PHISHING INDEX

Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in September 2025:

30/09/2025 => ING Bank
30/09/2025 => PosteItaliane
23/09/2025 => Phishing Bank
19/09/2025 => Netflix
16/09/2025 => Docusign
15/09/2025 => SumUp
15/09/2025 => WeTransfer
12/09/2025 => Phishing customer survey - LEROY MERLIN / TELEPASS
09/09/2025 => Scam Carabinieri Police Force
09/09/2025 => Microsoft
09/09/2025 => Phishing customer survey - TIM / DECATHLON
08/09/2025 => Aruba - Restore Backup
06/09/2025 => PayPal
05/09/2025 => Mooney
05/09/2025 => Smishing Poste Italiane
05/09/2025 => Aruba - Expiration notice
04/09/2025 => Blockchain
04/09/2025 => ING
03/09/2025 => Sella Bank
03/09/2025 => Netflix
03/09/2025 => WeTransfer
03/09/2025 => Aruba - Renew your domain

These emails aim to deceive unsuspecting victims into providing sensitive information, such as bank account details, credit card codes, or personal login credentials, with all the easily imaginable consequences.

• A little bit of attention and glance, can save a lot of hassles and headaches..

• Try Vir.IT eXplorer Lite

• Now Available VirIT Mobile Security

• Acknowledgements

• How to send suspicious emails for analysis

30 September 2025 ==> Phishing ING Bank

SUBJECT: <***** - Change to your credit line for payment by invoice>

Once again, we encounter a phishing attempt disguised as an official message from ING. 

The message informs the unsuspecting recipient that the credit line for deferred payment on invoice has been extended for his or her account: the new limit is €10,000.00. It then invites him/her to complete the account setup to configure deferred  invoice payment via the following link:

Complete configuration

ING is clearly not involved in the mass sending of these emails, which are scams whose aim, as always, is to steal the home banking login credentials of unsuspecting recipients.

When we analyse the text of the message, we immediately notice that it is generic and that the sender's email address  <merry(at)merryriana(dot)com> does not belong to ING official domain. Another unusual fact is the request to update data by entering home banking credentials via a link sent by email. 
When we click on the link, we expect to find a page that simulates the official ING website but, as we can see from the image on the side, we are instead sent to the Roundcube webmail authentication page, which is clearly unrelated to the bank..

To conclude, we always advise you to be wary of any email that asks you to enter confidential data, and to avoid clicking on suspicious links. In fact these links could lead to a fake website, difficult to distinguish from the original, putting your most valuable data in the hands of cyber fraudsters who can use it at will.

30 September 2025 ==> Phishing PosteItaliane

SUBJECT: <Important: activate the new security system>

This month, we find another phishing attempt hidden behind a fake communication from the Italian postal service, PosteItaliane, regarding the notification of a new security system.

The link in the message redirects us to a web page that is supposed to simulate the official PosteItaliane website. Although the site may be misleading for the presence of the well-known PosteItaliane logo, we see that the URL address in the browser bar is abnormal and cannot be traced back to PosteItaliane.

<<https[:]//*****/SISTEMA[.]DI[.]SICUREZZA/LOGIN/index...>> 

To conclude, we always advise you to be wary of any email that asks you to enter confidential data, and to avoid clicking on suspicious links. In fact these links could lead to a fake website, difficult to distinguish from the original, putting your most valuable data in the hands of cyber fraudsters who can use it at will.

23 September 2025 ==> Phishing Bank

SUBJECT: <Update required: check your contact information>

The message uses graphics — either stolen or made to look like those of a well-known national bank — to appear as an official communication. The goal is to convince the recipient to follow the instructions and fall into the trap, which is based on  social engineering techniques.

The message informs the unsuspecting recipient that, for security reasons, his/her profile information, particularly contact details, must be confirmed in order to ensure the full functionality of online services.

