Brinztech Alert: New “Bershka” Task Scam & Identity Theft Ring Detected

Threat Intelligence Analysis

Brinztech has investigated and confirmed a sophisticated Employment Scam and Identity Theft operation targeting job seekers in Europe. The operators are impersonating the global fashion retailer Bershka (part of the Inditex Group) to lure victims into a fraudulent “task-based commission” scheme.

The operation centers around the domain bershka-europe.com, which was registered on February 11, 2026. This domain has zero affiliation with the legitimate brand (which operates exclusively under bershka.com). Victims are contacted via messaging apps and directed to Telegram for “training,” where they are groomed to believe they are optimizing merchant sales metrics.

Key Cybersecurity Insights

This campaign utilizes a hybrid “Pig Butchering” (Sha Zhu Pan) and Identity Theft methodology:

• The “Sunk Cost” Trap: The scammers use a classic psychological trick. During the “training phase,” the victim is shown a dashboard where they seemingly earn a small commission (approx. €67–€70). This builds false trust. Once hooked, the trap springs: the victim is told they must deposit €100 of their own money to “activate” the account or withdraw their earnings. Legitimate employers never ask employees to pay to work.
• Pivot to Identity Theft: Uniquely, when the victim in this case refused the financial deposit, the scammers pivoted immediately to Data Harvesting. They demanded a Passport/ID and Proof of Address (Utility Bill/Bank Statement) under the guise of “HR Contract Preparation.” This data is not for a contract; it is used to bypass KYC (Know Your Customer) checks on cryptocurrency exchanges or neobanks, allowing the scammers to launder money in the victim’s name.
• Ephemeral Infrastructure: The domain bershka-europe.com was created on the same day the attacks began (Feb 11, 2026). This “burn and churn” tactic allows them to defraud victims quickly before reputation filters block the site.
• Telegram Anonymity: The use of generic Telegram handles (e.g., “Bershka Retails – Support”) ensures the perpetrators remain anonymous and cannot be traced via corporate email headers.

Mitigation Strategies

To protect job seekers and brand reputation, the following strategies are recommended:

• Domain Blocking: Network administrators should immediately blacklist bershka-europe.com and any related subdomains.
• “Pay-to-Work” Rule: Educate users that any job offer requiring an upfront deposit for “software,” “activation,” or “training” is a scam 100% of the time.
• Document Protection: Never upload a photo of your ID, passport, or utility bill to a Telegram chat. Legitimate HR departments will request these via secure portals (https://.../upload) or in-person, only after a formal offer letter is signed.
• Brand Verification: Always verify job offers by visiting the official career page of the brand (e.g., inditexcareers.com). If the job isn’t listed there, it doesn’t exist.

Secure Your Business with Brinztech — Global Cybersecurity Solutions

Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.

Questions or Feedback?

For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com