
As Spain’s tax declaration period begins, cybersecurity agencies warn of a surge in impersonation scams targeting taxpayers. Fraudsters are exploiting the rental income declaration process by posing as Spain’s tax authority (Agencia Tributaria or “Hacienda”) through sophisticated phishing campaigns [1]. These attacks coincide with the online tax filing window opening, when users frequently interact with digital tax services.
Attack Vectors and Malware Payloads
The campaigns employ multiple delivery methods, including SMS phishing (smishing) with fake QR codes, emails mimicking official Hacienda communications, and fraudulent payment requests through legitimate platforms like Revolut [3]. Security researchers have identified several malware families being distributed, including Rhadamanthys, zgRAT, and VenomRAT, which are delivered via malicious attachments or compromised links. These RATs (Remote Access Trojans) enable full system compromise, allowing credential theft and financial fraud.
Attackers use generic sender addresses (e.g., “[email protected]”) and URLs that closely resemble legitimate tax portals. A recent sample analyzed by Revista Byte showed attackers using HTTPS domains with “agenciatributaria” subdomains to bypass basic security checks [3]. The messages typically claim unpaid taxes or promise refunds to create urgency.
Technical Indicators and Detection
The campaigns exhibit several identifiable patterns that security teams can monitor:
Indicator Type | Example | Detection Method |
---|---|---|
Email Subjects | “URGENTE: Su declaración de alquiler pendiente” | Content filtering regex patterns |
Attachment Hashes | SHA256: a1b2c3… (Rhadamanthys loader) | EDR signature updates |
Network IOCs | hxxps://agenciatributaria[.]online/declaracion | Web proxy/DNS filtering |
Proofpoint’s threat intelligence reports a 30% increase in malicious domains mimicking tax authorities across Europe and North America during early 2025 tax seasons [4]. Spain’s rental declaration period (April-May) appears particularly targeted due to the complexity of rental income reporting requirements.
Defensive Recommendations
Organizations handling financial or tax data should implement layered defenses:
- Deploy email security solutions with advanced phishing detection capabilities, focusing on sender spoofing and lookalike domain analysis
- Block execution of macros in Office documents from external sources
- Monitor for suspicious process chains involving document readers spawning PowerShell or cmd.exe
- Implement network segmentation for financial systems to limit lateral movement post-compromise
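One way to implement the lookalike-domain analysis recommended above, as an added example that is not from the original article or any vendor tool. It classifies (optionally defanged) URLs against an allow-list; the official domain `agenciatributaria.gob.es`, the brand tokens and the digit-substitution map are assumptions to confirm before use.

```python
import re
from urllib.parse import urlsplit

# Assumption: official hosts sit under this domain; confirm before deploying.
OFFICIAL_DOMAINS = ("agenciatributaria.gob.es",)
BRAND_TOKENS = ("agenciatributaria", "hacienda")  # names the lures imitate
# Constructed digit-for-letter map to undo simple substitutions (tr1butaria).
DIGIT_SWAPS = str.maketrans("01345", "oieas")


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp, [.]) so the indicator parses as a URL."""
    s = indicator.strip().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def split_host(indicator: str) -> tuple[str, str]:
    """Return (hostname, netloc); netloc keeps any userinfo before '@'."""
    s = refang(indicator)
    if "://" not in s:
        s = "//" + s  # bare hostnames need a netloc marker for urlsplit
    parts = urlsplit(s)
    return (parts.hostname or "").rstrip(".").lower(), parts.netloc.lower()


def is_official(host: str) -> bool:
    # Match on a label boundary: "fakeagenciatributaria.gob.es" must not pass.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify(indicator: str) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'unparsed'."""
    host, netloc = split_host(indicator)
    if not host:
        return "unparsed"
    if is_official(host):
        return "official"
    # Squash separators so "agencia-tributaria" and split labels still match;
    # using netloc also catches the brand placed in userinfo before '@'.
    squashed = re.sub(r"[^a-z0-9]", "", netloc).translate(DIGIT_SWAPS)
    if any(token in squashed for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"
```

“hacienda” is also an ordinary Spanish word, so treat `lookalike` results as candidates for review rather than automatic blocks; internationalized (punycode) homoglyph domains are not covered by this check.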
The Spanish Cybersecurity Agency (INCIBE) emphasizes that legitimate tax communications will never request sensitive data via email or SMS [5]. Users should verify all tax-related messages by logging directly into the official Agencia Tributaria portal rather than clicking links in unsolicited communications.
Broader Implications
This campaign reflects a global trend of tax-themed cybercrime, with similar attacks targeting IRS processes in the U.S. and HMRC systems in the UK. The modular nature of the malware used suggests professional cybercrime groups rather than opportunistic attackers. Security teams should expect these campaigns to evolve throughout tax season, potentially incorporating new evasion techniques as defenses adapt.
The combination of social engineering and technical exploitation makes these attacks particularly effective. As noted in Silicon.es, attackers are increasingly bypassing traditional credential theft by initiating fraudulent transactions directly through compromised but legitimate financial platforms [4].
Organizations should conduct targeted user awareness training focusing on tax-related scams during declaration periods. Technical controls should be complemented by procedural safeguards, such as requiring secondary approval for all financial transactions during high-risk periods.
References
1. “Alerta por ciberfraudes de Hacienda en la campaña de alquiler,” CyberSecurity News, 2025.
2. R. Hernampérez, “Alerta por ciberfraudes de Hacienda,” LinkedIn, 2025.
3. “Renta: aumentan los fraudes digitales,” Revista Byte, 2025.
4. “Ojo con Hacienda: aumenta el riesgo de ciberfraudes,” Silicon.es, 2025.
5. “Alerta sobre el fraude de Hacienda,” El Mon, 2025.