened a new browser tab, typed the partner’s real website address manually, and logged in through the official portal. There was no message, no urgent document, no request for action. The email was a forgery. The policy, followed by one employee, saved the company from what could have been a ruinous loss.
The Purchasing Manager Who Sent a Second Email
A purchasing manager at a French manufacturing company received an email from a long‑time supplier notifying him of a change in bank details. The email looked legitimate. It came from the supplier’s correct email address. It included the supplier’s logo and the same professional language used in past communications.
But the manager had been trained. Instead of replying to the email, he opened a new email message and typed the supplier’s address manually, using the contact saved in his system. He attached a screenshot of the suspicious email and asked: “Did you send this?”
The supplier replied within minutes: “No. Do not pay. Our system has been compromised.”
The manager’s decision to verify through a separate channel – a new email, not a reply – saved his company from transferring money into a criminal’s account.
The IT Security Officer Who Trained Employees to Check Domain Age
An IT security officer at a French trade company turned a potential disaster into a training success. After learning about the “Pro Lite Stock” campaign, he gathered all procurement and finance staff for a 30‑minute session. He showed them a live WHOIS lookup. He explained that a company claiming to be a “trusted global partner” but with a domain registered 14 days ago is 100 percent a scam. He gave them a simple rule: if a trade partner offers an amazing deal and you cannot find them in the official company registry, it is a trap.
Two weeks later, an employee received an email from a new “Spanish supplier” offering premium goods at below‑market prices. The employee ran a WHOIS check. The domain was 12 days old. The company did not appear in the Spanish Mercantil Central. The employee flagged the email. The company avoided a potential five‑figure loss.
The Four Red Flags That Give Away the Cross‑Border B2B Phishing Attack – Every Time
You do not need to be a cybersecurity expert to spot these attacks. You just need to know what to look for.
Red Flag One: The Domain Is a Developer Subdomain like .dev.vercel.app
No legitimate international trade firm hosts its official portal on a temporary developer platform. If you see atoms.devvercel.appnetlify.appAntiphishing.biz analysis is explicit: “No established international trade firm hosts its official portal on developer subdomains like *.atoms.dev*.vercel.app
Red Flag Two: The Company Cannot Be Found in the Official European Registry
Any legitimate Spanish company has a CIF (Código de Identificación Fiscal). Any legitimate French company has a SIRET or SIREN number. These numbers are public. You can verify them for free through the Registro Mercantil Central (for Spain) or Infogreffe (for France). The fake “Pro Lite Stock” entity did not provide a valid CIF – because it did not exist. If a trade partner cannot be found in the official registry, it is a scam.
Red Flag Three: The Domain Was Created in the Last 30 Days
Most phishing domains are short‑lived. Criminals register them, run their campaign, and abandon them before they can be blacklisted. You can check the age of any domain for free using a WHOIS lookup tool. If a company claims to be a “trusted global partner” but their website was created 14 days ago, it is 100 percent a scam.
Red Flag Four: The Email Asks You to Log In or Enter Credentials
A legitimate trade portal does not ask you to enter your email address and password just to view a product catalogue or check a shipment status. If you receive an email encouraging you to log in to a “supplier portal” or “logistics platform” that you have never used before, treat it with extreme suspicion. The goal is credential harvesting – capturing the keys to your business accounts.
Expert Advice: How to Keep Your Company’s Money Safe Starting Today
The following rules come from cybersecurity professionals, trade authorities, and the Antiphishing.biz security team. Following them will protect your business from the cross‑border B2B phishing attack and every future variation.
Rule One: Never, Ever Click Links in Unsolicited Trade Emails
This is the single most important rule. If you receive an unsolicited email about a trade opportunity, a logistics portal, or a supplier catalogue – do not click any links. Do not call any phone numbers in the message. Do not reply.
Instead, open a new browser tab. Type the company’s official website address manually, using the contact information you have on file from previous legitimate interactions. If you have no prior relationship with the company, do not engage.
Rule Two: Verify Every European Company Using Its Official Registration Number
Before you consider any trade offer from a new European partner, take five minutes to verify their existence. For Spanish companies, use the free Registro Mercantil Central database. For French companies, use Infogreffe. If the company does not appear in the official registry, stop all communication.
The “Pro Lite Stock” entity failed to provide a valid CIF because it did not exist. A simple registry check would have revealed the fraud.
