PHISHING INDEX
Below are the most common email phishing attempts detected by the TG Soft Anti-Malware Research Center in January 2026:
30/01/2026 => Email Account
26/01/2026 => Aruba - Service suspension
22/01/2026 => Email Account
20/01/2026 => TISCALI
20/01/2026 => SumUp
19/01/2026 => Aruba - Renew your domain
14/01/2025 => CUP - Smishing
08/01/2026 => Webmail
07/01/2026 => Aruba - Invoice Balance
06/01/2026 => Aruba - Service suspension
02/01/2026 => Nexi
01/01/2026 => Netflix
These emails aim to deceive unsuspecting victims into providing sensitive information, such as bank account details, credit card codes, or personal login credentials, with all the easily imaginable consequences.
30 January 2026 ==> Phishing Email Account
SUBJECT: <Your password ‘******’ will expire today.>
Below, we analyse the phishing attempt that aims to steal the email account credentials of the victim.
The message informs the recipient that his or her email account password will expire within 24 hours and asks him or her to confirm the password in order to continue using it, via the following link:
confirm password
When we analyse the message we see that it has an email address which seems to come from the recipient's email domain <segreteria(at)nift(dot)com>. This is definitely unusual and should make us suspicious.
Anyone who unfortunately clicks on the confirm password link will be redirected to a fraudulent web page that simulates the Aruba email account login page.
On this page, the user is invited to log in to his/her Aruba account to update his/her password...
Actually, the page to which you are redirected to enter your Aruba account credentials is hosted on an unusual address/domain, which we report below:
https[:]//[FakeDomainName*]
We always urge you to pay attention to every detail, even trivial ones, and not to enter your personal details and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber fraudsters, with all the associated risks that are easy to imagine.
26 January 2026 ==> Phishing Aruba - Service suspension
SUBJECT: <Final system reminder - action required by 27/01/2026>
This month, we are once again seeing phishing attempts pretending to be communications from the Aruba brand.
This time, the message informs the recipient that his/her domain hosted on Aruba is ‘close to scheduled suspension on 27/01/2026.’
It only takes a few minutes to avoid service suspension, and by doing so immediately, the user can take advantage of an exclusive offer.
Therefore, it invites the user to proceed via the following link:
Keep the service active
Aruba, the well-known web hosting, email and domain registration company, is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.
When we carefully examine the message, there are some clues that should raise suspicion. We immediately notice that the email address of the message <info+tNB13s[at]tectonicinternational[dot]com> does not belong to the official Aruba domain, something that is definitely unusual and should make us suspicious.
Anyone who unfortunately clicks on the Keep the service active link will be redirected to a web page which, although it graphically simulates the Aruba account login page - due to the presence of the well-known company's logo - has an abnormal address/domain:
https[:]//[FakeDomainName*]
On this page, the user is asked to log in to his/her customer area by entering his/her email login and password to pay the overdue invoice indicated, before the services are blocked.
We always urge you to pay attention to every detail, even trivial ones, not to rush and not to enter your personal details and/or passwords on forms hosted on fake web pages, as these will be sent to the cybercriminals behind the scam, who will use them for criminal purposes.
22 January 2026 ==> Phishing Email Account
SUBJECT: <***** WARNING: The “******” Email account is almost full.>
Below, we analyse a phishing attempt that aims to steal the email account credentials of the victim.
The message, in English, informs the recipient that he/she has 5 new pending messages, which he/she cannot receive because he/she does not have enough storage space. If he/she does not upgrade his/her storage space, he/she may risk account deactivation, in addition to losing the pending emails. The following link is provided to upgrade storage space:
Click here to restore pending mails
When we examine the message, we notice that it has an email address <no-reply(at)*******> that seems to come from the recipient's email domain. This is definitely unusual and should make us suspicious.
Anyone who unluckily clicks on the Click here to restore pending mails link will be redirected to a fake web page, which is designed to look like the email account login page.
On this page, the user is invited to log in to his/her account by entering, specifically, the password for his/her email account in order to update the storage space.
Actually, the page where the user is redirected to enter his/her email account credentials is hosted on an unusual address/domain, which we report below:
https[:]//[FakeDomainName*]
We urge you to always pay attention to every detail, even trivial ones, and not to enter your personal details and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber fraudsters, with all the associated risks that this entails.
20 January 2026 ==> Phishing Tiscali
SUBJECT: <(Urgent deactivation notice)>
Below we examine a phishing attempt aimed at stealing login credentials for TISCALI accounts.
The message informs the recipient that his/her mailbox has expired and has been deactivated, so he/she can no longer send or receive messages until it is reactivated. Furthermore, all messages will be deleted one day after the expiry date.
