Phishing Targeting VZP Clients

A phishing campaign is currently spreading through the Czech Republic trying to scam money out of clients of the General Health Insurance Company.

Scammers Strike Again!

Online scammers are once again using a well-known method to steal sensitive data. They are sending fraudulent emails promising refunds or contributions. In reality, however, they aim to gain access to victims' bank accounts to steal their money. This is a well-known technique called phishing .

As highlighted  by the General Health Insurance Company (VZP), these messages seem trustworthy at first glance — with subject lines like Refund from VZP ČR, and sender names such as VZP ČR – Client Center or another official-sounding name.

The email gives the impression of direct communication from the health insurance company and urges the recipient to provide sensitive information. In reality, it is a fraudulent attempt to gain access to the bank account and steal the victim’s money.

An example of a fraudulent email is shown in the image below:

If the user is "fooled" and clicks the Confirm details button, the following screen appears:

At first glance, it looks well-designed, with no grammar mistakes or other signs that it’s a scam.

What should immediately catch the user’s attention in the top left corner is that the domain is not vzp.cz, but a domain controlled by the scammers (marked in red in the image below).

All data entered on this page is sent to the scammers, and they can misuse it instantly! For example, entering payment card details means it can be used for purchases immediately, without the victim’s knowledge.

“VZP ČR never requests updates to bank information, even in the case of insurance overpayments or underpayments. By entering your bank details, you are giving the scammer access to your account and your savings,” warns Jan Svoboda, Director of the VZP ČR Security Department.

How to protect yourself from this type of fraud?

1. Always carefully check which email address the message came from. In the case of VZP, it should always be from @vzp.cz.
2. Think twice before clicking any links in an email. It’s not always a link to the institution’s official site.
3. Never enter your personal, banking, or financial information on a website unless you are absolutely sure it belongs to the relevant bank or insurance provider.

Want more information about phishing? Read our article .

What can we do for you?

Use Safe Surfing  — an easy-to-use and lightweight VPN in our Redamp.io app, which can filter out harmful URLs.