A May 2025 phishing campaign targeting Portuguese government and financial sectors uses the “ClickFix” method to trick users into executing malicious PowerShell commands. Posing as official tax authority (AT) alerts via WeTransfer, this attack distributes Lampion malware designed to steal data. To avoid this scam, verify that official communications use the gov.pt domain and manually enter website addresses rather than clicking links in emails.

Portuguese Government “Tax Refund / Social Security” Fraud
Target: Citizens and Residents of Portugal
Threat Level: High (Financial & Identity Theft)
Phishing Method Description
This attack uses a “Government Grant / Refund” pretext. Victims receive an SMS (smishing) or email claiming they are entitled to a “Reembolso” (Refund) from the Tax Authority (Autoridade Tributária) or a social subsidy from Segurança Social.
The link leads to a high-fidelity clone of the official Portuguese government portal (e-fatura or Portal das Finanças). To “receive the payment,” the victim is led through a series of forms designed to harvest:
NIF (Tax Identification Number)
Access Credentials (Password for the government portal)
Credit/Debit Card Details (Number, Expiration Date, and CVV)
Mobile Phone Number (for intercepting 3D-Secure codes in real-time)
⚠️ Red Flags to Watch For
The URL Trap: Official Portuguese government sites always end in .gov.pt. Phishing sites use deceptive addresses like reembolso-financas.com, seguranca-social-directa.net, or portal-financas-gov.org, or are hosted on free hosting platforms.
Requesting Card Details for a Refund: Government agencies already have your IBAN for tax refunds. They will never ask you to enter your credit card’s CVV or expiration date to “send” you money.
Urgent Deadlines: Phrases like “Último aviso” (Last warning) or “Expira em 24 horas” (Expires in 24 hours) are used to create artificial panic.
🛡️ How to Protect Yourself
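The .gov.pt Rule: Always check the address bar. If the domain (the part of the address before the first “/”) does not end in .gov.pt, close the page immediately. A “gov.pt” that appears only at the start of the domain or later in the address does not count.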
Access via Official Portals: If you are expecting a refund, log in directly to the official Portal das Finanças (portaldasfinancas.gov.pt) or Segurança Social Direta by typing the address manually.
Use Chave Móvel Digital: Whenever possible, use the official Chave Móvel Digital for secure authentication. Scammers find it much harder to bypass this multi-factor system.
Verify SMS Senders: Official government alerts do not come from standard 9-digit mobile numbers. If the sender is an unknown mobile number, it is a scam.
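The .gov.pt rule above, written as a link check that a mail or SMS filter could apply. This is an added example, not code from the original advisory: the function names and the sample message are constructed for illustration, and accepting only http/https links with plain ASCII hostnames is an assumption of the example.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
HOST_RE = re.compile(r"[a-z0-9.-]+")  # assumption: plain ASCII hostnames only

# Constructed sample message; the lookalike domains are the ones named above.
SAMPLE_SMS = (
    "AT: Tem direito a um reembolso. Ultimo aviso, expira em 24 horas: "
    "https://portaldasfinancas.gov.pt.reembolso-financas.com/login "
    "ou https://portaldasfinancas.gov.pt@portal-financas-gov.org/ "
    "Portal oficial: https://www.portaldasfinancas.gov.pt/"
)

def check_link(url: str) -> str:
    """Return 'official', 'lookalike' or 'other' for one URL."""
    # 'lookalike' = gov.pt is mentioned, but the host is not under gov.pt.
    verdict = "lookalike" if "gov.pt" in url.lower() else "other"
    if "\\" in url:          # browsers read '\' as '/', urlsplit does not
        return verdict
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # drops userinfo and port
    except ValueError:       # malformed authority, e.g. unbalanced brackets
        return verdict
    if parts.scheme not in ("http", "https") or not HOST_RE.fullmatch(host):
        return verdict
    # The rule from the text: the hostname itself must end in .gov.pt.
    if host == "gov.pt" or host.endswith(".gov.pt"):
        return "official"
    return verdict

def flag_links(message: str) -> dict:
    """Map every non-official URL found in a message to its verdict."""
    found = (u.rstrip(".,;)") for u in URL_RE.findall(message))
    return {u: v for u in found if (v := check_link(u)) != "official"}

if __name__ == "__main__":
    for link, verdict in flag_links(SAMPLE_SMS).items():
        print(f"{verdict:9} {link}")
```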
💡 Expert Security Tip:
This is a Refund-to-Skimming attack. Government agencies pay out refunds via Bank Transfer (IBAN), not by “crediting” your debit card like a merchant refund. If a government site asks for your CVV code, it is 100% a phishing trap designed to empty your account.
