01.07.2025 - In recent weeks, we’ve seen a rise in scam messages claiming that police investigations have uncovered funds linked to fraud. The aim is usually to trick victims into paying fake fees. A new version of this scam uses a fake Swiss government website that promises victims that they can recover lost money by filling out a form and providing their banking details. In reality, it’s a sophisticated phishing trap.
The NCSC has recently been receiving an increasing number of reports of scam messages claiming the police have recovered money lost in a previous fraud. The scammers usually pose as official authorities to make the message seem legitimate. They promise you'll get your money back – but it's all fake. They’re counting on the possibility that you’ve already been the victim of a scam and that you might be willing to pay a fee in the hope of recovering your losses. This is a classic advance-fee scam.
Last week, the NCSC came across a similar scheme, but this time it involved phishing rather than an advance-fee scam. Victims were directed to a fake website where they could supposedly apply for compensation. The site claimed to be approved by Twint and the Swiss government, and at first glance resembled an official Federal Administration website. The scammers had copied the layout of the official ePortal, and added a fake section promising compensation to victims of fraud. None of the other links on the page worked; the only one that did led straight to the phishing form.
The next page opens a form which, once again, refers to the alleged joint initiative between Twint and the Swiss government. It states that the aim is to provide swift, transparent and hassle-free support to those affected. It also claims that 30% of the requested amount will be paid immediately, with the remainder to follow after a review. If you weren't suspicious before, you should be now. The idea that anyone can enter any amount of damages and instantly receive 30% of the total – without any checks – is completely unrealistic and an obvious sign that this is a scam.
The form asks for your name, phone number, the amount of money you supposedly lost and the name of your bank. The scammers say they need this information to send you the refund. In reality, they use the bank name to load a phishing page that matches the institution you selected. After you submit the form, an exact copy of your bank’s e-banking login page opens – but under a different domain. If you enter your contract number, login details and password, a pop-up will appear telling you to wait and not to close the window; otherwise, the process will supposedly be cancelled.
What’s really happening in the background is that the scammers are trying to log in to your bank account using the details you just entered. But because all e-banking login sites are protected by two-factor authentication, they can’t get in with just your contract number and password. They also need the second factor – and that only gets triggered once the login process has started. To buy time, the scammers stall with a message telling you not to close the window. As soon as the bank prompts them for the second factor, they pass that request on to you. If you give them the code, the scammers gain full access to your account. Since login procedures vary from bank to bank, the phishing pages are tailored accordingly.
It’s unclear whether the scammers use this access to make direct withdrawals or to try to link the victim’s bank account to a different Twint number.
Recommendations
- Don’t click on links in suspicious messages. Never enter personal information on websites you’ve reached via a link in a suspicious email or text message.
- Never share codes you’ve received by text message.
- No bank or credit card company will ever ask you by email to change passwords or verify credit card details.
- Bear in mind that email senders can easily be faked.
- Be wary of emails that urge you to take action or threaten consequences if you don't (e.g. financial loss, legal action, account or card suspension, missed opportunities).
Current statistics
Last week's reports by category:
Last modification 01.07.2025
