Fake SMS from the Treasury and it steals you card PIN

SMS scams are becoming more and more frequent. Cybercriminals pose as many companies and organizations to impersonate your identity, in what is known as smishing (the SMS variant of phishing).

To try to give more credibility to these false messages, scammers use courier companies or Post Office, as well as agencies such as the Treasury, trying to increase the number of people they can bite. If you do, you may end up losing your card PIN and exposing yourself to theft.

Fake SMS from the Treasury

New scam pretending to be the Treasury

Avast , one of the leading digital security and privacy firms, warns today about the discovery of a new smishing campaign in which the Treasury is impersonated. Cybercriminals pose as the Tax Agency by sending text messages reporting incidents in our accounts with the agency.

Smishing Agencia Tributaria

In this case, to try to make greed play against the victims, there is talk of a benefit for the taxpayer in the form of a false tax refund . The ultimate goal, as you can imagine, is to steal the victim’s bank details.

“Tax Agency: I qualify you for a tax refund, to benefit, complete the form on the [web] site”

They supplant the website of the Tax Agency

If we follow the link that comes to us by SMS, we will find a website that simulates the aesthetics of the real website of the Tax Agency, although it will suffice to take a look at the URL to verify that it is not the official one nor does it look like it.

Estafa Agencia Tributaria

The victim of the attack will have to fill out a form to proceed with the refund with their credit card details, including the CCV and the PIN code, data that would never be required for a refund. When the income statement includes a refund, it is processed through the bank account with information that the Tax Agency already has about the taxpayers.

Finally, the entry of a code is requested that will supposedly be received through an SMS (which the victim never receives), or by opening the bank’s application, from the phone itself, where it is assumed that a refund notification will be received.

“Users in doubt as to whether a received message is real or fake should not click on any links or attachments. Instead, they should contact their bank or the company the message appears to be coming from directly by visiting their website and using the contact information on their website. In addition, it advises that details can be observed that show that it is a scam. In this specific case, although it tries to imitate the real website of the entity, it lacks functionality, since, for example, it does not change the language when selecting the option, even though they appear displayed, “ recommends Luis Corrons, Security Evangelist of avast.

From INCIBE they give us a series of recommendations to avoid falling into the trap of cybercriminals:

  • Do not access messages from unknown users or that you have not requested, delete them directly.
  • Do not reply to these SMS at any time.
  • Be careful clicking on links , even from known contacts.
  • If the SMS has a link and it redirects you to download an app, do not download it in any case. Apps sent via SMS link are usually infected by any malware.
  • If you have any doubts, consult directly with the entity involved through its official channels.


If, unfortunately, you have already fallen for a scam of this type , the steps to follow should be the following, also according to the National Institute of Cybersecurity:

  • Contact your bank immediately to report what has happened and cancel any transactions that may have been made.
  • If you have also provided personal data, such as your phone number or email, remain vigilant and check that you are not subject to another type of fraud by these means or that they do not impersonate you.
  • You can also report this situation to the State Security Forces and Bodies (FCSE).