Deadline as bait: a comparative analysis of tax-themed smishing campaigns targeting Spain and Portugal

This is a reserve paper. Should it not be required to replace a paper on the main programme, it will be presented in the Small Talks room on Friday 16 October.   

Natasha Márquez & Ghyorka Kpee (Group-IB)

Last March, two major Spanish government agencies, the Spanish Tax Agency (AEAT) and the Directorate General of Traffic (DGT), were simultaneously targeted by two separate phishing campaigns. Although these campaigns employed different technical methods, they had one thing in common: the fraudulent collection of personal and banking information from specific targets.

The campaign targeting the DGT relies on smishing, or SMS phishing, by posing as an official notification of an unpaid fine that must be paid immediately. This attack vector warrants special attention because, unlike email phishing, text messages are perceived as an intimate and direct form of communication, which significantly increases their success rate. The fabricated sense of urgency combined with impersonation of institutional authority constitutes a formidable social engineering tactic.

The campaign targeting the AEAT reveals a higher degree of technical sophistication. Rather than replicating the official website, attackers load content directly from the AEAT's servers and control only the data collection form. This hybrid architecture makes detection difficult for both victims and automated security systems. Two data collection objectives have been identified: one targeting identity and banking data, notably the IBAN, with the aim of direct bank fraud; and the other focused on the theft of payment card data.

These campaigns are exceptional for reasons that go beyond their technical sophistication. They are part of a broader trend also observed in Portugal, where similar campaigns impersonate the Autoridade Tributária e Aduaneira (AT). Thus, the Iberian Peninsula is at the centre of a coordinated regional attack strategy that exploits the institutional trust citizens place in their national tax authorities. These attacks are not isolated incidents; they represent a systemic problem with serious consequences for individuals who fall victim to financial fraud and for the credibility and functioning of government agencies.

This presentation offers a combined technical and behavioural analysis of these campaigns. It highlights the social engineering mechanisms exploited and the attack infrastructures identified. Additionally, it discusses the implications for the cybersecurity of public institutions within a shared Iberian context.

Key points of the presentation:

1. Smishing as an underestimated attack vector: SMS is not just an alternative to email; it's a different attack vector from a psychological standpoint. The personal nature of SMS, the lack of effective spam filters on mobile devices, and the brevity of messages drastically reduce the time victims have for critical thinking. In Spain and Portugal, the high mobile phone penetration rate makes it a particularly fertile attack vector.
2. Unprecedented technical sophistication: phishing without replication: The AEAT campaign introduces a rarely documented technique in the region: exploiting the target institution's legitimate servers to load the content of the phishing page. Only the data collection form is under the attackers' control. This method bypasses many detection solutions based on URL or page content analysis, representing a significant evolution in institutional phishing tactics.
3. Dual data collection objectives: bank fraud and card theft: The identified campaigns do not pursue a single objective. Analysis reveals two distinct monetization models: one focused on bank transfer fraud through the collection of IBANs and the other focused on reselling payment card data. This segmentation suggests the existence of multiple actors or affiliates operating under a shared infrastructure.
4. A deliberate focus on the Iberian region: Spain and Portugal were not chosen at random. Their cultural proximity, similar tax systems, and comparable institutional trust allow for the near-immediate adaptation of campaigns from one market to the other. This cross-border dimension has yet to be thoroughly examined in cybersecurity literature and calls for a coordinated response between the two countries.
5. Social engineering through authority and urgency: Both campaigns exploit identical psychological triggers: state authority and time pressure. An unpaid fine or pending tax refund, for example, trigger fear and urgency mechanisms that override rational judgment. This presentation will analyse why tax authorities are particularly effective decoys compared to other institutions.
6. Implications for public institutions and citizens: Beyond individual financial losses, these campaigns erode trust in digital government services, hinder the adoption of online tax services, and impose communication and crisis management costs on relevant government agencies. Therefore, the response cannot be purely technical; it must incorporate public awareness efforts and inter-institutional coordination.

Back to VB2026 Programme page

Back to VB2026 conference page

Register your interest for VB2026

Other VB2026 papers