A smishing campaign that impersonates the Tax Agency has been detected. Through an SMS, the user is asked to provide bank card information to receive a tax or income refund for 2022. However, this is a scam, and the real purpose is to steal the victims’ bank details.
If you have received an SMS with the characteristics mentioned above, but you have not clicked on the link, block it, mark it as spam and delete it from your inbox.
What to do if you have been affected
However, if you have received the malicious SMS and have provided your bank card details, the OSI (Oficina de Seguridad del Internauta) suggests you do the following:
- Notify your bank to inform them and block any movements that have been made without your authorisation.
- Change your credit card security codes and PIN immediately.
- Gather the evidence of the fraud: URL of the fraudulent page on which you left your data, bank statements and all the information that can be provided to file a complaint with the State Security Forces and Bodies (FCSE).
- Collect the evidence with the help of online witnesses and present it to the FCSE. Then request a copy of the complaint and deliver it to your bank.
- If the complaint does not help you recover the money that has been stolen, you can file a claim through the Bank of Spain.
- The OSI also recommends that you practise egosurfing to check that the private information you gave to the malicious page has not been shared. You can use advanced search tools like Google Dorks. If you find your data, request your right to be forgotten through the Spanish Agency for Data Protection.
- Over the next few weeks or months, they recommend you review the movements on your bank account and, if you detect any that you do not recognise or did not authorise, contact your bank immediately to reject them.
Still have doubts?
If you have received a notification from the Tax Agency and you still have doubts, you can visit their website to see examples of frauds that have been carried out impersonating them, and even report one if you have received it.
In addition, you can contact them directly to verify the information in the emails or SMS you have received and they will help you solve the problem through their online chat.
Never give your bank details
This smishing campaign impersonates the Tax Agency by sending an SMS. The message tells the victim that they qualify for a refund and that they must click on the link provided to process it correctly.
As mentioned above, the objective of this fraud is to steal the victim’s bank card details through a fraudulent web page that contains a form.
Furthermore, the SMS messages identified so far contain spelling and grammatical errors in their wording, which has raised suspicions about their veracity. Here are some examples of the process the scammers will attempt to take you through.
This technique is used by cybercriminals so as not to arouse suspicion and for the victim to think that they have carried out a safe procedure, when they have actually been the victim of fraud.