To update, the user just needs to click on the link:

CONFIRM DATA

We can immediately see that the message comes from a highly suspicious email address <sanaolo(at)selaluna(dot)it> and contains very generic text, despite the cybercriminal had the graphic foresight to include the bank's logo in order to mislead the user. The criminals' intention is to trick the victim into logging into his or her banking app so that they can steal the data.

Anyone who mistakenly clicks on the CONFIRM DATA link, will be taken to an unusual web page that is completely unrelated to the official website of the bank

From the image shown on the side, we can see that the web page is graphically well designed and reasonably simulates the official website of the banking portal. We see that there are several other menus, such as NEAR YOU – ONLINE AND IN BRANCH, INFORMATION AND SERVICES…, which aim to further reassure users about the authenticity of the portal, even though the links do not lead to the indicated pages.

Given these points, we urge you to be extremely cautious and examine every detail closely. Before providing any sensitive data, it is crucial to ensure the communication is legitimate.

This DECEPTIVE PAGE/WEBSITE is managed by cybercriminals whose goal is to obtain your most valuable data so that they can use it for their own purposes. 

19 September 2025 ==> Phishing NETFLIX

«SUBJECT:<Payment not processed — risk of service interruption­­>

Let’s examine another phishing attempt that comes from a fake communication pretending to be from NETFLIX — the well-known streaming platform for movies, TV series, and other paid content. The aim of this scam is to steal the victim’s credit card information.

The message informs the user that a payment issue has been detected with the €6.99 payment for his/her subscription. To continue using the service without interruption, the user is asked to update his/her payment details as soon as possible via the following link:

Update your data

When we examine the email, we notice that the message has an email address <ame(at)roluservizi(dot)it> that is not traceable to the official NETFLIX domain. This is definitely unusual and should make us suspicious.

Anyone who unluckily clicks on the Update your data link, will be redirected to an anomalous WEB page, which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for malicious purposes.

16 September 2025 ==> Phishing Docusign

SUBJECT: <**** e-Sign Request REFID: 09909832859494>

Below, we examine a new phishing attempt aimed at stealing login credentials for Docusign, the American software company that provides electronic signature solutions

The message, in English, informs the recipient that he/she has a new incoming document and invites him/her to click on the following link to view and download it:

Review Documents

When we examine the message, we see that its email address <ralpay[at]coo1eys[dot]com> does not come from the Docusign domain. This is definitely unusual and should make us suspicious.

Anyone who unluckily clicks on the Review Documents link, will be taken to the screen shown in the side image
As we can see, the user is redirected to a website that visually mimics the Docusign page, where it appears possible to download the document.
The scammers' goal is to trick the victim into entering his/her Docusign password linked to his/her email address, which is also provided..
However, the page where the user is redirected is hosted on an unusual address/domain:

https[:]//[FakeDomainName*].com/.....

Considering these points, we advise you to NEVER enter your credentials on websites whose origin you do not know, as they will be sent to a remote server and used by cybercriminals, with all the associated risks that this entails.

15 September 2025 ==> Phishing SumUp

SUBJECT: <Check your email to continue using SumUp>

Below, we examine a new phishing attempt that poses as an official communication from SumUp, the well-known London-based digital payments company.

The message asks the recipient to verify his/her email address immediately, thus ensuring the security and proper functioning of the SumUp account. To confirm, the recipient simply needs to click on the following link:

Verify Email

Clearly, the well-known London-based company has no connection to the mass sending of these emails, which are outright scams aimed, as always, at stealing the sensitive data of unsuspecting recipient.

If we carefully examine the message, there are some clues that should raise suspicion. We immediately notice that the email address of the message <no-reply[at]airtel[dot]co[.]ug> does not belong to the SumUp official domain . This is definitely unusual and should make us suspicious. Another strange fact is that the email does not provide any customer identification details, and asks the user ot enter his/her account credentials via a link provided in the email. 

Anyone who unluckily clicks on the Verify Email link, will be redirected to an anomalous WEB page,  which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for malicious purposes.

We therefore urge you to always pay close attention, even to the smallest details, and not to enter your personal details and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber fraudsters for illegal purposes.

