PHISHING INDEX
Below are the most common email phishing attempts detected by the TG Soft Anti-Malware Research Center in December 2025:
31/12/2025 => KIKO
23/12/2025 => Crédit Agricole
22/12/2025 => MetaMask
13/12/2025 => PayPal
10/12/2025 => Netflix
10/12/2025 => Aruba - Annual settlement
10/12/2025 => Klarna
10/12/2025 => Aruba - Password expired
09/12/2025 => Infocert
09/12/2025 => Aruba - Renew your domain
07/12/2025 => Carabinieri police force
05/12/2025 => SELLA Bank
02/12/2025 => Email Account
02/12/2025 => InBank
01/12/2025 => OneDrive
These emails aim to deceive unsuspecting victims into providing sensitive information, such as bank account details, credit card codes, or personal login credentials, with all the easily imaginable consequences.
31 December 2025 ==> Phishing customer survey: KIKO

Below, we analyse another phishing campaign using customer surveys that exploits the brand names of well-known companies.
In the example shown, the cybercriminal used the well-known KIKO brand to simulate a promotional message offering the chance to win an exclusive prize: a ‘KIKO Milano make-up gift set’. All you need to do to claim your reward is simply answer a few short questions.
Clearly, the brands exploited in these campaigns are unrelated to the mass sending of these malicious emails, which are genuine scams whose aim remains, as always, to steal sensitive data from unsuspecting recipients.
In the example shown, we see that the email has an address <noreply[at]news[dot]infobuild[dot]it> unrelated to the official KIKO domain. This is definitely unusual and should certainly make us suspicious.
When we click on the link in the email, we are redirected to a graphically misleading page (with misleading images and the authentic brand logo), but hosted on an unusual address/domain that does not seem at all reliable or traceable to the brand being exploited.
The cybercriminals behind the scam, in order to achieve their goal, use various tricks, such as reporting false testimonials from customers who have won the prize. They try to persuade the user to complete the survey quickly, by making him/her believe that only a few can win, and that the offer expires today.
Surely, if so many users were lucky, why not take a chance?
When the survey is completed, the user is usually sent to a page for the entry of the shipping address and subsequent payment of shipping costs.
The cybercriminals' purpose is to induce the victim to enter his/her personal information to ship the prize and then, likely, also the credit card information to pay the shipping costs.
To conclude, we always urge you to be wary of advertising/promotional messages that boast of "giving away" valuables, and to avoid clicking on suspicious links that may lead to a counterfeit site. In fact, if you trust these messages, your most valuable data is stolen by cyber crooks who can use it at will.
23 December 2025 ==> Phishing Crédit Agricole
SUBJECT: <Profile information update needed>
Below, we examine the following phishing attempt, which comes via a fake communication from Crédit Agricole, the well-known French bank.
The message informs the recipient that for security reasons, he/she is required to confirm his/her user profile information, specifically the phone number, to ensure correct account details.
It then invites the user to log in to update his/her data via the following link:
CONFIRM YOUR DATA
When we examine the message, we immediately notice that it has an email address <booking(at)tuscanydaytrip(dot)it> that clearly does not belong to the official Crédit Agricole domain. Let's always be super careful before clicking on any suspicious links.
Anyone who unluckily clicks on the CONFIRM YOUR DATA link will be redirected to a fraudulent web page, unrelated to the official Crédit Agricole website, which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for illegal purposes.
22 December 2025 ==> Phishing MetaMask
SUBJECT: <Your MetaMask wallet will be suspended.>
Below we analyze a new phishing attempt aimed at stealing the login credentials for the victim's cryptocurrency wallet from MetaMask, a San Francisco–based company.
MetaMask is a cryptocurrency software wallet used to interact with the Ethereum blockchain. It allows users to access their Ethereum wallet via a browser extension or mobile app.
The message, in English, informs the recipient that an attempt has been made to access his/her MetaMask account from a device never used before. It then warns him/her that his/her account and wallet have been temporarily blocked to prevent the loss of funds.
It then invites him/her to complete the login process and unlock the account in order to verify his/her identity, via the following link:
Recover My Account
When we examine the message, we see that it has a highly suspicious email address <do-not-reply[at]teamtechsoul[dot]com>, which does not appear to be linked to the official MetaMask domain. This is highly unusual and should certainly raise our suspicions.
Anyone who unluckily clicks on the Recover My Account link will be redirected to a web page that has already been reported as a DECEPTIVE PAGE/WEBSITE.
To conclude, we urge you to always be careful and not to enter your personal details and/or passwords on forms hosted on fake web pages, as they will be sent to a remote server and used by cyber fraudsters, with all the risks that this entails.
13 December 2025 ==> Phishing PayPal
SUBJECT: <Unauthorized access detected – Act now>
Below, we analyse a new phishing attempt that aims to steal login credentials for accounts with PayPal, the well-known US digital payments company.
The message warns the recipient that access to his/her PayPal account has been detected from an unrecognised device. It then informs him/her that if he/she did not perform the operation, it is necessary to follow the security procedure below to protect the account and the personal data of the account holder. To verify the reported suspicious activity, the user is asked to click on the following link:
Protect my account
When we examine the message, we see that it comes from an email address <lina[at]mtbsantafiora[dot]it> that is clearly not linked to the official PayPal domain. This is definitely unusual and should make us suspicious.
Anyone who unluckily clicks on the Protect my account link will be redirected to a web page unrelated to PayPal, which aims to obtain your most valuable data for criminal purposes.
10 December 2025 ==> Phishing NETFLIX
SUBJECT: <Action required: payment method verification>
We examine another phishing attempt originating from a fake communication purporting to come from NETFLIX, the well-known streaming platform for films, television series, and other paid content, which aims to steal the credit card details of the victim.
The message informs the user that a problem has been encountered in processing the payment of €6.99 for his/her subscription. In order to continue using the service without interruption, he/she is asked to log into his/her account and update his/her payment details via the following link:
Update data
When we examine the message, we see that it comes from an email address <emaan(at)associazionepietta(dot)it> not traceable to the official NETFLIX domain. This is definitely unusual and should raise our suspicions.
Anyone who unluckily clicks on the Update data link will be redirected to a web page unrelated to NETFLIX which aims to obtain your most valuable data for illegal purposes.
10 December 2025 ==> Phishing Aruba - Annual settlement
SUBJECT: <Annual Recalculation 2025 – Additional Payment of €239.00>
This month, we once again encounter phishing attempts pretending to be communications from the Aruba brand.
This time the message informs the recipient that "following the annual recalculation of services for the year 2025, an additional balance of €239.00 has been identified, which has not yet been paid. This difference is due to tariff adjustments and the actual use of services during the current year."
It therefore invites the user to settle the payment of the amount due in order to avoid service interruptions, via the following link:
Proceed to payment
The well-known web hosting, e-mail and domain registration company Aruba is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.
When we examine the message, we immediately see that its email address <aruba[at]redproducciones[dot]com[dot]ar> does not belong to the official Aruba domain, something that should make us suspicious.
Anyone who unluckily clicks on the Proceed to payment link will be redirected to a web page which, although it graphically simulates the Aruba account login page due to the presence of the well-known company's logo, has an unusual address/domain:
https[:]//[FakeDomainName*]
On this page, the user is invited to access his/her customer area by entering his/her email login and password to pay the annual balance indicated, before the services are blocked.
We always urge you to pay attention to every detail, even trivial ones, not to rush and not to enter your personal details and/or passwords on forms hosted on fake web pages, as these will be sent to the cybercriminals behind the scam, who will use them for criminal purposes.
10 December 2025 ==> Phishing Klarna
SUBJECT: <Verify your Klarna account>
This month, we analyse a new phishing attempt that pretends to be a communication from Klarna, the Swedish payment service.
The message informs the recipient that, for security reasons, some account features hosted on Klarna have been temporarily restricted because the payment method is no longer valid. It then informs him/her that he/she cannot use his/her account at the moment and must verify his/her details via the following link:
Confirm Account
The well-known online payment company Klarna is clearly not involved in the sending of these mass emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.
When we examine the message, we immediately see that the email address <mmn1[at]e2[dot]gmobb[dot]jp> does not belong to the official Klarna domain, which is highly unusual and should make us suspicious.
Anyone who unluckily clicks on the Confirm Account link will be redirected to a web page that, although it looks like the Klarna account login page, has an unusual address/domain:
https[:]//[FakeDomainName*]
On this page, the user is invited to access his/her customer area by entering his/her email login and password to retrieve messages before they are deleted.
We always urge you to pay attention to every detail, even trivial ones, not to rush and not to enter your personal details and/or passwords on forms hosted on fake web pages, as these will be sent to the cybercriminals behind the scam, who will use them for illegal purposes.
10 December 2025 ==> Phishing Aruba - Password expired
SUBJECT: <Invoice due**>
Phishing attempts pretending to be communications from the Aruba brand continue.
The message informs the recipient that his/her password for the account hosted on Aruba will expire in 24 hours (10 December 2025). It then invites him/her to confirm the password in order to continue using it, via the following link:
confirm password
The well-known web hosting, e-mail and domain registration company Aruba is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.
When we examine the message closely, we immediately notice that its email address does not belong to the official Aruba domain but simulates the recipient's own address. This is highly unusual, as it appears to have been sent from the recipient's email account.
Anyone who unluckily clicks on the confirm password link will be redirected to a web page which, although it graphically simulates the Aruba account login page due to the presence of the well-known company's logo, has an unusual address/domain:
https[:]//[FakeDomainName*]
On this page, the user is invited to access his/her customer area by entering his/her email login and password to retrieve messages before they are deleted.
We always urge you to pay attention to every detail, even trivial ones, not to rush and not to enter your personal details and/or passwords on forms hosted on fake web pages, as these will be sent to the cybercriminals behind the scam, who will use them for criminal purposes.
09 December 2025 ==> Phishing Tinexta Infocert
SUBJECT: <Notice of unsuccessful payment for your Legalmail subscription>
This month, we examine the following phishing attempt that pretends to be a communication from the Tinexta Infocert brand.
The message informs the recipient that his/her Legalmail subscription provided by Tinexta Infocert could not be renewed because payment could not be received. The cause may be credit card refusal or deletion of the payment profile.
In any case, customers can take advantage of a promotion dedicated to new subscriptions:
"Good news! This is the best time of year to reactivate your subscription, because you can benefit from a 30% discount to reactivate your account!"
It then invites the user to take advantage of the promotion, which expires within 24 hours, via the following link:
Resume your subscription
The well-known company Tinexta Infocert, which offers digitalisation services such as digital signatures, SPID, Legalmail, etc., is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.
When we examine the message, we immediately see that its e-mail address <info[at]2face-carscz[dot]cz> does not belong to the official Tinexta Infocert domain, an anomalous fact that should make us suspicious.
Anyone who unluckily clicks on the Resume your subscription link will be redirected to a web page that, although it graphically simulates the login page for the Tinexta Infocert reserved area due to the presence of the company logo, has an unusual address/domain:
https[:]//[FakeDomainName*]
On this page, users are invited to access their customer area by entering their login details and password to renew their subscription before the promotion expires.
We always urge you to pay attention to every detail, even trivial ones, not to rush and not to enter your personal details and/or passwords on forms hosted on fake web pages, as these will be sent to the cybercriminals behind the scam, who will use them for criminal purposes.
09 December 2025 ==> Phishing Aruba - Renew your domain
SUBJECT: <Domain Expiration Notice - Deactivation scheduled for 09/12/2025>
This month, we once again see phishing attempts pretending to be communications from the Aruba brand.
The message warns the recipient that his/her domain hosted on Aruba expires on 9 December 2025. It then informs him/her that in order to avoid service interruptions, blocking of incoming emails or loss of the domain, he/she is invited to renew the domain immediately at a cost of €22.57, via the following link:
RENEW YOUR DOMAIN
Let's always be careful when we receive requests to enter personal credentials via suspicious links sent by e-mail.
The well-known web hosting, e-mail and domain registration company Aruba is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.
We immediately see that the email address of the message <adefarhan425[at]gmail[dot]com> does not belong to the official Aruba domain. This is highly unusual and should make us suspicious.
To induce the victim to act quickly, the cybercriminal gives him or her little time to respond. This technique is clearly intended to intimidate the user, who, fearing being unable to access his or her account and use the services linked to it, is prompted to act without paying due attention.
Anyone who unluckily clicks on the link will be redirected to a fraudulent web page which has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact it is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use it for malicious purposes.
07 December 2025 ==> SCAM Carabinieri police force
SUBJECT: <Your device is connected to illegal content.>
Below is an example of a SCAM attempt, a false summons for child pornography that comes via email and seems to originate from the Carabinieri police force.
The message, which comes through a highly suspicious email address <a18503[at]aemgnascente[dot]pt>, reports that illegal activity related to the viewing of child pornography has been detected and invites the recipient to attend a court hearing, the summons for which is attached to the email.
When we open the PDF attachment named <Armadeicarabinieri_Scan>, shown below, we notice that it is graphically misleading and appears to come from the General Command of the Carabinieri. The false complaint accuses the victim of child pornography, paedophilia, exhibitionism and cyber pornography, as he allegedly visited a child pornography website.

This is an attempt by cybercriminals to extort money as a fine. Moreover, if the victim does not respond within 72 hours, an arrest warrant is threatened.
We would like to emphasise that the complaint is not addressed to the recipient personally, which should immediately raise our suspicions and make us realise that this is an attempt to defraud us in order to steal sensitive user data and extort money.
05 December 2025 ==> Phishing Sella Bank
SUBJECT: <You must update your information within 48 hours>
This month we again find the phishing campaign that spreads through an e-mail using graphics stolen from, or similar to, those of SELLA Bank. It tries to pass itself off as an official communication in order to induce the unsuspecting recipient to do what is requested and fall into a social engineering trap.
The message informs the recipient that ‘as part of the periodic checks required by current legislation’, he/she is requested to urgently update his/her user profile data in order to ‘ensure the full operativity of the account and to avoid possible limitations to services’. It therefore invites him/her to update his/her details within 48 hours after receiving the message, via the following link:
Update your data
When we examine the message, we see that it comes from an email address <lina(at)dentalsun(dot)eu> that is not at all related to the SELLA Bank domain.
This is definitely unusual and should make us suspicious, even though the cybercriminal has included the well-known logo of the bank, which could mislead an inexperienced user.
The cybercriminals' purpose is to get the recipient to click on the Update your data link, which, we must point out, redirects to a page that is unrelated to the official SELLA Bank website and has already been reported as a DECEPTIVE WEBSITE. In fact, it is managed by cybercriminals whose goal is to obtain your most valuable data in order to use it for illegal purposes.
02 December 2025 ==> Phishing Email account
SUBJECT: <Your ***** password will expire today>
Below, we analyse the phishing attempt that aims to steal the email account credentials of the victim.
The message warns the recipient that his/her email account password will expire today and he/she must update it as soon as possible in order to continue using the services linked to it. To keep using the password, he/she can use the following link:
CLICK HERE
When we examine the message, we see that it comes from an email address <comunicazioni(at)*******> that seems to belong to the recipient's email domain. This is definitely unusual and should make us suspicious.
Anyone who unluckily clicks on the link will be redirected to a fraudulent web page that simulates his/her email account login page.
On this page, users are asked to log in to their account by entering, most notably, the password for their email account, to confirm or change their current password, which is due to expire.
However, the page to which users are redirected to enter their email account credentials is hosted on an unusual address/domain, which we report below:
https[:]//[FakeDomainName*]
We always urge you to pay attention to every detail, even trivial ones, and not to enter your personal details and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber fraudsters, with all the associated risks easy to imagine.
02 December 2025 ==> Phishing InBank
SUBJECT: <Request for data confirmation for profile security>
This month, we analyse a phishing attempt that pretends to be an official communication from INBANK.
The message informs the unsuspecting recipient that, for security reasons, he/she is required to confirm the information associated with his/her profile. It then asks him/her to check his/her contact details, in particular his/her telephone number, to ensure that the account is correctly updated.
It invites him/her to complete the procedure as soon as possible to ensure a fully operational online service, via the following link:
CONFIRM DATA
INBANK is clearly not involved in the mass sending of these emails, which are scams whose aim, as always, is to steal the home banking login credentials of unsuspecting recipients.
When we examine the text of the message, we immediately notice that it is generic and that the sender's email address <kolan(at)galileo-progetti(dot)it> cannot be traced back to the official INBANK domain. Another unusual fact is that the user is asked to update his/her details by entering his/her home banking credentials via a link sent by email.
Anyone who unluckily clicks on the link will be redirected to a fraudulent web page, which aims to steal access to your credit card account but has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is managed by cybercriminals whose goal is to obtain your most valuable data in order to use it for illegal purposes.
01 December 2025 ==> Phishing OneDrive
SUBJECT: <Contract signing>
Below, we examine a phishing attempt that aims to steal OneDrive account credentials.
The message informs the recipient that he/she has received a file containing 23 items on OneDrive, which seems to come from ‘La Scuola SpA’ with the subject line ‘Contract signing’. It then invites him/her to view the attached documents by clicking on the following link:
VIEW THE ATTACHED DOCUMENT
When we examine the message, we see that it has an email address <f.moreni(at)gruppolascuola(dot)it> that is not linked to the OneDrive domain but appears to come from the sender him/herself. This is highly unusual and should make us very suspicious.
When we click on the link, we are redirected to a web page that asks us to log in to our account, entering our email password in particular, in order to download the attached document.
Actually, the page the user is redirected to for entering his/her OneDrive credentials is hosted on an unusual address/domain, which we report below:
https[:]//[FakeDomainName*]
We always urge you to pay attention to every detail, even trivial ones, and not to enter your personal details and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber fraudsters, with all the associated risks that are easy to imagine.
A little attention and a quick glance can save you a lot of hassle and headaches...
We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, if there is a resurgence it is reasonably likely that more than a few unfortunate recipients will be fooled.
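The check repeated in every entry above (does the sender's domain belong to the brand the message claims to come from, or does it imitate the recipient's own domain without passing authentication?) can be automated at the mail gateway. The following is an added example, not part of the original report or of TG Soft's products: the allowlist of official domains, the display names, the example.org recipient and the Authentication-Results values are constructed assumptions, while the defanged sender addresses and subjects are those quoted in the report.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: an allowlist of official sender domains maintained by the defender.
BRAND_DOMAINS = {
    "klarna": {"klarna.com"},
    "netflix": {"netflix.com"},
    "paypal": {"paypal.com"},
    "aruba": {"aruba.it"},
}


def refang(text):
    """Convert the report's defanged notation ([at], (dot)) back to @ and dots."""
    text = re.sub(r"[\[(]at[\])]", "@", text, flags=re.I)
    return re.sub(r"[\[(]dot[\])]", ".", text, flags=re.I)


def domain_of(address):
    return address.rsplit("@", 1)[1].lower().rstrip(".") if "@" in address else ""


def belongs_to(domain, official):
    """True for an official domain or one of its subdomains, never a look-alike."""
    return any(domain == d or domain.endswith("." + d) for d in official)


def dmarc_passed(msg):
    # Assumption: this header is added by your own gateway and any copies
    # supplied by the sender have been stripped before this check runs.
    results = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    return re.search(r"\bdmarc=pass\b", results, re.I) is not None


def check_message(raw, recipient):
    """Return a list of findings for one raw message delivered to `recipient`."""
    msg = message_from_string(raw)
    display, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(sender)
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    findings = []
    for brand, official in BRAND_DOMAINS.items():
        if not re.search(rf"\b{re.escape(brand)}\b", claimed):
            continue
        if not belongs_to(sender_domain, official):
            findings.append(f"brand-mismatch:{brand}:{sender_domain}")
        elif not dmarc_passed(msg):
            findings.append(f"brand-unauthenticated:{brand}:{sender_domain}")
    # The "sent from your own account" trick: own domain, but authentication fails.
    if sender_domain and sender_domain == domain_of(recipient) and not dmarc_passed(msg):
        findings.append(f"own-domain-unauthenticated:{sender_domain}")
    return findings


def build(display, sender, subject, to, auth=""):
    """Assemble a constructed test message from header values."""
    headers = [f"From: {display} <{refang(sender)}>", f"To: {to}", f"Subject: {subject}"]
    if auth:
        headers.insert(0, f"Authentication-Results: mx.example.org; {auth}")
    return "\n".join(headers) + "\n\n(body omitted)\n"


RECIPIENT = "user@example.org"  # constructed placeholder
SAMPLES = {  # constructed messages using senders and subjects quoted in the report
    "klarna": build("Klarna", "mmn1[at]e2[dot]gmobb[dot]jp",
                    "Verify your Klarna account", RECIPIENT),
    "netflix": build("NETFLIX", "emaan(at)associazionepietta(dot)it",
                     "Action required: payment method verification", RECIPIENT),
    "own-domain": build("", "comunicazioni(at)example(dot)org",
                        "Your ***** password will expire today", RECIPIENT,
                        auth="spf=fail; dmarc=fail"),
    "legitimate": build("Klarna", "noreply@klarna.com", "Your receipt", RECIPIENT,
                        auth="spf=pass; dmarc=pass header.from=klarna.com"),
}


def run_samples():
    return {name: check_message(raw, RECIPIENT) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:12} {findings or 'no findings'}")
```

A brand name in the display name or subject is only a trigger for the comparison; the decision rests on the sender domain and on the authentication result recorded by your own gateway.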
We invite you to check the following information on phishing techniques for more details:
04/11/2025 14:45 - Phishing: the most common credential and/or data theft attempts in November 2025...
01/10/2025 16:40 - Phishing: the most common credential and/or data theft attempts in October 2025...
04/09/2025 09:45 - Phishing: the most common credential and/or data theft attempts in September 2025...
05/08/2025 08:58 - Phishing: the most common credential and/or data theft attempts in August 2025...
01/07/2025 16:04 - Phishing: the most common credential and/or data theft attempts in July 2025...
05/06/2025 09:22 - Phishing: the most common credential and/or data theft attempts in June 2025...
05/05/2025 15:03 - Phishing: the most common credential and/or data theft attempts in May 2025...
07/04/2025 14:22 - Phishing: the most common credential and/or data theft attempts in April 2025...
07/03/2025 15:10 - Phishing: the most common credential and/or data theft attempts in March 2025...
03/02/2025 14:54 - Phishing: the most common credential and/or data theft attempts in February 2025...
03/01/2025 14:40 - Phishing: the most common credential and/or data theft attempts in January 2025...
03/12/2024 14:47 - Phishing: the most common credential and/or data theft attempts in December 2024...
Try Vir.IT eXplorer Lite
If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.
Vir.IT eXplorer Lite has the following special features:
- freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
- fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
- it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
- through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M.
- Download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
VirIT Mobile Security AntiMalware ITALIAN for ALL Android™ Devices
VirIT Mobile Security is the Italian Anti-Malware software that protects Android™ smartphones and tablets from Malware intrusions and other unwanted threats, and empowers the user to safeguard his/her privacy with an advanced heuristic approach (Permission Analyzer).

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.
You can upgrade to the PRO version by purchasing it directly from our website.
Acknowledgements
TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.
How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware
You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
- any suspect email can be sent directly from the recipient's e-mail to the following address, lite@virit.com, choosing "Forward as Attachment" as the sending mode and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
- save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as an external file to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).

For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page:
How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
TG Soft Anti-Malware Research Centre (C.R.A.M.)