Portugal's Tax Authority—the Autoridade Tributária e Aduaneira (AT)—has confirmed a fresh wave of email fraud targeting IRS filers, a scam that could drain bank accounts or hand over complete access to taxpayer identities. The fraudulent messages impersonate the AT and attempt to trick residents into clicking malicious links under the pretext of altering tax declarations, claiming automatic recalculations, or warning of pending invoices.
Why This Matters
• Tax season is prime hunting season: Fraudsters intensify campaigns between April and June, when millions submit their IRS returns.
• One in 4 cyberattacks in Portugal is phishing: Data from cybersecurity firm ESET shows phishing represented 25% of digital attacks, with tax-related schemes surging during filing periods.
• AI-powered fraud is harder to spot: Criminals now use artificial intelligence to create convincing fake portals and error-free messages, making traditional red flags less reliable.
• Your Portal das Finanças credentials are the prize: Gaining access to your tax account allows fraudsters to redirect refunds, file false claims, or steal identity data for resale.
The Anatomy of the Scam
The AT has released examples of fraudulent templates currently circulating. In one variant, taxpayers receive an email claiming that "a request to alter your IRS declaration has been detected" and urging immediate action to "confirm or cancel this change" via an embedded link. Other versions reference:
• An automatic recalculation of your tax return
• A data verification requirement for your Portal das Finanças account
• An electronic invoice (FE) related to your fiscal registration
• Outstanding tax debts requiring urgent settlement
All messages share a common goal: to harvest login credentials, personal data, or banking details by redirecting victims to fake websites designed to mimic official government portals.
According to the AT, these messages are entirely fabricated. The authority states unequivocally that taxpayers should never click the links or make any payments requested through unsolicited emails or SMS.
How to Recognize a Fake Message
Portugal-based cybersecurity analysts and the Centro Nacional de Cibersegurança (CNCS) have identified key markers of fraudulent communications:
Domain scrutiny: The AT communicates exclusively via @at.gov.pt email addresses. Messages from personal domains like @resolucaocidadaosempapel.blog, @rumolivre.blog, or generic Gmail accounts are always fraudulent.
Artificial urgency: Scammers deploy language designed to panic recipients—"last chance to avoid penalties," "immediate action required," or "account will be suspended." Legitimate tax notices never demand split-second decisions.
Link requests: The AT never embeds links in emails or SMS for taxpayers to update personal, fiscal, or banking information. Any message asking you to click through to "verify" or "confirm" details is a scam.
Generic greetings: Official correspondence typically addresses you by name or NIF (taxpayer identification number). Messages beginning with "Dear taxpayer" or "Valued customer" raise immediate suspicion.
Unusual sending times: Emails dispatched at odd hours often signal automated fraud campaigns operating from foreign time zones.
Recent cybersecurity research has tracked hundreds of newly registered domains mimicking tax authorities and fiscal portals, with an increasing number flagged as high-risk during peak tax season.
What This Means for Residents
For anyone living in Portugal, the IRS filing season—which runs from April 1 through June 30—represents peak exposure to these scams. Here's how to protect yourself:
Access the Portal das Finanças directly: Type portaldasfinancas.gov.pt into your browser's address bar. Never arrive at the portal via a link in an email or text message. Alternatively, download the official Finanças app directly from your device's official app store—never through links in emails or messages.
Check for HTTPS: Legitimate government sites display https:// in the URL and a padlock icon. Fake sites may use similar-looking addresses like portaldasfinancas.at or portal-financas.com.
Enable two-factor authentication: If your Portal das Finanças account supports Chave Móvel Digital, activate it. This adds a critical second layer of defense if your password is compromised.
Monitor your tax account: Log in regularly to review communications within the official portal or app. The AT delivers genuine notices through the platform's secure messaging system, not via unsolicited email.
Report suspicious messages: Forward tax-related phishing attempts to phishing@at.gov.pt. The CNCS also accepts reports for other cybersecurity incidents via cert@cert.pt or through its online incident form.
The Bigger Picture: A Europe-Wide Problem
Portugal is not alone. Tax authorities across Europe and the United States have issued parallel warnings about phishing surges tied to filing deadlines. The U.S. Internal Revenue Service (IRS) reported similar scams involving QR codes and fake refund notifications, advising taxpayers to forward suspicious emails to phishing@irs.gov.
The CNCS has highlighted that phishing and smishing remain the most common type of incident reported by Portugal's national CERT team, with incidents climbing year-over-year, driven by the increased digital exposure of individuals and families.
The Organismo Europeu de Luta Antifraude (OLAF) and Europol offer guidance on reporting cross-border fraud, particularly when scams involve multiple jurisdictions or EU funds.
Red Flags You Cannot Afford to Ignore
• Unexpected contact: The AT does not send unsolicited emails announcing refunds or demanding immediate payment.
• Non-standard payment methods: Requests for payment via cryptocurrency, gift cards, or wire transfer are 100% fraudulent.
• Attachments: Official tax notices do not arrive as email attachments. If you receive a .zip, .exe, or .pdf file claiming to be from the AT, delete it immediately without opening.
• Social media offers: Beware of Facebook, Instagram, or TikTok posts promising "IRS refund hacks" or "secret deductions." These are either scams or illegal tax advice.
What Happens If You've Already Clicked
If you suspect you've fallen victim:
Change your passwords immediately: Update your Portal das Finanças login and any other accounts using the same credentials.
Contact your bank: Alert them to potential fraud and monitor transactions for unauthorized activity.
Report to the authorities: File an incident report with the CNCS and notify the AT through the Portal das Finanças contact channels.
Check your tax account: Log in to verify no unauthorized changes have been made to your bank details, address, or pending returns.
The AT emphasizes that it never requests sensitive data via email or SMS and advises taxpayers to treat any such request as fraudulent. As the June 30 deadline for IRS submissions approaches, vigilance is the most effective defense against a scam that could cost you far more than taxes.