15 September 2025 ==> Phishing WeTransfer

SUBJECT: < Commercial Documents Received via WeTransfer>

Below, we analyse a phishing attempt that aims to steal WeTransfer account credentials.
The message, in English, informs the recipient that he/she has received 3 files. It then invites him/her to log in to download them via the following link:

Get your files

When we examine the email, we immediately see an inconsistency in the information because the file is only available until 14 September, the day before the email was received. The documents available for download are then listed. <Proforma Invoice.pdf; Sales Contract.pdf; Payment Slip.pdf>. The message moreover originates from an email address <anisf@yongjin.co.id> that cannot be traced back to the WeTransfer  domain. This is highly unusual and should certainly arouse suspicion.

Anyone who unluckily clicks on the Get your files link, will be redirected to a fake web page, graphically well designed, where the user is asked to log in to his/her WeTransfer account to download the files mentioned in the message.
However, the page the user is redirected to is hosted on an unusual address/domain:

https[:]//[FakeDomainName*].com/.....

We always urge you to be careful and not to enter your personal details and/or passwords on forms hosted on fake web pages, as they will be sent to a remote server and used by cyber fraudsters, with all the associated risks that this entails.

12 September 2025 ==> Phishing customer survey: LeroyMerlin / TELEPASS

This month, we are once again seeing phishing campaigns themed around customer surveys, that exploit the brands of well-known companies. In the two cases reported below, the companies involved are large retailers and mobility service providers.
Clearly, the brands exploited in these campaigns are unrelated to the mass sending of these malicious emails, which are genuine scams whose aim remains, as always, to steal sensitive data from unsuspecting recipients.
In the two examples shown, we can see that the emails clearly come from addresses <it651dewdw[at]flligambale[dot]it> and <aaa98415602waswddw[at]aetikaservice[dot]it>, unrelated to the official TELEPASS and Leroy Merlin domains. This is definitely unusual and should certainly make us suspicious.

When we click on the links in the e-mail, we are directed to a landing page that may look graphically deceptive (with misleading images and the brand's authentic logo), but is hosted on an abnormal address/domain that is not  trustworthy or traceable to the exploited brand.

The cybercriminals behind the scam, in order to achieve their goal, use various tricks, such as reporting false testimonials from customers who have won the prize. They try to persuade the user to complete the survey quickly, by making him/her believe that only a few can win, and that the offer expires in the day.
Surely if so many users were lucky why not take a chance?
When the survey is completed, the user is usually sent to a page for the entry of the shipping address and subsequent payment of shipping costs.
The cybercriminals' purpose, is to induce the victim to enter his/her personal information to ship the prize and then, likely, also the credit card information to pay the shipping costs. To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links whose links may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data is stolen by cyber crooks who can use it at will.

09 September 2025 ==> SCAM Carabinieri Police Force

«SUBJECT: <Important information: Pornographic content depicting minors.>

Below is an example of a SCAM attempt involving a false summons for child pornography sent by email, supposedly from the General Command of the Carabinieri.

The message, coming from a highly suspicious email address <minecraft13[at]aisa[dot]sch[dot]ae>, contains the following text: "Following a thorough analysis of your Internet traffic and connected devices, it has been found that you have viewed pornographic videos, including videos involving persons under the age of 18.
Please refer to the attached document for full details of the summons and the charges brought against you.
It is essential that you provide a detailed written explanation, in advance and without prejudice, to the certified email address indicated below upon receipt of this letter."
An email address to reply to is then provided <email[at]itgoverno[dot]com>, along with an attached .pdf file named <Armadeicarabinieri_Scan> containing the details of the summons and the charges. When we open the attachment, which we see below, we see that it is graphically misleading and seems to come from Dr Salvatore Luongo, Commander-in-Chief of the Carabinieri. The complaint accuses the victim of child pornography, paedophilia, exhibitionism and cyber pornography, as he allegedly visited a child pornography website.

