Be vigilant against online fraud.

Unfortunately, the SBB brand is regularly misused by scammers who send phishing e-mails. Report any fraudulent messages and always be wary if you receive any unexpected messages.

Online phishing attacks aim to obtain your login details (e.g. passwords) or personal customer data (e.g. credit card information) by using fake websites or e-mails. Scammers are often so creative that these phishing e-mails aren’t always recognisable at first glance. We do everything we can to protect your customer data from being misused. For example, we closely monitor phishing campaigns and share information with the National Cyber Security Centre (NCSC). This ensures that fake websites can be shut down as quickly as possible.  

We advise all SBB customers to activate two-factor authentication as an additional security level when making purchases in their customer account. A code is then sent to you via SMS each time you log in. This provides better protection against third-party access. Only use secure passwords which meet the minimum security requirements.

Only download SBB smartphone apps via the App Store (for Apple devices) or the Google Play Store (for Android devices).

N.B.: Whether by telephone, e-mail or SMS, SBB will never ask you to reveal your personal or confidential information, such as your SwissPass e-mail address, password or credit card details. It will not ask you to install any software on your PC or smartphone or to open file attachments either.

Be wary of adverts on social media.

Fake adverts and posts using SBB’s name also regularly appear on Facebook, Instagram and other social media platforms. Scammers often advertise SBB travelpasses at ridiculously low prices or promise vouchers as rewards for entering competitions. Their aim is to obtain personal information, such as login or credit card details, or to infect your PC or smartphone with malware via a link or file attachment.

Double-check sender of e-mail correspondence.

E-mails from the following sender addresses are legitimate and never constitute phishing:


Advice for when you receive a suspicious message.

Be wary of any unsolicited or unexpected e-mails you may receive. Compare the displayed name with the sender address, because these details often don’t match up if the e-mail is fraudulent.

  • Never click on attachments or links in suspicious e-mails.
  • Do not scan QR codes in suspicious messages. They can lead you to a fake website.
  • Never share personal, login or credit card details in response to this kind of e-mail. SBB never requests your security details, such as your password, whether by e-mail, SMS or telephone.
  • Phishing e-mails often give recipients the impression that urgent action is needed. This makes people respond to the message without thinking, instead of carefully scrutinising the e-mail’s content. If you have any suspicions, you can contact the SBB Contact Center at any time on 0848 44 66 88 (CHF 0.08/min.). SBB staff will be happy to help you if you are not sure what to do.
  • Report suspicious e-mails to the National Cyber Security Centre via the website so that fraudulent websites or offers can quickly be blocked.  

What if something has happened?

Did you trust that a link was safe, click on it and enter your login e-mail and password, and are you now wondering whether you have fallen victim to a phishing e-mail? If in doubt, reset your password in the customer account at (on the login screen by clicking on ‘Forgotten your password?’) or contact the SBB Contact Center immediately (0848 44 66 88, CHF 0.08/min.). We will be happy to help you to quickly restore the security of your customer account and your data.

If you use your SwissPass e-mail address and password for other services too, we recommend resetting your password for them as well. If you have disclosed your credit card information in addition to your SwissPass details, you should immediately contact your bank too.

Examples of malware and phishing e-mails.

  • Example of a malware/phishing e-mail.
  • Another example of a malware/phishing e-mail.
  • The attachment contains a fake invoice.
  • Example of a fake social media post.