8 min read

NCSC Alerts: Swiss Summer Scam Wave Defence Guide 2026

Three concurrent campaigns are working the Swiss public and its SMEs with distinctly Swiss lures — a motorway vignette, a video call, an invoice. None is technically sophisticated. All of them work, and all of them are cheap to shut down.

While the industry's attention was on agentic ransomware and consultancy breaches, the NCSC's incident desk spent early July on threats of a humbler kind. Three campaigns are running concurrently against the Swiss public and, through their employees, against Swiss SMEs: phishing emails claiming the motorway E-Vignette has been deactivated over a billing problem — a lure the NCSC has been warning about since spring, now circulating in renewed waves that even name the NCSC itself as sender; invoices from swissnovachat.ch and swissnovacare.com demanding payment for subscriptions that were never taken out, flagged by the NCSC on 1 July and traced to a Hong Kong-registered operator; and fake Zoom meeting invitations that prompt the target to install an "update" which is, in fact, malware or a remote-access tool. None of this is novel tradecraft. That is precisely why it deserves an article: these are the attacks that actually reach every Swiss mailbox, and the defences are concrete, cheap, and this afternoon's work.

Why Swiss-Specific Lures Outperform Generic Phishing

Each campaign borrows trust from an institution embedded in Swiss daily life. The E-Vignette lure works because the vignette is a near-universal obligation with a real payment relationship behind it, because the switch to the electronic vignette left genuine uncertainty about how renewals and receipts look, and because the emails impersonate federal authority — some versions listing the NCSC's own contact address to borrow credibility from the very agency warning about them. The fake-subscription invoices work on a different psychological rail: not urgency but nuisance — a small-enough amount that paying feels cheaper than disputing, which is exactly the calculation the operator's business model prices in. The fake Zoom invitation works because meeting invitations are the one email category that professionals process on autopilot, and "please update your client before joining" matches a real, familiar friction of video-conferencing.

Seasonality sharpens all three. Summer means travel (vignettes on the mind), thinner staffing (approval shortcuts, unfamiliar substitutes handling invoices), and out-of-office context that makes an unexpected meeting link or payment reminder easier to misjudge. The NCSC's mid-June warning about fake QR codes on physical collection notices belongs to the same pattern: the lures rotate with the calendar, the mechanics stay constant.

The Employee Is the Target; the SME Pays the Bill

It is tempting to file consumer-facing scams outside the corporate threat model. That is an accounting error. The same employee who receives the E-Vignette phishing on a private address reads it on a corporate device at lunch; the fake Zoom update installs its remote-access tool on whatever machine the invitation was opened on, and a personal-webmail infection on a company laptop is a corporate incident with extra steps. The subscription-invoice trap scales into finance departments directly: accounts-payable teams process high volumes of small invoices, and a CHF-double-digit line item from a plausible-sounding "Swiss" provider passes many SMEs' controls without a second look. The NCSC's standing advice — ignore, don't click, don't pay — is correct and insufficient for an organisation, because an organisation needs the advice to be enforced by process and tooling rather than by each employee's judgment on a warm Friday afternoon.

Turning Three Warnings into One Afternoon of Controls

The defensive translation is unusually direct. On the mail layer: block or quarantine the known campaign domains and their look-alikes, add detection for vignette-themed lures in German, French, and Italian (these campaigns are reliably multilingual), and flag external meeting invitations that carry links to non-standard download hosts. On the endpoint layer: software installation policy is the entire kill chain of the fake Zoom campaign — if users cannot install "updates" outside managed channels, the lure is inert; application allowlisting or, at minimum, admin-rights restriction closes it. On the finance layer: a standing rule that no new supplier gets paid without a purchase-order match or a named internal owner turns the fake-invoice model from profitable to pointless — the operator's economics depend on frictionless small payments. And on the human layer: a five-minute briefing this week beats a semi-annual awareness course in October; the message is not "be careful" but the three concrete stories, because employees who have heard the specific lure recognise it in the wild.

◆ Key Takeaway

The NCSC's July alerts describe commodity scams with Swiss-tailored lures: federal-authority phishing, autopilot meeting invitations, and nuisance-priced fake invoices. For an SME the correct response is not more vigilance appeals but three process controls — managed software installation, PO-matched supplier payments, and mail rules tuned to the campaigns the NCSC is naming — each deployable in a day.

  • Brief every employee on the three specific lures this week. Five minutes, three stories — E-Vignette billing, fake Zoom update, subscription invoice — in the languages your workforce actually reads.
  • Add mail-filter rules for the named campaigns. Block swissnovachat.ch and swissnovacare.com and typosquat variants; quarantine vignette-themed senders impersonating federal domains; flag calendar invitations linking to non-standard download hosts.
  • Enforce managed software installation. No user-initiated "client updates" outside your deployment tooling — this single control neutralises the fake-meeting campaign and most of its relatives.
  • Require PO-match or named-owner approval for all new-supplier invoices. Small-amount fraud lives on frictionless payment; one lightweight check ends it.
  • Tell staff how to report, internally and nationally. A one-click internal report address, plus the NCSC's reporting form for confirmed attempts — reported lures become mail rules for everyone else.
  • Extend the guidance to private devices and mailboxes. BYOD reality means the employee's personal inbox is part of your attack surface; share the NCSC alerts internally rather than assuming staff saw them.
  • Verify unexpected payment claims out-of-band. For anything invoking a federal service — vignette, tax, customs — the rule is: never through the email link, always through the official portal typed by hand.

Campaigns like these never make the annual threat-report headlines, and they will collectively extract more money from Swiss SMEs this quarter than most of the vulnerabilities this site covers. The asymmetry cuts both ways: the attacks are cheap, but so are the defences, and an SME that implements the process controls above is protected not just against this summer's three lures but against their autumn successors — the QR code on the parcel notice, the tax-refund SMS, whatever rotates in next. The NCSC keeps publishing the specific warnings; the organisations that convert each warning into a standing control, rather than a forwarded email, are the ones that stop appearing in its statistics.