02/04/2026
11:01

The most widespread phishing attempts in April 2026


Find out the most common phishing attempts you might encounter and avoid

PHISHING INDEX

Below are the most common email phishing attempts detected by the TG Soft Anti-Malware Research Center in April 2026:

28/04/2026 => Klarna
28/04/2026 => Aruba - Insufficient space
27/04/2026 => Pago PA - Revenue Agency
21/04/2026 => Webmail
20/04/2026 => Unicredit
20/04/2026 => Nexi
17/04/2026 => WINDTRE
17/04/2026 => DHL
14/04/2026 => Aruba
13/04/2026 => Tiscali
11/04/2026 => Smishing Nexi
02/04/2026 => Email account

These emails aim to deceive unsuspecting victims into providing sensitive information, such as bank account details, credit card codes, or personal login credentials, with all the easily imaginable consequences.

28 April 2026 ==> Phishing Klarna

SUBJECT: <Verify your Klarna account>

This month, we’re checking out a new phishing attempt that pretends to be a message from Klarna, the Swedish payment service. The message informs the recipient that “an update to your contact information” regarding their Klarna account “is pending approval”. It then invites them to update their details via the following link:

Update now

The well-known online payment company Klarna is clearly not involved in the mass sending of these emails, which are outright scams whose goal, as always, is to steal sensitive data from unsuspecting recipients.

Upon closer inspection of the message, we see some suspicious elements. In fact, we immediately notice that the email address of the message, <as6[at]esterportal[dot]com>, does not belong to the official Klarna domain, a highly unusual circumstance that should raise our suspicions.

Anyone who unfortunately clicks on the Update now link will be redirected to a webpage that, although it visually mimics the Klarna account login page, has an unusual domain:

 https[:]//[FakeDomainName*]

On this page, the user is invited to log in to their account using their email username and password to retrieve their messages before they are deleted.

We always urge you to pay close attention to every detail, no matter how minor, not to rush, and to avoid entering your personal information and/or passwords into forms on fake websites, as this information will be sent to the cybercriminals behind the scam, who will use it for illegal purposes.

28 April 2026 ==> Phishing Aruba - Action required for space management

SUBJECT: <Notification of undelivered incoming emails to your inbox.>

Here is yet another phishing attempt posing as a communication from the Aruba brand.

The message informs the recipient that some incoming messages have been blocked due to insufficient storage space in their Aruba email account. It then advises them that, in order to retrieve the 15 pending messages and prevent incoming emails from being blocked, they must log in to their account via the following link:

RECOVER MESSAGES (15)

We should always be wary of requests to enter personal credentials via suspicious links sent by email.
The well-known web hosting, email and domain registration company, Aruba, is clearly not involved in the mass sending of these emails, which are genuine scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.

We immediately see that the email address it comes from, <cagnihydre1983[at]gmx[dot]de>, is not associated with the official Aruba domain. This is highly unusual and should certainly raise our suspicions.   

Anyone who unfortunately clicks on these links will be redirected to a web page unrelated to the Aruba website, and we can see that its address/domain is unusual:

https[:]//[FakeDomainName/amazonaws[.]com/Arubs[.]html#***]

On this page, the user is invited to log in to their customer area using their email password in order to retrieve any pending messages.

We urge you to always pay close attention to every detail, however minor, not to rush, and not to enter your personal details and/or passwords into forms hosted on fake websites, as these will be sent to the cybercriminals behind the scam, who will use them for illegal purposes.

27 April 2026 ==> Phishing Pago PA - Revenue Agency

SUBJECT: <pagoPA: Necessary verification of your data>

Below, we analyze a new phishing attempt delivered through a message apparently coming from PagoPA, the digital platform that allows users to make payments to the Public Administration. 

The message informs the recipient that a new message has been sent to their MyPagoPA account containing the following information:
  • Subject: Refund of €354,20
  • Sender: Italian Revenue Agency
  • Date: April 27, 2026, 7:24 a.m. 
An analysis of the alert immediately reveals the anomalous sender address, <0020935400001[at]postacertificata[.]tabaccai[.]it>, which is not associated with the official PagoPA domain.
The message also appears to come from the Revenue Agency, but it is very vague and does not include the taxpayer’s first and last name, as we would expect. Moreover, the subject inside the notice is also vague, referring simply to a “Refund”.

To view the message regarding the alleged refund of €354.20, the user needs to click on the following link:

Go to the message

Anyone who unfortunately clicks on the link will be redirected to a fake version of the PagoPA website.
As can be seen from the image below, the webpage is well designed and is a relatively good imitation of the official PagoPA website.

However, the information displayed on the PagoPA login page differs from the message sent by the Italian Revenue Agency. In fact, it no longer concerns a refund, but a request for payment of a fine for a traffic offence – specifically, speeding – amounting to the previously stated sum of €354.20.
We see that this information, in addition to differing from the previously stated details, is provided even before logging in, which is decidedly unusual. With this in mind, we urge you to pay close attention to any misleading details, always check the URL where the login form is hosted, and assess the legitimacy of the request before entering any sensitive data.
We would like to remind you that PagoPA and the Italian Revenue Agency are in no way involved in the mass distribution of these phishing campaigns, and we urge you, if in any doubt, to check their official websites, which frequently warn of scam attempts that use their names.

21 April 2026 ==> Phishing Webmail

SUBJECT: <*****  your mailbox will be closed.>

Below, we analyse the phishing attempt aimed at stealing the victim’s email account credentials.

The message, in English, states: ‘The current version of your email account will be deactivated on 21 April 2026’, and following the recent update to the terms of service and privacy policy, the user must also update their email account.
It therefore invites the user to update their account via the following link to avoid deactivation or the loss of email data:

Continue to new version


On closer inspection of the email, we can see that the message appears to come from an email address <no-reply(at)*******> belonging to the recipient’s email domain. This is highly unusual and should certainly raise our suspicions.

Anyone who unfortunately clicks on the Continue to new version link will be redirected to a fraudulent web page designed to look like the email account login page.
On this page, the user is asked to log in to their account by entering their email password in order to update their data.

In fact, the page to which the user is redirected to enter their email account credentials is hosted on a suspicious address/domain, which is listed below:

 https[:]//[FakeDomainName*]

We urge you to always pay close attention to every detail, however trivial, and not to enter your personal details and/or passwords into forms hosted on fake websites, as these will be sent to a remote server and used by cybercriminals, with all the associated and easily imaginable risks.


20 April 2026 ==> Phishing Unicredit

SUBJECT: <Identity verification required for your account>

The message, using graphics stolen from or similar to those of the well-known UNICREDIT bank, attempts to pass itself off as an official communication, in order to induce the recipient to comply with the request and fall into this trap, based on social engineering techniques.

The message informs the unsuspecting recipient that an attempt to access their UNICREDIT account from an unrecognised IP address has been detected. It then advises them that, for security reasons, their profile details must be verified within 24 hours. Pending verification, their account may be temporarily blocked.
To proceed with verification, they simply need to click on the link:

Verify your identity

We immediately see that the alert message comes from a highly suspicious email address, <unicred(at)ddhousegroup(dot)com>, which clearly does not originate from the official UNICREDIT domain. It contains very generic text, despite the inclusion of the UNICREDIT logo in an attempt to mislead the user. The aim is to trick the victim into logging into their banking app so that their details can be stolen.

Anyone who unfortunately clicks on the Verify your identity link will be redirected to a malicious web page, which has already been reported as a DECEPTIVE PAGE/WEBSITE as it is managed by cybercriminals, whose aim is to obtain your most valuable data so that they can use it for their own purposes.


20 April 2026 ==> Phishing Nexi

SUBJECT: <SPA- Xpay Nexi - (IDS_064236044)>
 
This new phishing attempt poses as a message from Nexi, a well-known digital payment services company.

The message informs the recipient that ‘maintenance work is currently being carried out on the Nexi app’ and advises them to check their details to prevent fraud. It then asks the user to confirm their details as soon as possible via the following link:

Check your Nexi

The well-known company is clearly not involved in sending these mass emails, which are outright scams whose aim, as always, is to steal the unsuspecting recipient’s sensitive data.

In this case, the message is not very credible; indeed, it contains spelling mistakes and the reason given in the request to update personal details is implausible. Moreover, the sender’s email address <contact[at]bless-company[dot]com> does not belong to the official Nexi domain. This is highly unusual and should certainly raise our suspicions.

Anyone who unfortunately clicks on the link will be redirected to a fraudulent website designed to steal access to the user's credit card account; this site has already been reported as a SCAM SITE. It is in fact run by cybercriminals whose aim is to get hold of your most valuable data in order to use it for fraudulent purposes.

Based on these observations, we urge you to NEVER enter your login details on websites of unknown origin, as they will be sent to a remote server and used by cybercriminals, with all the associated and easily imaginable risks.


17 April 2026 ==> Phishing WindTre

SUBJECT: <Promemoria pagamento fattura - Gennaio 2026> (in English: “Invoice payment reminder - January 2026”)

Below, we analyse a new phishing attempt pretending to be a communication from the WINDTRE brand.

The message informs the recipient that the January 2026 invoice for their WINDTRE subscription has not yet been paid. It then states: ‘Your WINDTRE subscription has been suspended and will be cancelled if we do not receive payment shortly.’ To avoid any interruption to the service, the recipient must pay the invoice as a matter of urgency via the following link:

Make the payment

We should always be wary of requests to enter our personal data via suspicious links sent by email.
The well-known telecoms and internet company, WINDTRE, is clearly not involved in the mass sending of these emails, which are outright scams whose aim, as always, is to steal sensitive data of unsuspecting recipients.

We immediately see that the email address in the message <postmaster[at]familiavalente[dot]pt> does not belong to the official WINDTRE domain. This is highly unusual and should certainly raise our suspicions.   
Anyone who unfortunately clicks on the Make the payment link will be redirected to a web page which, although it graphically mimics the WINDTRE account login page – as evidenced by the presence of the well-known company’s logo – has an unusual address/domain:

 https[:]//[FakeDomainName*]

On this page, the user is invited to log in to their customer area using their email login and password in order to renew their account by paying the requested amount. We strongly advise you not to enter your credit card details.

The aim of the cybercriminals behind this scam is clearly to steal this information. Therefore, always exercise the utmost caution and check the expiry dates of your active services only via official pages, not via suspicious links.


17 April 2026 ==> Phishing DHL

SUBJECT: < Dispatch, transfer and confirmation of the requested address >

Below is a new phishing attempt, disguised as a message from the courier DHL regarding the delivery of a supposed parcel.

The message informs the unsuspecting recipient that their parcel is on hold and advises them: ‘To avoid delays in processing your parcel, please confirm the delivery address as soon as possible so that we can proceed with dispatch.’
These messages are increasingly being used to scam consumers, who are turning to e-commerce more and more for their purchases.
To proceed with the shipment, it is necessary to click on the following link:

Delivery address ****

The message contains an email address <noreply(at)dh(dot)com> unrelated to the DHL domain. This is highly unusual and should certainly raise our suspicions. Anyone who clicks on the link will be redirected to a suspicious web page.

Clicca per ingrandire l'immagine del falso sito di DHL dove viene richiesto di effettuare l'accesso al proprio account...in realtà si tratta di una TRUFFA!
Although the landing page is visually misleading, its URL does not belong to the official DHL domain.
On this page, users are asked to log in to their account using their password.
We see that the URL is unusual and does not correspond to the company’s official domain.

https[:]//dhil[.]s3[.][FakeDomainName*]/index.html?email***.....

If you enter your details on fake websites, they will be sent to the cybercriminals behind the scam, who will use them for illegal purposes. We therefore urge you not to rush and to pay close attention to every detail, however trivial it may seem.


14 April 2026 ==> Phishing Aruba - Renew your domain

SUBJECT: <Reactivate your suspended domain to prevent deletion from your account>

Phishing attempts impersonating the Aruba brand are continuing this month.

The message informs the recipient that their domain hosted on Aruba is due to expire on 16 April 2026. It therefore advises them that, to avoid service interruptions, incoming emails being blocked or losing their domain, they must renew it before the expiry date via the following link:

Renew your domain now

We always advise caution regarding requests to enter personal credentials via suspicious links sent by email.
The well-known web hosting, email and domain registration company, Aruba, is, of course, in no way involved in the mass sending of these emails, which are outright scams whose aim, as always, is to steal sensitive data from unsuspecting recipients.

We should note straight away that the email address in the message, <info[at]yokohama-imaihome[dot]co[dot]jp>, does not belong to the official Aruba domain. This is highly unusual and should certainly raise our suspicions.   
Anyone who unfortunately clicks on the Renew your domain now link will be redirected to a web page which, although it visually mimics the Aruba account login page – featuring the well-known company’s logo – has an unusual domain:

 https[:]//[FakeDomainName*]

On this page, the user is invited to log in to their customer account using their email address and password in order to update their account and pay the required amount. Clearly, we advise you not to enter your credit card details.

The aim of the cybercriminals behind this scam is, in fact, clearly to get hold of them. You should therefore always be extremely vigilant and check the expiry dates of your active services only via official websites, not via suspicious links.
 

13 April 2026 ==> Phishing Tiscali

SUBJECT: <(Urgent deactivation notice)>

Below, we analyse a phishing attempt aimed at stealing login credentials for TISCALI accounts.

The message informs the recipient that their email account has expired and has been deactivated; they can therefore no longer send or receive messages until it is reactivated. The email also warns the user that, one day after the expiry date, all messages will be deleted.

The user is therefore asked to reactivate their account as soon as possible. To do so, they simply need to follow this link:

REACTIVATE NOW

A careful analysis of the message reveals a number of clues that should raise suspicions. We immediately notice that the email address <info04725[at]gmail[dot]com> does not belong to the official TISCALI domain, a highly unusual circumstance. Another red flag is that, in order to confirm the process, the user is required to enter their account credentials via a link sent by email. 

Anyone who unfortunately clicks on the REACTIVATE NOW link will be redirected to a web page which, although it graphically simulates the TISCALI account login page – complete with the company logo – is by no means trustworthy. In this case too, the web address is suspicious:

https[:]//[FakeDomainName*]

On this page, the user is invited to log in to their customer area, where they can then reactivate their account to prevent any loss of data.

We urge you to always pay close attention to every detail, however minor, to take your time, and not to enter your personal details and/or passwords into forms hosted on fake websites, as these will be sent to the cybercriminals behind the scam, who will use them for illegal purposes.


11 April 2026 ==> Smishing Nexi

Below, we analyse a new smishing attempt in the form of a text message purporting to be from Nexi.

The message, shown on the side, informs the unsuspecting recipient that a payment of €1,570.00 has been requested on their credit card linked to the Nexi network. It then advises them to call customer services on 3510612329 if they did not authorise the payment.

Clearly, if the recipient of the text message is not a Nexi customer, it is easier to spot that the message is suspicious. In any case, it is crucial to be able to recognise these now widespread attempts at cyber fraud. In this regard, we must emphasise that under no circumstances does Nexi, or any other bank or payment network, ask customers to provide their payment card details via email, text message or call centre.

We urge you to always pay close attention to every detail, however trivial, and not to enter your personal details and/or passwords into forms hosted on fake websites, as these will be sent to a remote server and used by cybercriminals, with all the associated risks that are easy to imagine.


02 April 2026 ==> Phishing Email account

SUBJECT: <Email Password Has Expired : ****** >

Below, we analyse the phishing attempt aimed at stealing the victim’s email account credentials.

The message, in English, alerts the recipient that their email password has expired and requires immediate updating to keep using the related services. They have three hours to confirm their current password via the following link:

Keep Current Password

On closer inspection of the message, it appears to come from an email address belonging to the recipient’s email domain <no-reply(at)*****>. This is highly unusual and should certainly raise our suspicions.

Anyone who unluckily clicks on the ‘Keep Current Password’ link will be redirected to a fake web page that simulates the email account login page.

Anyone who accidentally clicks on the image in the email – which conceals a malicious link – will be redirected to a fake web page that mimics the email account login page.

On this page, users are asked to log in to their account using their email password to confirm.
In fact, the page the user is redirected to is hosted on a suspicious address/domain:

https[:]//[FakeDomainName*]

We urge you to always pay close attention to every detail, however trivial, and not to enter your personal details and/or passwords into forms hosted on fake websites, as these will be sent to a remote server and used by cybercriminals, with all the associated risks that one can easily imagine.



A little attention and a quick glance can save you a lot of hassle and headaches...

We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated techniques, whenever there is a resurgence it is reasonably likely that more than a few unfortunate recipients will be fooled.
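The check applied by eye in every entry above, comparing the sender's domain (or the landing page's host) with the brand's official domain, can be automated. The Python below is an added example, not TG Soft's code: the allowlist of official domains, the function names and the three samples marked as constructed are assumptions, while the sender addresses are the ones quoted in the entries above.

```python
import re
from urllib.parse import urlsplit

# ASSUMPTION: illustrative allowlist, not taken from the bulletin. Confirm each
# entry against the brand's own published domains before relying on it.
OFFICIAL_DOMAINS = {
    "Klarna": {"klarna.com"}, "Aruba": {"aruba.it"},
    "PagoPA": {"pagopa.gov.it"}, "UniCredit": {"unicredit.it"},
    "Nexi": {"nexi.it"}, "WINDTRE": {"windtre.it"},
    "DHL": {"dhl.com"}, "Tiscali": {"tiscali.it"},
}

# Sender addresses exactly as written (defanged) in the entries above.
BULLETIN_SENDERS = [
    ("Klarna", "as6[at]esterportal[dot]com"),
    ("Aruba", "cagnihydre1983[at]gmx[dot]de"),
    ("PagoPA", "0020935400001[at]postacertificata[.]tabaccai[.]it"),
    ("UniCredit", "unicred(at)ddhousegroup(dot)com"),
    ("Nexi", "contact[at]bless-company[dot]com"),
    ("WINDTRE", "postmaster[at]familiavalente[dot]pt"),
    ("DHL", "noreply(at)dh(dot)com"),
    ("Aruba", "info[at]yokohama-imaihome[dot]co[dot]jp"),
    ("Tiscali", "info04725[at]gmail[dot]com"),
]

# CONSTRUCTED samples (not from the bulletin): brand name only in the path of a
# cloud-storage URL, brand domain used as a subdomain prefix, genuine subdomain.
CONSTRUCTED = [
    ("Aruba", "https[:]//example-bucket[.]s3[.]amazonaws[.]com/Aruba[.]html#x"),
    ("Aruba", "https[:]//aruba[.]it[.]login-check[.]example/area"),
    ("Aruba", "staff[at]mail[.]aruba[.]it"),
]


def refang(text):
    """Undo the bulletin's defanging: [at]/(at), [dot]/(dot), [.], [:]."""
    text = re.sub(r"[\[(]at[\])]", "@", text, flags=re.IGNORECASE)
    text = re.sub(r"[\[(]dot[\])]|\[\.\]", ".", text, flags=re.IGNORECASE)
    return text.replace("[:]", ":")


def host_of(value):
    """Return the lower-cased host of a defanged e-mail address or URL."""
    value = refang(value).strip().strip("<>")
    if "://" in value:
        host = urlsplit(value).hostname
    else:
        local, _, host = value.rpartition("@")
        if not local:
            host = None
    if not host:
        raise ValueError(f"no host found in {value!r}")
    return host.lower().rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(brand, value):
    """Return 'official', 'lookalike' or 'unrelated' for a sender or link."""
    host = host_of(value)
    officials = OFFICIAL_DOMAINS[brand]
    # Suffix match on a label boundary, so "aruba.it.evil.example" fails.
    if any(host == d or host.endswith("." + d) for d in officials):
        return "official"
    for d in officials:
        # Compare as many trailing labels as the official domain has.
        tail = ".".join(host.split(".")[-(d.count(".") + 1):])
        if edit_distance(tail, d) <= 2:
            return "lookalike"
    return "unrelated"


def audit(samples):
    """Return (brand, host, verdict) for every (brand, value) sample."""
    return [(b, host_of(v), classify(b, v)) for b, v in samples]


if __name__ == "__main__":
    for brand, host, verdict in audit(BULLETIN_SENDERS + CONSTRUCTED):
        print(f"{brand:10} {host:35} {verdict}")
```

An "official" verdict only means the domain string matches: the From header can be forged, as in the two mailbox entries above where the sender shows the recipient's own domain, so the message's SPF, DKIM and DMARC results still need to be checked.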
 
We invite you to check the following information on phishing techniques for more details:


04/03/2026 10:44 - Phishing: the most common credential and/or data theft attempts in March 2026
04/02/2026 10:33 - Phishing: the most common credential and/or data theft attempts in February 2026
08/01/2026 09:53 - Phishing: the most common credential and/or data theft attempts in January 2026
04/12/2025 15:56 - Phishing: the most common credential and/or data theft attempts in December 2025
04/11/2025 14:45 - Phishing: the most common credential and/or data theft attempts in November 2025
01/10/2025 16:40 - Phishing: the most common credential and/or data theft attempts in October 2025
04/09/2025 09:45 - Phishing: the most common credential and/or data theft attempts in September 2025
05/08/2025 08:58 - Phishing: the most common credential and/or data theft attempts in August 2025
01/07/2025 16:04 - Phishing: the most common credential and/or data theft attempts in July 2025
05/06/2025 09:22 - Phishing: the most common credential and/or data theft attempts in June 2025
05/05/2025 15:03 - Phishing: the most common credential and/or data theft attempts in May 2025
07/04/2025 14:22 - Phishing: the most common credential and/or data theft attempts in April 2025



Acknowledgements

TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all people who have transmitted/reported material attributable to Phishing activities to our Research Center, that allowed us to make this information as complete as possible.


How to submit suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware

You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
  1. any suspect email can be forwarded directly from the recipient's e-mail client to lite@virit.com, choosing "Forward as Attachment" as the sending mode and entering "Possible phishing page to verify" or "Possible Malware to verify" in the subject line;
  2. save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be uploaded from the Send Suspicious Files page (http://www.tgsoft.it/italy/file_sospetti.asp). If you want feedback on the analysis of the submitted data, you must provide an e-mail address and a brief description of the reason for the submission (for example: possible/probable phishing; possible/probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.



TG Soft
Anti-Malware Research Centre (C.R.A.M.)




Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
