Fake emails about renewing the Health Card, supposedly from the Ministry of Health: how the scam works

Image generated with AI for illustrative purposes only.

An alleged mandatory replacement of the Health Card, a message that invokes the Ministry of Health and a convincing-looking website: these are the elements of a new phishing campaign identified by CERT-AGID, the Computer Emergency Response Team of the Agency for Digital Italy. The cybercriminals' goal is to make users believe they must request a new document to keep accessing healthcare services, and so convince them to enter personal data and payment information on fraudulent pages.

As reported, the campaign uses several fraudulent Internet domains that reproduce the graphics and visual identity of the institutional portal to make the scam more credible. This is a well-established technique that exploits the trust placed in public bodies to get victims to lower their guard.

What the Health Card replacement scam is and how it works

The mechanism follows a rather simple scheme, already observed in the past, but designed to appear authentic. The user receives a communication informing them that the Health Card must be replaced to comply with a supposed new electronic health identification system. The message also suggests that failing to replace it could lead to the progressive deactivation of the card and, consequently, restricted access to health services.

In reality, there are no official campaigns requiring citizens to replace their health cards with the methods described in the message. It is precisely this false urgency that is exploited by cybercriminals to convince victims to lower their guard and provide their data.

The fraudulent site that simulates the portal of the Ministry of Health. Credit: CERT–AGID

To complete the process, the recipient must click on a link to a site designed to resemble that of the Ministry of Health. There, the victim is asked to fill out a form with personal data, contact details and other information.

In the next phase, a summary of the costs for the presumed issuing of the new card appears. The site requires the payment of 6.39 euros, a figure presented as the sum of various items, including 2.50 euros for issuing, 0.99 euros for shipping and 2.90 euros for activating the service. Once the payment is initiated, victims are tricked into entering their payment card information, which together with their personal information is the real target of the scam.

Why the scam can seem credible

Phishing campaigns do not aim to break into computer systems directly, but to manipulate people's behavior. In this case, the cybercriminals rely on a familiar theme, the Health Card, a document used daily to access numerous services of the National Health System.

Several factors make the scam even more convincing: institutional logos, graphics similar to those of official portals, formal language and references to supposed administrative procedures. Added to this are calls to act quickly to avoid alleged service disruptions. All of these are typical elements of this type of scam, designed to push users to act on impulse without verifying the authenticity of the messages they receive.

How to recognize phishing and avoid falling into the trap

Recognizing this type of scam is not always easy, especially because cybercriminals can faithfully reproduce the look of sites and emails that appear to come from public bodies. For this reason, the name or logo of an institution alone is not enough to guarantee that a communication is authentic.

Before entering personal or payment data, it is therefore advisable to check the website address carefully, avoiding links contained in emails and instead typing the address of the official portal into the browser by hand. Likewise, any unexpected request for payment or bank details as part of an administrative procedure should be treated as a red flag. In case of doubt, it is better to stop the procedure and verify whether the request actually exists by consulting the official channels of the Ministry of Health or the competent bodies directly, without using the links in the email or SMS.

CERT-AGID constantly monitors campaigns of this kind and, when it identifies new fraudulent infrastructure, initiates countermeasures together with the competent entities, also updating the indicators of compromise used to identify malicious sites. However, because the domains used by criminals can change rapidly, the most effective defense remains caution: always check where a communication comes from and be wary of requests to provide personal data or payment information through links received via email.