This is an attempt at fraud by cybercriminals, whose aim is to extort money, in this case in the form of a fine. In fact, the message states the following:

" We ask you to report your case by e-mail, writing your justifications so that they can be examined and verified in order to assess the penalties; this must be done within a strict deadline of 72 hours."

If the victim does not respond within 72 hours, a warrant will be issued for immediate arrest by the postal or municipal police, resulting in registration in the national sex offenders register..

It is quite easy to see that this is a false report. First of all, the report is not personal, and secondly, the document contains a very suspicious stamp.

This is clearly an attempt at fraud with the aim of stealing sensitive user data and extorting money.

09 September 2025 ==> Phishing Microsoft

SUBJECT: < Pending Review_Ref Id: {RECIPIENT_DOMAIN_NAME}supplies/{CURRENT_DATE}/A1Q/#zS0#{RANDOM_STRING} Amendment to Agreement>

Below, we analyse a phishing attempt that aims to steal Microsoft account credentials The message, in English, informs the recipient that his/her outstanding balance is ready to be transferred. It then invites him/her to log in to view the payment confirmation via the following link:

VIEW PAYMENT CONFIRMATION HERE

When we examine the message we see tha has an email address <wcaldwell(at)gmc(dot)edu>  not traceable to the Microsoft domain. This is definitely unusual and should make us suspicious.

Anyone who unluckily clicks on the VIEW PAYMENT CONFIRMATION HERE
link, will be redirected to a graphically well-designed, fraudulent web page where he/she is asked to log in to his/her Microsoft account. We see that the username is already set and we are only asked to enter the password in order to download the file specified in the message.
However, the page where we are redirected is hosted on an anomalous address/domain:

https[:]//[FakeDomainName*].com/.....

We always urge you to be careful and not to enter your personal details and/or passwords on forms hosted on fake web pages, as they will be sent to a remote server and used by cyber fraudsters, with all the associated risks that this entails.

09 September 2025 ==> Phishing customer survey: TIM / DECATHLON

Phishing campaigns themed around customer surveys that exploit the brands of well-known companies continue. In the two cases reported below, the companies are specialised in large-scale distribution and telecommunications.
The brands exploited in these campaigns are clearly unrelated to the mass sending of these malicious emails, which are genuine scams whose aim remains, as always, to steal sensitive data from unsuspecting recipients.
In the two examples shown, we can see that the emails clearly come from addresses <decait82yhba[at]flahertyinc[dot]com> and <itunabava[at]flahertyinc[dot]com>, which are not part of the official Decathlon or TIM domain. Moreover, we can see that in both cases the sender's domain is the same, suggesting that this is probably the same phishing campaign.

When we click on the links in the e-mail, we are directed to a landing page that may look graphically deceptive (with misleading images and the brand's authentic logo), but is hosted on an abnormal address/domain that is not  trustworthy or traceable to the exploited brand.

The cybercriminals behind the scam, in order to achieve their goal, use various tricks, such as reporting false testimonials from customers who have won the prize. They try to persuade the user to complete the survey quickly, by making him/her believe that only a few can win, and that the offer expires in the day.
If so many have succeeded, why not give it a try?

When the survey is completed, the user is usually sent to a page for the entry of the shipping address and subsequent payment of shipping costs.
The cybercriminals' purpose, is to induce the victim to enter his/her personal information to ship the prize and then, likely, also the credit card information to pay the shipping costs.. To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and avoid clicking on suspicious links whose links may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data is stolen by cyber crooks who can use it at will.

08 September 2025 ==> Phishing Aruba - Ripristino Backup

SUBJECT: <Warning: your data backup will be lost within 3 days!­­­­>

Below is another phishing attempt posing as a communication from the Aruba brand.

The message, characterised by graphics set up to alert the recipient as soon as it is opened, informs the receiver that his/her domain hosted on Aruba has expired and therefore the service has been suspended until the payment is made. It therefore informs him/her that in order to prevent his/her data from being permanently deleted, he/she has 3 days to make the payment. To proceed, it invites him/her to act immediately via the following link:

MAKE PAYMENT NOW

We shall always be cautious when asked to enter personal credentials via suspicious links sent by email.
The well-known web hosting, email, and domain registration company Aruba is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.

