CERT-AGID has detected active phishing campaigns that abuse the name, logo, and visual identity of the Agenzia delle Entrate to induce victims to declare alleged digital crypto assets. A specific campaign identified today, June 19, 2026, introduces a novel tactical element: an adaptive flow that branches between crypto and banking data collection, then pivots to vishing through a simulated technical error. At stake are the credibility of Italy's tax institutions and the financial security of citizens exposed to advanced social engineering techniques.
- CERT-AGID has detected multiple active phishing campaigns exploiting the Agenzia delle Entrate name with a plausible regulatory pretext: mandatory declaration of crypto assets.
- A specific campaign from June 19, 2026 combines phishing and vishing with an adaptive flow: the form branches based on the victim's response, collecting data on crypto wallets or traditional bank accounts.
- After form submission, a screen simulates a synchronization error with a threat of tax assessment and presents a phone number for a "Milan Verification Office," transforming the phishing into vishing.
- CERT-AGID has requested takedown of the malicious domains from registrars, notified the Agenzia delle Entrate, and shared indicators of compromise with accredited entities on its feed.
How the Scam Works: The Adaptive Flow
The campaign identified by CERT-AGID today stands out for an interactive structure that surpasses the static model of traditional phishing. The entry point is a fraudulent form that initially requests a tax code and mobile phone number, data that serve as identifiers to personalize the subsequent attack.
At this point the branching occurs. If the victim declares they possess crypto assets, the form asks for information on the wallet or exchange used, the date of the last deposit, and the estimated portfolio value. If the response is negative, the path shifts to traditional banking data: credit institution and current account balance. This client-side state machine represents a level of adaptivity that maximizes financial intelligence gathering based on the exposed profile.
"The attack flow combines phishing and vishing techniques, dynamically adapting to the responses provided by the victim"
— CERT-AGID
From Form to Phone Call: Escalation to Vishing
The transition from digital to voice channel is the campaign's most dangerous distinctive trait. After the victim completes and submits the form, regardless of the path chosen, the system presents a screen simulating a synchronization error with Agenzia delle Entrate servers. The message includes an explicit threat: notice of assessment and precautionary asset freeze.
The error screen presents a phone number for an alleged "Milan Verification Office." This is the moment, as documented by CERT-AGID, that phishing transforms into vishing. Driven by urgency and fear of tax consequences, the victim calls the number and engages with human operators who continue harvesting sensitive data. The shift to voice interaction bypasses automated security filters and exploits the human capacity to build trust through voice.
The dossier does not specify whether the phone number remains active at the time of publication, nor does it document its actual geographic location.
Remediation Actions and Dossier Limits
CERT-AGID has undertaken three documented lines of action. It requested takedown of the malicious domains from the relevant registrars, informed the Agenzia delle Entrate of the issue, and shared indicators of compromise with entities accredited to its feed. These actions do not equate to confirmation of campaign neutralization: the requested takedown is not verifiable as completed, and the distributed nature of the attack infrastructure allows rapid migration to new domains.
The brief does not document specific corrective measures for potential targets. No indications emerge of any public advisories issued independently by the Agenzia delle Entrate, nor of coordinated awareness campaigns. The actual number of victims or successful attempts remains unknown, as does the economic extent of damages suffered. The dossier does not identify the threat actors, their possible affiliation with structured groups, or their geographic location.
What to Do Now
For citizens receiving tax-themed communications, domain verification is the first filter: the URL of the June 19, 2026 campaign does not belong to the institutional domain agenziaentrate.gov.it. CERT-AGID has not published the exact address, but the verification logic remains valid for any unsolicited contact.
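The domain check described above can be automated for mail or proxy triage. The following Python is an added example, not code from CERT-AGID or the cited source; the sample URLs are constructed for illustration, and requiring HTTPS is an assumption of this example.

```python
from urllib.parse import urlsplit

# Institutional domain named in the article.
OFFICIAL_DOMAIN = "agenziaentrate.gov.it"


def is_institutional_url(url: str, official: str = OFFICIAL_DOMAIN) -> bool:
    """True only if the URL's host is the official domain or a subdomain of it."""
    url = url.strip()
    # Browsers read "\" as "/" in http(s) URLs; urlsplit does not, so refuse
    # such input rather than guess. Embedded whitespace and control
    # characters are refused as well.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":  # assumption of this example: HTTPS only
        return False
    host = parts.hostname  # lowercased, with userinfo and port removed
    if not host:
        return False
    host = host.rstrip(".")  # tolerate a fully qualified trailing dot
    # Match on a label boundary: an exact match or a ".official" suffix.
    return host == official or host.endswith("." + official)


def triage(urls):
    """Return the URLs that do NOT belong to the institutional domain."""
    return [u for u in urls if not is_institutional_url(u)]


# Constructed sample URLs (not indicators from the campaign).
SAMPLES = [
    "https://www.agenziaentrate.gov.it/portale/",
    "https://WWW.AgenziaEntrate.gov.it:443/x",
    "https://agenziaentrate.gov.it.dichiarazione.example/modulo",
    "https://agenziaentrate.gov.it@verifica.example/",
    "https://fakeagenziaentrate.gov.it/",
    "https://verifica.example\\@agenziaentrate.gov.it/",
    "http://www.agenziaentrate.gov.it/",
]

if __name__ == "__main__":
    for u in triage(SAMPLES):
        print("not institutional:", u)
```

A plain substring or `startswith` test on the URL would accept the third and fourth samples; comparing the parsed hostname on a label boundary is what rejects them.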
Anyone who has already entered data into a suspicious form should consider the tax code and phone number provided in the first step compromised. The subsequent branching of the adaptive flow exposes victims to differentiated risks: those who indicated crypto wallets must monitor for unauthorized movements on reported exchanges and addresses; those who provided banking data must check statements for anomalous operations.
The phone number for the "Milan Verification Office" must be treated as an attack element, not a support channel. CERT-AGID has documented that this voice step is designed to harvest further sensitive data, not to resolve technical issues.
For organizations, the CERT-AGID IoC feed is the authorized sharing tool: accredited entities receive verified indicators of compromise from the government body. Feed subscription requires formal accreditation with CERT-AGID.
Why This Matters
The campaign detected by CERT-AGID signals a relevant tactical evolution in the Italian phishing landscape. The hybridization with vishing through an adaptive flow reduces the effectiveness of defenses based on static recognition of fraudulent templates: the form is not a fixed document, but a state machine that reacts to user choices. The simulation of a technical error as a bridge to the voice channel adds a layer of plausibility that exploits citizens' familiarity with malfunctions in digital public services.
The chosen regulatory pretext — the declaration of crypto assets — sits within a real topic on the Italian and European political agenda, increasing the perceived credibility of the deception. The dossier does not specify whether crypto asset declaration is actually mandatory in Italy; what matters is that criminals built the campaign on a sufficiently plausible premise to induce victim compliance.
For organizations, the most significant element is employee exposure to social engineering techniques that harvest both crypto and banking data. This financial intelligence, if combined with information obtained in other contexts, could enable unauthorized access or corporate fraud. The dossier does not document such cases, but the collection mechanism makes theoretical reuse possible.
Frequently Asked Questions
Has the Agenzia delle Entrate been breached?
No. CERT-AGID documents abuse of the Agenzia delle Entrate name, logo, and branding by criminal actors, not a compromise of the institution's systems. The Agency has been informed of the issue.
Is crypto asset declaration actually mandatory?
The dossier reports only the pretext used by criminals. It does not document the actual regulatory status of the declaration obligation in Italy.
Is the phone number for the "Milan Verification Office" linked to a real office?
The brief confirms no connection with a real Agenzia delle Entrate office. The number appears in the simulated error screen as an element of the escalation to vishing.
CERT-AGID has classified the escalation to vishing via the error screen as "a tactical evolution element." In a context where citizens are accustomed to interacting with imperfect public portals, the mimicry of technical malfunction becomes a vehicle for trust rather than alarm. The challenge for defenses is no longer recognizing the fake, but following the adaptive reasoning of those who build it.