Fraud and spam through certified email: over 650 cases of mailbox abuse in 2026
The illusion of security associated with Certified Electronic Mail (PEC) has fallen victim to increasingly targeted phishing campaigns. The Cert-Agid has recorded over 650 security incidents related to compromised PEC mailboxes or mailboxes specifically registered for illicit purposes, starting from January 2026. The consumer association Codici has drawn attention to this sharply rising phenomenon, highlighting how cybercriminals have now targeted a channel traditionally considered protected and inviolable by Italian users.
The latest wake-up call came directly from the Revenue Agency, which identified a massive fraudulent operation focused on the distribution of false electronic invoices. The attackers use compromised PEC addresses to send messages containing a malicious compressed archive, designed to infect the victims' systems. The public agency immediately disavowed such communications, confirming that it had no part in these deceptive mailings and urging taxpayers to exercise the utmost caution.
Recommendations for defending against certified threats via PEC
When a suspicious message arrives, the fundamental rule remains to verify the contact channels first. To check the reliability of a communication, it is advisable to consult the dedicated section of the Revenue Agency's portal or to contact the competent regional offices directly. Antonella Votta, a lawyer and head of the Privacy and New Technologies Sector at Codici, recommends carefully examining the sender's address before taking any action.
Avoiding instinctively clicking on hyperlinks included in the text is the first step to neutralize the threat at hand. Analyses conducted by Cert-Agid confirm that the vulnerability of the tool does not reside in the protocol itself, but in users' management of their credentials.
The breach of PEC mailboxes often stems from earlier data leaks that were ignored at the time. When a company or service suffers a cyberattack, users' access details can end up in criminals' databases. Very often, data breach notifications are delivered precisely through certified mail, yet users tend to ignore them or delete them too readily. This inattention paves the way for the illicit use of digital identities, turning a secure account into a vehicle for infecting other contacts.
The collected data show abuses increasing steadily month after month. The threat is insidious precisely because it plays on the unconditional trust that professionals, businesses, and individuals place in the legal value of PEC. Adopting a skeptical approach and carefully analysing every communication received now represent the only concessions required to safeguard one's IT infrastructure and avoid heavy financial repercussions.