We immediately see that its email address <Ga8eRHalWXeVZ[at]golf[dot]betweenus[dot]pt>, cannot be traced back to the official Aruba domain. This is highly unusual and should make us very suspicious.
To induce the victim to act quickly, the cybercriminal allows little time to respond. This technique is clearly intended to intimidate the user, who, fearing that his/her account and related services will be blocked, is compelled to act without paying due attention. 

Anyone who unluckily clicks on the MAKE PAYMENT NOW link, will be redirected to an anomalous WEB page,  which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for criminal purposes.

06 September 2025 ==> Phishing PayPal

SUBJECT: <Service improvements: updating your account>

Below, we examine a new phishing attempt that aims to steal login credentials for PayPal accounts, the well-known US digital payments company.

The message informs the recipient that, following technical updates aimed at improving service quality and ensuring the full functionality of his/her PayPal account, he/she must confirm some basic information. It then invites him/her to update his/her information immediately to avoid account suspension, via the following link:

Go to your profile

When we examine the email, we see that the message comes from an email address <postmaster[at]448b87e6e7[dot]nxcli[dot].io>, clearly not attributable to the official PayPal domain. This is definitely unusual and should make us suspicious.
Anyone who unluckily clicks on the Go to your profile, will find him/herself facing the screen shown in the image on the side. As we can see, he/she is redirected to a site that graphically simulates the PayPal login page. However, it is hosted on an abnormal address/domain.

Considering these points, we advise you to NEVER enter your credentials on websites whose origin you do not know, as they will be sent to a remote server and used by cybercriminals, with all the associated risks that this entails.

05 September 2025 ==> Phishing Mooney

SUBJECT: <Update your account information>

Below, we analyse a phishing attempt pretending to be a communication from Mooney, a well-known Italian Proximity Banking & Payments company.

The message informs the recipient that his/her account has been temporarily suspended due to a failed update. It then invites him/her to complete the update within the deadline via the following link:

https[:]//[FakeDomainName.]com/mooney-modifica-profilo-utente/

Clearly, the well-known Italian online payment company Mooney is not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.

When we analyse the text of the message, we immediately see that the sender's email address <do_not_reply(at)intuit(dot)com> does not belong to the Mooney official domain. Another anomaly is the attached file named <document.pdf>, which mimics a sales order for Mooney services for €12.00.

Anyone who unluckily clicks on the https[:]//[FakeDomainName.]com/mooney-modifica-profilo-utente/ link, will be redirected to a fraudulent web page that graphically simulates the official Mooney website.

On this page, the user is asked to log in to his/her reserved area by entering his/her account login and password.

Although the site may be misleading due to its graphics similar to the Mooney website, the URL address on the browser bar is unusual and cannot be traced back to the company's official domain.

We therefore urge you to always pay close attention, even to the smallest details, and not to enter your personal details and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber fraudsters.

05 September 2025 ==> Smishing Poste Italiane

Below, we analyse a new smishing attempt that pretends to be a text message from Poste Italiane (Italian postal service).

05 September 2025 ==> Phishing Aruba - Expiration notice

SUBJECT: <Expiration notice: Your subscription requires immediate attention - Ref:1212596470>

This month, we are once again seeing phishing attempts posing as communications from the Aruba brand.

The message informs the recipient that his/her subscription to the Aruba services has expired and that his/her only have until today to resolve the issue. It then warns the user that <the invoice has been overdue for longer than the maximum period specified in our terms and conditions. The subscription is currently inactive. The service will be reactivated and all data and files will be recovered only after payment has been settled.>
A link is then provided to proceed with payment:

MAKE YOUR PAYMENT NOW

The well-known web hosting, email, and domain registration company Aruba  is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.