The user is then asked to reactivate his/her account as soon as possible via the following link:
REACTIVATE NOW
Upon careful analysis of the message, there are some clues that should raise suspicion. We immediately notice that its email address <milantns[at]sbb[dot].rs> cannot be traced back to the official TISCALI domain, an unusual occurrence. Another red flag is that in order to confirm, the user is required to enter their account credentials via a link provided in the email.
Anyone who unluckily clicks on the REACTIVATE NOW link will be redirected to a web page which, although it graphically simulates the TISCALI account login page – as the cybercriminal had the foresight to insert the logo – is not at all reliable. In this case too, the address is abnormal:
https[:]//[FakeDomainName*]
On this page, the user is invited to log in to his/her customer area to reactivate his/her account and avoid data loss.
We always urge you to pay attention to every detail, even trivial ones, not to rush and not to enter your personal details and/or passwords on forms hosted on fake web pages, as these will be sent to the cybercriminals behind the scam, who will use them for criminal purposes.
20 January 2026 ==> Phishing SumUp
SUBJECT: <Important: Vulnerability detected – Update immediately>
Below, we analyse a new phishing attempt that pretends to be an official communication from SumUp, a well-known London-based digital payments company.
The message, which concerns the security of the user's account, warns: "Due to a vulnerability detected in the data encryption systems, your account requires the manual application of the Security Patch. This procedure is mandatory to prevent unauthorised access. Failure to update by the end of the session will result in the temporary suspension of outgoing transactions to protect your funds."
To update, the user simply needs to click on the following link:
APPLY UPDATE NOW
The well-known London-based company is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.
Upon careful analysis of the message, there are some clues that should raise suspicion. We immediately notice that the email address of the message <teamdisumup-noreply-verificationltd[at]highpointlabradors[dot]com> is not traceable to the official SumUp domain. This is highly unusual and should certainly raise suspicion. Another strange fact is that the email does not provide any customer identification details and asks the user to enter his/her account credentials via a link provided in the email.
Anyone who unluckily clicks on the APPLY UPDATE NOW link will be redirected to a web page that, although it graphically simulates the SumUp account login page, as the cybercriminal has had the foresight to insert the well-known company's logo, has an abnormal address/domain:
https[:]//[FakeDomainName*]
On this page, the user is invited to access his/her customer area by entering his/her email login and password for the requested update.
We therefore urge you to always pay close attention to even the smallest details and not to enter your personal details and/or passwords on forms hosted on counterfeit web pages, as they will be used by cyber fraudsters for illegal purposes.
19 January 2026 ==> Phishing Aruba - Renew your domain
SUBJECT: <Domain Expiry Notice - Deactivation scheduled for 19/01/2026>
Phishing attempts pretending to be communications from the Aruba brand continue this month.
The message informs the recipient that his/her domain, hosted on Aruba, expires on 19 January 2026. It then warns him/her that, in order to avoid service interruptions, blocking of incoming emails or loss of the domain, he/she must immediately renew it at a cost of €22.57 via the following link:
RENEW YOUR DOMAIN
Let's always pay attention to requests to enter personal credentials via suspicious links sent by email.
Aruba, the well-known web hosting, e-mail and domain registration company, is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.
We immediately notice that the email address of the message <spintowinandgain[at]gmail[dot]com> does not belong to the official Aruba domain. This is highly unusual and should make us suspicious.
To induce the victim to act quickly, the cybercriminal gives him or her little time to respond. This technique is clearly intended to intimidate the user, who, fearing he or she will be unable to access his or her account and use the services linked to it, is prompted to act without paying due attention.
Anyone who unfortunately clicks on the RENEW YOUR DOMAIN link will be redirected to a web page which, although it graphically simulates the Aruba account login page (due to the presence of the well-known company's logo), has an abnormal address/domain:
https[:]//[FakeDomainName*]
On this page, the user is invited to access his/her customer area by entering his/her email login and password to renew his/her account by paying the required amount. Obviously, we urge you not to enter your credit card details.
The aim of the cybercriminals behind the scam is clearly to steal them. Therefore, always pay close attention and check the expiry dates of active services only through official pages and not through suspicious links.
14 January 2025 ==> Smishing CUP
Below we report a new scam attempt that is spreading these days, through a fake text message from the Central Booking Office (CUP) for medical examinations and tests.

The message, shown on the side, fraudulently uses the name of the Central Booking Office and invites the recipient to contact the telephone number provided - which is different from the official numbers - under the pretext of ‘important communications concerning you’.
