GOVERNMENT IMPERSONATION

Agenzia delle Entrate tax refund scam 2026: real refund, or phishing?

Two parallel campaigns are wearing the logo of Italy's Revenue Agency. One dangles a tax refund, the other a crypto declaration form. Both end at the same place: your bank and card details in a stranger's hands.

SB

SafeBrowz Threat Research Security ResearchJune 18, 20268 min read

What the Agenzia delle Entrate scam is, and why it is spreading now

The Agenzia delle Entrate is Italy's Revenue Agency, the body that handles tax returns, refunds, and the codice fiscale (the Italian tax identification number every resident holds). Almost every adult in Italy interacts with it, which is exactly why a phishing crew wants to wear its name. In June 2026 the agency and Italy's national cyber response team raised the alarm on two campaigns running at once under that borrowed logo.

The first is the classic refund bait. An email styled with the agency's logo tells you a rimborso fiscale is waiting, usually a specific, believable figure, and that you only need to "confirm" your details to receive it. The link opens a form that spoofs the real portal and collects your personal data and your bank or card details. The refund never arrives, because there was never a refund. The form was the whole attack.

The second campaign is newer and rides the crypto-tax news cycle. It claims you must complete a dichiarazione cripto, a crypto tax declaration, and presents a form that first harvests your name, codice fiscale, email, and phone number, then walks you toward handing over card or debit details to "pay" a fabricated charge or "verify" your wallet. Same engine, different paint.

On June 5, 2026 the Agenzia delle Entrate published an official avviso (a public notice) confirming these messages are not from the agency and warning the public not to open the links or enter any data. Italy's CERT-AGID, the Computer Emergency Response Team for the public administration, tracks Agenzia delle Entrate themes among the most-abused brands in Italian phishing, week after week. When the impersonated agency itself tells you in plain language that it did not send the message, that statement settles the question.

What the scam message actually says

The wording rotates between the two campaigns, but the skeleton is stable. A typical message reads something like one of these (translated for clarity, with the Italian term kept):

• "Agenzia delle Entrate: a rimborso fiscale (tax refund) of EUR 731.46 is available on your account. Confirm your details within 48 hours to receive the credit: [link]"
• "Notice from the Revenue Agency: your refund request could not be processed. Update your bank data to avoid cancellation of the credit: [link]"
• "Dichiarazione cripto required: under the new rules you must declare your crypto holdings. Complete the form with your codice fiscale and contact details to remain compliant: [link]"

The crypto variant leans on real headlines about crypto-asset taxation to feel current and credible. It asks for the codice fiscale, email, and phone first, which feels harmless, then escalates to "a small verification charge" or "confirm your card to receive your reference number." That escalation to card or debit details is the harvest. Whatever the wording, the destination is a page that impersonates the agency and collects either your bank login or your card number. The real agency does not collect a refund-related payment, and it does not run a crypto declaration through an emailed form.

What the scam links look like (illustrative)

The link is built to look almost official on a phone screen. The domain crams in "agenzia," "entrate," "rimborso," or "cripto," then lands on a free hosting platform or a cheap top-level domain that the real agency would never use. The examples below are illustrative lookalikes only. The real agency uses .gov.it:

• agenzia-entrate-rimborso.vercel.app
• rimborso-fiscale-2026.pages.dev
• agenziaentrate-cripto.netlify.app

The trick is that the agency name appears somewhere in the string, but never as the real registrable domain. The true domain is the part immediately before the first single slash after https://. Everything to the left of that is dressing. The real address is agenziaentrate.gov.it. Anything hosted on .vercel.app, .pages.dev, or .netlify.app is a free-hosting page that merely contains the agency's name. Tap any of the red examples above to run them through the live checker and watch them flag.

Red flags that give it away every time

You do not need to know Italian tax procedure to spot this. The tells are structural.

• It asks for card or bank data to "receive" a refund. This is the single clearest tell. A real refund is paid out to you, not collected from you. The agency never needs your card number to send you money.
• The link is not agenziaentrate.gov.it. The real Revenue Agency uses one domain, agenziaentrate.gov.it, on the .gov.it namespace reserved for Italian public administration. Any .vercel.app, .pages.dev, .netlify.app, .com, .info, or other address claiming to be the agency is fake, no matter which words it contains.
• There is a countdown. "Within 48 hours," "before the credit is cancelled." Real tax processes run on official timelines documented through your registered account and certified mail, not a same-day SMS clock. Urgency is the lever.
• It emails a refund form or a crypto declaration form. The agency does not email either. Refunds are paid to the IBAN on your record; declarations are filed through your authenticated account, never via a link in a message.
• The sender address is wrong. A real notice does not arrive from a random Gmail, Outlook, or lookalike domain. Hover the sender and the address rarely ends in the real .gov.it.
• It asks for your codice fiscale plus contact details up front. A legitimate authenticated session already knows who you are. A form that asks you to type your codice fiscale, email, and phone into a web page reached from an email link is collecting, not verifying.
• Generic greeting, off Italian, or a pressure-filled tone. Mass phishing skips your name and leans on fear. The real agency communicates formally and through your account.

How the refund and the crypto versions differ

The two campaigns share one engine and split on the story they tell. The refund version is the warm, generous bait: you are owed money, just confirm to claim it. People relax their guard for good news, and the form sits ready to take the bank login at the moment of greatest trust.

The crypto version is the timely, anxious bait. It leans on real reporting about crypto-asset tax obligations to suggest you are out of compliance and must act. It collects identity first (name, codice fiscale, email, phone), which feels procedural, then escalates to card or debit details under a "verification" or "small charge" pretext. The harvest at the end of the link is the same in both: payment credentials. The brand and the pretext change; the mechanic does not. That is exactly why a structural defense beats trying to memorize each new story.

