Almost five-fold increase in reports of online investment ad scams
Bern, 18.11.2025 — The latest semi-annual report from the National Cyber Security Centre (NCSC) shows that the centre continued to receive large numbers of reports in the first six months of 2025. The number of reports concerning fraud – over half of the total – also remains high. There has been a marked increase in reports of online investment advertising scams. Cybercriminals often misuse celebrities as decoys to gain the trust of potential victims. The semi-annual report also focuses on various targeted phishing campaigns aimed at bank customers, the ongoing ransomware threat and hacktivism at major events such as the WEF and the Eurovision Song Contest.
The latest semi-annual report from the National Cyber Security Centre (NCSC) shows that the centre continued to receive large numbers of reports in the first six months of 2025. A total of 35,727 reports were received, 58% of which concerned attempted fraud, making this one of the most frequently reported phenomena. Around a third of these concerned fraudulent calls in the name of public authorities, a category which recorded a marked decline from 13,730 to 10,578 reports in the reporting period. By contrast, 3,485 reports were received regarding online investment advertising fraud, an almost five-fold increase over the same period last year (729 reports).
Significant increase in online investment advert scams
Fraudulent adverts touting alleged investment opportunities are currently one of the fastest growing phenomena. Well-known people such as Swiss president Karin Keller-Sutter are often used as decoys to gain the trust of potential victims. People are tricked into investing money on fraudulent platforms via fake online adverts in search engines or on social media. They are generally more inclined to trust videos featuring familiar faces than plain text ads. Deepfakes such as TV news interviews with well-known personalities are increasingly being used – also to lend credibility to these fraudulent advertisements.
Phishing: Bank customers targeted
Phishing remained a dominant issue in the first half of 2025. Cybercriminals use paid adverts in search engines to try to get their phishing pages listed above the banks’ genuine login pages in the search results. Users who do not pay careful attention run the risk of entering their login details on a fraudulent website. In two-step phishing, victims are first asked to enter innocuous information, such as their telephone number, on a website purporting to be from a bank. The fraudsters then contact potential victims by telephone to tell them that there has been fraudulent activity on their account, thereby tricking them into disclosing their login details.
Ransomware and data extortion
Ransomware and the frequently associated threat to publish stolen data on the darknet remain a major challenge. Compared to 44 reports in the same period of the previous year, the NCSC received 57 reports in the first half of 2025, mainly from organisations and companies. In recent months, for example, the ransomware group Akira has intensified its attacks. Since April 2024, the Office of the Attorney General of Switzerland has been conducting criminal proceedings against persons unknown for several ransomware attacks on Swiss companies carried out between May 2023 and September 2025.
Hacktivism: DDoS attacks as an established tool
In collaboration with numerous other partners, during the first six months of 2025 the NCSC was responsible for cybersecurity at a number of major events: the World Economic Forum (WEF) in Davos, the Eurovision Song Contest (ESC) in Basel and the European Women's Football Championship, which was held across several Swiss cities. Hacktivists use such major events for their own purposes, to try to gain attention for their cause and unsettle the general public. Thanks to targeted prevention and cyberdefence measures, all DDoS attacks were successfully fended off.
Reporting obligation for critical infrastructures
During the reporting period, an obligation to report cyberattacks on critical infrastructures was introduced. This has been binding in Switzerland since 1 April 2025. The progress to date shows that the relationship of trust that already existed between the NCSC and operators of critical infrastructures prior to the introduction of the reporting obligation has contributed significantly to the successful launch of this requirement. Thanks to the 180 reports received since 1 April 2025, the NCSC can form a better picture of the national threat situation and can warn affected organisations at an early stage. The improved exchange of information increases Switzerland's resilience to cyberthreats long term. The threat situation remains tense, but close cooperation between the state, the business community and the public is continuously strengthening cybersecurity in this country. The NCSC pursues this path with a consistent approach.