Topics
Services
Home > Targeted, compl ...
EN
EN DE FR IT

More targeted, more complex, more sophisticated - almost 65,000 reports to BACS in 2025

The BACS received around 65,000 reports of cyber incidents in 2025. The increase was significantly lower than in previous years. Although threatening calls in the name of the police continued to dominate, these declined in the second half of the year in particular and were partially replaced by reports of online investment fraud. Despite the smaller increase, the qualitative development is remarkable.

Editorial - January 8, 2026
Photo: Depositphotos/denisismagilov

With a total of just under 65,000 reports, the number of reports received increased slightly compared to the previous year. With a share of 26 %, ’calls in the name of fake authorities« are still the most frequently reported phenomenon. This is followed by phishing with 19 % and »advertising for online investment fraud« with 9 %.

The ratio of reports from the general public (90 %) to those from companies, associations and authorities (10 %) remains stable. Among the most frequently reported fraud offenses by companies, CEO fraud has also increased this year (2025: 970 / 2024: 719). In contrast, there was only a slight increase in reports of invoice manipulation fraud (2025: 132 / 2024: 114).

After a significant drop in reports of ransomware last year (2024: 92), the number of reports rose slightly again this year to 104, but is still below the level of 2023 (109). However, the number of cases says nothing about the extent of the damage. Attackers are increasingly focusing on lucrative targets, meaning that the damage per case is likely to increase in the future. It should also be noted that ransomware attacks are now almost always accompanied by a data outflow, which further increases the extent of the damage. Reports of DDoS attacks are on the decline. While 48 reports were received last year, there were 35 this year.

More targeted, more complex, more sophisticated

While reports of fraud fell by around 5,500 cases, reports of spam rose by around 6,500. The other categories remained virtually unchanged. The decline in fraud is almost exclusively due to fewer reports of the ’fraudulent calls in the name of authorities’ phenomenon. On the other hand, the increase in spam is mainly due to the phenomenon of «advertising for online investment fraud», while phishing reports remained stable. At first glance, the figures seem unspectacular, but the quality of the attacks is changing significantly. This is particularly evident in the phishing phenomenon. The trend is moving away from mass attacks towards individually tailored attacks. Attackers are taking their time to target individual victims. Apparently, the increasing effort is paying off.

This becomes clear in phishing attacks in connection with classified ads, which increased in the first half of 2025 in particular. Fraudsters pose as prospective buyers and pretend to go to a special page during the payment process in order to receive the money. Depending on which bank you are with, various access data for e-banking is then requested. In this case, however, the fraudsters are not directly targeting e-banking. The fraudsters are targeting the victim's TWINT account. In many cases, this is linked to the bank account. In contrast to the bank account, payments are executed immediately. The amount of the transactions is only limited by the limit set by the victim. In addition, criminals use hacked TWINT accounts to launder money and conceal the origin of the payments.

New dimension: Sophisticated phishing attacks with SMS blasters

This year, a new variant was also observed to spread phishing messages. From the summer onwards, the BACS received numerous reports of text messages with alleged parking fines in French-speaking Switzerland. The BACS was already aware of phishing attempts with alleged parking fines, albeit mostly in the form of e-mails. What was new, however, was the targeted delivery by SMS. It was particularly noticeable that the recipients had been in the same geographical areas shortly before receiving the message. This indicated that the cybercriminals were using technical tools to manipulate the sending of the text messages. As it turned out later, the attackers used so-called «SMS blasters»: mobile devices that pretend to be legitimate mobile phone stations. This allowed the attackers to send fake text messages directly to the devices in the vicinity. The victims received the message without their phone number being known to the perpetrators. The link contained in the message led to a deceptively real payment page that tapped into credit card data.

Attackers also target «inconspicuous» data

In addition to the known data leaks, the BACS observed an increase in attacks last year in which fraudsters actively collected personal information. While classic phishing is primarily aimed at taking over e-banking or email accounts, these campaigns had a different goal: to build up as complete a data profile of the victim as possible. The perpetrators created deceptively real websites in the design of trustworthy institutions such as banks, insurance companies, health insurance companies or payment service providers. Under the pretext of «verifying» or «updating» data, users were asked to disclose extensive information. The data requested went far beyond access data. In one recent case, a fake page asked for a digital signature as well as personal details in connection with an alleged refund. The profiles of victims created in this way are particularly valuable for criminal activities, as they enable identity theft, targeted social engineering attacks or the resale of data on the black market. The more complete the information is, the higher the potential profit.

Company names are being misused more and more

Not only private individuals are the target of identity theft, but increasingly also companies. The reason for this is the high level of trust in an established company name, which fraudsters misuse for their own purposes. Companies without their own website are particularly at risk, as they are hardly present on the Internet and their identity can be easily imitated. Cyber criminals take a systematic approach: They search commercial registers for such companies, register suitable domains and create deceptively genuine websites. To feign respectability, they use official details such as the address and commercial register number of the real company. On this basis, they launch a variety of scams - from fake job offers and fake online stores to professionally designed investment platforms. The misuse of a real company identity considerably reduces the skepticism of potential victims and increases the chances of success for the perpetrators without them having to build up a credible reputation themselves.

The role of artificial intelligence in cybercrime

Although artificial intelligence is playing an increasing role in cybercrime, it is not yet as dominant as one might expect. Last year, the use of AI in advertising campaigns for online investment fraud was particularly striking. For example, deceptively real interviews were generated with well-known politicians who allegedly recommended a secret method for investing money with high returns. Such deepfake content uses trust in celebrities to manipulate victims. There are now also the first cases in which compromising images have been created using AI to blackmail people. This development shows that artificial intelligence opens up new opportunities for cyber criminals to make their attacks more credible and personalized. In view of the rapid technological advances, it can be assumed that such methods will keep BACS much more busy in the coming years. However, it should not be forgotten that these possibilities can also be used to better understand complexity and reduce risks at an early stage.

Mandatory reporting of cyber attacks on critical infrastructure

Since April 1, 2025, operators of critical infrastructures have had to report cyberattacks to the BACS within 24 hours. The 221 reports received so far enable the BACS to gain an improved overview of the cyber threat situation in Switzerland and the attackers' methods. The knowledge gained supports the management of specific incidents, the assessment of the national threat situation and the early warning of potentially affected organizations. It is also particularly positive that since the reporting obligation came into force, a growing number of organizations (currently 1,660) have been actively participating in the exchange of information, which the BACS will continue to pursue in order to further strengthen Switzerland's cyber security.

Source: BACS

(Visited 54 times, 1 visits today)

More articles on the topic

The BACS and the SIA focus on cyber security at Swissbau 2026

Axis Communications: The four most important technology trends for the security sector in 2026

Warnings of serious cyber threats now also via Alertswiss

SECURITY NEWS

Stay informed about current security topics - practical and reliable. Receive exclusive content directly to your inbox. Don't miss any updates.

Register now!
register
You can unsubscribe at any time!
close-link