Week 14: Phishing in Swiss German and an invoice from Schweizerische Rettungsfahrtwacht (imitation of Swiss Air-Rescue)

Languages

Service navigation

Search

Navigation

Week 14: Phishing in Swiss German and an invoice from Schweizerische Rettungsfahrtwacht (imitation of Swiss Air-Rescue)

11.04.2023 - Fraudsters, phishers and enterprising schemers repeatedly refer to Switzerland to try to gain the trust of their victims and lure them into acting rashly. In a case reported to the NCSC last week, Swiss German was even used to trick the victim into providing their credit card details. In another case, the trusted name of Swiss Air-Rescue (Schweizerische Rettungsflugwacht) was misappropriated in order to prevent the victim from reading the small print.

First phishing email in Swiss German

Many phishing emails are now written in perfect German. It is likely that fraudsters also use the numerous translation aids, which now produce very good results. However, since Swiss German is not available in popular translation tools, it is not surprising that fraudulent emails in dialect had not been observed before now. Moreover, High German is the norm in the business world. A supposedly official email in dialect from a bank would probably make victims suspicious rather than convince them to click on the link in question. Consequently, it is somewhat surprising that the first phishing email in Swiss German was reported to the NCSC last week. It concerned a fake parcel notification. The victim is led to believe that the parcel cannot be delivered and that a fee has to be paid. Apart from the section in Swiss German, the rest of the email is written in High German. It would appear that the fraudsters were a little unsure about what they were doing.

Fake parcel notification in Swiss German
Fake parcel notification in Swiss German

Needless to say, the advice remains the same for phishing emails in Swiss German:

  • No bank or credit card company will ever send you an email requesting that you change your password or verify your credit card details.
  • Never divulge personal data such as passwords or credit card details on a website that you accessed by clicking on a link in an email or text message.
  • Bear in mind that email sender IDs can easily be spoofed.
  • Be sceptical if you receive emails that require action on your part and that carry a threat of consequences (loss of money, criminal charges or criminal proceedings, blocking of an account or card, missed chance, misfortune) if you do not do what is required.

Schweizerische Rettungsfahrtwacht (imitation of Swiss Air-Rescue)

Swiss values were deliberately abused in another case too. Schweizerische Rettungsflugwacht (Swiss Air-Rescue, or Rega) is one of the better-known non-profit organisations in Switzerland. Therefore, it is not surprising to see the trusted name, or variants of it, used to deceive victims.

In recent weeks, for example, invoices sent by a certain Schweizerische Rettungsfahrtwacht (imitation of Swiss Air-Rescue) have been circulating for alleged inclusion in the register for SME specialist rescue services. The offer is for a "central register" for credit ratings and service reviews, among other things. But the company does not say what exactly this involves. More than CHF 500 is to be paid for "recording data" and "issuing a membership card". A normal payment slip with a QR code and Swiss IBAN is enclosed with the invoice.

It seems clear that the intention here is to imply a connection with Swiss Air-Rescue and suggest that a membership fee be paid. This is also apparent from a glance at the now deactivated website rettungsfahrtwacht.ch, which imitated both the Rega structure and logo.

Top: Rettungsfahrtwacht website Bottom: Swiss Air-Rescue website; the similarities between the two websites are probably not a coincidence
Top: Rettungsfahrtwacht website
Bottom: Swiss Air-Rescue website; the similarities between the two websites are probably not a coincidence

It is only when carefully reading the small print that it becomes obvious that this is merely an offer, and not an invoice for services already rendered.

Although it is additionally mentioned at the end of the document that "you are required to pay the amount only if you accept the contract", the print is small here too and the statement is misleading. However, the purpose of the sentence seems to be clear. The invoicing party is trying to ensure that the recipient has been made sufficiently aware of the informal nature of the letter and can thus avoid the accusation of fraud. Secretly, however, the fraudster is probably hoping that the victim will overlook this passage.

Official-looking invoice with the indication to pay within 7 days only if the contract is accepted
Official-looking invoice with the indication to pay within 7 days only if the contract is accepted

The NCSC regularly receives variants of official-looking invoices that turn out to be "mere" offers. It is speculated here that these will slip through a company's payment process and thus be paid inadvertently.

  • Therefore, check all invoices carefully. In the case of unusual orders, contact the company by telephone to verify that the order is genuine.

Last modification 11.04.2023

Top of page

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2023/wochenrueckblick_14.html