On 24 March 2026, the Swiss NCSC published its Week 12 alert. The subject was job fraud — but not the variety most security teams or HR departments have been trained to recognise. The campaign it describes represents a structural escalation in the sophistication of identity-based fraud in Switzerland: scammers are no longer fabricating companies from scratch. They are cloning real ones, exploiting a specific blind spot in the country's commercial register infrastructure, and distributing fraudulent job advertisements through channels — including printed newspapers — that carry a baseline level of institutional credibility. The personal data being harvested in these interactions has value well beyond the immediate scam.
The Anatomy of the Campaign
Stage 1 — Target Selection from the Commercial Register
Switzerland's commercial register (Handelsregister / registre du commerce) is a public database containing the legal names, registered addresses, company purposes, and official contacts of all registered Swiss legal entities. It is a legitimate instrument of commercial transparency — and a structured source of targeting data for this campaign. Attackers systematically query the register to identify companies that are legally registered but have no public website or minimal online presence. These entities are particularly vulnerable: they cannot be easily verified through a web search, they have no existing domain to compare against, and they are unlikely to be monitoring for fraudulent use of their identity.
Stage 2 — Creating the Fake Infrastructure
Once a target company is identified, the attackers register a lookalike domain — typically within days of launching the campaign — and build a professional-looking website using the company's registered name, address, and commercial register information. The NCSC notes that these websites are convincing precisely because the underlying data is accurate: the company genuinely exists, the address is real, and the registration number is valid. The fraud is not in the identity itself but in the digital infrastructure built around it. The newly registered domain is a reliable detection indicator — the NCSC explicitly flags recent domain registration dates as a warning sign.
Stage 3 — Multi-Channel Job Advertisement Distribution
The fraudulent job advertisements are then placed on legitimate Swiss job platforms — Ricardo, Jobs.ch, and similar services — and, in a development the NCSC describes as previously unobserved, in the employment sections of legitimate printed newspapers. The roles advertised are typically flexible, home-based positions in logistics or similar sectors. The use of printed media is operationally significant: it introduces a channel that many security-aware individuals and HR professionals still associate with verified, editor-curated content, rather than the more familiar risk of online platforms where fraudulent listings are a known issue.
Stage 4 — Data Harvesting via Element
Applicants who respond are asked to install Element — an open-source, end-to-end encrypted messaging application built on the Matrix protocol. The choice of Element is deliberate: it is a legitimate, privacy-oriented tool used by security-conscious organisations and governments, which reduces the applicant's suspicion compared to being directed to WhatsApp or Telegram. During the application process conducted via Element, victims are asked to submit their CV, employment references, and diplomas. This yields a comprehensive identity package — personal details, employment history, educational credentials, and professional references — with immediate value for identity theft, targeted social engineering, and dark web resale.
Stage 5 — Monetisation: Cryptonow Vouchers
In at least one confirmed case, the fraud progressed to a direct financial demand: the victim was asked to purchase Cryptonow vouchers — a Swiss cryptocurrency cash voucher product available at retail outlets — worth up to CHF 2,500, with a refund promised later in the hiring process. This is a classic advance fee structure applied to a new delivery mechanism. Cryptonow vouchers are attractive to fraudsters for the same reasons that cryptocurrency generally is: transactions are effectively irreversible, the physical purchase can be made anonymously at retail, and the voucher codes are transmitted digitally with no chargeback path.
◆ Key Takeaway
The primary value in this campaign may not be the Cryptonow payment — it is the identity data. A complete profile containing name, address, CV, employment history, diplomas, and professional references is sufficient to support identity theft, targeted CEO fraud, fake loan applications, and long-form social engineering attacks. Swiss HR departments and recruitment teams are the unintended intermediaries in this pipeline.
Why This Campaign Is Structurally Different
Previous generations of job fraud in Switzerland followed recognisable patterns: invented companies, implausible salaries, obvious grammatical errors, requests for upfront payments before any interview process. This campaign defeats those detection heuristics systematically. The company is real. The address is real. The registration number is real. The job platform is legitimate. The newspaper may be legitimate. The messaging application is used by security-conscious organisations. At no point in the early stages of the interaction does anything appear out of place to a non-specialist. The only technically detectable indicators are the domain registration date, the absence of a real web presence prior to the domain registration, and — if the victim or a security team checks — the absence of any genuine contact at the company whose identity has been cloned.
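The two indicators named above, a company-name match and a recent domain registration date, can be checked mechanically. The following is an added example, not code from the NCSC alert or the original article: it reads RDAP domain objects (the RFC 9083 `events` array with `eventAction` set to `registration`) and scores domains seen in job ads against a commercial register name. The company name, the reserved `.example` domains, the dates and the 90-day threshold are constructed assumptions.

```python
import json
import re
import unicodedata
from datetime import date, datetime

LEGAL_FORMS = {"ag", "gmbh", "sa", "sarl", "sagl"}  # common Swiss legal-form suffixes

def name_tokens(company_name):
    """Register name -> lower-case ASCII words without the legal form."""
    folded = unicodedata.normalize("NFKD", company_name).encode("ascii", "ignore").decode()
    return [w for w in re.findall(r"[a-z0-9]+", folded.lower()) if w not in LEGAL_FORMS]

def registration_date(rdap):
    """Date of the 'registration' event in an RDAP domain object, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00")).date()
    return None

def assess(company_name, rdap, ad_seen, max_age_days=90):
    """Score one domain found in a job ad against the register name."""
    label = rdap["ldhName"].lower().split(".")[0].replace("-", "")
    tokens = name_tokens(company_name)
    name_match = bool(tokens) and all(t in label for t in tokens)
    registered = registration_date(rdap)
    age_days = (ad_seen - registered).days if registered else None
    if not name_match:
        verdict = "no-name-match"
    elif age_days is None or age_days <= max_age_days:
        verdict = "high"    # company name on a new (or undated) domain
    else:
        verdict = "check"   # name match, but the domain is older than the threshold
    return {"domain": rdap["ldhName"], "age_days": age_days, "verdict": verdict}

# Constructed sample data: hypothetical company, reserved .example domains.
COMPANY = "Beispiel Logistik AG"
AD_SEEN = date(2026, 3, 24)
SAMPLE_RDAP = json.loads("""[
  {"ldhName": "beispiel-logistik-jobs.example",
   "events": [{"eventAction": "registration", "eventDate": "2026-03-10T09:00:00Z"}]},
  {"ldhName": "beispiellogistik.example",
   "events": [{"eventAction": "registration", "eventDate": "2015-06-01T00:00:00Z"}]},
  {"ldhName": "andere-firma.example",
   "events": [{"eventAction": "registration", "eventDate": "2026-03-20T00:00:00Z"}]}
]""")

if __name__ == "__main__":
    for record in SAMPLE_RDAP:
        print(assess(COMPANY, record, AD_SEEN))
```

A "check" verdict still needs a human decision: for a company that has never operated a website, any domain carrying its name deserves a call to the company's registered contact.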
The campaign is also cross-linguistic. The NCSC explicitly notes that all linguistic regions of Switzerland are affected, including Ticino — indicating that the operation has the capacity to produce convincing content in German, French, and Italian, consistent with the use of AI-assisted translation and content generation tools.
Defensive Actions for Swiss HR, Legal, and Security Teams
- Search for your company's name on job platforms and commercial register databases. If your organisation is registered in the commercial register but has a limited web presence, you are a candidate target for this campaign. Proactively search for your company name on the major Swiss job platforms — Jobs.ch, Indeed.ch, LinkedIn, Ricardo — and set up Google Alerts. If fraudulent listings appear, report them to the platform and to the NCSC.
- Register your company's primary domain and common variants. If your company does not have a website, register a domain and put a basic holding page in place. This eliminates the primary attack vector: a newly registered lookalike domain standing in for a company with no digital presence. Consider registering common variants — .com, .net, .ch — to reduce the risk of domain squatting.
- Instruct job seekers not to install messaging applications as part of application processes. Legitimate Swiss employers do not require applicants to install specific messaging platforms to submit CVs. If an application process begins on a job platform and then migrates to Element, Telegram, or WhatsApp, this is a strong indicator of fraud. HR managers should include explicit warnings about this pattern in job posting templates.
- Never purchase cryptocurrency vouchers in the context of employment. No legitimate Swiss employer requires job applicants or new employees to purchase Cryptonow, Natel, or similar vouchers as part of an onboarding or advance payment process. This is a categorical indicator of fraud, regardless of the refund promise accompanying the request.
- Report confirmed or suspected instances to the NCSC. Reporting to the NCSC at report.ncsc.admin.ch provides the Centre with data to assess the scale and evolution of the campaign, enables faster takedown requests for fraudulent domains and job listings, and contributes to the warning capacity that protects other Swiss organisations and individuals.
The Broader Trend: Identity as Infrastructure
This campaign reflects a trend identified in the NCSC Annual Report 2025: Swiss threat actors are moving away from opportunistic, high-volume fraud toward precision attacks that invest significantly in the quality of deception. The use of real commercial register data, multi-channel distribution including print media, and a professional-grade encrypted communications channel to conduct the fraud represents exactly the kind of operational sophistication the NCSC described as the defining characteristic of 2025's threat landscape — and it shows no sign of abating. For Swiss organisations, the response is not more security awareness training alone. It is proactive monitoring of their own identity in public databases, coupled with clear internal policies that remove the ambiguity attackers exploit.