04/03/2026
10:44

The most widespread Phishing attempts in MARCH 2026


Find out which phishing attempts you are most likely to encounter, so you can avoid them

PHISHING INDEX

Below are the most common email phishing attempts detected by the TG Soft Anti-Malware Research Center in MARCH 2026:

23/03/2026 => OneDrive
18/03/2026 => SumUp
17/03/2026 => Bank
17/03/2026 => Aruba
15/03/2026 => DPD
14/03/2026 => Credit Agricole
11/03/2026 => Aruba - Action required
09/03/2026 => Telepass Survey
08/03/2026 => Aruba - Renew your domain
04/03/2026 => Banco BPM
03/03/2026 => Webmail

These emails aim to deceive unsuspecting victims into providing sensitive information, such as bank account details, credit card codes, or personal login credentials, with all the easily imaginable consequences.

23 March 2026 ==> Phishing OneDrive

SUBJECT: < REQUEST FOR SCRAPPING >

Image: the fake OneDrive e-mail, which tries to get the recipient to click on the links in order to steal their account login credentials.
Below, we examine the phishing attempt aimed at stealing the OneDrive account credentials.
 
 
The message, seemingly from VEMOCAR SRL and titled ‘REQUEST FOR SCRAPPING’, informs the recipient that they have received a folder containing 23 items on OneDrive. To make the message more credible, the email includes a signature at the bottom from the alleged commercial director of the mentioned company, ‘Fabio Buzzetti’. The recipient is then asked to view the attached document by downloading it via the following link:

VIEW THE ATTACHED DOCUMENT

On closer inspection, we can see that the message contains a misleading email address. Indeed, although it appears to come from the domain of the named company, it also contains another address <t2[at]tsxczscl[dot]com>, which is completely unrelated to the official OneDrive domain. If we open the attachment, we can see a few red flags.

Image: the fake site from which the document is supposedly downloaded... it is actually a SCAM!
If the user clicks on the link, they will be redirected to a web page that once again prompts them to download the document, which appears to come from VEMOCAR SRL.
As the user proceeds, they are redirected to another web page which, as shown in the image on the right, requires access to their Microsoft account in order to download the files received.

Actually, the page where the user is redirected to enter their Microsoft credentials is hosted on an unusual address/domain:

 https[:]//[FakeDomainName*]

We always urge you to pay close attention to every detail, however trivial, and not to enter your personal details and/or passwords into forms hosted on fake websites, as these will be sent to a remote server and used by cybercriminals, with all the associated risks that are easy to imagine.



18 March 2026 ==> Phishing SumUp

SUBJECT: <Important Final Reminder:>

Below, we examine a new phishing attempt that pretends to be an official communication from SumUp, a well-known London-based digital payments company.

Image: the fake e-mail that tries to induce the recipient to enter their SumUp account login credentials.
The message, which concerns the security of the user's account, warns: “the update to your account has not yet been completed. To ensure you can continue to access our services, you must complete the required procedure as soon as possible.”
It then tells them that the update must be carried out within 24 hours via the following link:

Update your account now

The well-known London-based company is, of course, in no way involved in the mass sending of these emails, which are outright scams whose aim, as always, is to steal the unsuspecting recipient’s sensitive data.

If we examine the message closely, there are a number of clues that should raise our suspicions. We immediately notice that the email address of the message <3006356800101[at]ingenieria[dot]usac[dot]edi[dot]gt> does not belong to the official SumUp domain. This is highly unusual and should certainly make us suspicious. Another strange thing is that the email does not provide any customer identification information and asks the customer to enter their account credentials via a link sent by email.


Image: the fake SumUp site where the user is asked to log in to update their account... it is actually a SCAM!
Anyone who unfortunately clicks on the Update your account now link will be redirected to a webpage that, although it visually mimics the SumUp account login page (as evidenced by the presence of the well-known company’s logo), has an unusual URL/domain:

 https[:]//[FakeDomainName*]

On this page, the user is invited to log in to their customer account by entering their email address and password to complete the requested update.

We therefore urge you to always pay close attention to even the smallest details and to avoid entering your personal information and/or passwords into forms on fake websites, as cybercriminals will use this information for illegal purposes.

17 March 2026 ==> Phishing Bank

SUBJECT: <Enhanced security: Complete your MyKey registration>

The message, using graphics stolen from or similar to those of a well-known national banking institution, attempts to pass itself off as an official communication in order to induce the recipient to comply with the request and fall into this trap based on social engineering techniques.

Image: the fake e-mail that tries to induce the recipient to enter their home banking credentials.
The message warns the unsuspecting recipient: “from March 19, 2026, your card will face restrictions blocking online payments. To prevent service interruption and ensure full functionality, you must immediately register for the MyKey security service”.
To perform the update, the user is required to click on the following link:

COMPLETE YOUR MYKEY REGISTRATION NOW

The alert message can be readily identified as originating from a suspicious email address <eraa(at)inveniosolutions(dot)it> and contains generic content, despite the threat actor’s use of the bank’s logo to enhance credibility and deceive the user. The aim is to induce the victim to log into their banking application and harvest their credentials.
 
Anyone who unfortunately clicks on the COMPLETE YOUR MYKEY REGISTRATION NOW link will be redirected to a suspicious web page, which has already been reported as a fraudulent website.

Based on these considerations we urge you to pay attention to every detail and remember that, before entering sensitive information, it is crucial to thoroughly check everything.

This fraudulent website is run by cybercriminals aiming to steal your most valuable data and exploit it for their own purposes.

17 March 2026 ==> Phishing Aruba - Action required for space management

SUBJECT: <Password expiry notice – Action required>

Here is yet another phishing attempt pretending to be a communication from the Aruba brand.

Image: the fake Aruba e-mail that induces the user to log in to renew their expired domain, but it is actually a SCAM!
The message informs the recipient that the password for their email account hosted on Aruba is about to expire. It then warns them that, in order to keep the same password and avoid service interruptions, incoming emails being blocked or the loss of the domain, they must confirm their password via the following link:

Keep the same password


We should always be wary of requests to enter personal credentials via suspicious links sent by email.
It goes without saying that Aruba, the well-known web hosting, email and domain registration service provider, is not involved in the mass sending of these emails, which are outright scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.

We can see straight away that the email address of the message <othantrifsi1983[at]gmx[dot]de> does not belong to the official Aruba domain. This is highly unusual and should certainly raise our suspicions.   

Image: the fake Aruba site where the user is asked to log in to update their personal details... it is actually a SCAM!
Anyone who accidentally clicks on these links will be redirected to a web page with an unusual address/domain that cannot be traced back to the Aruba website:

https[:]//[FakeDomainName/amazonaws[.]com/index4[.]html#***]

On this page, the user is invited to log in to their customer account by entering their email password, allowing them to update their details.

We urge you to always pay close attention to every detail, even trivial ones, to take your time, and not to enter your personal details and/or passwords into forms hosted on fake websites, as these will be sent to the cybercriminals behind the scam, who will use them for illegal purposes.

15 March 2026 ==> Phishing DPD (BRT)

SUBJECT: < Update on your international shipment >

Below is a new phishing attempt, disguised as a fake message from DPD, the leading German logistics group in Europe, whose operations in Italy are handled by the national courier Bartolini. 

Image: the fake BRT e-mail stating that the shipment is awaiting payment of customs charges... it is actually a SCAM!
The message informs the unsuspecting recipient that their shipment is on hold due to outstanding import duties. In fact, in accordance with current EU import regulations for third countries, a small customs clearance and processing fee has been applied. It therefore informs them that, in order to receive the parcel, they must confirm advance payment of the customs charges of €2.75.

These messages, which are even more prevalent today, are increasingly being used to defraud consumers who are turning to e-commerce more and more for their purchases.
A tracking number <reference D-40150529884> is also provided. To proceed with the delivery, the user must click on the following link:



Unlock delivery now

The message has an email address <jescur(at)agsghana(dot)org> unrelated to the DPD domain. This is highly unusual and should certainly raise our suspicions.

Anyone who clicks on these links will be redirected to a fraudulent website with no connection to the official DPD domain, and which has already been reported as a DECEPTIVE SITE. It is in fact run by cybercriminals whose aim is to gain access to your most valuable personal data so they can use it for their own purposes.

To conclude, we urge you to be wary of any email asking you to enter confidential information, and to avoid clicking on suspicious links, which could lead to a hacked website that is difficult to distinguish from the real one.


14 March 2026 ==> Phishing Crédit Agricole

SUBJECT: < Important update 3/14/2026 8:48:34 AM >
 
Below, we analyse the following phishing attempt, which comes from a fake message claiming to be from Crédit Agricole, a well-known French bank.

Image: the fake e-mail from Credit Agricole, the online bank, which tries to steal the recipient's sensitive data...
The message informs the recipient that, following a system update, they must confirm their details to avoid access restrictions.
It then asks the user to log in to update their details via the following link:

Update your account

When we examine the message, we immediately discover that it contains an email address <auth0-selt[at]betinsightik[dot]com> that clearly does not belong to the official Crédit Agricole domain. We should always exercise the utmost caution before clicking on suspicious links.
The aim is to trick the victim into logging into their online banking account.

Image: the counterfeit Credit Agricole site, which clearly has nothing to do with the well-known bank...
Anyone who unfortunately clicks on the Update your account link will be redirected to a fraudulent webpage unrelated to the official Crédit Agricole website.
As can be seen from the image shown here, the webpage is visually well-designed and closely replicates the official banking portal.

Based on these considerations, we urge you to pay close attention to any misleading details, bearing in mind that before entering sensitive data – in this case, your online banking credentials – it is essential to check the URL of the authentication form.


In this case, the landing page is hosted on a URL address unrelated to the official website of the well-known bank.

hrrps://[FakeDomainName*]/WEBHT/login...

This MISLEADING WEBSITE is run by cybercriminals whose aim is to get hold of your most valuable data so that they can use it for illegal purposes.



11 March 2026 ==> Phishing Aruba - Action required for space management

SUBJECT: <[domain] Action required for space management>

Here is a new phishing attempt pretending to be a communication from the Aruba brand.

Image: the fake Aruba e-mail that induces the user to log in to their account... it is actually a SCAM!
This time the message informs the recipient that some incoming emails are on hold because their mailbox is approaching its storage limit. It is therefore necessary to free up space by clicking on one of the following links:

Release Pending Emails
Manage Archiving


The well-known web hosting, e-mail and domain registration company Aruba is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.

When we take a closer look at the message, we see something suspicious. Actually, the email address of the message <534963156606739[at]nycent[dot]com> does not belong to the official Aruba domain, a highly unusual thing that should make us suspicious.

Image: the fake Aruba site where the user is asked to log in to update their personal details... it is actually a SCAM!
Anyone who accidentally clicks on the links will be redirected to a web page that, while graphically simulating the Aruba account login page due to the presence of the well-known company's logo, has an unusual address/domain:

 https[:]//[FakeDomainName*]

On this page, the user is invited to access their customer area by entering the login and password for their e-mail address, allowing him/her to update their personal details in order to reactivate the services.

We urge you to always pay close attention to every detail, however minor, to take your time, and not to enter your personal details and/or passwords into forms hosted on fake websites, as these will be sent to the cybercriminals behind the scam, who will use them for illegal purposes.


9 March 2026 ==> Phishing customer survey: TELEPASS

This month, we are once again seeing phishing campaigns disguised as customer surveys that exploit the brands of well-known companies.

Image: a survey that appears to come from TELEPASS and would supposedly let the user win a prize... but it is actually a SCAM!
In the example shown here, the cybercriminal has used the well-known TELEPASS brand, which appears to be promoting a competition offering the chance to win an exclusive prize: a <car emergency kit>. To claim the prize, all the user has to do is answer a few short questions.

The brands exploited in these campaigns are, of course, in no way connected to the mass sending of these malicious emails, which are outright scams whose aim remains, as always, to steal sensitive data from unsuspecting recipients.
In the example given, we can see that the email clearly originates from an address <noreply[at]bk2021w[dot]firebaseapp[dot]com> unrelated to the official TELEPASS domain. This is highly unusual and should certainly raise our suspicions.

When the user clicks on the links in the email, they are redirected to a visually deceptive ‘landing’ page (featuring misleading images and the brand’s genuine logo), but with an unusual web address or domain that is neither trustworthy nor associated with the brand exploited.

To achieve their goal, the cybercriminals behind the scam use various tricks, such as showing false testimonials from customers who have won the prize. They try to persuade the user to complete the survey quickly by making them believe that only a few can win and that the offer expires today.
Surely, if so many users were lucky, why not take a chance?

When the survey is completed, the user is usually sent to a page to enter a shipping address and then pay the shipping costs.
The cybercriminals' purpose is to induce the victim to enter their personal information to ship the prize and then, likely, also their credit card information to pay the shipping costs.

To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links that may lead to a counterfeit site. If you trust these messages, your most valuable data is stolen by cyber crooks, who can use it at will.



08 March 2026 ==> Phishing Aruba - Renew your domain

SUBJECT: <Billing issue>

Phishing attempts, pretending to be communications from the Aruba brand, continue this month.

Image: the fake Aruba e-mail that induces the user to log in to renew their expired domain, but it is actually a SCAM!
The message informs the recipient that their domain hosted on Aruba is about to expire. It then warns them that in order to avoid service interruptions, incoming email blocking or domain loss, they must renew their domain via the following link:

Renew your Domain

Let's always pay attention to requests for personal credentials via suspicious links sent by email.
The well-known web hosting, email and domain registration company Aruba is clearly not involved in sending these mass emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.

We immediately see that its email address <noreply[at]nordisssa[dot]firebaseapp[dot]com> does not belong to the official Aruba domain. This is highly unusual and should make us very suspicious.
Image: the fake Aruba site where the user is asked to log in to retrieve their messages... it is actually a SCAM!
Anyone who unluckily clicks on the Renew your Domain link will be redirected to a web page that, although it graphically simulates the Aruba account login page through the presence of the well-known company's logo, has an unusual address/domain:

 https[:]//[FakeDomainName*]

On this page, the user is invited to access their customer area by entering their email login and password to renew their account by paying the requested amount. Obviously, we urge you not to enter your credit card details, as the aim of the cybercriminals behind the scam is clearly to steal them.

Therefore, always pay close attention and check the expiry dates of active services only through official pages and not through suspicious links.

04 March 2026 ==> Phishing Banco BPM

SUBJECT: <Confirm your information>

This month we again find the phishing campaign spread through an e-mail that uses graphics stolen from, or similar to, those of a well-known bank, in this case BANCO BPM. It thus tries to pass itself off as an official communication, in order to induce the unsuspecting recipient to do what is requested and fall into a social engineering trap.

Image: the fake Banco BPM e-mail, which tries to steal the account data...
The message informs the recipient that ‘in order to comply with the “Due Diligence” obligations required by anti-money laundering legislation,’ they must update their personal details, in order to avoid future restrictions on the use of their accounts. They are therefore invited to take the necessary measures immediately using the following link:

UPDATE YOUR DATA 

We immediately see that the message has a highly suspicious email address <info(at)greenmax(dot)com(dot)pk> and contains very generic text, although it includes the well-known BANCO BPM logo, which could mislead the user.

The intention is to get the victim to log in to his or her home banking account.

Image: the counterfeit BANCO BPM site, which clearly has nothing to do with the well-known bank...
Anyone who unluckily clicks on the UPDATE YOUR DATA link will be redirected to a fraudulent web page unrelated to the official BANCO BPM website.
From the image shown on the side, we can see that the web page is graphically well designed and simulates the official banking portal website quite well.

Based on these considerations, we urge you to pay close attention to any misleading details and to analyse the URL address where the authentication form is hosted before entering sensitive data, such as home banking credentials in this case.


In this case, the landing page is hosted on a URL with no connection to the official website of the well-known bank.

https://[FakeDomainName*]/WEBHT/login...

This DECEPTIVE WEBSITE is run by cybercriminals whose goal is to get hold of your most valuable data so they can use it for criminal purposes.



03 March 2026 ==> Phishing Webmail

SUBJECT: <RFQ – Chemicals and Other Items>

Below, we examine the phishing attempt that aims to steal the victim's email account credentials.

Image: the fake e-mail that poses as a request for a quotation to induce the user to click on the link and steal the login credentials for their mail account... it is actually a SCAM!
The message, in English, seems to be a request for a quotation ‘for chemicals and other items’ in response to a request sent, asking for the following information to be included in the offer:

Unit price (with currency)
Delivery times
Payment terms
Validity of the quotation
Technical specifications (if applicable)

The request seems to come from ‘Masda Chemical Pte Ltd’, whose details are provided below.
Looking at the email, we can see that the message appears to come from an email address <enquiry(at)masdachem(dot)com(dot)sg> belonging to Masda Chemical Pte Ltd, but this is not the official address. This is definitely unusual and should make us suspicious.

Anyone who unfortunately clicks on the image in the email (which hides a malicious link) will be redirected to a fake web page that simulates the email account login page.

Image: the fake site where the user is asked to log in to their account... it is actually a SCAM!
On this page, the user is invited to log in to their account by entering, in particular, the password for their email account, in order to view the quote request that has been sent.

Actually, the page where the user is redirected is hosted on a weird address/domain:

https[:]//[FakeDomainName*]

We always urge you to pay attention to every detail, even trivial ones, and not to enter your personal details and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber fraudsters, with all the associated risks that are easy to imagine.
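
The check repeated in every case above (does the sender's domain belong to the brand the message claims to come from?) can be automated. The following is an added example, not code from TG Soft: the brand-to-domain map and the last three sample addresses are assumptions constructed for illustration, while the first six addresses are the defanged senders quoted in the cases above.

```python
import re

# Assumption: the brands' official registrable domains. They are not listed
# on the page; confirm them from your own records before relying on them.
OFFICIAL_DOMAINS = {
    "Aruba": {"aruba.it"},
    "SumUp": {"sumup.com"},
    "DPD": {"dpd.com"},
    "TELEPASS": {"telepass.com"},
}

# Defanging notations used in this bulletin: [at]/(at), [dot]/(dot), [.]
_AT = re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.IGNORECASE)
_DOT = re.compile(r"\s*[\[(]\s*(?:dot|\.)\s*[\])]\s*", re.IGNORECASE)


def refang(address):
    """Normalise 'user[at]host[dot]tld' or '<user(at)host(dot)tld>' to user@host.tld."""
    text = address.strip().strip("<>").strip()
    text = _AT.sub("@", text)
    text = _DOT.sub(".", text)
    return text.lower()


def sender_domain(address):
    """Return the domain part of a (possibly defanged) sender address."""
    local, sep, domain = refang(address).rpartition("@")
    domain = domain.rstrip(".")
    if not sep or not local or "." not in domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain


def is_official(domain, official_domains):
    """True only for an official domain itself or a real subdomain of it.

    A plain substring or suffix test would accept look-alikes such as
    'notaruba.it' or 'aruba.it.example.net'; requiring a dot boundary
    before the official domain rejects both.
    """
    return any(domain == d or domain.endswith("." + d) for d in official_domains)


def check_sender(brand, address):
    """Compare the claimed brand with the domain the message was sent from."""
    domain = sender_domain(address)
    return {
        "brand": brand,
        "sender_domain": domain,
        "suspicious": not is_official(domain, OFFICIAL_DOMAINS[brand]),
    }


# (claimed brand, sender address). The first six are quoted from the cases
# above in their defanged form; the last three are constructed test inputs.
SAMPLES = [
    ("Aruba", "<othantrifsi1983[at]gmx[dot]de>"),
    ("Aruba", "<534963156606739[at]nycent[dot]com>"),
    ("Aruba", "<noreply[at]nordisssa[dot]firebaseapp[dot]com>"),
    ("SumUp", "<3006356800101[at]ingenieria[dot]usac[dot]edi[dot]gt>"),
    ("DPD", "<jescur(at)agsghana(dot)org>"),
    ("TELEPASS", "<noreply[at]bk2021w[dot]firebaseapp[dot]com>"),
    ("Aruba", "comunicazioni[at]staff[dot]aruba[dot]it"),      # constructed: real subdomain
    ("Aruba", "billing[at]aruba[dot]it[dot]example[dot]net"),  # constructed: brand as prefix
    ("Aruba", "info[at]notaruba[dot]it"),                      # constructed: look-alike suffix
]


def run_checks(samples=SAMPLES):
    """Check every (brand, address) pair and return the list of results."""
    return [check_sender(brand, address) for brand, address in samples]


if __name__ == "__main__":
    for r in run_checks():
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['brand']:<9} {r['sender_domain']:<34} {verdict}")
```

A sender domain that passes this check is not proof of legitimacy, since the visible From address can be forged; a mismatch, however, is the red flag the cases above rely on.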



A little attention and a quick glance can save you a lot of hassle and headaches...

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated techniques, whenever there is a resurgence it is reasonably likely that more than a few unfortunate recipients will be fooled.
 
We invite you to check the following information on phishing techniques for more details:


04/02/2026 10:33 - Phishing: the most common credential and/or data theft attempts in February 2026...
08/01/2026 09:53 - Phishing: the most common credential and/or data theft attempts in January 2026...
04/12/2025 15:56 - Phishing: the most common credential and/or data theft attempts in December 2025...
04/11/2025 14:45 - Phishing: the most common credential and/or data theft attempts in November 2025...
01/10/2025 16:40 - Phishing: the most common credential and/or data theft attempts in October 2025...
04/09/2025 09:45 - Phishing: the most common credential and/or data theft attempts in September 2025...
05/08/2025 08:58 - Phishing: the most common credential and/or data theft attempts in August 2025...
01/07/2025 16:04 - Phishing: the most common credential and/or data theft attempts in July 2025...
05/06/2025 09:22 - Phishing: the most common credential and/or data theft attempts in June 2025...
05/05/2025 15:03 - Phishing: the most common credential and/or data theft attempts in May 2025...
07/04/2025 14:22 - Phishing: the most common credential and/or data theft attempts in April 2025...
07/03/2025 15:10 - Phishing: the most common credential and/or data theft attempts in March 2025...

Try Vir.IT eXplorer Lite

If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.

Vir.IT eXplorer Lite has the following special features:
  • freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
  • fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
  • it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
  • through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M.;
  • Download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
 

VirIT Mobile Security AntiMalware ITALIAN for ALL Android™ Devices

VirIT Mobile Security is the Italian Anti-Malware software that protects Android™ smartphones and tablets from Malware intrusions and other unwanted threats, and empowers users to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).

Image: VirIT Mobile Security, TG Soft's anti-malware for Android(TM)

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.

You can upgrade to the PRO version by purchasing it directly from our website.
 


Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.


How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect email can be sent directly from the recipient's e-mail program to the address lite@virit.com, choosing "Forward as Attachment" as the sending mode and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.



TG Soft
Anti-Malware Research Centre (C.R.A.M.)



Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: