Fake “Refund of your personal income tax” (Erstattung Ihrer persönlichen Einkommensteuer) bank phishing revealed

A phishing campaign impersonating German tax authorities (Finanzamt/ELSTER) is targeting taxpayers with fraudulent “Erstattung Ihrer persönlichen Einkommensteuer” (Income Tax Refund) emails and SMS, directing them to a fake portal designed to steal banking credentials (PINs/TANs). The attack uses a “Multi-Bank” approach, presenting a list of major German banks to intercept credentials in real-time, often using lookalike URLs.

Target: Taxpayers in Germany
Threat Level: Critical (Tax Fraud & Multi-Bank Phishing)

Phishing Method Description
This attack uses Government Impersonation to exploit the annual tax return season. Victims receive a professional-looking email with the subject “Erstattung Ihrer persönlichen Einkommensteuer” (Refund of your personal income tax), claiming that a significant tax overpayment is waiting to be claimed.
The link leads to a sophisticated “Gateway” Page. Instead of mimicking just one bank, this phishing kit shows a list of major German financial institutions (Sparkasse, Deutsche Bank, Postbank, Volksbanken Raiffeisenbanken, etc.). Once the victim selects their bank, they are redirected to a pixel-perfect clone of that specific bank’s login portal.
The site is designed to harvest:
Full Personal Identity (Name, Address, Tax ID)
Online Banking Credentials (PIN, Customer ID)
PhotoTAN / PushTAN / SMS OTP: The fake site intercepts the authorization code in real-time, allowing the attacker to empty the account or authorize fraudulent transfers under the guise of “confirming the refund.”

⚠️ Red Flags to Watch For
The Lookalike Gateway URL: Official tax refunds in Germany are handled via ELSTER (elster.de) or by post. The phishing site will use deceptive domains like finanzamt-erstattung.online, steuer-deutschland.net, or bundesfinanzministerium.com.
Method of Delivery: The German Tax Office (Finanzamt) never sends notifications about tax refunds via email or SMS containing clickable links for bank details. Official communication is always sent via the secure ELSTER inbox or by physical mail.
Bank Selection Menu: A real government site will never ask you to click on your bank’s logo to log in and “receive” money. Refunds are automatically sent to the IBAN already on file with the tax office.
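One way to turn these red flags into a mail-filter rule, as an added example that is not part of the original post: a Python check that flags the campaign's subject line and any link whose host carries a tax-office keyword but is not elster.de or a true subdomain of it (so a host such as elster.de.steuer-deutschland.net is still caught). The elster.de allow-list, the keyword list and the sample messages are assumptions constructed for the example; extend the allow-list with your organisation's known-good domains before use.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list: the post names elster.de as the official refund channel.
LEGIT_DOMAINS = {"elster.de"}
# Subject line used by the campaign, compared case-insensitively.
LURE_SUBJECT = "erstattung ihrer persönlichen einkommensteuer"
# Keywords that appear in the lookalike domains quoted in the post.
LURE_TOKENS = ("finanzamt", "steuer", "elster", "bundesfinanz")

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


def is_legit_host(host: str) -> bool:
    """True only for an allowed domain or a subdomain separated by a dot,
    so 'elster.de.example.com' does not pass as 'elster.de'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def lookalike_hosts(text: str) -> list[str]:
    """Hosts of all links that use a tax keyword but are not allow-listed."""
    found = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(tok in host for tok in LURE_TOKENS) and not is_legit_host(host):
            found.append(host)
    return found


def score_message(subject: str, body: str) -> dict:
    """Return the triggered indicators; 'verdict' is True when the subject
    matches the lure or the body links to a lookalike host."""
    hosts = lookalike_hosts(body)
    subject_hit = LURE_SUBJECT in subject.lower()
    return {"subject_match": subject_hit, "lookalike_hosts": hosts,
            "verdict": subject_hit or bool(hosts)}


# Constructed sample messages (not real captures).
SAMPLES = [
    ("Erstattung Ihrer persönlichen Einkommensteuer",
     "Ihre Rückzahlung wartet: https://finanzamt-erstattung.online/login"),
    ("Ihr Steuerbescheid", "Bitte prüfen Sie Ihr Postfach: https://www.elster.de/"),
    ("Konto bestätigen", "Bank wählen: http://elster.de.steuer-deutschland.net/bank"),
]

if __name__ == "__main__":
    for subj, body in SAMPLES:
        print(subj, "->", score_message(subj, body))
```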

🛡️ How to Protect Yourself
The ELSTER Rule: If you are expecting a refund, log in directly to your official ELSTER account at www.elster.de. If there is a notification, it will be there.
Don’t Click, Just Wait: Official tax assessments (Steuerbescheid) always arrive by post. If you haven’t received a letter, the email is 100% a scam.
Never Log In via Links: If an email asks you to log into your bank to “verify a deposit,” it is a trap. Banks do not require you to log in to receive an incoming wire transfer.
Report the Scam: Forward suspicious tax-related emails to the official Federal Central Tax Office or use the 7726 short code for SMS reporting.

💡 Expert Security Tip:
This is a Multi-Bank Phishing Kit. By offering a choice of banks, scammers cast a wide net to catch any victim regardless of where they hold an account. Remember: The Tax Office already has your bank details. They will never ask you to “log in and choose your bank” to send you money.