CERT-AGID exposes the funnel of an active phishing campaign impersonating the Italian Ministry of Health, using a fake mandatory health card replacement to harvest personal data and credit card details.

CERT-AGID published details today, June 30, 2026, of active phishing campaigns impersonating the Ministry of Health to steal personal data and credit cards. Attackers use the pretext of a mandatory health card replacement, calibrating the requested amount at a psychologically trivial level to lower the victim's defenses. The campaign is ongoing: CERT has requested the takedown of malicious domains, with success in the majority of cases.

Key Takeaways
  • CERT-AGID detects multi-domain phishing campaigns with an identical schema: collection of personal data, formal summary with itemized costs, exfiltration of full credit card details
  • The requested amount is €6.39 (€2.50 production, €0.99 handling, €2.90 Poste Italiane shipping), described by the source as a deliberate choice to make the payment "perceived as negligible"
  • Sites replicate high-fidelity institutional elements: Ministry logo and colors, expandable FAQs, fake protocol numbers, plausible update dates
  • For citizens enrolled by right in the National Health Service, the health card renews automatically and free of charge via the Revenue Agency: the Ministry never requests online payments

The Three-Step Funnel: From Personal Data to Credit Card

CERT-AGID describes a structured conversion path in three successive phases. In the first, the victim lands on a site requesting first name, last name, tax code or identity document, phone number, and alternative shipping address. The second phase presents a formal summary with itemized costs: €2.50 production, €0.99 handling, and €2.90 shipping, each with its own specific line item. The third requires the entry of full credit card details.

The progression is engineered to build trust through form. The itemized summary does not serve to justify the amount, but to legitimize the operation: the granularity simulates administrative transparency. CERT-AGID explicitly notes that the low amount is "a deliberate choice" to lower the user's defenses.

The €6.39 Lever: Psychology of the Institutional Micropayment

"The low amount is a deliberate choice: it lowers the user's defenses, making the payment perceived as negligible and not worthy of much attention."

The mechanism is not new, but its application to a healthcare pretext is specific to the documented campaign. Attackers split the cost into three line items to avoid the alert threshold that a single lump sum, even an identical one, might trigger. The reference to Poste Italiane for shipping adds an element of national familiarity.

The payment page includes the statement "100% secure payment. Your data is protected with SSL encryption" — a formula CERT-AGID reports verbatim as present on the fraudulent sites. The mention of SSL functions as an authenticity seal for non-technical users, despite guaranteeing no real protection against exfiltration to attacker-controlled servers.

Institutional Verisimilitude: When the Ministry of Health Is Not the Ministry

Beyond the amount, the campaign invests in graphical replication. Sites reproduce the Ministry of Health's institutional logo and colors, include expandable FAQs with plausible answers, and assign fake protocol numbers with plausible update dates. The narrative pretext is the mandatory replacement of the health card "starting from 2026" for a "new electronic health identification system," with a fictitious reference to January 2023 as the deadline for cards to be replaced.

CERT-AGID does not describe sophisticated infrastructure evasion techniques. The campaign's quality lies in social engineering, not in malware engineering or traffic obfuscation. Domains have been taken down at CERT's request to registrars, with success in the majority of cases: the phrasing suggests at least a portion remain active at the time of publication.

What to Do Now

For anyone who has received communications about the alleged health card replacement, the first thing to know is that the Ministry of Health never requests online payments for this service. For citizens enrolled by right in the NHS, the health card renews automatically and free of charge via the Revenue Agency: no paid procedure is envisaged.

Anyone who has already entered data on these sites must immediately contact their bank to block the credit card and report the incident. CERT-AGID has shared indicators of compromise (IoCs) with accredited entities through institutional channels: organizations with access to these channels can check whether the domains appear in their corporate web browsing logs.
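An added example, not from CERT-AGID or the article: a sweep of proxy logs against the shared IoC domains that also separates users who only visited from users who sent a form (POST), since the latter are the ones who need to block their card. The log format, user names and domains are constructed placeholders, and treating any POST as a submitted funnel step is an assumption.

```python
from urllib.parse import urlsplit

# Constructed placeholders: the real IoC list is shared by CERT-AGID with
# accredited entities and does not appear in the article.
IOC_DOMAINS = {"ioc-one.example", "ioc-two.invalid"}

# Constructed proxy log, assumed format: timestamp user method target status
SAMPLE_LOG = """\
2026-06-30T09:12:01Z alice GET https://www.ioc-one.example/ 200
2026-06-30T09:13:40Z alice POST https://www.ioc-one.example/step1 302
2026-06-30T09:15:02Z alice POST https://www.ioc-one.example/step2 200
2026-06-30T10:01:11Z bob GET https://IOC-TWO.invalid./faq 200
2026-06-30T10:05:00Z carol GET https://notioc-two.invalid/ 200
2026-06-30T10:06:00Z dave GET https://www.cert-agid.gov.it/ 200
2026-06-30T11:00:00Z erin CONNECT ioc-two.invalid:443 200
malformed line
"""

def host_of(target):
    """Lower-cased hostname without port or trailing dot, or None."""
    try:
        # CONNECT entries log "host:port" with no scheme
        host = urlsplit(target if "://" in target else "//" + target).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def matches_ioc(host, iocs=IOC_DOMAINS):
    """True for an IoC domain or a subdomain of it, matched on label boundaries."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))

def triage(log_text, iocs=IOC_DOMAINS):
    """Map user -> 'submitted' (sent a POST) or 'visited' for IoC hosts."""
    stage = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, user, method, target, _ = parts
        host = host_of(target)
        if not host or not matches_ioc(host, iocs):
            continue
        if method == "POST":
            stage[user] = "submitted"
        else:
            stage.setdefault(user, "visited")
    return stage

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Proxies that do not inspect TLS record only CONNECT entries, so a "visited" result from such logs does not rule out a submission.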

CERT-AGID requested the takedown of malicious domains from registrars, which complied in the majority of cases. However, it remains possible that new domains with the identical schema will be activated: the campaign is ongoing at the time of publication.

Fraud as a Product: Chronicles from a Single Source

The campaign described by CERT-AGID confirms a consolidated trend in Italian phishing: welfare and healthcare pretexts convert better than others because they trigger both regulatory urgency and institutional deference. The tactical novelty here is the care in administrative packaging: not a spammed email, but a multi-step funnel that simulates the user experience of a real public portal.

The risk for businesses is indirect but concrete. Employees who receive these communications on corporate devices — perhaps on personal email accounts checked during breaks — expose payment data that can be reused in other contexts or sold on fraud platforms. CERT-AGID has informed interested entities, but the perimeter of "interested" is not detailed in the dossier.

The limitation of the documentation is also its merit: CERT-AGID describes what it can verify, without amplifying the threat beyond the facts. The result is a technical framework usable by those who must filter traffic or educate users, but not a scalable impact estimate. In a field where security vendors tend to inflate numbers, institutional sobriety is itself a data point.

Sources

Information is based on the cited source and current as of publication.

Sources and references
  1. cert-agid.gov.it