Abstract
Italy faces ongoing smishing campaigns that exploit the name and branding of the Istituto Nazionale della Previdenza Sociale (INPS), the national social security institute responsible for administering pensions, unemployment benefits, and other welfare payments to millions of citizens. These campaigns, monitored and countered by the Computer Emergency Response Team of the Agenzia per l’Italia Digitale (CERT-AGID), represent a persistent vector for identity theft and financial fraud within the European Union. Attackers deploy SMS messages that mimic official communications, urging recipients to update personal data to avoid suspension of benefits or to resolve alleged irregularities. Victims are directed to fraudulent mobile-optimized websites where they are prompted to submit sensitive information, including full names, fiscal codes, IBAN details, images of identity cards (front and back), health cards, driving licenses, recent pay slips, and selfies holding identification documents.
CERT-AGID has documented multiple iterations of these campaigns throughout 2025, with attackers adapting tactics to include threats of penal consequences for undeclared income, promises of bonuses, or urgent profile verifications. In one variant observed in late 2025, fraudsters employed Telegram bots as command-and-control servers to centralize stolen data collection. Another campaign required victims to upload extensive document sets explicitly for identity theft purposes, enabling the creation of fraudulent SPID (Sistema Pubblico di Identità Digitale) accounts—the Italian digital identity system mandatory for accessing public services. Compromised SPID credentials allow attackers to redirect benefit payments, modify banking details, or conduct further fraud.
The methodological approach in this analysis relies exclusively on publicly accessible reports from CERT-AGID, supplemented by aggregated incident data from European Union-level assessments. Key findings indicate that smishing targeting INPS remains among the most frequent phishing variants in Italy, with campaigns resurfacing after brief pauses following domain takedowns. CERT-AGID consistently activates countermeasures upon detection: notifying INPS of brand abuse, requesting registrar interventions to dismantle malicious domains, and distributing Indicators of Compromise (IoCs) to accredited organizations via its dedicated feed. Despite these efforts, the phenomenon has persisted for over two years, with notable escalations in 2025 including the observed sale of stolen Italian identity documents on dark web forums.
Quantitative insights from broader European threat reporting underscore Italy’s exposure. Italy accounted for a disproportionate share of reported cyber incidents in the European Union during 2024–2025 periods analyzed in sectoral landscapes, frequently ranking among the top-targeted member states alongside France, Germany, and Spain. Public administration entities, including social security providers, emerge as primary targets for social engineering attacks. Ransomware and data exposure incidents often trace origins to initial access via phishing or smishing, amplifying downstream impacts.
Implications extend beyond individual victims to systemic risks. Successful theft of comprehensive identity profiles enables large-scale fraud against public welfare systems, erodes citizen trust in digital government services, and strains national cybersecurity response capacities. The reliance on SPID for essential services heightens consequences, as compromised identities facilitate unauthorized access to health records, tax filings, and benefit disbursements. At the European Union level, these campaigns highlight vulnerabilities in harmonized digital identity frameworks and underscore the need for enhanced cross-border information sharing on low-sophistication, high-volume threats.
CERT-AGID maintains active monitoring, publishing detailed advisories that describe attacker techniques, sample SMS texts, and recommended defenses. Citizens are advised to verify communications exclusively through official channels, avoid clicking embedded links, and report suspicious messages directly to designated authorities. Institutional responses have achieved tactical successes in domain disruption, yet the recurring nature of campaigns demonstrates attacker resilience through rapid infrastructure pivots.
This pattern aligns with European trends where phishing derivatives, including smishing, constitute primary initial access vectors. Public sector entities bear disproportionate burden, with ideological or financially motivated actors exploiting trust in established institutions. Italy’s experience with INPS-themed smishing illustrates the intersection of cybercrime and social engineering in mature digital economies, where widespread adoption of online public services creates expansive attack surfaces.
Broader data from 2025 indicate escalating cyber threats across the European Union, with public administration recording the highest incident volume. Hacktivist-driven disruptions and financially motivated intrusions compound risks, though smishing campaigns like those targeting INPS primarily serve data exfiltration objectives. The observed sale of harvested documents on illicit markets confirms secondary monetization pathways, perpetuating the cycle.
Policy responses must prioritize user education, rapid threat intelligence dissemination, and technical controls such as improved SMS sender authentication. European Union frameworks encourage incident reporting and resilience measures, yet national variations in implementation affect efficacy. Italy’s centralized response through CERT-AGID provides a model for proactive mitigation, though sustained investment in awareness and detection remains essential.
In summary, INPS-targeted smishing campaigns in 2025 exemplify enduring social engineering threats that exploit institutional trust for identity compromise. Effective countermeasures have limited immediate spread, but persistence signals the need for ongoing vigilance. Outcomes reinforce that low-technical-barrier attacks yield high returns in environments with dense digital public service usage, posing enduring challenges to individual privacy and governmental integrity across the European Union. Data remain current through publicly verified sources as of December 2025.
Infographic: INPS Smishing Campaigns: Analytical Overview (2024–2025). Panels: Divergence: Campaign Evolution vs. Expected Trends; Bias: Institutional Trust Exploitation; Risk: Threat Severity & Exposure; Conclusion & Recommended Actions.
Key figures shown: total EU incidents analyzed 4,875; public administration targeted 38%; phishing as initial vector 60%; false INPS domains (Q1 2025) 33; data breaches in intrusions 51.8%; SPID compromise cascade: high; dark web resale speed: weeks.
Table of Contents
- Core Concepts in Review: What We Know and Why It Matters
- Evolution and Tactics of INPS-Targeted Smishing Campaigns
- Technical Mechanisms and Data Exfiltration Pathways
- Institutional Response and Mitigation Measures by CERT-AGID
- Victim Impacts and Secondary Exploitation Risks
- Broader Implications for Italian and EU Cybersecurity Posture
- Recommendations for Enhanced Resilience and Public Awareness
- Comprehensive Overview of INPS-Targeted Smishing Campaigns (2024–2025)
Core Concepts in Review: What We Know and Why It Matters
Smishing—phishing via SMS—has become one of the most insidious threats in modern cybersecurity, particularly when it impersonates trusted public institutions. In Italy, fraudsters have relentlessly targeted the Istituto Nazionale della Previdenza Sociale (INPS), the agency responsible for pensions, unemployment benefits, and other social security payments serving millions of citizens. These campaigns exploit the deep trust people place in official communications, especially from welfare providers.
At their core, these attacks begin with a simple text message warning of suspended benefits, undeclared income penalties, or promised bonuses. Recipients click embedded links leading to mobile-optimized fake websites that mimic the INPS portal down to logos and layouts. Victims then enter personal details, fiscal codes, IBAN numbers, and upload scans of identity documents—front and back—along with selfies holding IDs and recent pay slips. This yields complete identity packages for synthetic fraud.
The persistence of these campaigns stands out. CERT-AGID, Italy’s national computer emergency response team, has tracked them for over two years, with notable waves in 2024 and 2025. Attackers shifted tactics from positive incentives like bonus promises to coercive threats of legal consequences, adapting as public awareness grew. In the first quarter of 2025 alone, authorities identified 33 fraudulent domains dedicated to harvesting these documents. Stolen data quickly surfaced on dark web markets, often bundled with biometric selfies for higher credibility.
Technically, these operations remain low-sophistication but highly effective. Many rely on Telegram bots for command-and-control, allowing real-time data collection without traditional servers vulnerable to takedown. Mobile-first design evades desktop security tools, while shortened URLs obscure malicious destinations.
Institutionally, CERT-AGID responds swiftly: notifying INPS of brand abuse, requesting domain removals from registrars, and sharing indicators of compromise (IoCs) with accredited public entities. In 2024, the team countered 1,767 malicious campaigns overall and distributed 19,939 IoCs, and although smishing volumes dropped 37 % year-over-year, INPS impersonation endured.
Victim impacts extend far beyond immediate financial loss. Compromised datasets enable fraudulent activations of SPID, Italy’s public digital identity system mandatory for government services. Attackers redirect benefits, alter tax filings, or access health records. Elderly and low-income recipients, heavily reliant on INPS, suffer disproportionately from disrupted payments.
On a broader European scale, the European Union Agency for Cybersecurity (ENISA) analyzed 4,875 incidents from July 2024 to June 2025. Public administration emerged as the most targeted sector at 38.2 %, driven largely by hacktivist DDoS but compounded by criminal social engineering. Phishing, including smishing variants, served as the initial access vector in 60 % of specified intrusions. A dedicated sectoral report on 586 public administration incidents in 2024 found intrusions at 33.6 %, with data breaches comprising 51.8 % within that category.
These patterns reveal a maturing threat ecosystem: low-barrier attacks like smishing yield high returns in digitally mature societies with centralized public services. Italy exemplifies this, where widespread SPID adoption expands the blast radius of identity compromise.
Why does this matter? Beyond individual harm, persistent campaigns erode public trust in digital government—the cornerstone of efficient modern administration. When citizens hesitate to use online portals out of fraud fears, bureaucratic inefficiencies rise, service delivery slows, and the digital transformation agenda falters.
Moreover, convergent pressures complicate defenses. Hacktivist disruptions degrade availability, indirectly benefiting criminals who exploit confusion to phish credentials. State-nexus espionage adds another layer, though less prominent in these financially motivated operations.
Looking ahead into 2026, resilience demands layered approaches. Users must verify communications solely through official channels, never clicking unsolicited links. Institutions need enhanced SMS sender authentication, rapid reporting mechanisms, and ongoing awareness campaigns—INPS itself launched mass email alerts in 2025 to combat rising attempts.
At the policy level, NIS2 Directive implementation elevates requirements for incident reporting and risk management in critical sectors like public administration. Technical hardening—multi-factor authentication, privileged access controls, and email protocol enforcement (DMARC, SPF, DKIM)—forms essential barriers.
Ultimately, these INPS campaigns illustrate a fundamental truth in cybersecurity: the human element remains the weakest link. No technical fortress withstands sustained social engineering against trusted brands. As threats evolve with AI-assisted personalization—already powering over 80 % of social engineering by early 2025—vigilance, education, and proactive institutional coordination offer the surest path forward. In an era of converging digital dependencies, protecting public trust is not merely technical—it’s foundational to societal resilience.
Evolution and Tactics of INPS-Targeted Smishing Campaigns
Attackers launched smishing campaigns exploiting the Istituto Nazionale della Previdenza Sociale (INPS) branding in multiple waves across 2024 and 2025. These operations relied on SMS messages impersonating official communications to induce recipients to disclose sensitive personal and financial data. The Computer Emergency Response Team of the Agenzia per l’Italia Digitale (CERT-AGID) and the Agenzia per la Cybersicurezza Nazionale (ACN) documented the persistence of these threats through repeated alerts.
One campaign variant, detected in August 2024, employed a Telegram bot as command-and-control infrastructure. Fraudulent SMS messages directed victims to mobile-optimized sites mimicking the INPS portal. These sites collected names, surnames, fiscal codes, credit card details, bank-issued two-factor authentication codes, and IBAN numbers. Attackers exfiltrated data directly to the Telegram bot via API calls, enabling rapid centralization without traditional server hosting.
Nuovo smishing INPS sfrutta un bot Telegram come C2 – CERT-AGID – August 2024
Because attackers integrated Telegram’s messaging platform for data receipt, they evaded conventional endpoint detection. The infrastructure allowed real-time monitoring of victim submissions and quick pivots if domains faced takedown.
A subsequent iteration surfaced in November 2024. SMS texts warned of impending suspension of INPS benefits unless recipients updated personal data immediately. Links led to phishing pages requesting uploads of identity cards (front and back) and selfies holding the document. This biometric-like verification step enhanced credibility while compiling comprehensive identity profiles suitable for secondary fraud.
Attackers shifted from financial promises to urgency and loss aversion. Recipients faced threats of benefit interruption, exploiting dependence on INPS pensions and subsidies among elderly and low-income populations.
By December 2024, another wave promised 280 € disbursements contingent on profile verification. Victims encountered forms demanding full banking coordinates alongside personal identifiers. Data again routed to a Telegram bot, demonstrating attacker preference for resilient, low-cost exfiltration channels.
The recurrence of Telegram infrastructure across campaigns indicated operational continuity among threat actors. They reused effective tools rather than innovating anew.
Into 2025, tactics intensified with intimidation. Messages alleged tax declaration irregularities or omissions, threatening penal consequences unless victims complied with data updates. Fraudulent sites requested extensive document sets: identity cards, health cards, driving licenses (all front and back), recent pay slips, and selfies with identification.
Smishing a tema INPS: come comportarsi in caso di furto dei dati – CERT-AGID – March 2025
This escalation from inducements to coercion reflected adaptation to victim skepticism toward positive lures. Threats of legal action leveraged fear of authority, particularly effective against citizens navigating complex bureaucratic systems.
All campaigns shared mobile optimization. Sites loaded efficiently on smartphones, reducing desktop analysis opportunities and bypassing some security tools. Shortened URLs obscured malicious domains, while cloned INPS visuals—including logos and color schemes—built immediate trust.
The European Union context amplified these threats. The European Union Agency for Cybersecurity (ENISA) analyzed 4,875 incidents from July 2024 to June 2025. Public administration emerged as the primary targeted sector at 38.2 % of specified incidents. Phishing, encompassing smishing variants, served as the dominant initial intrusion vector in 60 % of cases.
ENISA Threat Landscape 2025 – ENISA – October 2025
Because public administration entities manage vast citizen data repositories, successful social engineering yielded high-value harvests. In the sectoral breakdown for public administration, intrusions constituted 33.6 % of threats, with data breaches comprising 51.8 % of those intrusions. Where initial vectors appeared, phishing and social engineering predominated.
ENISA Sectorial Threat Landscape Public Administration – ENISA – November 2025
Italy’s digital public services, including mandatory SPID identities for INPS access, expanded the attack surface. Compromised credentials enabled not only immediate fraud but also unauthorized benefit redirections or tax filings.
Attackers demonstrated tactical flexibility. Early 2024 efforts focused on bonus promises; mid-year variants incorporated Telegram for stealth; late 2024 and 2025 operations emphasized threats and document uploads. This progression traced a learning curve: positive incentives drew initial engagement, while negative pressures sustained yield as awareness grew.
The campaigns’ longevity stemmed from low barriers to entry. Criminals required minimal infrastructure—compromised SMS gateways, disposable domains, and free Telegram accounts—yet achieved scalable reach. Rapid domain takedowns by authorities prompted immediate replacements, maintaining operational tempo.
Victim profiling evolved granularly. Initial collections targeted banking details for direct theft. Later phases demanded full document scans and biometric proofs, enabling synthetic identity creation or account takeovers on platforms requiring strong verification.
These patterns aligned with broader European trends. Social engineering exploited trust in public institutions, particularly in member states with high digital service adoption. Italy ranked prominently due to INPS’s central role in welfare delivery.
Pro-Russian hacktivist disruptions, while primarily DDoS-focused, occasionally overlapped with criminal phishing by degrading official channels and pushing users toward fraudulent alternatives. No direct linkage appeared in INPS cases, yet the degraded trust environment benefited financially motivated actors.
The tactical repertoire remained consistent: urgency framing, authority impersonation, mobile-first design, and resilient exfiltration. Variations served to evade signature-based detection and refresh victim interest.
By early 2026, no abatement occurred. The campaigns’ adaptation—shifting lures, infrastructure pivots, and data demands—ensured persistence despite countermeasures.
Publicly verifiable primary sources document this evolution through sequential alerts, revealing a threat actor ecosystem capable of sustained, low-sophistication operations against high-trust targets.
Infographic: Evolution of INPS-Themed Smishing Campaigns (2024-2025). Key figures shown: phishing as main EU vector 60%; public administration primary target 38.2%; ENISA analyzed incidents 4,875; documented campaigns (CERT) 4+. Panels: Timeline of Major Campaigns; Distribution of Lure Types Used; Types of Data Requested.
Technical Mechanisms and Data Exfiltration Pathways
Fraudulent platforms in INPS-themed smishing campaigns deploy structured multi-stage forms to capture escalating tiers of sensitive data. Initial pages replicate the official INPS portal layout, using cloned logos, color schemes, and navigation elements to establish legitimacy. Victims enter basic personal registry data (dati anagrafici)—name, surname, date of birth, fiscal code—before advancing to financial details such as IBAN, credit card numbers, and two-factor authentication codes.
Because these sites enforce progressive disclosure, attackers condition victims to compliance step-by-step. Each submission triggers client-side validation mimicking legitimate portals, reinforcing perceived authenticity while preventing early abandonment.
Subsequent stages demand document uploads. Forms require high-resolution images of identity cards (front and back), health cards, driving licenses, recent pay slips, and selfies holding the primary identification document. This biometric verification step mirrors know-your-customer procedures in regulated financial services, exploiting familiarity to extract comprehensive identity kits.
The datasets attackers harvest enable synthetic identity creation. Combined frontal photographs, document scans, and personal details allow fabrication of verifiable profiles for secondary fraud, including unauthorized SPID registrations—the Italian public digital identity system required for government services.
Exfiltration pathways vary by campaign sophistication. Early iterations routed data directly to attacker-controlled servers via HTTP POST requests. Later variants integrated Telegram bots as command-and-control channels. Forms submitted information through Telegram API endpoints, delivering payloads instantly to private channels without persistent hosting.
Because Telegram provides end-to-end encryption for bot interactions and resists takedown requests, attackers gained resilient, low-visibility exfiltration. Real-time notifications allowed monitoring of high-value submissions and rapid infrastructure rotation upon detection.
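As an added example (not CERT-AGID tooling, nor code from the campaigns), the script below shows how a defender can surface that exfiltration path in TLS-inspecting web proxy logs: a victim's browser session on an unrelated page issuing send-type calls to the Telegram Bot API. The six-field log line format, the hosts, the client IPs and the bot token are all constructed.

```python
"""Flag browser-originated Telegram Bot API calls in web proxy logs.

Added example, not CERT-AGID code. Assumes a TLS-inspecting proxy that logs
full URLs in a constructed six-field line:
    <timestamp> <client_ip> <http_method> <url> <status> <referer>
Legitimate bot traffic comes from a bot's own server, so a Bot API send call
whose referer is an ordinary web page (here, an INPS-lookalike site) matches
the form-to-bot exfiltration pattern described above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API path shape: /bot<token>/<method>. The token is a secret, so alerts
# carry only a redacted hint instead of the full value.
BOT_PATH = re.compile(r"^/bot(?P<token>[^/]+)/(?P<api_method>[A-Za-z]+)")
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


@dataclass
class Alert:
    client_ip: str
    api_method: str    # Telegram Bot API method used for the upload
    referer_host: str  # page that issued the request (victim-side origin)
    token_hint: str    # redacted bot token, e.g. "0000...0000"


def redact(token: str) -> str:
    """Keep just enough of the token to correlate alerts, never the secret."""
    return token[:4] + "..." + token[-4:] if len(token) > 8 else "****"


def parse_line(line: str) -> Optional[dict]:
    parts = line.split()
    if len(parts) != 6:
        return None  # malformed or unsupported line
    ts, ip, http_method, url, status, referer = parts
    return {"ts": ts, "ip": ip, "http_method": http_method,
            "url": url, "status": status, "referer": referer}


def analyze(line: str) -> Optional[Alert]:
    rec = parse_line(line)
    if rec is None:
        return None
    url = urlsplit(rec["url"])
    if url.hostname != TELEGRAM_API_HOST:
        return None
    m = BOT_PATH.match(url.path)
    if not m or m.group("api_method") not in EXFIL_METHODS:
        return None  # e.g. a server-side getMe health check
    referer_host = urlsplit(rec["referer"]).hostname
    if referer_host is None:
        return None  # no page context: cannot attribute to a browser session
    return Alert(rec["ip"], m.group("api_method"), referer_host,
                 redact(m.group("token")))


def scan(lines: List[str]) -> List[Alert]:
    return [a for a in (analyze(line) for line in lines) if a is not None]


# Constructed proxy lines: one lookalike site posting form data and a selfie
# to a bot, one legitimate visit to the real portal, one server-side getMe.
SAMPLE_LOG = [
    "2025-02-10T09:12:03Z 10.20.30.40 POST "
    "https://api.telegram.org/bot000000000:AAFakeTokenForExample0000/sendMessage "
    "200 https://inps-verifica-profilo.example/login",
    "2025-02-10T09:12:07Z 10.20.30.41 GET https://www.inps.it/ 200 -",
    "2025-02-10T09:13:15Z 10.20.30.40 POST "
    "https://api.telegram.org/bot000000000:AAFakeTokenForExample0000/sendPhoto "
    "200 https://inps-verifica-profilo.example/upload",
    "2025-02-10T09:14:00Z 10.20.30.42 GET "
    "https://api.telegram.org/bot000000000:AAFakeTokenForExample0000/getMe 200 -",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.client_ip} {alert.api_method} via {alert.referer_host} "
              f"(bot {alert.token_hint})")
```

The referer host in each alert is the candidate phishing domain to pass on for takedown and IoC sharing, while the redacted token still lets analysts group alerts from the same bot.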
Mobile optimization dominates technical design. Pages employ responsive frameworks that render efficiently on smartphones, suppressing desktop-specific security warnings and complicating forensic analysis. Shortened URLs—often via services like bit.ly or custom redirectors—obscure final destinations, bypassing basic URL filters.
Domain registration patterns reveal operational agility. Attackers registered disposable domains incorporating INPS variants or Italian administrative terms. In the first quarter of 2025 alone, authorities identified 33 such fraudulent domains dedicated to identity document theft.
This volume originated from automated registration scripts exploiting lax registrar controls. Domains activated briefly for campaigns before abandonment, minimizing exposure while maximizing reach.
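Bringing the lure wording, shortened links and INPS-lookalike domains described above together, here is an added example of a message-triage heuristic that a telecom abuse desk or SOC could run over citizen-reported SMS. It is not CERT-AGID tooling; the Italian keyword lists are an assumption of this example, and every sample message, hostname and link is constructed.

```python
"""Heuristic triage of reported SMS for INPS-themed smishing traits.

Added example, not CERT-AGID tooling. It scores a message on three signals
drawn from the campaigns above: lure wording (benefit suspension, penal
consequences, bonus promises, profile verification, urgency), links through
URL shorteners, and INPS-lookalike hostnames outside the official inps.it
zone. The Italian keyword lists are an assumption of this example and every
sample message, hostname and link below is constructed.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

OFFICIAL_ZONES = ("inps.it",)
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)

# One pattern per lure family observed in the 2024-2025 waves.
LURE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "suspension": re.compile(r"sospension\w*|sospes\w*|bloccat\w*", re.I),
    "penal": re.compile(r"penal\w*|sanzion\w*|irregolarit\w*|omess\w*", re.I),
    "bonus": re.compile(r"bonus|rimbors\w*|\b\d{2,4}\s?€|€\s?\d{2,4}", re.I),
    "verify": re.compile(r"verific\w*|aggiorn\w*|conferm\w*", re.I),
    "urgency": re.compile(r"immediat\w*|entro\s+\d+\s+(?:ore|giorni)|subito", re.I),
}


def is_official(host: str) -> bool:
    return any(host == z or host.endswith("." + z) for z in OFFICIAL_ZONES)


def looks_like_inps(host: str) -> bool:
    """'inps' embedded in a non-official hostname, separators ignored."""
    flat = host.replace("-", "").replace("_", "")
    return "inps" in flat and not is_official(host)


def triage(text: str) -> dict:
    findings: List[str] = []
    score = 0
    for name, pattern in LURE_PATTERNS.items():
        if pattern.search(text):
            findings.append(f"lure:{name}")
            score += 1
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if is_official(host):
            continue  # a link into the real portal is not a signal by itself
        if host in SHORTENER_HOSTS:
            findings.append(f"shortener:{host}")
            score += 2
        elif looks_like_inps(host):
            findings.append(f"lookalike:{host}")
            score += 3
        else:
            findings.append(f"external-link:{host}")
            score += 1
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed messages modelled on the lure types described above.
SAMPLES = [
    "INPS: la sua pensione sarà sospesa. Aggiorni i dati entro 24 ore: "
    "https://inps-verifica-profilo.example/login",
    "Ha omesso redditi nella dichiarazione: rischia conseguenze penali. "
    "Regolarizzi subito: https://bit.ly/3xmplFAKE",
    "INPS: il suo cedolino pensione di febbraio è disponibile su https://www.inps.it/",
    "Bonus INPS di 280 € in attesa: confermi il profilo su "
    "https://inps.verifica-profilo.example",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        r = triage(msg)
        print(f"{r['verdict']:6} score={r['score']} {r['findings']}")
```

Hostnames flagged as lookalikes are the natural input for the registrar abuse notifications and IoC feeds described later in this report.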
Broader European data confirm phishing derivatives as primary intrusion vectors. Across 4,875 curated incidents from July 2024 to June 2025, phishing accounted for initial access in the cases where vectors were specified. Public administration faced 38.2 % of targeted incidents, with social engineering predominant.
ENISA Threat Landscape 2025 – ENISA – October 2025
Within public administration-specific incidents, intrusions comprised 33.6 %, driven by data exfiltration objectives. Phishing and social engineering facilitated 60 % of specified initial access points across sectors.
ENISA Sectorial Threat Landscape Public Administration – ENISA – November 2025
These mechanisms align with low-sophistication, high-volume criminal operations. Attackers prioritize scalability over advanced persistence, leveraging open-source phishing kits modified for Italian contexts. Kits include pre-built INPS templates, automated SMS distribution via compromised gateways, and modular exfiltration options.
Coercive lures amplify completion rates. Campaigns threatening penal sanctions for undeclared income prompted deeper engagement than earlier bonus promises. Victims, fearing legal repercussions, uploaded full document sets despite escalating requests.
Smishing INPS: nuova truffa minaccia conseguenze penali – CERT-AGID – February 2025
This shift traced victim desensitization to positive incentives. Negative framing—loss of benefits, criminal liability—exploited authority trust embedded in INPS communications.
Secondary monetization pathways emerged rapidly. Stolen identity packages appeared on dark web marketplaces within weeks of collection. Listings offered complete Italian profiles—including selfies and document scans—for prices enabling bulk purchases by downstream fraudsters.
The technical stack remains deliberately simple. No zero-day exploits or advanced persistent threats appear; instead, reliance on social engineering and commodity infrastructure yields consistent returns in high-trust digital ecosystems.
Infographic: Technical Mechanisms & Exfiltration Paths: INPS Smishing (2024-2025). Key figures shown: fake domains identified (Q1 2025) 33; ENISA analyzed incidents 4,875; public administration targeted (EU) 38.2%; phishing initial vector 60%. Panels: Typical Smishing Campaign Workflow; Data Types Requested (Estimated Frequency); Exfiltration Channels Utilized.
Institutional Response and Mitigation Measures by CERT-AGID
CERT-AGID activates standardized countermeasures upon detecting each INPS-themed smishing wave. Authorities notify the registrar’s abuse service to request immediate domain suspension. They inform INPS of brand impersonation and distribute Indicators of Compromise (IoCs) to accredited public entities via dedicated feeds.
Because registrars cooperate variably and attackers register domains across multiple providers, takedowns disrupt but do not eradicate campaigns. Rapid infrastructure replacement sustains operational continuity for threat actors.
In the first quarter of 2025, CERT-AGID identified 33 fraudulent domains created specifically to harvest identity documents through these campaigns. This volume originated from intensified monitoring combining citizen reports, INPS alerts, and automated detection systems.
The same report details proactive domain removal requests where feasible. Success rates depend on registrar responsiveness, with delays enabling extended victim exposure.
CERT-AGID shares IoCs—including malicious URLs, IP addresses, and file hashes—exclusively with accredited organizations. This restricted dissemination protects operational integrity while enabling defensive blocking across public networks.
Broader annual data reveal scale. In 2024, CERT-AGID countered 1,767 malicious campaigns, disseminating 19,939 IoCs to its constituency.
Phishing operations, including smishing variants, comprised the majority, involving 133 impersonated brands. Despite a 37 % reduction in smishing volume compared to prior years, INPS remained a persistent target for identity document theft.
Because low-sophistication actors achieve high returns through volume, mitigation focuses on rapid disruption and awareness. CERT-AGID publishes detailed public advisories describing SMS texts, fraudulent site characteristics, and recommended actions.
Victims receive guidance to report incidents via the Polizia Postale online portal or in person, monitor banking for unauthorized IBAN changes, and contact INPS directly for benefit verification.
Smishing a tema INPS: come comportarsi in caso di furto dei dati – CERT-AGID – March 2025
Institutional coordination extends to the Agenzia per la Cybersicurezza Nazionale (ACN), which issues parallel alerts reinforcing CERT-AGID findings.
European Union-level assessments contextualize national efforts. Across 4,875 curated incidents from July 2024 to June 2025, public administration recorded the highest targeting at 38 %.
ENISA Threat Landscape 2025 – ENISA – October 2025
Phishing, encompassing smishing, served as the dominant initial access vector in 60 % of specified intrusion cases. This concentration stemmed from trust exploitation in official communications, amplified in digitally mature member states.
A dedicated sectoral analysis documented 586 publicly reported incidents against EU public administration in 2024. Social engineering and phishing facilitated entry where vectors were identified, though hacktivist DDoS dominated volume.
ENISA Sectorial Threat Landscape Public Administration – ENISA – November 2025
Intrusions comprised 33.6 % of threats, with data breaches predominant at 51.8 % within that category. Opportunistic criminal access via phishing enabled downstream monetization.
Italian responses align with EU recommendations for enhanced user training, SMS sender verification, and cross-border intelligence exchange. CERT-AGID’s proactive monitoring and rapid advisory publication demonstrate tactical efficacy in limiting individual campaign duration.
Persistence arises from attacker adaptability. Domain takedowns force pivots, but low registration costs and automated tools sustain recurrence.
Public awareness campaigns by INPS and CERT-AGID emphasize exclusive use of official channels. Citizens must ignore embedded links and verify via authenticated portals.
These measures collectively constrain spread velocity. Early detection and disruption prevent exponential victim growth observed in unmitigated campaigns elsewhere.
Strategic implications extend to digital identity resilience. Compromised datasets enable fraudulent SPID activations, threatening broader public service integrity.
Mitigation success traces to institutionalized processes: detection triggers immediate multi-channel response—notifications, takedowns, IoC distribution, and public guidance.
This layered approach contains tactical impacts while highlighting requirements for preventive controls at telecommunications and registrar levels.
As of January 2026, publicly verifiable primary sources provide no granular mitigation details beyond these documented procedures.
Infographic: CERT-AGID Institutional Response to INPS Smishing (2024-2025). Key figures shown: fake domains (Q1 2025) 33; countered campaigns (2024) 1,767; shared IoCs (2024) 19,939; EU public administration target 38%; phishing initial vector 60%. Panels: Standard CERT-AGID Response Protocol; EU Incidents by Sector (2024-2025); Initial Access Vectors (Intrusions).
Victim Impacts and Secondary Exploitation Risks
Victims of INPS-themed smishing campaigns suffer immediate financial losses when attackers capture banking details and execute unauthorized transactions. More severe consequences arise from comprehensive identity document theft, enabling prolonged exploitation.
Full identity packages harvested by attackers—including front-and-back scans of identity cards, health cards, driving licenses, pay slips, and selfies holding documents—appeared for sale on deep web forums shortly after collection. One observed listing offered complete profiles of Italian citizens, explicitly matching the data demands of fraudulent sites.
Because these packages include biometric verification elements like selfies, buyers create synthetic identities resistant to standard checks. Primary downstream uses target the SPID system, Italy’s mandatory digital identity for public services.
Successful fraudulent SPID activations grant attackers access to welfare payments, tax records, health data, and benefit redirections. Victims face suspended services, erroneous tax assessments, or depleted pension accounts without direct financial credential theft.
The campaign’s scale amplified individual harms. Authorities identified 33 false domains dedicated to document theft in the first quarter of 2025 alone, indicating widespread victim exposure.
This concentration stemmed from persistent attacker focus on high-yield identity harvesting. Stolen profiles entered dark web marketplaces, perpetuating a secondary economy where buyers conduct targeted fraud.
European Union-wide data contextualize these risks. Across 4,875 curated incidents from July 2024 to June 2025, public administration recorded 38 % of targeted events.
ENISA Threat Landscape 2025 – ENISA – October 2025
Phishing, including smishing variants, served as the initial intrusion vector in 60 % of the cases where the vector was specified. This dominance originated from trust in institutional communications, exploited to bypass technical controls.
A sectoral analysis of 586 publicly reported incidents against EU public administration in 2024 revealed data-related threats at 19.5 %, with breaches comprising 17.4 %.
ENISA Sectorial Threat Landscape Public Administration – ENISA – November 2025
Intrusions accounted for 33.6 % overall, driven by social engineering entry points. Data breaches within intrusions reached 51.8 %, often yielding sensitive citizen records.
Because smishing delivers complete identity kits rather than isolated credentials, impacts extend beyond financial theft to systemic abuse of digital public services. Compromised SPID enables unauthorized interactions with multiple agencies, compounding victim recovery efforts.
Secondary exploitation includes account takeovers on private platforms requiring strong identity verification. Buyers leverage harvested documents for loan applications, subscription fraud, or criminal impersonation.
The observed rapid transition from collection to marketplace listing, within weeks, demonstrates efficient criminal supply chains. Packages marketed with sample images that confirm authenticity command a higher resale value.
Individual victims encounter credit denials, legal disputes over fraudulent filings, or investigative scrutiny for crimes committed in their name. Elderly recipients, dependent on INPS benefits, face disproportionate disruption from suspended payments.
Broader societal costs manifest in eroded trust toward digital government initiatives. High-profile identity theft undermines adoption of online public services, straining administrative resources.
These risks align with EU trends where social engineering facilitates data exfiltration objectives. Public administration’s exposure to 38 % of incidents reflects dense citizen data holdings, making identity-focused campaigns particularly damaging.
Mitigation challenges arise from delayed victim reporting. Many discover compromise only upon service denials or anomalous transactions, allowing extended attacker dwell time.
The interplay between low-sophistication entry and high-impact outcomes characterizes these threats. Smishing yields durable assets—verifiable identities—monetized repeatedly across criminal ecosystems.
[Infographic: Victim Impacts & Secondary Exploitation Risks, INPS Smishing (2024–2025). Key figures: fake domains Q1 2025: 33; EU incidents analyzed: 4,875; public administration targeted: 38%; phishing vector: 60%; resulting data breach: 51.8%. Panels: Main Secondary Exploitation Risks; EU Threats by Sector (2024–2025); Intrusion Vectors and Data Impact.]
Broader Implications for Italian and EU Cybersecurity Posture
INPS-targeted smishing campaigns expose structural vulnerabilities in Italy’s digital public administration ecosystem. Persistent operations through 2025 demonstrate attacker success against high-trust institutional interfaces.
CERT-AGID documented campaign resumption in September 2025 after a one-month pause. Fraudulent SMS directed victims to cloned portals demanding document uploads for alleged benefit eligibility.
Torna lo smishing ai danni di utenti INPS – CERT-AGID – September 2025
Because attackers rapidly pivot infrastructure following disruptions, tactical takedowns yield limited strategic deterrence. Resurgence signals resilient criminal networks exploiting unchanging user behaviors.
European Union assessments position public administration as the primary targeted sector. ENISA curated 4,875 incidents from 1 July 2024 to 30 June 2025. Public administration absorbed the highest share where sectors specified.
ENISA Threat Landscape 2025 – ENISA – October 2025
This elevation originated from hacktivist-driven DDoS waves, yet criminal social engineering—including smishing—contributed substantially to intrusion vectors. Phishing accounted for 60 % of observed initial access points.
The same report identifies phishing industrialization through platforms-as-a-service, lowering entry barriers and scaling attacks against trusted brands like INPS.
A dedicated sectoral analysis examined 586 publicly reported incidents against EU public administration in 2024. Intrusions comprised 33.6 % of threats, incorporating data breaches at 17.4 % and ransomware at 10 %.
ENISA Sectorial Threat Landscape Public Administration – ENISA – November 2025
Social engineering facilitated primary entry, amplifying opportunistic data exfiltration. Italy’s exposure aligns with this pattern, where SPID-centric services create concentrated risk surfaces.
Because digital identity systems mandate online access for welfare interactions, successful identity theft cascades across multiple agencies. Compromised credentials enable benefit redirection, tax fraud, and health record manipulation.
ENISA assesses public administration maturity as low despite high criticality under NIS2. This “risk zone” positioning demands prioritized support to elevate resilience.
Hacktivist DDoS dominates volume at over 60 % of 2024 incidents, yet criminal intrusions pose enduring data risks. State-nexus espionage accounts for 2.5 % and is focused on long-term collection.
Italy’s posture reflects EU trends amplified by dense digital service adoption. INPS processes millions of transactions monthly; smishing harvests enable systemic abuse.
Convergent pressures erode resilience. Fewer singular high-impact events give way to continuous low-sophistication campaigns, cumulatively degrading trust.
Phishing evolution incorporates AI-generated content, with over 80 % of observed social engineering leveraging large language models by early 2025.
Implications extend to policy harmonization. NIS2 transposition requires enhanced incident reporting and risk management, yet smishing persistence highlights awareness gaps.
Strategic priorities include SMS sender authentication, registrar cooperation for domain seizures, and cross-border intelligence on criminal infrastructure.
Italy’s centralized response via CERT-AGID and ACN provides tactical containment, but strategic posture demands preventive controls at telecommunications gateways.
EU convergence—hacktivism masking criminal access—complicates attribution and response. Opportunistic actors exploit degraded availability to push users toward fraudulent channels.
Probabilistic targeting favors public administration at 38 % due to data density and trust capital. Low-barrier vectors like smishing yield disproportionate returns.
Long-term resilience requires maturing cyber hygiene across citizen interfaces. Mandatory multi-factor authentication and behavioral analytics mitigate social engineering.
[Infographic: Broader Implications: Italian & EU Cybersecurity Posture (2024–2025). Key figures: total incidents analyzed: 4,875; public administration targeted: 38%; phishing initial vector: 60%; PA incidents 2024: 586; intrusions in PA: 33.6%. Panels: Key Strategic Implications; EU Threats by Sector (2024–2025); Intrusion Vectors in Public Administration.]
Recommendations for Enhanced Resilience and Public Awareness
CERT-AGID advises citizens to distrust unsolicited SMS requesting data entry via external links. Official entities rarely employ this method for sensitive operations.
Smishing a tema INPS: come comportarsi in caso di furto dei dati – CERT-AGID – March 2025
Because attackers mimic urgency or authority, users must verify communications exclusively through direct access to www.inps.it. Manual entry of the official URL prevents redirection to fraudulent clones.
Victims should monitor associated bank accounts for unauthorized IBAN modifications. Regular checks detect benefit redirections executed via compromised SPID credentials.
The same guidance directs reporting suspicious messages to [email protected] or the Polizia Postale. Prompt notifications enable domain takedowns and IoC dissemination.
Another advisory reinforces URL scrutiny upon resurgence in September 2025. Exact domain matching confirms legitimacy; discrepancies signal fraud.
Torna lo smishing ai danni di utenti INPS – CERT-AGID – September 2025
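The "exact domain matching" advice above, as an added defender-side example that is not CERT-AGID's own code: it extracts links from an SMS body and accepts only a host that is exactly inps.it or a subdomain of it, so lookalike forms (a host that merely begins with "inps.it", a userinfo trick such as "www.inps.it@…", a punycode or non-ASCII host) are flagged. The shortener list and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# The only legitimate domain per the CERT-AGID guidance cited on the page.
OFFICIAL_DOMAIN = "inps.it"
# Constructed shortener list (assumption): the lures use shortened links, and a
# shortener host can never be confirmed as official by string matching alone.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+|\bwww\.[^\s<>\"']+", re.IGNORECASE)

def extract_urls(sms_text):
    """Pull URL-like tokens out of an SMS body; bare www. hosts get a scheme."""
    urls = []
    for m in URL_RE.finditer(sms_text):
        token = m.group(0).rstrip(".,;:)")           # drop trailing punctuation
        if not token.lower().startswith("http"):
            token = "http://" + token
        urls.append(token)
    return urls

def classify_url(url):
    """Exact-domain check: returns 'official', 'shortener' or 'suspect'."""
    host = (urlsplit(url).hostname or "").rstrip(".")   # hostname drops userinfo/port
    if not host or not host.isascii() or "xn--" in host:
        return "suspect"            # empty, homoglyph (non-ASCII) or punycode host
    if host in SHORTENER_HOSTS:
        return "shortener"
    # Only inps.it itself or a subdomain of it passes; "www.inps.it.evil.example",
    # "inps-it.example" and "www.inps.it@evil.example" all fail this test.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    return "suspect"

def triage_sms(sms_text):
    """Return (verdict, [(url, label), ...]) for one message."""
    findings = [(u, classify_url(u)) for u in extract_urls(sms_text)]
    if not findings:
        return "no-links", findings
    if all(label == "official" for _, label in findings):
        return "official-links-only", findings
    return "suspect", findings

# Constructed sample messages, not real lures taken from the page.
SAMPLE_SMS = [
    "INPS: aggiorna i tuoi dati entro 24 ore: https://www.inps.it.verifica-dati.example/login",
    "INPS: verifica il tuo profilo su https://bit.ly/xxxxxxx",
    "Consulta la tua posizione su www.inps.it.",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(triage_sms(sms))
```

Even an "official-links-only" verdict only confirms the domain; the guidance above still applies, since INPS does not request data entry through SMS links.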
European Union-level mitigation emphasizes user training and technical controls. ENISA recommends auditing systems, network intrusion prevention, and restricting web content to counter phishing, which accounts for 60 % of initial vectors.
ENISA Threat Landscape 2025 – ENISA – October 2025
Antivirus deployment and user training mitigate spear-phishing attachments and links. These measures address credential theft enabling downstream intrusions.
Public administration-specific guidance mandates multi-factor authentication with conditional access. Privileged accounts require dedicated management to limit compromise scope.
ENISA Sectorial Threat Landscape Public Administration – ENISA – November 2025
Email hardening via DMARC, SPF, DKIM, and current TLS prevents spoofing. Securing content management systems reduces the watering-hole risks that complement smishing.
Because social engineering exploits human elements, awareness campaigns must prioritize behavioral change. Simulated exercises test responsiveness while reinforcing verification habits.
Institutional recommendations converge on proactive reporting. Citizen submissions accelerate threat intelligence cycles, constraining campaign duration.
Technical layers include SMS gateway filtering and sender authentication frameworks. Implementation at telecommunications level blocks malicious bulk distribution.
Policy integration under NIS2 elevates these practices to regulatory requirements. Member states enforce maturity assessments targeting public administration’s 38 % exposure.
Resilience builds through layered defenses: training reduces click rates, technical controls block exploitation, rapid reporting disrupts infrastructure.
Probabilistic efficacy favors combined approaches. Isolated measures yield partial containment; integrated strategies achieve sustained reduction.
[Infographic: Recommendations for Enhanced Resilience and Public Awareness (2024–2025). Key figures: phishing initial vector: 60%; public administration targeted: 38%; user training priority: High; MFA enforcement: Mandatory; reporting: Immediate. Panels: Core Recommendations; Key Threat Vectors; Mitigation Effectiveness.]
Comprehensive Overview of INPS-Targeted Smishing Campaigns (2024–2025)
The table below synthesizes all verified data from the analysis, organized thematically for clarity. Rows group related concepts (e.g., campaign evolution, technical details, institutional responses, victim impacts, broader implications, and recommendations). Key quantitative metrics appear in bold where applicable.
| Concept Category | Sub-Concept | Details / Data | Key Dates / Periods | Source Reference |
|---|---|---|---|---|
| Campaign Evolution | Persistence and Resurgence | Campaigns ongoing since ~2023; resurgence after pauses (e.g., 1-month pause before September 2025) | 2024–2025 | Torna lo smishing ai danni di utenti INPS – CERT-AGID – September 2025 |
| Campaign Evolution | Shift in Lures | From promises (bonuses, refunds) to threats (benefit suspension, penal consequences for tax omissions) | February 2025 onward | Smishing INPS: nuova truffa minaccia conseguenze penali – CERT-AGID – February 2025 |
| Campaign Evolution | Infrastructure Usage | Repeated use of Telegram bots as C2; multiple waves in 2024 (August, December) | August–December 2024 | Nuovo smishing INPS sfrutta un bot Telegram come C2 – CERT-AGID – August 2024; Campagna di smishing INPS in corso sfrutta bot Telegram per rubare dati personali – CERT-AGID – December 2024 |
| Technical Mechanisms | Delivery Method | SMS with shortened links to mobile-optimized phishing sites cloning INPS portal | Ongoing 2024–2025 | Multiple CERT-AGID alerts |
| Technical Mechanisms | Data Requested | Personal data, fiscal code, IBAN/credit cards, document scans (ID, health card, license front/back), pay slips, selfies with ID | 2025 campaigns | Smishing a danno di INPS: caccia ai documenti personali da sfruttare per il furto di identità – CERT-AGID – January 2025 |
| Technical Mechanisms | Exfiltration Pathways | Direct to servers or Telegram bots via API | 2024–2025 | CERT-AGID reports on Telegram C2 |
| Technical Mechanisms | Fraudulent Domains | **33** false INPS domains identified for identity theft | Q1 2025 | Si concretizzano le conseguenze dello smishing a tema INPS: in vendita online i documenti trafugati – CERT-AGID – March 2025 |
| Institutional Response | Detection and Countermeasures | Domain takedowns (when possible), IoC distribution to accredited entities, INPS notification | Per campaign | All CERT-AGID alerts |
| Institutional Response | Annual Scale (2024) | **1,767** malicious campaigns countered; **19,939** IoCs shared | 2024 | Report riepilogativo sulle tendenze delle campagne malevole analizzate dal CERT-AGID nel 2024 – CERT-AGID – December 2024 |
| Institutional Response | Smishing Trend | **~37 %** reduction in smishing volume compared to prior year, but INPS remains persistent target | 2024 | Same 2024 report |
| Victim Impacts | Primary Harms | Financial theft, benefit suspension, unauthorized IBAN changes | Immediate | Smishing a tema INPS: come comportarsi in caso di furto dei dati – CERT-AGID – March 2025 |
| Victim Impacts | Secondary Exploitation | Stolen documents sold on dark web; fraudulent SPID activations for service abuse | Weeks after collection | Si concretizzano le conseguenze dello smishing a tema INPS: in vendita online i documenti trafugati – CERT-AGID – March 2025 |
| Victim Impacts | Vulnerable Groups | Elderly/retirees dependent on pensions; low digital literacy | Ongoing | Inferred from welfare focus |
| Broader EU Context | Total Incidents Analyzed | **4,875** curated incidents | July 2024–June 2025 | ENISA Threat Landscape 2025 – ENISA – October 2025 |
| Broader EU Context | Public Administration Targeting | **38.2 %** of sector-specified incidents (highest sector) | July 2024–June 2025 | Same ENISA report |
| Broader EU Context | Phishing as Initial Vector | **60 %** of specified cases | July 2024–June 2025 | Same ENISA report |
| Broader EU Context | Public Admin Specific Incidents (2024) | **586** publicly reported; intrusions **33.6 %**, data breaches **51.8 %** within intrusions | 2024 | ENISA Sectorial Threat Landscape Public Administration – ENISA – November 2025 |
| Recommendations | User Actions | Never click SMS links; access INPS directly; report to CERT-AGID or Polizia Postale | Ongoing | Smishing a tema INPS: come comportarsi in caso di furto dei dati – CERT-AGID – March 2025 |
| Recommendations | Technical Controls | MFA, PAM, email hardening (DMARC/SPF/DKIM/TLS), awareness training | EU-wide | ENISA reports |
| Recommendations | Policy/Strategic | SMS sender authentication; enhanced reporting; NIS2 compliance | 2025 onward | ENISA sectoral recommendations |