PagoPA and PEC scams are on the increase in Italy: how to defend yourself

Online scams that exploit the names of digital public services are growing strongly, and in 2025 the phenomenon has taken on new characteristics: more refined and harder to recognize at a glance, at least for less astute users. This picture comes from the new report on malicious campaigns analyzed in 2025, published by CERT-AgID, which highlights how cyber criminals are concentrating their efforts on tools that citizens and businesses use every day, leveraging the trust we place in institutional communications. Two vectors in particular deserve attention: false payment requests that invoke PagoPA and the improper use of certified e-mail. This is not a sudden and chaotic explosion, but the result of a gradual evolution of phishing and malware distribution techniques, which are increasingly targeted and technologically mature.

During the year, over 3,620 malicious campaigns and more than 51,500 indicators of compromise (technical traces useful for recognizing an attack) were recorded and shared with the administrations involved. The picture that emerges is that it is no longer enough to be wary of poorly written emails or suspicious links: today scams imitate official channels with graphic and linguistic precision and even use tools perceived as “secure” by definition (such as Certified Electronic Mail).

The trap of false payment reminders

Going into detail, 2025 marks the first large-scale spread of phishing campaigns that abuse the PagoPA name. In over 300 documented cases, victims received emails simulating payment reminders for alleged unpaid traffic fines. The mechanism is always the same: the message urges the recipient to settle the matter quickly and links to a web page that impeccably replicates the appearance of the official portals. There, personal data and payment card details are requested, which end up directly in the hands of the attackers. The success of this bait is linked to the growing familiarity with digital payments to the Public Administration and the psychological pressure exerted by terms such as “fine” or “imminent deadline”.

The increasingly massive use of PEC

In parallel, the use of PEC as an attack channel rose markedly, by close to 80% compared to the previous year. PEC is an email system that guarantees the identity of the sender and the legal validity of the communication, and it is precisely this aura of reliability that makes it attractive to criminals. The campaigns surveyed use both legitimate mailboxes that have been compromised and addresses created specifically for the purpose and then abandoned. There are two purposes: phishing, often aimed at stealing banking credentials, and the distribution of malware such as MintsLoader, a program designed to download additional malicious components onto the victim’s computer.

In terms of channels, however, ordinary email remains the means most used by criminals. Smishing, i.e. phishing via SMS, was used less frequently overall than in the previous year, but was increasingly used to lead users to unknowingly install malware, especially on Android devices. In these cases the message contains a link that leads to the download of an APK file, the file format used to distribute and install applications on Android, sometimes presented as an urgent update of a banking app. The installation gives the attacker access to sensitive data and sometimes total control of the phone.

The evolution of social engineering

Another relevant element concerns the evolution of social engineering techniques. In 2025, the so-called ClickFix technique became widespread: a strategy that induces users to manually execute commands on their own system by following apparently legitimate instructions, sometimes disguised as what appears to be a harmless CAPTCHA. Because the user runs these commands “voluntarily”, the attacker can bypass various automatic security checks and start the download of malicious code without exploiting any technical vulnerability.

The dominance of infostealers

On the malware side, infostealers, programs designed to steal information such as passwords, session cookies and documents, continue to dominate. They are often distributed through compressed archives, which reduce the chances of being intercepted beforehand. FormBook, Remcos and AgentTesla are among the most observed families, inserted in multi-stage infection chains that combine social engineering, loaders and intermediate components.

The omnipresence of AI

A factor that cuts across many campaigns is the growing use of artificial intelligence. The ability to generate credible, well-written and context-adapted messages, which reduces the effectiveness of filters based on formal errors, is one of the most interesting aspects noted by researchers. In some cases, especially those involving ransomware, AI is even being exploited as an extortion tool, as malicious actors threaten to reuse the stolen data for model training.

How to defend yourself from online threats in 2026

Faced with all these cyber threats, we must remain clear-headed and learn to defend ourselves. You can do it starting from these five points.

  • Always check the official channels: in case of payment requests, manually access the PA’s digital services by writing the address in the browser or using official apps and portals such as PagoPA, without clicking on links received via email or SMS.
  • Do not trust all communications received via PEC: even messages received via Certified Email can be fraudulent if the sender’s account has been compromised; unexpected attachments and links should be treated with the same caution as regular mail.
  • Be wary of urgency and psychological pressure: terms such as “imminent deadline”, “sanction” or “service block” should make you suspect that the communication may be an attack.
  • Do not install software from external sources: avoid APK files downloaded via links and install applications only from official stores, such as the Google Play Store or the Apple App Store.
  • Remember that no institution asks for credentials via SMS, e-mail, etc.: if you think that a communication may be legitimate, try contacting the institution’s customer service and ask for clarification on the matter.