We need to know how to spot these common types of online scams. It's important to remember that the CUP, like any other national service, will never ask you to give your personal details via email, text message, or call centre. We should always use official channels that we can check.
The aim of cybercriminals is to persuade users to call the telephone number provided, exploiting concerns about their own health or the health of their close relatives, thereby tricking them into falling for these scams, which in this example are designed to steal telephone credit. However, the goal is often to steal personal data for criminal purposes, which could expose the victims to future fraud, even though such theft is perceived as less dangerous because its effects are not immediate.
We urge you to always exercise extreme caution when receiving suspicious text messages. DO NOT call, DO NOT reply to the message, and DO NOT provide any personal information. Always use official channels and, if in doubt, contact the service involved in the alleged fraud to verify the reliability of the information provided.
08 January 2026 ==> Phishing Webmail
SUBJECT: <System Maintenance:*** Authentication Notification>
Below, we analyze a phishing attempt that aims to steal the email account credentials of the victim.
The message, in English, informs the recipient that his/her email account password will expire today and warns him/her that it must be updated as soon as possible in order to continue using the services linked to it. In order to continue using the same password, he/she can click on the following link:
Use Same Access
When we examine the message we see that it has an email address <chandinadepo(dot)scm(at)provitagroupbd(dot)com> that seems to come from the recipient's email domain. This is definitely unusual and should make us suspicious.
Anyone who unluckily clicks on the Use Same Access link will be redirected to a fake web page that simulates the email account login page.
On this page, the user is invited to log in to his/her account by entering, notably, the password for his/her email account in order to confirm or change his/her current password, which is about to expire.
Actually, the page where users are redirected to enter their email account credentials is hosted on an unusual address/domain, which we report below:
https[:]//[FakeDomainName*]
We always urge you to pay attention to every detail, even trivial ones, and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber fraudsters, with all the associated risks that are easy to imagine.
07 January 2026 ==> Phishing Aruba - Invoice Balance
SUBJECT: <Invoice Balance>
Phishing attempts posing as communications from the Aruba brand continue.
The message informs the recipient that the password for his/her Aruba account will expire in 24 hours (January 8, 2026).
It then asks the user to confirm his/her password in order to continue using it, via the following link:
confirm password
The well-known web hosting, email, and domain registration company Aruba is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.
When we examine the message, there are some clues that should raise suspicion. We immediately notice that the email address of the message does not belong to the official Aruba domain but simulates that of the recipient itself, which is highly unusual. In fact, it seems that it was sent from the recipient's email account.
Anyone who unfortunately clicks on the confirm password link will be redirected to a web page that, although it graphically simulates the Aruba account login page due to the presence of the well-known company's logo, has an unusual address/domain:
https[:]//[FakeDomainName*]
On this page, users are invited to access their customer area by entering their email login and password to retrieve messages before they are deleted.
We always urge you to pay attention to every detail, even trivial ones, not to rush and not to enter your personal details and/or passwords on forms hosted on fake web pages, as these will be sent to the cybercriminals behind the scam, who will use them for criminal purposes.
06 January 2026 ==> Phishing Aruba - Service suspension
SUBJECT: <Suspension of current service>
This month, we are once again seeing phishing attempts pretending to be communications from the Aruba brand.
This time, the email contains the following message: "an invoice due on 12/31/2025 is currently unpaid. To avoid automatic suspension of services, scheduled for January 6, 2026, we invite you to proceed with payment as soon as possible."
It therefore invites the user to settle the outstanding payment to avoid service interruptions, via the following link:
Complete the payment
The well-known web hosting, email, and domain registration company Aruba is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.
When we carefully examine the message, there are some clues that should raise suspicion. We immediately notice that the email address from which the message originates <info+KWyRGB[at]bazofo[dot]pt> does not belong to the official Aruba domain, which is highly unusual and should make us suspicious.
Anyone who unluckily clicks on the Complete the payment link will be redirected to a web page that, although it graphically simulates the Aruba account login page, due to the presence of the well-known company's logo, has an abnormal address/domain:
https[:]//[FakeDomainName*]
On this page, the user is invited to access their customer area by entering their email login and password to pay the overdue invoice indicated, before services are blocked.
We always urge you to pay attention to every detail, even trivial ones, not to rush and not to enter your personal details and/or passwords on forms hosted on fake web pages, as these will be sent to the cybercriminals behind the scam, who will use them for criminal purposes.
02 January 2026 ==> Phishing Nexi
SUBJECT: <Protect Your Card: Complete Verification Now>
This new phishing attempt pretends to be a communication from Nexi, a well-known digital payment services company.