Rule Three: Never Trust a Trade Portal Hosted on a Developer Subdomain
If a supposed trade portal uses a domain ending in .dev.vercel.app.netlify.app
Rule Four: Check the Domain Age Before You Do Anything Else
Use a free WHOIS lookup tool such as who.islookup.icann.org
Rule Five: Train Your Entire Procurement and Finance Team
One trained employee can save a company millions. The procurement manager in Lyon who checked the Spanish registry saved €90,000. The logistics coordinator who used WHOIS saved €225,000. The IT security officer who trained his team turned a potential disaster into a success story.
Run regular phishing simulations. Show your team examples of fake trade portals. Teach them how to verify registration numbers and domain ages. Make skepticism a habit, not an exception.
Rule Six: Implement Multi‑Person Approval for Supplier Bank Detail Changes
Business email compromise fraud often starts with credential harvesting, but it ends with invoice hijacking. The safest companies require two people – sometimes three – to approve any change to supplier bank details. The first person initiates the change request. The second person verifies the request by calling the supplier using a known phone number, not the number in the email. The third person (for large amounts) reviews the entire chain before releasing the payment.
This is your emergency brake. Use it.
Rule Seven: Report Phishing Attempts Immediately
If you receive a suspicious trade email, do not just delete it. Report it to your country’s cybercrime reporting platform. In France, you can use the Pharos platform (internet-signalement.gouv.fr
The Antiphishing.biz security team detected, analyzed, and contained this phishing wave during daily link moderation. The hostile origin link has been fully defanged within their infrastructure. But new domains appear constantly. Your vigilance is the last line of defence.
What to Do If You Have Already Fallen for This Scam
If you realize that you have clicked a link, entered your credentials, or provided any sensitive information on a suspicious website, do not panic. But do not wait, either. Time is the enemy. Act immediately.
First, change your email password immediately. Do this from a device that you know is clean – not the one where you clicked the link. Use a strong, unique password that you have never used anywhere else.
Second, revoke all active sessions. Most email platforms have a “sign out everywhere” or “revoke all sessions” feature. Use it. This will kick any criminal out of your account if they are currently logged in.
Third, contact your bank immediately. If you used the compromised credentials for online banking, or if you have any reason to believe the criminals accessed your financial accounts, call your bank using the number on the back of your card. Ask them to freeze your accounts, change your credentials, and review recent transactions for suspicious activity.
Fourth, review your recent email rules. Criminals often create hidden inbox rules that delete or forward security alerts. Look for any rules you did not create and remove them.
Fifth, file a police report. In France, you can file a complaint online through the Pharos platform or in person at your local gendarmerie or police station. Many victims delay reporting because they feel embarrassed or ashamed. Do not let that stop you. There is nothing shameful about being targeted by a sophisticated attack. The shame belongs to the criminals.
Sixth, notify your trading partners. If your email was compromised, the criminals may attempt to use it to send fake invoices to your suppliers or customers. Warn them immediately and advise them to verify any payment requests by phone before transferring funds.
A Final Word
The cross‑border B2B phishing wave documented by Antiphishing.biz is not a crude consumer scam. It is a professional, multi‑stage criminal operation designed to bypass email security, impersonate European entities, and harvest corporate credentials. The criminals chose a realistic trade corridor – Algeria to France – and a plausible product category – premium Algerian goods. They used Google Share links to evade filters and temporary developer domains to host their fake portals.
But the attack has a fatal weakness. It falls apart the moment you pause, take a breath, and ask one simple question: “Is this company real?”
If the answer is no – and it almost always is – do not click. Do not type. Do not call the number in the message. Open your browser. Type the official registry address manually. Check the CIF or SIRET. Look up the domain age. Verify through official channels.
That extra five minutes of verification could save your company from a €180,000 loss, protect your supplier relationships, and preserve the trust you have built with your customers.
The criminals are counting on your speed, your ambition, and your momentary distraction. Do not give them any of those things. Stay slow. Stay skeptical. And always, always verify before you trust.
This attack was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during automated link scanning workflows. The hostile origin link has been fully defanged within their infrastructure to protect the public. If you found this guide helpful, share it with every business owner, procurement manager, and finance professional you know. The more people understand this scam, the harder it becomes for criminals to profit.