30.09.2025 - Last week the NCSC saw an uptick in reports of phishing attempts that are combined with bogus support calls. The aim is to apply pressure and single out particularly susceptible targets.
Potential victims typically first receive a phishing email containing a link to a convincing-looking scam website. The email may claim that they are entitled to a refund or that they got a parking ticket, for example. Anyone who enters their card details on the site is then contacted by phone by someone claiming to be from the bank's fraud detection team, who says that they want to protect the account. This multi-step ploy aims to build trust, apply pressure, and ultimately obtain access to sensitive banking data.
The supposed tax refund
Claiming that the victim is owed a refund is one of the most common tricks used by scammers. They exploit the names of well-known companies and public authorities to build credibility. Common pretexts include overpaid phone bills and alleged refunds from health insurers or tax offices.
One of the scams reported to us involved a particularly elaborate deception: victims received an email claiming that they had overpaid their taxes and were therefore due a refund. A link led to a very convincing website. First, they had to select a language; then, they were asked to provide a long list of personal details, including their name, address, date of birth, and phone number. The site then requested bank details and finally credit card data.
Within minutes of entering their card details, victims received a call supposedly from their bank's fraud prevention team. The caller claimed that there had been a phishing attack and that a fraudulent payment was in progress. In order to stop it, victims were told to grant the caller remote access to their computer and log in to online banking urgently. This gave the scammers access to the account, allowing them to trigger payments or change settings.
Also seen in other phishing scams
We have also seen this approach used in other phishing scams, for example parking fine scams. Here, victims first received a fake payment demand for an alleged traffic offence. After entering their card details they then got a call via WhatsApp. This attempt was noticeably less professional: the scammers did not know the victim's bank and communicated only in French.
Similar incidents have been reported in connection with sales on classified ad websites. Victims were persuaded to provide their card details in order to confirm receipt of payment for an item they had sold. They then received a call from scammers posing as representatives of the bank's fraud department.
What is the scammers' strategy?
There are several reasons why scammers may be turning to this double phishing method. Firstly, the initial phishing site can act as a filter, helping to identify potential victims in advance. Someone willing to enter personal data on a website is much more likely to accept a subsequent phone call, for example from someone claiming to be from the bank's fraud detection team, and grant the caller access to their online banking accounts.
This method is similar to well-known police impersonation robocalls. In those cases, the initial contact is automated. Only when a victim responds (for example by pressing '1', as instructed) is the call forwarded to a real person. This saves the scammers resources because people who recognise the fraud right away are not passed through.
Secondly, accessing e-banking accounts is often more lucrative than stealing card details. E-banking can be used to transfer cash directly, and limits are usually higher. With credit cards, scammers usually have to take the detour of buying vouchers or goods and then redeeming or reselling them to get cash, which is less convenient.
Recommendations
- Never enter your credit card or login details on websites you don't know or that look suspicious.
- If you get a call about something you just did online, or right after an online activity, end the call immediately.
- If you are unsure about a message or call, contact your bank directly – but never using the number provided in the message.
- Never allow remote access to your computer.
- If you have granted remote access, there is a possibility that your computer has been infected. The first step is to uninstall the remote access program.
Last modification 30.09.2025

