Postal Police uncover a new scam using fake SMS messages and links impersonating ATAC and ATM: how to recognize it

The Postal Police has identified a sophisticated phishing campaign targeting customers of ATAC and ATM, the public transport operators of Rome and Milan. Fraudsters send fake SMS messages reporting an alleged irregularity in the payment of a trip (usually an alleged “failure to validate on exit” with the Tap&Go system) and urge the recipient to pay a small amount immediately via a link in order to avoid much heavier penalties. Behind these messages there are no real employees of the Rome Capital Mobility Company, nor operators of the Milanese Transport Company, but cyber criminals. Let’s take a closer look at how the scam works and the mistakes to avoid if you receive the message.

How the public transport scam works

The scam is a classic phishing attempt: a technique in which scammers pose as an authoritative entity, in this case ATAC or ATM, to trick victims into sharing personal data, credentials or banking information.

The pretext used to make the communication credible, and so induce the user to act (click on the link and pay), is an “incomplete validation” with Tap&Go, the system that lets you pay for a ticket by holding a contactless card at the turnstiles. Hence the invitation to “close the case and avoid further charges”. By creating a sense of urgency and fear of a sanction, scammers push people to act on impulse, bypassing critical thinking altogether. The less time we feel we have, the less we analyze the situation and the worse the decision we make.

Clicking the link in the message does not lead to the official websites of the transport companies mentioned above, but to web pages that imitate the originals and whose sole purpose is to collect the data entered by victims. It is worth remembering this clearly: neither ATAC nor ATM ever requests payments or regularizations via SMS with external links.
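The signals described in this section (operator name, validation or penalty pretext, link to a host that is not the operator's) can be combined into a triage rule for an SMS or mail gateway. The Python below is an added example, not part of the original article; the official domains, keyword stems, verdict names and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: official domains of the two operators (the article does not list them).
OFFICIAL = {"ATAC": "atac.roma.it", "ATM": "atm.it"}
BRAND_RE = re.compile(r"\b(ATAC|ATM)\b", re.I)
# Pretext and pressure wording the article describes, as Italian and English stems.
PRETEXT_RE = re.compile(r"tap\s*&\s*go|validazione|convalida|validat", re.I)
PRESSURE_RE = re.compile(r"sanzion|penal|addebit|charges|immediat|subito", re.I)
LINK_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def link_hosts(text):
    """Hosts of every link in the message, with or without a scheme."""
    urls = (m.group(0) for m in LINK_RE.finditer(text))
    hosts = (urlsplit(u if "://" in u else "http://" + u).hostname for u in urls)
    return [h for h in hosts if h]

def is_official(host, brands):
    """True only for an operator domain or a subdomain of it (match on a label boundary)."""
    return any(host == OFFICIAL[b] or host.endswith("." + OFFICIAL[b]) for b in brands)

def triage(text):
    """Return (verdict, foreign_hosts) for one inbound message."""
    brands = {b.upper() for b in BRAND_RE.findall(text)}
    hosts = link_hosts(text)
    foreign = [h for h in hosts if not is_official(h, brands)]
    lure = bool(PRETEXT_RE.search(text) or PRESSURE_RE.search(text))
    if brands and lure and foreign:
        return "block", foreign
    # A payment pretext with any link, or the brand with a foreign link, needs a human look.
    if brands and (foreign or (lure and hosts)):
        return "review", foreign
    return "pass", foreign

# Constructed sample messages; lookalike hosts use the reserved .example TLD.
SAMPLES = [
    "ATAC: mancata validazione in uscita Tap&Go. Paga subito 1,50 EUR per evitare sanzioni: https://atac.roma.it.pagamenti-tapgo.example/p",
    "ATM Milano: incomplete validation, close the case and avoid further charges at atm-it.example/pay",
    "ATAC: regolarizza la validazione Tap&Go su https://www.atac.roma.it/",
    "ATM: orari aggiornati della linea M2 su https://www.atm.it/",
    "Ciao, ci vediamo alle 18 in stazione?",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms), "|", sms[:50])
```

The first sample shows why the host check is a suffix match on a label boundary: the lookalike host begins with the operator's real domain but is registered under a different one.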

What to do if you receive the fake message from ATAC or ATM

If you receive the fake ATAC or ATM communication (via SMS, on WhatsApp, via e-mail, etc.), the rule to follow is always the same: do not interact with the message. Do not click on the link, do not provide any data and do not pay anything. The only action we recommend is to report the incident to the Postal Police, which will then be able to monitor the phenomenon.

If you have real doubts about the regularity of your trips, contact the companies in question only through their official channels, which have customer care dedicated to these cases.