The incident: a fraudulent EPM payment portal
The threat was first detected after a user reported that they had unknowingly paid for a utility service through a website impersonating Empresas Públicas de Medellín (EPM). The phishing site, facturaepm.com, closely mimicked EPM's branding, user interface, and payment flow. When users entered their account details, the site displayed accurate billing information and redirected them to what appeared to be a legitimate payment gateway.
However, payment confirmations revealed that the transaction had been processed under the name Pagos GDE S.A., a digital account linked to Powwi, a financial institution that later confirmed the unauthorized use of its platform for fraudulent purposes.
Forensic analysis and threat containment
Centurio International's threat response team immediately began a forensic analysis of the domain. Findings included:
- A cloned interface that replicated the legitimate EPM portal.
- The use of phishing kits hosted on external servers.
- Redirection mechanisms that took users to unknown payment gateways with unverifiable trade names.
The fraudulent site took advantage of search engine indexing to appear among the top results for phrases such as “pay EPM bill,” making it especially dangerous for users who did not verify the domain.
Mitigation measures and dismantling execution
Within hours of detection, Centurio International began the dismantling process through multiple channels:
- Domain registrar intervention: the domain was reported and suspended for violating the terms of service.
- Notification of the hosting provider: the servers hosting the phishing kit were shut down.
- Search engine de-indexing: the fake site was removed from search engine results through emergency phishing reports.
- Coordination with law enforcement: documentation and evidence were gathered and shared with the relevant digital crime units to support wider investigations.
As a result, facturaepm.com was rendered inoperable, preventing it from being exploited further.
Recovery assistance and financial reimbursement
In parallel, the affected user was guided through the incident reporting procedures with their financial institution. Thanks to the rapid notification and fraud detection protocols, the bank, Bancolombia, recognized the transaction as phishing-related and processed the reimbursement.
Key security lessons and prevention strategies
This incident reinforces several fundamental practices for both organizations and end users:
- Always validate domains: visual similarity is not enough. Check the URL carefully: official sites live under the organization's own registered domain (e.g., epm.com.co), not under a lookalike such as facturaepm.com.
- Provide phishing training: educate users about browser indicators, SSL certificates (a valid certificate alone does not prove a site is genuine), and common warning signs.
- Use official apps or manually entered URLs: avoid clicking on sponsored links or trusting autocomplete suggestions from search engines.
- Report fraud immediately: early detection is key to recovering funds and preventing the threat from spreading.
- Partner with cybersecurity providers who are ready to respond: having a dedicated team prepared to act on threats ensures rapid containment.
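The domain check in the first lesson, as an added example that is not part of the original post or of Centurio International's tooling: it classifies a URL as the legitimate domain (epm.com.co, taken from the post), an impersonator carrying the brand name (facturaepm.com), or unrelated, and can be run over a list of search results such as those returned for "pay EPM bill". The `.example` hosts in the sample are constructed, and the single-entry allowlist is an assumption.

```python
from urllib.parse import urlsplit

# Registrable domain EPM uses; epm.com.co is the one named in the post, any
# further entries would come from the organisation's own domain inventory.
LEGITIMATE_DOMAINS = {"epm.com.co"}
# Brand tokens whose presence in a non-legitimate host suggests impersonation.
BRAND_TOKENS = ("epm",)


def host_of(url: str) -> str:
    """Lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    # .hostname drops userinfo, so https://epm.com.co@evil.example/ yields
    # evil.example rather than the decoy string before the '@'.
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_legitimate_host(host: str) -> bool:
    """True for a legitimate domain or a subdomain of it (pagos.epm.com.co)."""
    # Suffix match on whole labels: epm.com.co.evil.example does not qualify.
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one URL."""
    host = host_of(url)
    if not host:
        return "unrelated"
    if is_legitimate_host(host):
        return "legitimate"
    # Heuristic: drop hyphens so factura-epm.com and facturaepm.com both match.
    # This over-flags on purpose (keepmoving.example would trip it); a takedown
    # team triages the hits, and a missed clone costs more than a false alarm.
    if any(token in host.replace("-", "") for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def lookalikes(urls):
    """Reduce a list of URLs (e.g. results for 'pay EPM bill') to impersonators."""
    return [u for u in urls if classify_url(u) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample; only facturaepm.com comes from the post.
    sample = ["https://www.epm.com.co/site/clientes", "facturaepm.com/pagar",
              "https://epm.com.co@pagos-epm.example/checkout",
              "https://epm.com.co.pagos.example/", "https://noticias.example/tarifas"]
    for url in lookalikes(sample):
        print("lookalike:", url)
```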
Continuous protection: the role of Centurio International
At Centurio International, our mission goes beyond prevention. We act quickly when digital fraud occurs, executing mitigation protocols, dismantling malicious infrastructure, and protecting others from similar attacks. From domain takedowns to forensic support and incident remediation, we ensure that your digital environment remains secure, even after an attack begins.