16.12.2025 - Last week, the National Cyber Security Centre (NCSC) received an increasing number of reports about a scam that has been observed for some time. In this case, the victim is not pressured to click on a link, as is usually the case. Instead, under the pretext of an alleged suspicious transaction, they are asked to call back a telephone number. However, anyone who dials the number will not be connected to customer service, but directly to the fraudsters' call centre.
Phishers usually try to lure their victims to a fake website via a link in order to steal credit card details or login information. However, technical measures are improving and spam filters are becoming increasingly reliable at detecting fraudulent links in emails. In addition, fraudulent websites are usually deactivated quickly. This is why cybercriminals are increasingly resorting to what is known as a callback scam. In this case, the message does not contain a link, but rather a request to call a specific telephone number in order to resolve a supposed problem. The format and text of the emails are also often based on real, legitimate emails, which makes detection even more difficult.
Current examples of callback scams
Several variants stood out in particular last week. Firstly, numerous citizens received text messages that appeared to be from UBS or Amazon. Emails purportedly from TWINT were also observed. These claimed that a large payment had been initiated or that the account or payment needed to be verified. To cancel or clarify the matter, recipients were instructed to call the telephone number provided.
The original version
In the original version of such callback scams, alleged invoices are often sent by well-known security companies such as Norton, McAfee or Avast. Recipients are led to believe that a subscription has been automatically renewed and that several hundred francs or euros will be debited from their account. Anyone who does not agree with this debit is asked to contact "customer service" at the Swiss telephone number provided to obtain a refund.
Variants with alleged PayPal invoices are also regularly observed. In these cases, the purchase of a product is suggested. The principle remains the same: If you did not make the purchase, you should call the number provided (in this case an American number) "immediately" to cancel the alleged purchase or charge.
Swiss authorities also affected
Swiss authorities are also being misused for this attempted fraud. An email claims to be from the Federal Tax Administration, allegedly stating that you have an outstanding tax refund and should call the number provided.
The trap snaps shut on the telephone
When a concerned victim calls the number provided, a fraudster answers, pretending to be a bank or support employee. The aim of the conversation is to obtain sensitive data such as passwords or credit card details. Victims are often pressured into installing remote maintenance software (such as AnyDesk or TeamViewer). This is done under the pretext of stopping the incorrect transfer or cleaning up the infected device. Once the fraudsters have access to the computer or smartphone, they manipulate the e-banking system, make payments or trick the victims into entering credit card details, supposedly to receive a credit. In reality, however, the money is withdrawn. In some cases, the victim's screen is blacked out while security codes are being entered, so that the fraudulent actions remain unnoticed in the background.
Recommendations
- Be cautious if you receive an unsolicited text message or email with a payment request or order confirmation that you cannot identify.
- You never need to provide your credit card details to receive funds.
- Never use the telephone number provided in the suspicious message. Find the official number of the company on its verified website or on your physical bank documents.
- Never grant strangers remote access to your computer or smartphone. Reputable banks or service providers will never ask you to install software to stop a payment.
- Report suspicious emails or text messages using the NCSC reporting form.
- In the event of damage: Immediately disconnect the device from the internet, contact your bank or credit card issuer, and report the incident to the police.
Current statistics
Last week's reports by category:
Last modification 16.12.2025
