New phishing puts SPID credentials at risk: the Revenue Agency warns

Image generated with AI.

The Revenue Agency (Agenzia delle Entrate, AdE) has reported a new phishing campaign which, by misusing the agency's own logo and name, tries to induce users to hand over their SPID credentials, the digital identity that gives access to the online services of the Italian Public Administration. The attack starts with an apparently legitimate message inviting the recipient to log in to the reserved area of the Revenue Agency: the message contains a hyperlink which, instead of leading to the institutional website of the Italian tax authority, sends the victim to a page built by the fraudsters for the sole purpose of collecting the credentials. Let's take a closer look at how this SPID credential phishing works and how to defend yourself.

How phishing disguised as a communication from the Revenue Agency works

The emails sent in this campaign are designed to look credible in both graphics and language, imitating official communications from the Revenue Agency. The link in the text leads to a fraudulent site, i.e. a website set up by the scammers, which replicates the appearance of the agency's reserved area. Shown here is a spoofed login screen that simulates login via SPID.

The form asks only for the digital identity password, because the user's e-mail address is already pre-filled. This pre-filled data makes the message more convincing and can lower the recipient's guard: «If this information is already filled in», the recipient might think, «evidently the message really does come from the Revenue Agency, which knows every taxpayer's data». In reality the attackers already hold that address, since they used it to send the e-mail in the first place, so seeing it pre-filled proves nothing about the sender. If the user completes the form, the password the criminals were after is delivered straight into their hands.

The fake web page designed by scammers to steal users’ SPID credentials.

How to defend yourself from a phishing attempt made to steal your SPID

As in previous campaigns of this kind, the Revenue Agency has stated that it has no involvement in these communications. The key defence is to remember that the agency does not send emails containing direct links to pages where credentials are to be entered, so any message that urges you to log in, especially one demanding urgent action, should be treated with suspicion. What should you do if you receive a communication that claims to come from the Revenue Agency but is in fact fraudulent? This is the agency's advice:

As always, we recommend that you pay the utmost attention if you receive emails of this type: avoid clicking the links provided or supplying personal information, and delete them immediately.

What if you cannot tell whether a message you have received is authentic? In that case, do not use the link in the message at all: contact the Revenue Agency directly, either in person at the relevant territorial office or through the contact details published on the agency's own website, reached by typing the address yourself rather than by following a link in an email.
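The two points made above, that the lure link points to a lookalike page rather than the institutional site and that the agency never emails direct links to credential-entry pages, can be turned into an automatic check. The following is an added example, not code from the article or from the Revenue Agency: it extracts every hyperlink from an HTML e-mail body, compares the visible link text with the real destination host, and flags any destination that is not under an allowlisted official domain. The allowlist (agenziaentrate.gov.it, spid.gov.it) and the sample e-mail are assumptions constructed for the illustration; adjust the allowlist to your own environment.

```python
"""Flag suspicious hyperlinks in an HTML e-mail body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts under these domains are the legitimate ones.
OFFICIAL_DOMAINS = ("agenziaentrate.gov.it", "spid.gov.it")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    # urlparse.hostname discards userinfo, so "https://gov.it@evil.example/"
    # correctly yields "evil.example".
    return (urlparse(url).hostname or "").lower().rstrip(".")


def _is_official(host):
    # Exact match or a subdomain; "agenziaentrate.gov.it.evil.example" fails.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def analyze_links(html):
    """Return one finding per link with the reasons it looks suspicious."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = _host(href)
        reasons = []
        if parsed.scheme not in ("http", "https"):
            reasons.append("non-web scheme")
        elif parsed.scheme != "https":
            reasons.append("not https")
        if not _is_official(host):
            reasons.append("host not in allowlist")
        # If the visible text itself looks like a URL or domain, it must
        # agree with the real destination host.
        if "." in text and " " not in text:
            shown = text if "://" in text else "http://" + text
            shown_host = _host(shown)
            if shown_host and shown_host != host:
                reasons.append(f"text shows {shown_host} but link goes to {host}")
        findings.append({
            "href": href, "text": text, "host": host,
            "suspicious": bool(reasons), "reasons": reasons,
        })
    return findings


# Constructed sample: one lure link imitating the agency, one genuine link.
SAMPLE_EMAIL = """<html><body>
<p>Gentile contribuente, accedi subito alla tua area riservata.</p>
<p><a href="https://agenziaentrate-accesso.example/spid">www.agenziaentrate.gov.it</a></p>
<p><a href="https://www.agenziaentrate.gov.it/">Sito istituzionale</a></p>
</body></html>"""


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}  {'; '.join(f['reasons'])}")
```

Run against the constructed sample, the first link is flagged twice (host outside the allowlist, and visible text showing the agency's domain while the link goes elsewhere), while the genuine link passes. The check is deliberately conservative: a link that merely fails the allowlist is still worth a manual look, which is exactly the point the agency's advice makes.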