Table of contents
- What PEC phishing is and how it works
- Signs of a PEC phishing attack
- Examples of PEC phishing: PEC phishing from Aruba and other common cases
- How to protect your PEC account and sensitive data
- What to do if you fall for a PEC phishing attempt
The phenomenon of phishing has seen a steady increase, and certified email (PEC) has also become a target for scammers.
PEC, which ensures the authenticity and traceability of communications, is now widely used by businesses, professionals, and citizens, especially in Italy, where it is also utilized for interactions with public entities like the Revenue Agency and INPS (National Institute for Social Security).
Unfortunately, due to its institutional use, PEC has become an appealing channel for phishing attacks aimed at stealing sensitive information and login credentials.
Online scams through PEC phishing can take various forms, so understanding how these attacks operate and how to defend against them is essential for avoiding personal and financial harm.
What PEC phishing is and how it works
PEC phishing is a social engineering technique in which attackers send fake communications to deceive recipients and convince them to click on links within the messages.
These messages appear to be from official entities such as INPS or the Revenue Agency but are, in fact, fraudulent attempts to steal personal data and sensitive information.
Scammers often use the names of known institutions and addresses that appear authentic to disguise the phishing attempt and prompt the user to trust the communication.
Example:
In a typical PEC phishing scheme posing as INPS, a user might receive an urgent message requesting them to update their login credentials or verify their account, threatening loss of access to essential services if they fail to act.
Signs of a PEC phishing attack
Identifying PEC phishing requires caution, as fraudulent messages are often crafted to look credible. However, some indicators can help to unmask these scam attempts.
One common sign is the presence of suspicious links that, when clicked, redirect to cloned or fake sites designed to steal sensitive data like credit card numbers or passwords.
These links in the message may be disguised, so it’s important to avoid clicking on them without first verifying the message’s authenticity.
Another sign of PEC phishing is the use of an email address that appears similar but doesn’t exactly match the official institution’s address. Scammers often make small changes to bypass PEC inbox filters and make the communication look authentic.
Finally, language that emphasizes urgency or the need for immediate action is another typical element of online scams.
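The three signs above (a near-miss sender address, a link whose visible text differs from its real destination, and urgency wording) can be checked automatically before a message reaches a user. The following Python sketch is an added example, not part of the original article; the allowlisted domains, the urgency terms, the similarity threshold and the sample message are all constructed placeholders to be replaced with the PEC domains each institution actually publishes.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed placeholder allowlist: replace with the PEC domains each
# institution actually publishes. The ".example" names are not real.
TRUSTED_DOMAINS = {"pec.provider.example", "postacert.istituto.example"}
URGENCY_TERMS = ("urgent", "immediately", "suspension", "within 24 hours")  # assumed
SIMILARITY = 0.85  # assumed threshold for "almost the official domain"
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)+")


def check_message(from_header, subject, html_body):
    """Return findings for the three signs: sender, links, urgency."""
    findings = []
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        near = [t for t in sorted(TRUSTED_DOMAINS)
                if SequenceMatcher(None, domain, t).ratio() >= SIMILARITY]
        findings.append(f"lookalike sender domain {domain} (near {near[0]})" if near
                        else f"sender domain {domain} not in allowlist")
    for href, text in LINK_RE.findall(html_body):
        target = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(text)  # a domain displayed as the link text
        if shown and shown.group(0).lower() != target:
            findings.append(f"link text shows {shown.group(0)} but points to {target}")
        elif target not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted host {target}")
    lowered = f"{subject} {html_body}".lower()
    hits = [t for t in URGENCY_TERMS if t in lowered]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    return findings


# Constructed sample message (not a real phishing email).
SAMPLE = dict(
    from_header="Servizio PEC <assistenza@pec.provlder.example>",
    subject="Urgent: confirm billing details",
    html_body='<p>Act immediately to avoid suspension: '
              '<a href="https://login.billing-check.example/pec">pec.provider.example</a></p>',
)

if __name__ == "__main__":
    for finding in check_message(**SAMPLE):
        print(finding)
```

A message that raises any finding is a candidate for quarantine or manual review; an empty list does not prove the message is genuine.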
Examples of PEC phishing: PEC phishing from Aruba and other common cases
One of the most well-known cases is Aruba PEC phishing: several users have received fake communications that seem to be from the certified email provider Aruba.
In these messages, scammers request that users click a link to avoid service suspension or to confirm billing details. Aruba itself has warned its users, reminding them to carefully verify each message and never provide personal information without thorough verification.
Similarly, PEC phishing attacks often use the names of public entities such as the Revenue Agency and INPS.
Example:
In a Revenue Agency PEC phishing case, the message might contain payment information or notices related to tax practices, while in an INPS PEC phishing case, it might be a notice to update social security data or bank details.
In both cases, scammers aim to persuade the user to click a link to update their information, risking the security of their email account.
How to protect your PEC account and sensitive data
Protection against PEC phishing requires a combination of awareness and security practices. First, it’s essential to always verify the authenticity of communications: if you receive a message asking you to click a link or update information, check the sender’s email address for any errors or discrepancies.
Another security measure is to avoid clicking on links directly within the suspicious PEC email. Instead, it’s better to type the official institution’s website address directly into the browser, thus avoiding links in phishing messages.
Additionally, using tools like two-factor authentication adds a layer of protection for sensitive data.
Users should also train themselves and stay informed about the most common phishing attack methods by consulting reliable resources.
Many public entities and service providers offer dedicated sections on cyber security, where you can find information on the latest scam attempts and how to defend yourself.
Finally, installing security software and keeping devices used to access your email account updated is essential to prevent phishing attempts from succeeding.
What to do if you fall for a PEC phishing attempt
If you accidentally click on a PEC phishing link, it’s important to act immediately. The first step is to change the login credentials for your PEC account and any other accounts that might have been compromised.
Contacting the customer support of your PEC provider, as in the case of Aruba PEC phishing, can help to resolve the situation.
Additionally, it’s important to report the incident to the relevant authorities, such as the Postal Police, to contribute to the fight against online scams.
Notifying the Revenue Agency or INPS, in cases where phishing targeted these entities, can also be helpful to prevent others from being deceived.