30.12.2025 - In its final weekly review of the year, the NCSC typically reflects on the reports it has received over the past twelve months. This year, the NCSC received almost 65,000 reports of cyberincidents, which represents a significantly smaller increase than in previous years. Although reports concerning 'calls supposedly from the police' still dominated in 2025, more reports in this category were recorded in the first half of the year than in the second. This decline was offset by a substantial rise in the number of reports concerning 'online investment fraud'. Despite only a moderate increase in reporting volume, scams have become much more sophisticated.
Week 52: More focused, more intricate, more sophisticated – almost 65,000 reports submitted to the NCSC in 2025
In 2025, the NCSC received almost 65,000 reports – slightly more than the year before. The most frequently reported category remained 'calls supposedly from the authorities', accounting for 26% of the total number of reports. This was followed by the categories 'phishing' (19%) and 'online investment fraud' (9%). The ratio of reports from the general public (90%) to reports from companies, associations, and authorities (10%) remained stable. Among the fraud offences most frequently reported by businesses was 'CEO fraud', which increased again (2025: 970 reports / 2024: 719 reports). In contrast, the number of reports concerning 'business email compromise (BEC)' increased only slightly (2025: 132 reports / 2024: 114 reports). Following a significant decrease in 'ransomware' reports in 2024 (92 reports), there was a slight increase in this category in 2025 ( 104 reports), although this figure remains below that of 2023 (109 reports). However, the number of cases does not reflect the scale of the damage caused. As attackers increasingly focus on lucrative targets, the damage per incident is likely to increase in the future. It should also be noted that ransomware attacks are now almost always coupled with a data breach, which further increases the magnitude of the damage caused. Finally, the number of reports concerning the category 'DDoS attacks' decreased from 48 reports in 2024 to 35 reports in 2025.
More focused, more intricate, more sophisticated
While the number of reports involving fraud fell by around 5,500, the number of spam reports increased by around 6,500. The other categories remained virtually unchanged. The decline in fraud-related cases is almost entirely due to fewer reports concerning 'calls supposedly from the authorities'. Conversely, the increase in the number of spam-related cases is primarily due to more reports in the category 'online investment fraud'. The number of phishing-related cases remained stable. While the figures appear unremarkable at first glance, the attacks are becoming more sophisticated. This is particularly true of phishing attacks, which are moving away from mass attacks to individually tailored attacks, with attackers spending more time targeting specific individuals. Apparently, this increased effort is paying off.
This is evident in the increase in phishing attacks related to classified ad platforms, particularly in the first half of 2025. In this scam, scammers pose as prospective buyers and trick victims during the payment process into visiting a specific – fake – payment provider website in order to receive the money. Depending on the victim's bank, the scammers request various online banking login details, whereby their aim is not to infiltrate the victim's bank account, but rather their TWINT account, which is often linked to their bank account. Unlike bank transfers, TWINT payments are executed immediately, with the transaction amount being limited only by the amount set by the victim. Fraudsters also use hacked TWINT accounts to launder money and conceal the origin of payments.
Sophisticated phishing attacks using SMS blasters: A new dimension
A new method of disseminating phishing messages was also observed this year. From the summer onwards, we received numerous reports of text messages that appeared to be parking fines in western Switzerland. While the NCSC was already aware of phishing attempts involving alleged parking fines, these had previously taken the form of emails. What was new, however, was that they were now being sent by text message and, strikingly, all of the recipients had been in the same geographical area shortly before receiving the message. This suggested that the scammers were using a method that allowed them to target their text messages directly at people in a specific location. It later transpired that the scammers were using so-called SMS blasters: mobile devices that imitate a mobile phone mast. These were allowing the scammers to send fake messages directly to their victims' phones without knowing their telephone number. The link contained in the message led to a genuine-looking payment site that captured victims' credit card details.
Scammers even targeting insignificant data
In addition to well-publicised data breaches, the NCSC observed an increase in attacks last year during which scammers were actively collecting personal information. While classic phishing attacks primarily target online banking or email accounts, the aim of these scams is to compile as comprehensive a data profile as possible of the victim. The scammers created deceptively genuine-looking websites designed to resemble those of reputable institutions such as banks, insurance companies, health insurers and payment service providers. Under the pretext of 'verifying' or 'updating' data, users were asked to disclose a great deal of information far beyond access details. In a recent case, for example, a fake website offering refunds requested not only personal details, but also a digital signature. Profiles created in this way are particularly useful to criminals for committing identity theft, carrying out targeted social engineering attacks or reselling the data on the black market. The more comprehensive the information, the higher the potential profit.
Misuse of company names on the rise
Identity theft poses a threat not only to private individuals, but to companies as well. This is because established company names are associated with a high level of trust, which scammers exploit for their own gain. Companies without their own website are particularly vulnerable as they have little online presence, making it easier to emulate their identity. Cybercriminals proceed systematically, searching commercial registers for such companies and registering suitable domains in order to create deceptively genuine-looking websites. To make them appear legitimate, they use official information such as the address and commercial register number of the real company. Using this information, they launch various scams, including fake job offers, counterfeit online shops and professional-looking investment platforms. Misusing a real company's identity significantly reduces people's scepticism, thereby increases the scammers' chances of success without them having to build up a credible reputation themselves.
The role of artificial intelligence in cybercrime
Although artificial intelligence is playing an increasingly important role in cybercrime, it is not as prevalent as one might expect. AI has been particularly noticeable in advertising campaigns involving online investment fraud. Fraudsters have generated deceptively realistic interviews with well-known politicians recommending secret methods of investing money with high returns. These deepfakes exploit people's trust in prominent figures in order to trick them into taking part in a scam. Initial cases have also emerged of people being blackmailed using compromising images created using AI. This demonstrates that AI is providing cybercriminals with new opportunities to make their attacks more credible and personalised. Given the rapid pace of technological progress, it is reasonable to assume that such methods will become a much greater concern for the NCSC in the coming years. However, it should not be forgotten that these technological capabilities can also be used to improve our understanding of complex operations and reduce risks at an early stage.
Mandatory reporting of cyberattacks on critical infrastructure
Since 1 April 2025, operators of critical infrastructure have been required to report cyberattacks to the NCSC within 24 hours. The 221 reports received to date have provided the NCSC with a clearer picture of the cyberthreat landscape in Switzerland and the tactics employed by the perpetrators. These insights are useful for managing specific incidents, assessing the national threat situation and warning operators in time. Another positive development is that, since the reporting obligation came into force, a growing number of operators – currently 1,660 – have actively participated in exchanging information. The NCSC will continue to support this in order to further strengthen cybersecurity in Switzerland.
The National Cyber Security Centre would like to thank you for your trust and support. We wish you a fraud and virus free New Year, and a happy and healthy start to 2026!
Current statistics
Last week's reports by category:
Last modification 30.12.2025
