A Wave of Fake Tax Refund Messages is Targeting Portuguese Taxpayers—Here's How to Stay Safe
The Portugal Tax Authority (Autoridade Tributária e Aduaneira, or AT) has issued a warning about a surge in fraudulent communications impersonating its official channels. Criminals are weaponizing promises of IRS refunds and fabricated debt warnings to harvest login credentials and bank details from residents across the country through email, text message, and social platforms.
Why This Matters
• Immediate red flag: Unsolicited messages claiming urgent payment demands or pending refunds are almost certainly a scam—the AT only communicates through your authenticated Portal das Finanças account.
• Growing threat: Phishing and smishing campaigns have become increasingly sophisticated, with fraudsters using AI-assisted techniques to create messages that closely resemble legitimate government communications.
• Your defense: The AT never requests personal data, banking information, or payments via links embedded in emails or SMS. Period.
How Criminals Clone the AT's Identity
Attackers begin by drafting emails or text messages that mirror official AT correspondence, complete with government branding, formal titles, and specific fiscal terminology. The message typically triggers one of two emotional responses: relief (a refund is waiting) or panic (an imminent debt or asset seizure).
Within each message sits a hyperlink. This is the trap. Clicking it redirects the user to a counterfeit Portal das Finanças, visually indistinguishable from the legitimate site. The fake portal prompts entry of a taxpayer identification number (NIF), password, and often banking credentials or Chave Móvel Digital codes. Data flows directly to the criminal network, which either exploits it immediately—draining linked accounts or filing false tax claims—or sells it to other operators.
Sender addresses can be spoofed to appear official, or criminals register lookalike domains with minor typographical deviations. SMS-based attacks often use generic sender identifiers like "AT.GOV.PT" that display identically to legitimate messages on many devices.
What Legitimate AT Communications Actually Look Like
The AT operates exclusively from email addresses ending in @at.gov.pt. Any message arriving from another domain—regardless of how credible the name or branding—is fraudulent. This is non-negotiable.
The authority never includes clickable links in emails or SMS that direct you to data-entry screens. It does not ask you to alter, confirm, or input personal, tax, or banking details through any message. It does not request payments via email links or text-message shortcuts.
All genuine AT communications are logged in a secure inbox within the Portal das Finanças itself. To access this, you must:
Navigate directly to the portal at https://www.portaldasfinancas.gov.pt (note the "https://" prefix, which signals encryption).
Authenticate with your NIF and password.
Click the "Comunicações" menu option on the left sidebar.
Any message that does not appear in this authenticated section is fabricated. If you receive an email or text claiming to be from the AT with a refund notice or payment demand, do not click anything. Instead, log into the Portal das Finanças yourself—directly, not via any link sent to you—and check the Comunicações section. If the message isn't there, delete it.
Red Flags and Defense Tactics
Recognizing fraud before clicking requires a combination of technical awareness and behavioral discipline. Watch for:
Sender and Address Anomalies: Emails from domains other than @at.gov.pt, or sender names using abbreviations like "AT Finance Deduction" or misspellings, are red flags. SMS messages claiming to be from the AT but requesting immediate action are suspect by default.
Artificial Urgency: Phrases like "immediate action required," "last day to pay," "your account will be blocked," or "seizure proceedings initiated" are designed to suppress rational thought. The AT does not conduct official business by inducing panic.
Data Requests: No legitimate government agency sends unsolicited requests for passwords, NIF numbers, or bank details via email or SMS. If you see one, it is fraud.
Shortened or Unfamiliar URLs: Hover over any embedded link to reveal its true destination. If the URL does not begin with portaldasfinancas.gov.pt or at.gov.pt, do not click. Shortened links (bit.ly, tinyurl, etc.) should be treated with extreme suspicion.
Unexpected Refunds or Debts: If a message claims you have a pending refund or owe money, verify independently through the Portal das Finanças. Do not assume the email is telling the truth.
Attachment Requests: The AT never sends executable files or attachments demanding download. If an email claims to be from the AT and includes an attachment, delete it immediately.
Other Portuguese Institutions Under Fire
The AT is not alone in being targeted. Reports suggest criminals have launched phishing campaigns impersonating:
• Segurança Social (Social Security): False account-lockout notices demanding password reset or payment of fabricated debts.
• Serviços Partilhados do Ministério da Saúde (SPMS) and SNS 24: Fraudulent SMS messages citing emergency department charges or urgent account verification needs.
• Chave Móvel Digital and ePortugal: Fake authentication requests seeking PIN codes or authorization tokens.
The pattern is clear: any institution managing money, identity, or access is a target.
Protecting Yourself Going Forward
Your first line of defense is skepticism. Treat every unsolicited electronic message—email, SMS, or social media notification—as potentially fraudulent unless you initiated the contact or can independently verify the source.
Enable two-factor authentication on the Portal das Finanças and any other critical account that offers it. Check your "Comunicações" section regularly to stay informed about genuine correspondence from the AT. If your contact information (email or phone number) has changed, update it on the portal to prevent misdirected fraud targeting old credentials.
If you receive a suspicious message, contact your local PSP (Polícia de Segurança Pública) or GNR (Guarda Nacional Republicana) precinct to report it. Screenshots of the fraudulent message are helpful for authorities tracking patterns.
Most critically: never, under any circumstances, respond to or follow instructions embedded in unsolicited messages claiming to be from the AT or any other government entity. If something feels urgent, make a separate phone call to the institution using a number you know is legitimate. Wait a business day. Verify independently. The refund or debt will still exist tomorrow if it was real. The fraud will be gone if you ignore it today.