When we examine the message, we immediately notice that has an address <EgVZcTzMe12RXm@host.3dmodel.pt>, which clearly does not belong to the official Aruba domain. It is crucial to always exercise extreme caution before clicking on suspicious links.

Anyone who unluckily clicks on the MAKE YOUR PAYMENT NOW  link, will be redirected to the web page shown.
On this page, the user is invited to access his/her customer area by entering his/her login details, from where he/she can then proceed to pay the invoice and thus reactivate the suspended services.

Although the site may be misleading due to the well-known Aruba logo, the URL address in the browser bar is unusual and cannot be traced back to the official domain:

https[:]//[FakeDomainName*]

If you enter your data into counterfeit websites, it will be delivered to the cyber-criminals behind the scam who will use it for criminal purposes. We therefore urge you not to rush and always pay attention to every detail, even trivial ones.

04 September 2025 ==> Phishing Blockchain

«SUBJECT: <You have received $245,439.51 (2.5891 BTC)>

Below, we analyze a new phishing attempt that aims to steal the login credentials for the victim's cryptocurrency wallet Blockchain, the famous digital wallet that allows users to make transactions in cryptocurrencies.

The message, that we analyse below, informs the recipient that 2.5891 BTC, equivalent to $245,439.51, has been successfully sent. "This is part of our ongoing Bitcoin Compensatione Program, design by our platform and investors to accelerate the mass adoption of cryptocurrency. The transaction is pending activation”
It then invites the recipient to accept the transaction by clicking on the following link:

CLICK TO ACCEPT AND ACTIVATE 

When we examine the message, we see that it has a highly suspicious email address <agri[at]shabakieh[dot]com>, not traceable to the official Blockchain domain. This is definitely unusual and should make us very suspicious..

Anyone who unluckily clicks on the CLICK TO ACCEPT AND ACTIVATE   link, will be redirected to a fraudulent web page unrelated to the official Blockchain website. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for criminal purposes and/or to transfer funds. We therefore urge you to always pay close attention, even to the smallest details, and not to enter your personal details and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber fraudsters.

04 September 2025 ==> Phishing ING

SUBJECT: <lNG accounts at risk: update your information now>

This month, we are once again seeing phishing attempts pretending to be official communications from ING.

The message, using graphics stolen from, or similar to the gaphics of the well-known banking institution, tries to pass itself off as an official communication, to induce the recipient to enter his/her personal data.
It then warns the user that immediate action is required on the account to ensure the security and proper functioning of the account and related services.
To complete the verification process, the user simply needs to update his/her personal information via the following link:

Update my information

Clearly, ING is not involved in the mass sending of these emails, which are scams whose aim, as always, is to steal the home banking login credentials and/or money of the unsuspecting recipient.

Although the cybercriminal had the foresight to include a link to ING's Help and Support page and a logo similar to the logo of the well-known bank, which could easily mislead users, there are some clues that should raise suspicion. When we examine the text of the message, we immediately see that it is generic and that the sender's email address <sukanta(at)decisive(dot)in> cannot be traced back to the official ING domain. Another unusual fact is that the user is asked to update his/her data by entering his/her home banking credentials via a link sent by email.

Anyone who unluckily clicks on the Update my information link, will be redirected to a fraudulent web page unrelated to the official ING website. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for criminal purposes and/or to transfer funds.
We therefore urge you to always pay attention to even the smallest details and not to enter your personal details and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber fraudsters.

03 September 2025 ==> Phishing Sella Bank

«SUBJECT:< An important new message. >

We find again this month the phishing campaign that spreads through an e-mail exploiting stolen graphics or similar to the graphics of Banca SELLA (Sella Bank). Hence it tries to pass itself off as an official communication, in order to induce the unsuspecting recipient to do what requested, and fall into a social engineering trap.

The message informs the recipient that from September 7, 2025, he/she will no longer be able to use his/her credit card unless he/she updates his/her information. The update is required to activate the new security system, otherwise his/her account will be unusable.
The recipient is then asked to complete the following steps:

Step 1 : Log in to your account
Step 2: Confirm your credit card update
Step 3: Confirm the transaction with an SMS received on your cell phone.