The message informs the recipient that an anomaly has been detected in his/her card verification systems. The message goes on to state that ‘To ensure maximum security and prevent unauthorised use, access to the services associated with your card has been temporarily restricted.’ In order to continue using the card, the user must verify his/her identity via the link provided. A 6-digit verification code will also be sent via text message to complete the procedure, via the following link:
Confirm your data
The well-known company is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.
Although the cyber fraudster had the foresight to include the Nexi logo, we see that the message has an email address <marc[at]oscarbuffon[dot]it> that cannot be traced back to the official Nexi domain. This is definitely unusual and should make us suspicious.
Anyone who unluckily clicks on the link will be redirected to a fraudulent web page, which aims to steal access to his/her credit card account but has already been reported as a DECEPTIVE PAGE/WEBSITE. In fact, it is managed by cybercriminals whose goal is to obtain users' most valuable data in order to use it for illegal purposes.
Based on these considerations, we advise you to NEVER enter your credentials on websites whose origin you do not know, as they will be sent to a remote server and used by cyber fraudsters, with all the associated risks that are easy to imagine.
01 January 2026 ==> Phishing NETFLIX
SUBJECT: <Expiration notice: Update your Netflix payment method>
We examine below the following phishing attempt, which comes as a fake message from NETFLIX, the well-known streaming platform for films, TV series, and other paid content, and which aims to steal the credit card details of the victim.
The message informs the user that a problem has been encountered in processing the payment of €6.99 for his/her subscription, which expires on 2 January, 2026. To continue using the service without interruption, the user is asked to update his/her payment information by 02/01/2026. He/she is then asked to log into his/her account and update his/her payment details via the following link:
UPDATE DATA
When we examine the message, we notice that it has an email address <ara(at)frmoto(dot)it> not linked to the official NETFLIX domain. This is definitely unusual and should make us suspicious.
Anyone who unluckily clicks on the UPDATE DATA link will be redirected to a web page unrelated to NETFLIX, whose purpose is to obtain users' most valuable data for criminal use.
A little attention and a quick glance can save you a lot of hassle and headaches...
We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated techniques, whenever there is a resurgence it is reasonably likely that more than a few unfortunate recipients will be fooled.
We invite you to check the following information on phishing techniques for more details:
04/12/2025 15:56 - Phishing: the most common credential and/or data theft attempts in December 2025...
04/11/2025 14:45 - Phishing: the most common credential and/or data theft attempts in November 2025...
01/10/2025 16:40 - Phishing: the most common credential and/or data theft attempts in October 2025...
04/09/2025 09:45 - Phishing: the most common credential and/or data theft attempts in September 2025...
05/08/2025 08:58 - Phishing: the most common credential and/or data theft attempts in August 2025...
01/07/2025 16:04 - Phishing: the most common credential and/or data theft attempts in July 2025.
05/06/2025 09:22 - Phishing: the most common credential and/or data theft attempts in June 2025...
05/05/2025 15:03 - Phishing: the most common credential and/or data theft attempts in May 2025...
07/04/2025 14:22 - Phishing: the most common credential and/or data theft attempts in April 2025...
07/03/2025 15:10 - Phishing: the most common credential and/or data theft attempts in March 2025..
03/02/2025 14:54 - Phishing: the most common credential and/or data theft attempts in February 2025...
03/01/2025 14:40 - Phishing: the most common credential and/or data theft attempts in January 2025...
Try Vir.IT eXplorer Lite
If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use to increase the security of your computers, PCs and SERVERS.
Vir.IT eXplorer Lite has the following special features:
- freely usable in both private and corporate environments with Engine+Signature updates without time limitation;
- fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't need any uninstallation and it doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
- it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.It eXplorer PRO;
- through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have installed themselves automatically and send the reported files to TG Soft's C.R.A.M.;
- Download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
VirIT Mobile Security AntiMalware ITALIAN for ALL Android™ Devices
VirIT Mobile Security is the Italian Anti-Malware software that protects Android™ smartphones and tablets from Malware intrusions and other unwanted threats, and empowers the user to safeguard his/her privacy with an advanced heuristic approach (Permission Analyzer).

TG Soft makes VirIT Mobile Security available for free by accessing the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit) from which you can download the Lite version, which can be freely used in both private and corporate settings.
You can upgrade to the PRO version by purchasing it directly from our website.
Acknowledgements
TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.
How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware
You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
- any suspect email can be sent directly from the recipient's e-mail program to the following address, lite@virit.com, choosing "Forward as Attachment" as the sending mode and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
- save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).

For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page:
How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
TG Soft Anti-Malware Research Centre (C.R.A.M.)