
Case Study: The Enovos "€117.90 Refund" Phishing Scam Dissected

November 23, 2025

The Anatomy of the Attack


Phishing attacks are becoming increasingly visually accurate. Gone are the days of spelling mistakes and pixelated logos. This specific campaign highlights how scammers replicate the full user experience (UX) to lower the victim's guard.


Here is the step-by-step breakdown of how this scam works.


Step 1: The Hook (The Email)



The attack begins with an email that appears urgent but positive. The subject line "Suivi remboursement 117,90 EUR en attente" ("Refund tracking: EUR 117.90 pending") immediately grabs attention.


Why it works:


- Specific Amount: Using a specific number like €117.90 feels more authentic than a round number like €100.

- Branding: The logo and color scheme perfectly match Enovos branding.

- The Trap: The sender address [email protected] is the massive red flag here. It is a compromised account from a Peruvian university, unrelated to Enovos or Luxembourg.


Step 2: The Fake Portal



If a victim clicks the "Confirm my data" button, they are not taken to enovos.lu. Instead, they land on a fraudulent domain: mon-remboursement-espace-client.com.


The scammers present a login page that closely resembles the genuine Enovos login page. This visual familiarity often tricks users into entering their real login credentials, which the attackers harvest immediately.


Step 3: Identity Theft



Once "logged in," the user is presented with a refund confirmation screen. To "process" this refund, the site demands a full profile update.


They ask for:


- Full Name


- Date of Birth


- Full Address


- Phone Number


The Danger: This isn't just about stealing money; it’s about Identity Theft. With this combination of data, attackers can conduct targeted social engineering attacks against you later.


Step 4: The Financial Payload



This is the critical moment. The site asks for Credit Card details (Number, Expiry, CVV) to "receive" the refund.


The Logic Gap: Legitimate companies refund money to your bank account (IBAN) or deduct it from your next bill. They do not need your credit card number and security code (CVV) to send you money. This form exists solely to collect what the attackers need to make unauthorized purchases with your card.


Step 5: The False Sense of Security


After submitting the credit card details, the website simulates a "Verification in progress" screen (complete with loading bars) and finally shows a green "Refund Confirmed" success message.


Why they do this: This is a psychological trick. By confirming the transaction, they calm the victim down. The victim closes the browser believing they solved a problem, giving the scammers hours or days to use the stolen credit card before the victim notices suspicious charges.


Summary of Red Flags (IOCs)


For IT administrators and security-aware users, here are the specific indicators from this campaign:

- Sender Domain: @autonomadeica.edu.pe (or other non-Enovos domains).

- Malicious URL: mon-remboursement-espace-client.com.

- The "Credit Card for Refund" Logic: A service provider will never ask for a Credit Card number to send funds.

- Urgency: The email implies the refund is "pending" and requires immediate action.


How to protect your organization?


This Enovos scam demonstrates that visual recognition is no longer enough to spot a threat. The website looks perfect. Detection requires checking the Source (URL and Sender) and analyzing the Context (Why do they need my credit card?).
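The Source checks described above (sender and URL) can be automated during mail triage. The following is an added example, not code from LetzSecure or Enovos: it assumes enovos.lu is the only legitimate sending and linking domain, and the sample messages, display name, placeholder local part and flag names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAIN = "enovos.lu"   # assumption: the brand's only legitimate domain
BRAND = "enovos"
# Indicators published in this case study.
IOC_SENDER_DOMAINS = {"autonomadeica.edu.pe"}
IOC_URL_HOSTS = {"mon-remboursement-espace-client.com"}
# Lure wording taken from the subject line (refund / pending).
LURE_WORDS = re.compile(r"remboursement|refund|en attente|pending", re.I)

def in_domain(host, domain):
    # True only for the domain itself or a real subdomain, so that
    # "enovos.lu.evil.example" does not pass as "enovos.lu".
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def red_flags(raw_email):
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    flags = set()
    if any(in_domain(sender_domain, d) for d in IOC_SENDER_DOMAINS):
        flags.add("ioc-sender-domain")
    # Display name claims the brand but the address is not on its domain.
    if BRAND in display.lower() and not in_domain(sender_domain, LEGIT_DOMAIN):
        flags.add("brand-sender-mismatch")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if any(in_domain(host, d) for d in IOC_URL_HOSTS):
            flags.add("ioc-url")
        elif not in_domain(host, LEGIT_DOMAIN):
            flags.add("off-brand-link")
    if LURE_WORDS.search(msg.get("Subject", "")):
        flags.add("refund-urgency-lure")
    return sorted(flags)

# Constructed sample messages (not the real emails).
PHISH = ("From: Enovos <placeholder@autonomadeica.edu.pe>\n"
         "Subject: Suivi remboursement 117,90 EUR en attente\n\n"
         "Confirmez vos donnees: https://mon-remboursement-espace-client.com/\n")
LEGIT = ("From: Enovos <placeholder@enovos.lu>\n"
         "Subject: Votre facture est disponible\n\n"
         "Consultez https://www.enovos.lu/ pour le detail.\n")

if __name__ == "__main__":
    print(red_flags(PHISH), red_flags(LEGIT))
```

The Context check (a refund form asking for card number and CVV) happens on the landing page, not in the email, so it is not covered by this header and link triage.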


At LetzSecure, we believe that exposure is the best vaccine. We can simulate attacks exactly like this one to train your employees in a safe environment.


Is your team ready to spot the next sophisticated clone?