ACTIVATE YOUR ACCOUNT NOW

When we examine the message, we immediately observe that has an email address <masa(dot)admin(at)myt(dot)mu> that is not associated with the Banca SELLA domain.
This is definitely unusual and should make us suspicious, even though the cybercriminal has been clever enough to include the well-known logo of the bank, which could mislead an inexperienced user.

The purpose is to get the recipient to click on the ACTIVATE YOUR ACCOUNT NOW
link, which, we would like to point out, redirects to a page unrelated to the official website of Banca SELLA but which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for criminal purposes.

03 September 2025 ==> Phishing NETFLIX

«SUBJECT: <­Update your payment details to continue watching Netfix­­>

Let's analyse the following phishing attempt seemingly originating from a fake communication from NETFLIX, the well-known streaming platform for movies, TV series, and other paid content, which aims to steal the victim's credit card details.

The message informs the user that his/her subscription payment has not been successful, but reassures the customer that these things happen and that there is nothing to worry about. Moreover, resolving the issue is simple: the user just needs to click on the following link and follow the instructions:

Try the payment again

When we examine the email, we see that the message comes from an email address <alp@sgstudio.it> that cannot be traced back to the official NETFLIX domain. This is highly unusual and should definitely raise our suspicions.

Anyone who unluckily clicks on the  Try the payment again link, will be redirected to an anomalous WEB page,  which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for criminal purposes.

03 September 2025 ==> Phishing WeTransfer

SUBJECT: < pec@cert.gov.it sent you 2 files via WeTransfer>

Below, we analyze a phishing attempt that aims to steal WeTransfer account credentials. The message informs the recipient that he/she has received two files and has until the end of today to view and download them, and after that they will be removed from the company servers. The names of the two files that have been transferred are listed: “Invoice-230925.pdf” and “971SAL-signed.pdf.” The recipient is then invited to log in to download the two files via the following link:

Download the files

When we examine the message, we see that its email address <info@coopfrantoiocompitese.it> cannot be traced back to the WeTransfer domain. This is definitely unusual and should make us suspicious.

Anyone who unluckily clicks on theDownload the files link, will be redirected to a fake web page in order to download the files indicated. Unlike what we would expect, this page does not refer to WeTransferr, but to a page that graphically simulates the Aruba website.
The user is then asked to log in to his/her Webmail, in order to steal his/her login credentials. The page the user is redirected to is unrelated to Aruba, as it is hosted on an anomalous address/domain:

https[:]//[FakeDomainName*].windows[.]net/sunbathes-82729/webm[.]html

We always urge you to be careful and not to enter your personal details and/or passwords on forms hosted on fake web pages, as they will be sent to a remote server and used by cyber fraudsters, with all the associated risks that this entails.

03 September 2025 ==> Phishing Aruba - Renew your domain

SUBJECT: <Notice: your domain ***** has expired – renew now­­>

Phishing attempts, claiming to be communications from the Aruba brand, continue this month.

The message informs the recipient that his/her domain hosted on Aruba has expired. It then warns him/her that in order to avoid service interruptions, he/she can immediately renew the domain at a cost of €5.99 via the following link:

Renew Now

Let's always be careful with requests to enter personal credentials via suspicious links sent by e-mail.
Clearly, the well-known web hosting, e-mail and domain registration company, Aruba, is not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.

We immediately notice that the email address of the message <mina[at]teatroavista[dot]it> does not belong to the official Aruba domain. This is highly unusual and should make us suspicious.
To induce the victim to act quickly, the cybercriminal allows little time to respond. This technique is clearly intended to intimidate the user, who, fearing that he/she will be unable to access his/her account and use the services linked to it, is prompted to act without paying due attention.  

Anyone who unluckily clicks on the  link, will be redirected to an anomalous WEB page,  which has already been reported as DECEPTIVE WEBSITE/PAGE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.