19.08.2025 - Last week, we received two reports of cases where attackers tried to trick recipients into installing malware. These show just how much the methods have changed: Getting malware onto a computer is much harder today than it was a few years ago. Attackers are now increasingly relying on sophisticated social engineering to achieve their aims.

In the first half of 2025, only 182 cases involving malware were reported to us via the public reporting form – just 0.4% of all reports submitted during that period. There are two possible explanations for this low figure. One is positive: Technical safeguards such as antivirus programs and spam filters have become so effective that they block most malware attacks before they can run, which also means fewer reports reach us. The other is less positive: The attacks may have become so sophisticated that those affected don't even realise that they have been attacked – and therefore don't report anything.
That said, while malware attacks appear to have gone down, they haven't disappeared. In fact, we've recently seen a rise in cases where emails are used to spread malware – including last week, as the following two examples show.
Fake invoice in Intrum's name
Last week, emails were sent in the name of Intrum, a debt collection agency, with fake invoices and payment reminders. The message claimed there was a QR invoice attached that should be opened to make the payment. When the file is opened, a message appears saying the PDF cannot be displayed because JavaScript is disabled. In reality, the attachment isn't a PDF at all – it's an HTML file.
The instructions then tell recipients to press "Windows+R" and "Ctrl+V" to enable JavaScript – a well-known trick we have already covered in a previous weekly review. Opening the HTML file silently copies a malicious PowerShell script to the computer’s clipboard. (A PowerShell script is a text file containing commands the computer will run.)
Pressing "Windows+R" opens a window where commands can be executed. "Ctrl+V" pastes the malicious command from the clipboard into that window. After that, the computer connects to a server controlled by the attackers and downloads and installs malware.
Fake payment request in UBS's name
Another report we received involved a fake payment request sent in the name of UBS. As in the previous example, the recipient was asked to open a file attached to an email. This time it really was a PDF – but it was password protected. The password was conveniently included in the body of the email.
The idea is most likely to bypass safeguards such as spam filters and antivirus software, which can't scan the contents of a password-protected file. After entering the password, the PDF opens and displays a message saying the actual content is stored on OneDrive.
Clicking on the link downloads an archive file containing a "batch file" – an executable text file with commands. Running it causes the malware to be downloaded and installed, just as in the first example.
These two examples show how complex and multi-layered such attacks have become. A simple executable file attached to an email is no longer enough to infect a computer. Instead, attackers now rely on elaborate tricks to bypass technical safeguards and push victims into actively taking steps themselves. That's why awareness and vigilance remain key elements of cybersecurity.
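The two delivery tricks described above can be turned into attachment checks at a mail gateway or during triage. The following Python sketch is an added example, not part of the original report: it flags HTML attachments that write to the clipboard and mention the Windows+R / Ctrl+V sequence, and encrypted PDFs whose password appears to be in the mail body. The finding names, sample messages and file names are constructed for illustration, and the byte patterns are heuristics.

```python
import re
from email.message import EmailMessage

# Browser APIs that let a page place text on the clipboard.
CLIPBOARD_WRITE = re.compile(rb"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy", re.I)
# Wording that walks the reader through the Run dialog and a paste.
RUN_DIALOG = re.compile(rb"win(dows)?\s*\+\s*r\b", re.I)
PASTE = re.compile(rb"ctrl\s*\+\s*v\b", re.I)
HTML_START = re.compile(rb"^\s*(<!doctype html|<html)", re.I)

def triage(msg):
    """Return a sorted list of findings for one parsed e-mail message."""
    findings = set()
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().lower() if body else ""
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if HTML_START.search(data):  # judge by content, not by file name
            if CLIPBOARD_WRITE.search(data):
                findings.add("html-writes-clipboard")
            if RUN_DIALOG.search(data) and PASTE.search(data):
                findings.add("run-dialog-paste-instructions")
        elif data.startswith(b"%PDF-") and b"/Encrypt" in data:
            findings.add("encrypted-pdf")  # content cannot be scanned
            if "password" in body_text:
                findings.add("password-in-body")
    return sorted(findings)

def sample(body, filename, data):
    """Build a constructed test message (not a real sample)."""
    m = EmailMessage()
    m.set_content(body)
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m

# Constructed inputs; the clipboard text is a harmless placeholder.
LURE_HTML = (b"<html><body>Press Windows+R, then Ctrl+V to enable JavaScript."
             b"<script>navigator.clipboard.writeText('PLACEHOLDER')</script>"
             b"</body></html>")
LOCKED_PDF = b"%PDF-1.7\ntrailer << /Encrypt 5 0 R >>\n%%EOF"

if __name__ == "__main__":
    print(triage(sample("Invoice attached.", "invoice.pdf", LURE_HTML)))
    print(triage(sample("The password is 1234.", "payment.pdf", LOCKED_PDF)))
```

A hit on any of these findings is a reason to quarantine the message for review, not proof of malware.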
Recommendations
- Do not click on links in emails or text messages.
- If you are expecting a payment reminder, contact the debt collection company or health insurer to check whether the claim you received is legitimate. Use the contact details from the official websites of the companies.
- If you suspect that malware has been installed on your device, contact a computer specialist. The safest option is to completely reinstall your operating system. Make sure to back up all personal data beforehand.
- After the reinstallation, change your passwords for all your online accounts (e.g. email, social media).
Last modification 19.08.2025