A new and sophisticated wave of fraudulent campaigns exploit the familiarity of Italian citizens with the digital payment tools of the Public Administration. The Postal Police issued the alarm, having identified a massive sending of misleading communications that illegitimately abuse the name and brand “PagoPA”, the system designed to make payments to the PA simpler, safer and more transparent. The phenomenon falls into the category of phishing, a social engineering technique through which cyber criminals attempt to deceive the victim by convincing them to provide personal information, financial data or access codes, pretending to be a reliable entity. The bait used by scammers leverages alleged irregularities: users receive warnings regarding unpaid fines, pending administrative sanctions or general missed payments that require immediate regularization.
The danger of these campaigns lies in their ability to simulate official pagoPA communications with a certain fidelity, inducing citizens to carry out impulsive actions for fear of incurring legal consequences or paying costly fines. In this in-depth analysis we will explain how to recognize false pagoPA payment requests and how to defend yourself.
How to recognize false pagoPA payment requests
Analyzing in detail the modus operandi of these illicit activities, we observe that cybercriminals do not simply send a simple text, but construct communications (delivered via email, SMS and messaging apps) designed to appear authentic. Learning to recognize counterfeit communications sent by cybercriminals can, in itself, be more than enough to avoid falling victim to cybercriminals. It must be said, however, that being able to recognize them may not be easy for less careful users. This is because the tone used in the body of the message and the skilful use of logos, headings and regulatory references could confer a certain aura of “officialness”. From a graphic point of view, therefore, few clues can be truly useful for recognizing a true communication from a false one.
Much more useful is the content of the message which, if analyzed well, can allow us to understand in a relatively simple way that the communication does not really come from pagoPA. In fact, in the communication sent by scammers, reference is almost always made to a debt situation originating from a traffic fine or an unpaid tax, followed by a more or less significant amount to be paid. This is precisely where the psychological component of the scam comes into play: the creation of a sense of urgency and the fear of incurring worse consequences if you don’t pay immediately are the feelings that cyber criminals leverage to induce their victims to carry out dangerous actions. What actions are we referring to? Typically you are invited to regularize your position by clicking on a link or scanning a QR code (the two-dimensional codes that, when framed by the camera, refer to a web page).
By opening the link or scanning the QR code you are redirected to web portals that clone the appearance of the PagoPA site, but which are in reality controlled by scammers. In these fake portals we are asked to enter our sensitive data, such as personal details or, even worse, credit card details and banking credentials. The final objective of these operations is not the collection of the (fake) fine, but the direct theft of money and the theft of digital identity.
How to protect yourself from false pagoPA communications
In light of what we have seen so far, to defend yourself from false pagoPA communications you must first learn to recognize fraudulent messages and then apply the 7 tips provided by the Postal Police:
- Do not click on links or scan QR codes in messages.
- Do not provide personal or banking information.
- Access the official websites of the institutions directly to check any pending payments owed to us.
- Report any fraudulent messages received to the Postal Police.
- Keep your device software (operating system and apps) updated.
- Enable phishing filters.
- Be wary of any communication that creates a sense of urgency by threatening immediate sanctions.
