New Smishing campaign pretends to offer tax refund

A new smishing campaign (a fraudulent attempt to obtain personal information through SMS text messaging) has been detected impersonating La Moncloa, the Spanish government, and various banking entities through fraudulent websites. The SMS contains a fraudulent link that supposedly lets the recipient claim the annual tax refund for 2022-2023 on a purported government page.

Once the link is accessed, several banking entities are offered (Bankia, CaixaBank, BBVA and Santander), from which you can choose where to receive the alleged payment, but which in reality only serve to steal your access credentials for that entity.

If you have received the text message but have not tried to log in with your bank, simply delete the SMS from your phone.

If you have accessed the SMS link, clicked on any of the links to the banking entities and provided your access credentials, apply the following guidelines:

Contact your bank and report the incident so that the necessary security measures are taken.

Change the credentials you used to log in at the attached link. If you use the same ones for several accounts, change them on all of them, and remember to use a unique, strong password for each account.

Regularly review the movements and transactions made from the affected accounts to spot possible unauthorised charges.

You can file a complaint with the State Security Forces and Corps. To do so, collect evidence of the fraud using online witnesses, which let you certify the evidence you have obtained.

This fraud uses the social engineering technique known as smishing. The victim receives an SMS on their mobile phone, intended to make them click on the link that accompanies the message, which redirects to a web page that impersonates that of La Moncloa. That page in turn redirects to various malicious banking web pages in order to steal the access credentials of the victims’ accounts.

In the SMS message, the victim is told that if they have not yet received the annual tax refund for 2022-2023, they should claim their refund of 431.78 euros through the link provided.

The SMS detected is generally well worded, although it contains some spelling mistakes. It should be noted that it is sent from a private telephone number, without official identification.

If a user clicks on the link, they will be directed to a malicious page with a design very similar to the legitimate one, although they will only be able to interact with the pop-up window.

The false Moncloa website is shown, with a message where you accept Terms and Conditions to proceed to access the bank to request the refund.

The pop-up window alerts the victim that two emails of this notification have already been sent, but no response has been received, and therefore they are asked to complete the refund procedure immediately. If this process is not carried out, the refund will expire.

The message refers to a “reimbursement package”, with an amount one cent higher than the one mentioned in the SMS.

An option to “Accept the Moncloa Terms and Conditions” is also displayed, but there is no link to read or expand on these terms and conditions.

Once the Terms and Conditions are accepted, a message is displayed to proceed to the bank to request the refund, offering the banking options of Bankia, CaixaBank, BBVA and Santander.

The URLs reached by clicking on the images of the banking entities differ little from the link on the main website. They are all on the same domain, an indication that they are not the official links of the banks.
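The same-domain indicator described above can be checked mechanically when triaging a reported link. The following Python is an added example, not part of the original advisory; the allowlist of official domains, the `.example` hostnames and the sample links are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

# Assumed allowlist (not from the advisory): one official domain per brand.
# Reserved .example names are placeholders; replace with verified domains.
OFFICIAL_DOMAINS = {
    "Bankia": "bankia-official.example",
    "CaixaBank": "caixabank-official.example",
    "BBVA": "bbva-official.example",
    "Santander": "santander-official.example",
}

def host_of(url):
    """Lower-cased hostname without a trailing dot ('' if there is none)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def on_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def triage(landing_url, bank_links):
    """bank_links: (brand, href) pairs taken from the page's bank buttons.
    Relative hrefs are resolved against the landing page first."""
    landing_host = host_of(landing_url)
    findings = []
    for brand, href in bank_links:
        host = host_of(urljoin(landing_url, href))
        official = OFFICIAL_DOMAINS.get(brand)
        findings.append({
            "brand": brand,
            "host": host,
            "same_host_as_landing": host == landing_host,
            "official": bool(official) and on_domain(host, official),
        })
    return findings

def verdict(findings):
    """'suspicious' when several bank brands sit on one non-official host."""
    bad = [f for f in findings if not f["official"]]
    if not bad:
        return "ok"
    brands = {f["brand"] for f in bad}
    hosts = {f["host"] for f in bad}
    return "suspicious" if len(brands) > 1 and len(hosts) == 1 else "review"

# Constructed sample mirroring the page layout described in the advisory.
SAMPLE_LANDING = "https://refund-lure.example/index.php"
SAMPLE_LINKS = [("Bankia", "bankia/login.php"), ("CaixaBank", "/caixa/login.php"),
                ("BBVA", "https://refund-lure.example/bbva/"),
                ("Santander", "https://REFUND-LURE.example./san/")]
```
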

The web pages that impersonate the banks show a login window, which requests the account credentials and then remains in a loading process that never ends and never reaches any banking portal.

On these bank login pages, it can be seen that the format does not correspond to that of the current official websites. In addition, the text is sometimes poorly written.

If the bank credentials are entered, the websites will show a waiting message simulating that they are accessing the site, but it will never load.

Once you enter the credentials, the cybercriminals will already have your access data in their possession.

Although this is a smishing campaign, it cannot be ruled out that this type of fraud is also being spread by other means such as email.

This increase in tax-related fraudulent messaging coincides with the annual taxation period.