Press Room
Prosegur Cybersecurity identifies increase in digital fraud linked to annual tax filing, warns of increasingly sophisticated attacks
With the end of the financial year, phishing and smishing attacks are being carried out by criminals impersonating tax authorities to steal personal data, bank details and credentials.
Madrid, 14 April 2026. – As the end of the financial year approaches, taxpayers filing their annual return are increasingly the target of digital criminal activity. The Spanish Tax Agency says nearly 25 million people will file their returns in Spain this year, making this period one of the busiest times for online fraud.
Prosegur Cybersecurity, the Prosegur Group's specialized cybersecurity unit, has identified a significant increase in phishing and smishing campaigns that purporting to come from the State Tax Administration Agency (AEAT) with the aim of obtaining personal data, access credentials or banking information. The company warns that cybercriminals are deploying more advanced and segmented techniques, taking advantage of the urgency and complexity of the tax process to maximize its impact.
Greater sophistication and automation
Prosegur Cybersecurity analysts have observed a common pattern during these past weeks:
Fake Tax Agency emails and SMS replicating the administrative language and page design of AEAT. The messages usually refer to pending returns, incidents in the processing or requests for additional documentation.
Links to highly realistic fraudulent pages designed to mimic the official website. On these sites, the user is asked to enter credentials such as the digital certificate, the electronic ID card or the Cl@ve system.
Malware through attachments that are presented as tax documentation. These files may contain banking Trojan horses or remote access tools capable of capturing sensitive information or taking control of the device.
Automated and segmented campaigns, powered by AI and mass mailing systems, which allow messages to be adapted to different taxpayer profiles and increase the success rate.
Exploitation of the fiscal context through messages that appeal to urgency – blockages in processing, imminent deadlines – or to economic incentives such as immediate refunds.
Main security measures
Prosegur Cybersecurity highlights the need for extreme caution during the annual income tax return period and to adopt basic digital security practices to reduce the risk of exposure. For example, it advises manually accessing the Tax Agency's website by entering the address in the browser and verifying that the connection is secure, as well as protecting digital credentials by avoiding sharing verification codes or storing passwords in unprotected environments.
It also stresses the importance of filing tax returns from up-to-date devices and trusted networks, as well as not opening unverified attachments, especially if they have unusual extensions or executables that could contain malicious software.
Prosegur Cybersecurity notes that the two-month annual tax return period is characterized by fraudulent activity and that vigilance is the first line of defense against cyberattacks. Early detection of anomalous behavior in accounts or devices, together with a more established cybersecurity culture among taxpayers, is essential to minimize the impact of these threats. Maintaining a critical attitude in the face of any unexpected communication and acting quickly in response to warning signs are, according to the company, key elements to avoid incidents and protect personal information.