These two screenshots show a phishing campaign impersonating the French tax authorities (impôts), offering a fake tax refund (€227.06) to trick victims into providing personal information and full credit card details.
Security Notice: This deceptive layout was logged, cross-checked, and neutralized firsthand by the Antiphishing.biz security team during our standard URL vetting operations. To protect the public, the phishing source domain has been safely deactivated within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.
Threat Analysis: French Tax Refund Phishing – Personal & Card Data Harvesting
How the scam works:
Step 1 – Fake Refund Notification (First Screenshot)
The victim receives an email or lands on a page claiming that after the latest tax credit calculations, they are eligible for a refund of €227.06. The page includes steps to follow (click the refund form link) and shows fake news items (e.g., “Avis de CFE”, “Covid-19 – attention aux arnaques par courriel”) copied from the real French tax website to appear legitimate.
Step 2 – Personal Information & Card Details Page (Second Screenshot)
The victim is taken to a page that asks for:
- Email address
- Full name
- Date of birth
- Postal code and city
- Phone number (mobile)
- Bank card details: cardholder name, card number, expiration date, CVV
A message claims this information is needed to issue the refund to the victim’s bank account. Fake security logos (MasterCard SecureCode, Verified by Visa) are added to appear trustworthy.
The goal:
The attacker collects:
- Personal identity information (name, DOB, address, email, phone) for identity theft
- Full credit/debit card details (number, expiry, CVV) to make fraudulent purchases or clone the card
No refund is ever issued – the entire offer is fabricated.
Red flags to watch for:
- Suspicious URL: The pages are hosted on a domain that is not
impots.gouv.fr(the official French tax website). - Request for card details for a refund: Legitimate tax refunds are deposited directly to the bank account the tax authorities already have on file – they never ask for your card number, expiration date, or CVV.
- Fake news section: The “L’ACTUALITÉ EN BREF” section contains old news (dates from 2020) and includes a warning about email scams – ironically placed on a scam page itself.
- Poor design / inconsistencies: The layout and language have minor inconsistencies compared to the real French tax portal.
- Unsolicited refund offer: The French tax authorities (DGFiP) do not send unsolicited emails with links to claim refunds. Any such message is a scam.
What to do if you encounter this:
- Do not enter any personal or card information.
- If you are a French taxpayer, always access your tax account by typing
impots.gouv.frdirectly into your browser. - If you have already entered card details, contact your bank immediately to block the card and dispute any unauthorized charges.
- Report the phishing page to the French tax authorities (via their official reporting form) and to the platform hosting the page.
Protective measures:
- Never click links in unsolicited messages claiming a tax refund.
- Always type the official government URL directly into your browser.
- Never provide your card CVV or expiration date to “receive” a refund – refunds do not require this information.
- Enable two‑factor authentication on your bank account and email.
- Be suspicious of any message that creates urgency (“claim your refund now”) and asks for sensitive information.