Carding preparation detected: phishing page offering a French income tax credit refund

These two screenshots show a phishing campaign impersonating the French tax authorities (impôts), offering a fake tax refund (€227.06) to trick victims into providing personal information and full credit card details.




Threat Analysis: French Tax Refund Phishing – Personal & Card Data Harvesting

How the scam works:

Step 1 – Fake Refund Notification (First Screenshot)
The victim receives an email or lands on a page claiming that after the latest tax credit calculations, they are eligible for a refund of €227.06. The page includes steps to follow (click the refund form link) and shows fake news items (e.g., “Avis de CFE”, “Covid-19 – attention aux arnaques par courriel”) copied from the real French tax website to appear legitimate.

Step 2 – Personal Information & Card Details Page (Second Screenshot)
The victim is taken to a page that asks for:

  • Email address
  • Full name
  • Date of birth
  • Postal code and city
  • Phone number (mobile)
  • Bank card details: cardholder name, card number, expiration date, CVV

A message claims this information is needed to issue the refund to the victim’s bank account. Fake security logos (MasterCard SecureCode, Verified by Visa) are added to appear trustworthy.

The goal:
The attacker collects:

  • Personal identity information (name, DOB, address, email, phone) for identity theft
  • Full credit/debit card details (number, expiry, CVV) to make fraudulent purchases or clone the card

No refund is ever issued – the entire offer is fabricated.

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not impots.gouv.fr (the official French tax website).
  • Request for card details for a refund: Legitimate tax refunds are deposited directly to the bank account the tax authorities already have on file – they never ask for your card number, expiration date, or CVV.
  • Fake news section: The “L’ACTUALITÉ EN BREF” section contains old news (dates from 2020) and includes a warning about email scams – ironically placed on a scam page itself.
  • Poor design / inconsistencies: The layout and language have minor inconsistencies compared to the real French tax portal.
  • Unsolicited refund offer: The French tax authorities (DGFiP) do not send unsolicited emails with links to claim refunds. Any such message is a scam.
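
The first red flag can be checked automatically in a mail filter or proxy rule. The following Python sketch is an added example, not part of the original analysis: it classifies a link by its real host rather than by what the text of the URL appears to say. The brand tokens and all sample URLs are constructed assumptions; only impots.gouv.fr comes from the page.

```python
import unicodedata
from urllib.parse import urlsplit

OFFICIAL = "impots.gouv.fr"         # official domain named in the red flags above
BRAND_TOKENS = ("impots", "dgfip")  # assumption: strings a lookalike tends to reuse

def _fold(text: str) -> str:
    """Lower-case and strip accents so 'impôts' compares equal to 'impots'."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify_url(url: str) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a link."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
        # hostname is already lower-cased and excludes userinfo and port
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    # Exact match or a true subdomain: the leading dot is what rejects
    # 'notimpots.gouv.fr' and 'impots.gouv.fr.something.example'.
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    # Brand strings in the userinfo, host or path of a non-official URL
    # indicate an attempt to look like the tax portal.
    haystack = _fold(" ".join([parts.username or "", host, parts.path]))
    if any(token in haystack for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"

# Constructed sample links (the .example hosts are placeholders, not real indicators)
SAMPLES = [
    "https://www.impots.gouv.fr/accueil",
    "https://impots.gouv.fr.remboursement.example/form",
    "https://impots.gouv.fr@pay.example/",
    "https://notimpots.gouv.fr/",
    "https://impôts-gouv.example/refund",
    "https://news.example/article",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_url(link):10} {link}")
```

Substring matching such as `"impots.gouv.fr" in url` would mark the second, third and fourth samples as official, which is why the comparison is made on the parsed host only.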

What to do if you encounter this:

  • Do not enter any personal or card information.
  • If you are a French taxpayer, always access your tax account by typing impots.gouv.fr directly into your browser.
  • If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
  • Report the phishing page to the French tax authorities (via their official reporting form) and to the platform hosting the page.

Protective measures:

  • Never click links in unsolicited messages claiming a tax refund.
  • Always type the official government URL directly into your browser.
  • Never provide your card CVV or expiration date to “receive” a refund – refunds do not require this information.
  • Enable two‑factor authentication on your bank account and email.
  • Be suspicious of any message that creates urgency (“claim your refund now”) and asks for sensitive information.
