Date: 2026-02-15

IT scams that exploit the name of digital public services are growing strongly, and in 2025 the phenomenon took on new characteristics: more refined and harder to recognize at a glance, at least for less astute users. This is the picture drawn by the new report on malicious campaigns analyzed in 2025, published by CERT-AgID, which highlights how cyber criminals are focusing their efforts on tools that citizens and businesses use every day, leveraging the trust we place in institutional communications. In particular, two vectors deserve attention: false payment requests that invoke PagoPA and the improper use of PEC. This is not a sudden and chaotic explosion, but the result of a gradual evolution of phishing and malware distribution techniques, which are increasingly targeted and technologically mature.

Over the course of the year, more than 3,620 malicious campaigns were registered, along with more than 51,500 indicators of compromise (technical traces useful for recognizing an attack), which were shared with the administrations involved. The picture that emerges tells us that it is no longer enough to be wary of poorly written emails or suspicious links: today scams imitate official channels with graphic and linguistic precision and even use tools perceived as “secure” by definition (such as Certified Electronic Mail, PEC).

The trap of false payment reminders

Going into detail, 2025 marks the first large-scale spread of phishing campaigns that abuse the PagoPA name. In over 300 documented cases, victims received emails simulating payment reminders for alleged unpaid traffic fines. The mechanism is always the same: the message urges the recipient to settle the matter quickly and links to a web page that impeccably replicates the appearance of the official portals. There, personal data and payment card details are requested, which end up directly in the hands of the attackers. The success of this bait is linked to the growing familiarity with digital payments to the Public Administration and to the psychological pressure exerted by terms such as “fine” or “imminent deadline”.

The increasingly massive use of PEC

In parallel, there was a marked increase in the use of PEC as an attack channel, close to 80% compared to the previous year. PEC is an email system that guarantees the identity of the sender and the legal validity of the communication, and it is precisely this aura of reliability that makes it attractive to criminals. The campaigns surveyed use both compromised legitimate mailboxes and addresses created specifically and then abandoned. There are two purposes: phishing, often geared towards stealing banking credentials, and distributing malware such as MintsLoader, a program designed to download additional malicious components onto the victim’s computer.

On the channel front, however, ordinary email remains the means most used by criminals. Smishing, i.e. phishing attempts via SMS, was used less frequently overall than in the previous year, but was increasingly used to lead users to unknowingly install malware, especially on Android devices. In these cases the message contains a link that leads to the download of an APK file, the file format used to distribute and install applications on Android, sometimes presented as an urgent update of a banking app. The installation gives the attacker access to sensitive data and sometimes total control of the phone.
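A defender-side link check for the two lures described above (the PagoPA payment reminder and the SMS that leads to an APK download), as an added example that is not from the CERT-AgID report. The official-domain list, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains treated as official in this example; maintain your own list.
OFFICIAL_SUFFIXES = ("pagopa.gov.it", "pagopa.it")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample messages (not real campaign data).
SAMPLE_EMAIL = ("PagoPA reminder: unpaid traffic fine, imminent deadline. "
                "Pay now at https://pagopa-multe.example/pay?id=1")
SAMPLE_SMS = "Urgent update for your banking app: http://updates.example/bank.apk"
SAMPLE_LEGIT = "Your PagoPA receipt: https://checkout.pagopa.it/ricevuta"
SAMPLE_PREFIX = "PagoPA notice: https://pagopa.gov.it.example/login"


def is_official(host: str) -> bool:
    """True only for an official domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)


def triage(message: str) -> list:
    """Return (url, reason) pairs for links that deserve a closer look."""
    mentions_brand = "pagopa" in message.lower()
    findings = []
    for url in URL_RE.findall(message):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.path.lower().endswith(".apk"):
            # Sideloaded Android packages should never arrive via a message link.
            findings.append((url, "apk-download"))
        elif "pagopa" in host and not is_official(host):
            # Brand name inside the host, but the registered domain is different.
            findings.append((url, "lookalike-host"))
        elif mentions_brand and not is_official(host):
            # Message claims to be PagoPA but sends the reader elsewhere.
            findings.append((url, "brand-text-unofficial-link"))
    return findings


if __name__ == "__main__":
    for msg in (SAMPLE_EMAIL, SAMPLE_SMS, SAMPLE_LEGIT, SAMPLE_PREFIX):
        print(triage(msg))
```

The suffix comparison on the parsed hostname is what catches the last sample, where the official name is only a prefix of an unrelated domain.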

The evolution of social engineering

Another relevant element concerns the evolution of social engineering techniques. In 2025 the so-called ClickFix spread: a strategy that tricks the user into manually executing commands on their system by following seemingly legitimate instructions, sometimes disguised as what appears to be a harmless CAPTCHA. The “voluntary” execution of these commands bypasses various automatic security checks and starts the download of malicious code without exploiting technical vulnerabilities.

The dominance of infostealers

From the point of view of malicious software, infostealers continue to dominate: programs designed to steal information such as passwords, session cookies, and documents. They are often distributed through compressed archives, which reduce the chances of preventive interception. FormBook, Remcos and AgentTesla are among the most observed families, inserted in multi-stage infection chains that combine social engineering, loaders and intermediate components.

The omnipresence of AI

A factor that cuts across many campaigns is the growing use of artificial intelligence. The ability to generate credible, well-written and context-adapted messages, which reduces the effectiveness of filters based on formal errors, is one of the most interesting aspects noted by researchers. In some cases, especially those involving the use of ransomware, AI is even being exploited as an extortion tool, as malicious actors threaten to reuse the stolen data for model training.

How to defend yourself from online threats in 2026

In the face of all these cyber threats, we must remain clear-headed and learn to defend ourselves. You can do so starting from these five points.