A new computer scam takes advantage of the possibility of creating a second spid on behalf of the victim. Here’s how it works, the real risks and the measures to defend themselves
Beware of the “double spid” scam. With a simple SMS we run the risk of opening the doors of pensions and tax reimbursements to cybercriminals. The system conceived by the scammers is simple and, with the tax returns at the gates, the risk of digital identity theft is growing. The bad guys push the victims to provide all the data necessary to create a second Spid, which becomes the key to access, on behalf of the victim, to all the online services of the Public Administration, with the aim of subtracting money.
The scam develops as follows. An SMS or e-mail arrives that seem to come from INPS. The scammers use Spoofing techniques to deceive and redirect people on false websites identical to the officers, where personal data, copies of documents and even selfies are required, necessary for the creation of a second Spid. Once created, the new SPID allows you to access the INPS portals and the Revenue Agency, change the IBAN to collect reimbursements and contributions, digitally sign documents, open current accounts and activate services.
The exploited vulnerability is the possibility of creating more spid related to the same natural person, a practice allowed by current legislation. In the first three months of 2025, the Digital Italy Agency identified 33 False Inps domains created to subtract personal documents. The phenomenon has intensified, so much so that data and selfies of Italian users are now on sale on Forum del Dark Web, an industrialized activity.
There are clear signals to recognize and prevent scam. The messages often arrive by threatening sanctions or asking for urgent updates of the profile, and contain links to trap sites where sensitive data are asked.
To protect yourself, it is essential to never click on suspected links received via SMS or e-mail; access only by manually typing the official addresses (for example, those of the INPS); activate two -factor authentication where possible; Periodically check the IBAN recorded in the public administration portals and activate notifications for each banking operation.
In the event that he has already been a victim of the “double spid” scam, the first action to be made is to file a complaint with the postal police. It is also important to check your current account and the PA portals to check for any suspicious changes and contact your bank for any refunds.