What SafeBrowz sees on the network

When the SafeBrowz engine examines an Agenzia delle Entrate lookalike page, the structure reads clearly across all three detection layers.

First, the host is wrong. The destination behind these campaigns is almost always a free-hosting subdomain (vercel.app, pages.dev, netlify.app) or a freshly registered cheap domain, often days old. No legitimate .gov.it portal is days old or hosted on a free platform. The host alone flags a large share of these before any content loads.

Second, the structure is a keyword sandwich. The string carries "agenzia," "entrate," "rimborso," or "cripto" plus a transactional word, then resolves anywhere except the one real registrable domain. The agency name living off agenziaentrate.gov.it is itself the signal.

Third, the page content gives itself away. The real agency logo, a "conferma i tuoi dati" headline, a bank or card form, and a countdown timer, all served from a non-.gov.it host, is a textbook brand-impersonation profile. Content-level analysis catches the impersonation even when the domain is brand new and absent from every blocklist.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

• Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. It catches government-impersonation keyword patterns on non-.gov.it hosts, free-hosting abuse, and refund-claim redirect families instantly.
• Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, plus domain-age lookup (most of these destinations are less than 30 days old) and 30+ scam TLDs and free-hosting platforms.
• Layer 3 - AI deep scan: content-aware brand-impersonation analysis in 100+ languages, including Italian, catches a brand-new lookalike that no blocklist has seen yet, including both the refund and the crypto-declaration variants.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

For people who do not want to install anything, the same engine powers the free public URL checker. Paste any link from a suspicious Agenzia delle Entrate message and get a verdict in seconds.

What to do right now

If one of these messages just landed, here is the whole correct response.

1. Do not click the link or open any attachment. The link is the entire attack surface. Curiosity is how people get caught.
2. Verify directly, not through the message. Open a new browser tab and type the real address yourself: agenziaentrate.gov.it. Log in to your authenticated area with SPID, CIE, or your credentials. If there were a real refund or a real obligation, it would appear there, not in your inbox.
3. Report it in Italy. Forward the phishing to CERT-AGID, which collects and tracks Italian public-administration phishing. Report fraud and cybercrime to the Polizia Postale at commissariatodips.it.
4. Tell the agency. The Agenzia delle Entrate maintains an official phishing-notice page and asks the public to report suspicious messages so it can warn others.
5. Then delete the message.

If you already clicked but entered nothing, you are most likely fine: close the tab and clear cookies for that domain. If you entered card or bank details, contact your bank immediately using the number on the back of your card, block or freeze the card in your banking app, and watch your statements. If you handed over your codice fiscale and full personal data, monitor for misuse and keep the evidence. Our full "I got scammed, what to do now" walkthrough covers the first-hour playbook in detail.

Related scams worth knowing

The structure here is the same one behind a dozen other brands. If you want to harden your instincts, three reads pair well with this one. Our guide on how to tell if a website is a scam walks through reading a URL the way the checker does. If you have already lost money or data, the 2026 recovery guide is the step-by-step. And because the crypto-declaration variant edges toward wallet theft, what to do if your crypto seed phrase is stolen covers the worst case if a "crypto verification" page ever talks you into revealing a recovery phrase. No legitimate tax form will ever ask for a seed phrase. None.

Frequently asked questions

Is the Agenzia delle Entrate tax refund email real or a scam?

It is a scam. The Italian Revenue Agency does not email refund forms asking you to confirm bank or card details. Real refunds (rimborso fiscale) are paid automatically to the IBAN already on your record. The agency published an official avviso on June 5, 2026 warning that these refund and crypto-declaration messages are phishing, and CERT-AGID tracks the agency among the most-abused brands in Italian phishing.

What does the real Agenzia delle Entrate website address look like?

The real Revenue Agency uses one domain only: agenziaentrate.gov.it, on the .gov.it namespace reserved for Italian public administration. Any link ending in .vercel.app, .pages.dev, .netlify.app, .com, or .info that claims to be the agency is fake, even if the words agenzia, entrate, rimborso, or cripto appear in the address.

The email asks me to fill in a crypto declaration (dichiarazione cripto). Is that legitimate?

No. The agency does not collect a crypto declaration through a form sent by email. The dichiarazione cripto campaign harvests your name, codice fiscale, email, and phone first, then pushes you toward entering card or debit details. Any real declaration is filed inside your authenticated account at agenziaentrate.gov.it, never via a link in a message.

Why does the agency need my card number to send me a refund?

It does not, and that is the giveaway. A refund is money paid to you, sent to the IBAN on your record. Any message that asks for your card number, debit details, or bank login to "receive," "unlock," or "verify" a refund is collecting your payment credentials to steal, not to pay you.

I clicked the link and entered my details. What now?

If you entered card or bank details, call your bank immediately using the number on the back of your card, block or freeze the card in your banking app, and monitor your statements. Report the fraud to the Polizia Postale at commissariatodips.it and forward the phishing to CERT-AGID. If you only opened the page and entered nothing, close the tab and clear cookies for that site.

How do I report an Agenzia delle Entrate phishing message in Italy?

Forward the message to CERT-AGID, which collects and tracks Italian public-administration phishing. Report fraud and cybercrime to the Polizia Postale through commissariatodips.it. You can also report the suspicious message to the Agenzia delle Entrate through its official phishing-notice page so it can warn the public.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.

Add to Chrome Add to Firefox Add to Edge