A new and sophisticated wave of fraudulent campaigns exploit the familiarity of Italian citizens with the digital payment tools of the Public Administration. The alarm is raised by the Postal Policewhich identified a massive sending of misleading communications that illegitimately abuse the name and brand “PagoPA”the system designed to make payments to the PA simpler, safer and more transparent. The phenomenon falls into the category of phishing, a social engineering technique through which cyber criminals attempt to deceive the victim by convincing them to provide personal information, financial data or access codes, pretending to be a reliable entity. The bait used by scammers is leverage alleged irregularities: Users receive alerts regarding unpaid fines, pending administrative sanctions or generic missed payments which require immediate regularization.
The danger of these campaigns lies in their ability to simulate official pagoPA communications with a certain fidelity, inducing citizens to carry out impulsive actions for fear of incurring legal consequences or paying costly fines. In this in-depth study we will explain how to recognize false pagoPA payment requests and how to defend yourself.
How to recognize false pagoPA payment requests
Analyzing in detail the modus operandi of these illicit activities, we observe that cybercriminals do not limit themselves to sending a simple text, but construct communications (delivered via e-mail, SMS And messaging app) designed to look authentic. Learn to recognize counterfeit communications sent by cybercriminals may be, in itself, more than enough to avoid falling victim to cyber criminals. It must be said, however, that being able to recognize them may not be easy for less careful users. This is because the tone used in the body of the message and the skilful use of logos, headings and regulatory references could confer a certain aura of “officialness”. From a graphic point of view, therefore, few clues can be truly useful for recognizing a true communication from a false one.
Much more useful is the content of the message which, if analyzed well, can allow us to understand in a relatively simple way that the communication does not really come from pagoPA. In fact, in the communication sent by scammers, reference is almost always made to one debt situation originating from a traffic fine or an unpaid tax, followed by a more or less significant amount to be paid. This is precisely where the psychological component of the scam comes into play: the creation of a sense of urgency and the fear of incurring worse consequences if you don’t pay immediately are the feelings that cyber criminals leverage to induce their victims to carry out dangerous actions. What actions are we referring to? Typically you are invited to regularize your position by clicking on a link or by scanning a QR code (the two-dimensional codes which, when framed with the camera, refer to a web page).
By opening the link or scanning the QR code you are redirected to web portals that clone the appearance of the PagoPA site, but which are in reality controlled by scammers. In these fake portals we are asked to enter our sensitive data, such as personal details or, even worse, credit card details and banking credentials. The final objective of these operations is not the collection of the (fake) fine, but the direct theft of money and the theft of digital identity.
How to protect yourself from false pagoPA communications
In light of what we have seen so far, however protect yourself from false pagoPA communications you must first learn to recognize fraudulent messages and then apply them 7 tips provided by the Postal Police:
- Do not click on links or scan QR codes in messages.
- Do not provide personal or banking information.
- Access the official websites of the institutions directly to check any pending payments owed to us.
- Report any fraudulent messages received to the Postal Police.
- Keep your device software (operating system and apps) updated.
- Enable phishing filters.
- Be wary of any communication that creates a sense of urgency by threatening immediate sanctions.
