Between September 2025 and February 2026, according to data collected by Check Point Research and reported by several specialized media outlets, hundreds of new domains that included tax-related keywords or the names of tax authorities were registered each month. One in every 15 newly registered tax-related domains has already been classified as malicious or suspicious. This trend has been growing with the tax campaign and may continue in the 2026 Income Tax Return.
With the Income Tax Campaign recently started, it is important to take protective measures against cybercriminals. ESET experts offer a series of recommendations in this regard. First, they point out the warning signs that may indicate an attempt at fraud:
- Requests for personal or banking data through links or web forms that do not belong to the official site.
- Messages that appeal to urgency, such as supposed immediate refunds or file blocks, to pressure you into acting without verifying.
- Suspicious domains or senders that match neither “agenciatributaria.gob.es” nor the official electronic notification channels, used to redirect you to fraudulent pages.
How to protect yourself?
These are ESET's recommendations for staying protected:
- Always manually access the electronic headquarters of the Agencia Tributaria (by typing the URL in your browser or through official channels), avoiding clicking on links from unsolicited emails or SMS.
- Carefully check the sender and domain before entering any personal or banking data on a page, and distrust any request for passwords or codes through insecure means. If you are asked for banking data outside the official environment, it is a scam.
- Do not provide sensitive information in response to messages you have not requested or that do not come from the official channels of the AEAT.
- Keep security systems and solutions updated, including antivirus and antiphishing filters, to increase your defenses against known threats.
- Verify before acting. When in doubt, use the services of the AEAT to cross-reference documents and consult notifications securely.
What to do if you have clicked on a fraudulent link?
- Gather evidence of the incident (screenshots, links, messages).
- Change your compromised passwords and monitor associated bank accounts.
- Report the fraud to the State Security Forces and Corps.
- Request specialized guidance from the Cybersecurity Helpline (017) to receive expert assistance.
The Government reactivates the Action Protocol for Impersonated Taxpayers
With the start of the Income Tax Campaign 2026, the Ministry of Consumer Affairs has launched, for the third consecutive year, the Action Protocol for Impersonated Taxpayers (PACS). The initiative is promoted through the Directorate General for the Regulation of Gambling (DGOJ) and is coordinated with the State Security Forces and Corps and the Tax Agency (AEAT).
The protocol is aimed at people whose identity has been used by third parties on online gambling platforms, generating profits that they do not recognize as their own. To facilitate the management of these cases, a specific website has been set up with a practical guide that explains the steps to follow, how to report identity theft and how to regularize the situation with the Tax Agency.
According to the data collected, 8,675 people filed complaints for identity theft in 2025, which represents a 12% increase compared to 2024. These complaints are related to 15,871 gambling accounts, a figure equivalent to 4% of taxpayers who received tax information linked to online gambling.