A threat that is becoming increasingly tangible. In recent months, there has been a worrying increase in digital scams related to the Spid digital identity, with serious repercussions especially for Public Administration employees. In many cases, victims have seen their entire salary stolen, credited to bank accounts in the name of the scammers.
How the Spid scam works
The scam exploits a peculiarity of the Spid system, which allows the creation of multiple valid digital identities for the same person. This is how criminals, in possession of personal data and copies of identity documents (often obtained through phishing or purchased on the dark web), manage to activate a second Spid in the victim's name.
With these “parallel” credentials, hackers can access crucial portals such as NoiPA, Inps, or the Revenue Agency. Once inside, they change the registered IBAN, diverting salaries, pensions, or tax refunds to their own bank accounts.
Who is most at risk
The main targets of this scam are public sector workers, such as teachers, healthcare workers, and public administration employees, who regularly use the NoiPA portal to manage their salaries. In many cases, victims only discover what happened when the monthly payment does not arrive.
Complicating matters is the fact that the second Spid—although fraudulently created—is technically valid. The system, therefore, does not detect anomalies and recognizes the access as legitimate, making it difficult to immediately contest the illegal action. Recovering the amounts takes time, reports, complaints, and often long waits.
How to protect yourself
While waiting for technical countermeasures, defense comes through prevention. First of all, it is always good to frequently check that the IBAN registered on portals such as NoiPA, Inps, and the Revenue Agency is correct. Where possible, always enable two-factor authentication, preferably through dedicated apps. It is also advisable to avoid clicking on links received via SMS, email, and social media, especially if you do not know the sender. It should also be noted that public administrations do not request authorizations or data in this way.
Finally, you can contact your SPid provider and ask if there are other identities open in your name. Lastly, it is always better not to upload our documents to digital devices and unsecured servers. As we have seen, it is precisely the use of these materials that triggers the scam.