Fraudulent Social Security SMS Surge in Portugal: How to Protect Your Bank Details and Personal Data

Published 1h ago

The Portugal Social Security Institute (ISS) has issued a public security warning alerting citizens to a new wave of fraudulent SMS messages impersonating the government agency—the latest front in a phishing campaign linked to a global cybercrime operation that has already compromised over 160 Portuguese organizations.

The scam, which purports to activate two-factor authentication (2FA) on Social Security accounts, is part of a coordinated effort to harvest confidential data including bank details, login credentials, and personal identification numbers. Authorities are urging residents to delete suspicious messages immediately and avoid clicking any embedded links.

Why This Matters

Over 160 Portuguese organizations have been affected by the Tycoon 2FA phishing platform, which was dismantled in a coordinated Europol operation.

One in four cyberattacks in Portugal during 2025 involved phishing, making it the country's most prevalent digital threat.

The Portugal Social Security system never sends links via SMS—any message containing a hyperlink or requesting bank data is fraudulent.

The Anatomy of the Scam

The fraudulent messages circulating across Portugal follow a predictable playbook designed to create panic and urgency. Recipients receive texts claiming they must activate 2FA for their Social Security account or warning of alleged outstanding debts that require immediate payment to avoid penalty interest or asset seizure.

These SMS often include shortened URLs or links to fake web portals that mirror the official Social Security website with remarkable accuracy. Once victims click through, they're prompted to enter sensitive information: IBAN numbers, passwords, tax identification numbers, or authentication codes. In some cases, attackers use "spoofing" techniques to make the sender ID appear as the official Social Security contact number, lending false legitimacy to the scam.

The Portugal Social Security Institute has been unequivocal in its guidance: the agency never dispatches links via text message for service activation, data updates, or contact validation. Any communication requesting confidential information through SMS, email, or phone should be treated as fraudulent.
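The ISS rule above (no links by SMS, no requests for confidential data, and a sender ID that proves nothing) can be written as a message check. The sketch below is an added example, not code from the ISS or this article; the keyword patterns, function names and sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "seg-social.pt"  # official portal named in the article
# Keyword patterns are assumptions made for this example, not an official rule set.
CLAIM_RE = re.compile(r"seguranca social|seg[- ]?social|social security")
DATA_RE = re.compile(r"\b(iban|password|palavra-passe|nif|codigo|dados bancarios)\b")
LINK_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?")

def normalize(text):
    # Lower-case and strip accents so "Segurança" and "Seguranca" match alike.
    return unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()

def extract_hosts(text):
    """Return the host of every link or bare domain found in the text."""
    hosts = []
    for match in LINK_RE.finditer(normalize(text)):
        raw = match.group(0)
        if not raw.startswith(("http://", "https://")):
            raw = "http://" + raw  # give urlsplit a scheme so it parses the host
        hosts.append(urlsplit(raw).hostname)
    return hosts

def is_official_host(host):
    """Exact domain or a true subdomain; 'seg-social.pt.example.net' fails."""
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def triage_sms(sender_id, text):
    """Apply the ISS rule; the sender ID is a claim of identity, never proof."""
    reasons = []
    if not CLAIM_RE.search(normalize(sender_id + " " + text)):
        return "not-iss-related", reasons
    hosts = extract_hosts(text)
    if hosts:
        reasons.append("link-in-sms")  # the ISS never sends links by SMS
    if any(not is_official_host(h) for h in hosts):
        reasons.append("non-official-host")
    if DATA_RE.search(normalize(text)):
        reasons.append("requests-confidential-data")
    return ("fraudulent" if reasons else "no-indicator"), reasons

# Constructed sample messages (not real captures); example.net is a reserved domain.
SAMPLES = [
    ("SegSocial", "Seguranca Social: ative a autenticacao 2FA em https://seg-social.pt.example.net/2fa"),
    ("+351000000000", "Segurança Social: divida pendente. Confirme o seu IBAN para evitar penhora."),
    ("SegSocial", "Seguranca Social: o seu pedido foi registado. Consulte a sua area pessoal no portal."),
]
```

A "no-indicator" result only means none of these checks fired; it does not establish that a message is genuine.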

How to Protect Yourself

If you receive a suspicious message claiming to be from Social Security, follow this protocol:

Do not respond to the message under any circumstances.

Do not click on links, images, or attachments included in the text.

Delete the message immediately from your device.

The ISS emphasizes that 2FA activation must be performed exclusively by the user after secure authentication on the official Social Security Portal. No third party—including Social Security staff—will ever initiate this process via SMS or request you to complete it through an external link.

Residents should also activate anti-spam filters on their mobile devices, keep operating systems and security software updated, and consider switching from SMS-based 2FA to more robust authentication methods such as authenticator apps or biometric verification. SMS-based authentication remains vulnerable to interception through malware, SIM-swapping fraud, and network exploitation.

What This Means for Residents

The warning comes at a time when digital fraud has reached epidemic proportions in Portugal. According to the Cetelem Observatory's 2025 study on digital security, at least one in four Portuguese residents has fallen victim to some form of online fraud—a broader category that includes but is not limited to Social Security impersonation scams.

For anyone who suspects they may have already responded to a fraudulent message, immediate action is required. Contact the Portugal Social Security Institute directly through official channels listed on the seg-social.pt portal. If you've disclosed banking information, notify your financial institution without delay to freeze accounts and prevent unauthorized transactions.

For residents who are not fluent in Portuguese, official Social Security guidance and security alerts are available on the seg-social.pt portal. When in doubt, seek assistance from Portuguese-speaking trusted contacts or official Social Security offices rather than responding to unsolicited messages.

Residents should also be aware that updating personal data such as IBAN details can only be done through the secure, authenticated portal—never via a link received through unsolicited communication. If you're uncertain whether a message is legitimate, navigate directly to the official website by typing the URL into your browser rather than clicking any link.

The Global Context: Tycoon 2FA Takedown

The SMS scam targeting Portuguese Social Security users is part of a broader cybercrime ecosystem that was recently disrupted. In March 2026, the Portugal Judicial Police (PJ), working alongside the Europol Cybercrime Centre (EC3), participated in an international operation that dismantled Tycoon 2FA—the world's largest phishing-as-a-service platform.

Active since August 2023, Tycoon 2FA operated as a subscription-based crime tool that allowed even low-skill criminals to bypass multifactor authentication systems and hijack email accounts and cloud services in real time. According to 2025 data from cybersecurity firm ESET, the platform was responsible for approximately 62% of all phishing attempts blocked by Microsoft in mid-2025.

Globally, Tycoon 2FA facilitated attacks on roughly 100,000 organizations, including critical infrastructure such as schools and hospitals. The platform's reach extended to over 55,000 Microsoft customers and enabled the theft of login credentials, MFA codes, and session cookies. In Portugal alone, more than 160 organizations were directly compromised, resulting in financial losses that authorities describe as substantial, though the full extent remains under investigation.

The takedown, coordinated across six countries—Portugal, Latvia, Lithuania, Poland, Spain, and the United Kingdom—resulted in the seizure of 330 malicious domains that formed the platform's technical backbone. Microsoft led the technical neutralization, while law enforcement agencies conducted physical infrastructure seizures and operational actions. The alleged architect of Tycoon 2FA remains a target of ongoing international investigations.

Portugal's Phishing Epidemic

The Tycoon operation may have been neutralized, but the threat landscape remains active. According to 2025 data from cybersecurity firm ESET, phishing accounted for one in every four cyberattacks recorded in Portugal during that year. The most frequently detected threat was HTML/Phishing.Agent, which refers to fake web pages distributed via email, SMS, and social media that impersonate legitimate services—including banks, the Portugal Tax Authority (AT), delivery companies, and popular digital platforms.

These campaigns rely on a combination of technical sophistication and psychological manipulation. Fraudulent messages often contain grammatical errors or vague references ("your package," "your reference") designed to prompt curiosity or anxiety. Others deploy urgent language warning of imminent financial consequences, legal action, or service interruptions unless immediate action is taken.

The Portugal Social Security Institute has reiterated that vigilance is a collective responsibility. Citizens who encounter suspicious communications should consult official sources before taking any action. The agency's official contact channels and updated security guidance are available exclusively through the seg-social.pt portal.

Regulatory and Legal Implications

Portugal's legal framework for data protection and digital fraud is governed by national implementations of the EU General Data Protection Regulation (GDPR) and specific cybercrime statutes. Victims of phishing who suffer financial loss or identity theft may have recourse through the National Cybercrime Unit of the Judicial Police, which investigates digital fraud and coordinates with Europol on cross-border cases.

However, prevention remains the most effective defense. The Portugal Social Security Institute and cybersecurity experts stress that no technological safeguard can replace user awareness. Residents should treat unsolicited messages requesting personal or financial information with extreme skepticism—regardless of how convincing the sender appears to be.

Practical Steps Moving Forward

To minimize your exposure to phishing attacks:

Verify every communication by navigating directly to official websites rather than clicking links.

Never share authentication codes, passwords, or bank details via SMS, email, or phone—legitimate agencies will never request this information through these channels.

Enable advanced authentication methods beyond SMS, such as app-based tokens or biometric systems, wherever possible.

Report suspicious messages to the Portugal Judicial Police or the Social Security Institute to assist ongoing investigations.

The current wave of fraudulent SMS messages represents a persistent and evolving threat. While law enforcement has achieved significant victories—such as the dismantling of Tycoon 2FA—the criminal ecosystem adapts quickly. For residents of Portugal, the message is clear: when it comes to unsolicited digital communication, skepticism is not paranoia—it's common sense.
