Spotting the Tax Refund Phishing Scams Targeting Your Team
Why should your security team worry about tax season?
Phishing attempts targeting the Direction Générale des Finances Publiques (DGFiP) are not just a nuisance for individuals. For a startup or a growing business, these emails represent a significant entry point for credential theft and financial fraud. Attackers know that tax deadlines create a sense of urgency, making even technical employees more likely to click on a malicious link without thinking twice.
The current campaign uses a classic hook: a supposed tax refund or a notification of an unpaid balance. These emails often mirror the exact visual identity of official government communications, using authentic logos and formal language to bypass your initial skepticism. If a member of your team enters their credentials into one of these spoofed portals, you aren't just losing their personal data; you are potentially exposing any shared accounts or corporate payment methods linked to their identity.
How do you identify a fake Treasury email?
- Check the sender's actual address: Scammers often use display names like 'Trésor Public' or 'Impôts Gouv,' but the underlying email address usually comes from a compromised private domain or a generic service.
- Analyze the link destination: Hover over any button or link before clicking. Official French government sites always end in .gouv.fr. If you see a .com, .net, or a shortened URL, it is a fraud attempt.
- Look for the refund hook: The DGFiP never asks for credit card details via email to issue a refund. Refunds are handled through the secure portal you access with your fiscal identifier.
- Urgent or threatening tone: Phrases demanding immediate action to avoid a fine are red flags designed to bypass your logical reasoning.
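The four checks above can be turned into a small triage script that a security team runs over a reported message before deciding whether to block the sender and its links. This is an added example, not code from the article: it uses only the Python standard library, the government display names beyond 'Trésor Public' and 'Impôts Gouv' and the urgency and card-request wording are assumed variants, the shortener list is a constructed, non-exhaustive one, and the two sample messages are constructed with reserved example domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# The only suffix an official French government site uses (from the article).
OFFICIAL_SUFFIX = "gouv.fr"
# Display names the campaign imitates; 'Trésor Public' and 'Impôts Gouv' are
# from the article, the rest are assumed variants (accented and not).
GOVERNMENT_NAMES = ("trésor public", "tresor public", "impôts", "impots",
                    "dgfip", "finances publiques")
# Constructed, non-exhaustive list of URL-shortener hosts (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
# Wording of the 'pay now or be fined' hook and of the card-detail request (assumed).
URGENCY = ("immédiat", "immediat", "sous 24", "sous 48", "amende",
           "pénalité", "penalite", "urgent", "dernier rappel")
CARD_REQUEST = ("carte bancaire", "numéro de carte", "numero de carte",
                "cvv", "credit card", "card number")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def is_official_host(host):
    """True only for gouv.fr itself or a genuine subdomain of it.
    'impots.gouv.fr.example.net' and 'impots-gouv.fr' both return False."""
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX)


def _body_text(msg):
    """Concatenate the text parts of a parsed message as one str."""
    chunks = []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_maintype() != "text":
            continue
        cte = part.get("Content-Transfer-Encoding", "").lower()
        if cte in ("base64", "quoted-printable"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
        else:
            chunks.append(part.get_payload())  # already a str for unencoded text
    return "\n".join(chunks)


def triage_email(raw_message):
    """Run the four checks from the list above over an RFC 822 message (str).
    Returns the red flags found; an empty list means no check fired."""
    msg = message_from_string(raw_message)
    flags = []

    # 1. Display name says 'tax office', but the real address lives elsewhere.
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if any(n in display.lower() for n in GOVERNMENT_NAMES) and not is_official_host(domain):
        flags.append(f"sender spoof: '{display}' but address is {addr}")

    text = _body_text(msg)
    # 2. Every link must land on *.gouv.fr and never on a shortener.
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if host in SHORTENERS:
            flags.append(f"shortened link: {url}")
        elif not is_official_host(host):
            flags.append(f"non-gouv.fr link: {url}")

    lowered = text.lower()
    # 3. Refund hook: the DGFiP never asks for card details by email.
    if any(p in lowered for p in CARD_REQUEST):
        flags.append("asks for card details")
    # 4. Urgent or threatening tone.
    if any(p in lowered for p in URGENCY):
        flags.append("urgent or threatening tone")
    return flags


# Constructed sample messages (not real mail); addresses use reserved example domains.
SAMPLE_PHISH = """\
From: "Impots Gouv" <notification@refund-service.example.net>
To: dev@startup.example
Subject: Remboursement en attente
Content-Type: text/plain; charset="utf-8"

Un remboursement de 348,20 EUR est en attente. Confirmez votre carte bancaire
sous 48h pour eviter une penalite : https://impots-gouv.fr.example.net/refund
Lien court : https://bit.ly/abc123
"""

SAMPLE_LEGIT = """\
From: "Direction Generale des Finances Publiques" <ne-pas-repondre@dgfip.finances.gouv.fr>
To: dev@startup.example
Subject: Nouveau document disponible
Content-Type: text/plain; charset="utf-8"

Un nouveau document est disponible dans votre espace :
https://www.impots.gouv.fr/
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage_email(sample) or ["no red flags"])
```

The host check deliberately tests the suffix after a dot rather than using a substring match, so a link such as `impots.gouv.fr.example.net` is still flagged; the legitimate sample address under gouv.fr is constructed for the example and not a statement about the DGFiP's real mail domain.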
What technical safeguards can you implement?
Relying on employee vigilance is a losing strategy. You need to harden your infrastructure to catch these threats before they reach the inbox. Start by ensuring your mail server strictly enforces SPF, DKIM, and DMARC policies. This helps filter out spoofed domains that haven't been properly authenticated.
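"Strictly enforcing" SPF, DKIM and DMARC has two halves: the DMARC record your own domain publishes, which decides what other receivers do with mail that fakes your brand, and what your own mail server does with the verdict it stamps into the Authentication-Results header of inbound mail. The following added example (not from the article, and not any mail server's real code) shows both: an audit of a published DMARC record that lists everything keeping it from blocking spoofed mail, with a weak record beside a strict one, and a verdict function that applies the sender domain's policy to the SPF/DKIM/DMARC results. The records, hostnames and headers are constructed placeholders; a real MTA would fetch the sender's record from DNS instead of taking it as a parameter.

```python
import re

# Constructed DMARC TXT records as a company might publish them for its own
# domain (startup.example is a placeholder, not a real deployment).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@startup.example"
STRICT_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@startup.example")


def parse_dmarc(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict (tags lower-cased)."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """List what keeps a DMARC record from actually blocking spoofed mail.
    An empty list means receivers are told to reject unauthenticated mail
    for the domain and all of its subdomains."""
    t = parse_dmarc(record)
    issues = []
    if t.get("v", "").upper() != "DMARC1":
        issues.append("missing or wrong version tag (must be v=DMARC1)")
    policy = t.get("p", "").lower()
    if policy != "reject":
        issues.append(f"p={policy or 'absent'}: spoofed mail is reported but not rejected")
    if t.get("sp", policy).lower() != "reject":   # sp defaults to p
        issues.append("subdomain policy (sp) is weaker than reject")
    if int(t.get("pct", "100")) < 100:
        issues.append(f"pct={t['pct']}: policy applied to only part of the mail stream")
    if t.get("adkim", "r").lower() != "s" or t.get("aspf", "r").lower() != "s":
        issues.append("relaxed alignment (adkim/aspf=r): any subdomain of the organisational domain aligns")
    if "rua" not in t:
        issues.append("no rua= address: aggregate reports about spoofing never reach you")
    return issues


# One result per mechanism inside an Authentication-Results header value.
AUTH_RESULT = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b",
    re.IGNORECASE)


def inbound_verdict(auth_results, sender_record):
    """Decide what the mail server does with one inbound message.
    auth_results: the Authentication-Results header value the MTA stamped on it;
    sender_record: the DMARC record of the domain in the From: header."""
    results = {m.group(1).lower(): m.group(2).lower()
               for m in AUTH_RESULT.finditer(auth_results)}
    policy = parse_dmarc(sender_record).get("p", "none").lower()
    if results.get("dmarc") == "pass":
        return "deliver"
    if results.get("dmarc") == "fail":
        # Honour what the spoofed domain asked for. With p=none the fake
        # 'tax office' mail still reaches the inbox, which is the whole problem.
        return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    # No DMARC evaluation at all: this example's own choice is to hold mail
    # that passed neither SPF nor DKIM rather than deliver it.
    if results.get("spf") == "pass" or results.get("dkim") == "pass":
        return "deliver"
    return "quarantine"


# Constructed header values as an MTA would add them (hosts are placeholders).
SPOOF_HEADER = ("mx.startup.example; spf=fail smtp.mailfrom=tax-office.example.org; "
                "dkim=none; dmarc=fail header.from=tax-office.example.org")
GOOD_HEADER = ("mx.startup.example; spf=pass smtp.mailfrom=partner.example; "
               "dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example")

if __name__ == "__main__":
    print("weak record:", audit_dmarc(WEAK_RECORD))
    print("strict record:", audit_dmarc(STRICT_RECORD) or "no issues")
    print("spoof under weak policy:", inbound_verdict(SPOOF_HEADER, WEAK_RECORD))
    print("spoof under strict policy:", inbound_verdict(SPOOF_HEADER, STRICT_RECORD))
```

Running `audit_dmarc` against your own record before tax season is the cheap check: a `p=none` record only generates reports, so a message faking your domain to a supplier is still delivered by any receiver honouring the policy, exactly as the verdict function shows for the spoofed header under the weak record.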
Implement a company-wide password manager to break the habit of manual entry. These tools generally won't auto-fill credentials on a domain they don't recognize, providing a mechanical layer of protection against phishing sites. Additionally, enforce multi-factor authentication (MFA) on every internal tool. Even if an attacker steals a password via a fake tax portal, MFA keeps them out of your actual systems.
Run a quick briefing during your next stand-up. Remind your developers and ops teams that the Treasury will never ask for a credit card number or a password via an unsolicited email. If they receive a suspicious message, they should report it to the Signal-Spam platform or the official internet-signalement.gouv.fr portal rather than simply deleting it. This helps the broader community by flagging the malicious infrastructure faster.