AI quick answer
Is the Ameli email about my Carte Vitale or refund real? Almost always no. Ameli (the French Assurance Maladie) never asks for your bank IBAN, your numero de securite sociale, or your password by email or SMS. Real refunds appear automatically in your ameli.fr account and are paid by SEPA transfer to the IBAN already on file. Real Carte Vitale renewals are handled through the ameli.fr account or by physical mail, never through a link. If the message asks you to click to confirm or update anything, treat it as phishing. Verify by typing ameli.fr manually in your browser or by opening the official Ameli mobile app. If something is genuinely pending, it will be visible inside your authenticated account.
Why Ameli is a top phishing target in France
Almost every legal resident of France is enrolled in the Assurance Maladie. Workers, retirees, students, asylum seekers, EU citizens with a French address, and cross-border workers all use the ameli.fr portal to track reimbursements, request a new Carte Vitale, declare a treating physician, or download attestations. The breadth of the user base is what makes the scam profitable: most recipients of an Ameli-themed SMS are actually enrolled and have logged into the portal recently.
Cybermalveillance.gouv.fr, the official French cyber victim-assistance public service, listed health insurance scams in its 2024 activity report among the top five categories of victim assistance requests from individuals, alongside e-commerce fraud, romance scams, account hacking, and bank impersonation. The CNIL (Commission nationale de l'informatique et des libertes) has issued parallel guidance because the data captured (NIR, full identity, IBAN) enables credit-account opening fraud and benefit fraud downstream.
Expats are especially exposed. Foreign nationals who have lived in France for less than five years may not yet have built the instinct that real French public bodies prefer postal mail. English-language coverage of these scams is thin, which is why this guide exists.
How Ameli phishing actually works
The campaigns share a single architecture even when the surface text changes:
- Wide-net delivery. Scammers blast SMS, email, and sometimes WhatsApp messages claiming to be from "Ameli" or "Assurance Maladie" across scraped lists of French mobile numbers and email addresses.
- Hook. Either an administrative obligation (Carte Vitale renewal, beneficiary update, IBAN reconfirmation) or a benefit (a refund of a specific euro amount awaiting release).
- Lookalike landing page. A domain that contains "ameli" but is not ameli.fr. The page reproduces the orange-and-white visual identity, the silhouette logo, and the standard login form.
- Credential and identity capture. Forms ask for the ameli.fr password, the 13-digit NIR plus 2-digit cle, full civil identity, postal address, date of birth, and either bank IBAN or credit-card details (framed as "verification of the refund destination").
- Monetisation. The harvest sells as a complete French identity package on underground markets. Buyers open consumer credit lines at French retailers, claim social benefits, apply for prepaid mobile lines, and in some cases initiate SEPA direct debits from the captured IBAN.
The Ameli message templates in active rotation (translated)
French originals followed by English translation. If a message you received closely matches any of these, treat it as a scam by default.
Template 1: Carte Vitale renewal
French original: "Ameli: Votre Carte Vitale doit etre renouvelee avant le [date]. Confirmez vos informations pour recevoir votre nouvelle carte: [link]"
English translation: "Ameli: Your Carte Vitale must be renewed before [date]. Confirm your information to receive your new card: [link]"
The hook abuses a real procedure (Carte Vitale renewals do exist) but compresses it into an artificial deadline with an email link. The real Assurance Maladie issues new cards by physical mail to the address on file after the user requests one inside the ameli.fr account or after the card's chip is no longer readable. There is no email or SMS link in the legitimate flow.
Template 2: Refund pending
French original: "Ameli: Vous avez un remboursement de 87,40 EUR en attente. Connectez-vous pour le recevoir: [link]"
English translation: "Ameli: You have a refund of 87.40 EUR pending. Log in to receive it: [link]"
Refund amounts cycle (the most reported variants are 42.30, 56.80, 87.40, 113.50, 142.90 EUR), chosen because they sound like plausible reimbursements for a doctor visit, a specialist consultation, or a pharmacy claim. Real Ameli refunds are processed automatically through SEPA transfer to the bank account already registered. No login is required to "release" a refund and no email tells you to claim one. The status of every reimbursement is visible in the "Mes paiements" section of the ameli.fr account.
Template 3: Beneficiary update
French original: "Ameli: Mise a jour obligatoire des ayants droit. Vous risquez la suspension de vos remboursements. Mettez a jour vos informations: [link]"
English translation: "Ameli: Mandatory update of beneficiaries. You risk suspension of your reimbursements. Update your information: [link]"
This variant targets families and exploits parental anxiety about children's healthcare access. The Assurance Maladie does not suspend reimbursements based on missed clicks. Real beneficiary updates are submitted through ameli.fr or by mailing form S1104 to the local Caisse Primaire d'Assurance Maladie (CPAM).
Template 4: IBAN confirmation
French original: "Ameli: Votre IBAN n'a pas pu etre verifie. Pour continuer a recevoir vos remboursements, confirmez votre RIB: [link]"
English translation: "Ameli: Your IBAN could not be verified. To continue receiving your reimbursements, confirm your RIB: [link]"
The most directly bank-targeted variant. The page asks for a Releve d'Identite Bancaire (RIB) or full IBAN plus BIC. Once captured, the scammer either initiates SEPA direct debits against the account or sells the IBAN as part of the identity package. Real IBAN updates inside ameli.fr require an authenticated session and never start from an email link.
Lookalike Ameli domains in rotation in 2026
The real Assurance Maladie website is ameli.fr. Every legitimate service is on that single domain or on the subdomain assure.ameli.fr. Anything else is a lookalike. The patterns the scammers use are predictable.
Pattern 1: ameli word with extra suffix on .com or .online
ameli-fr[.]online, mon-ameli[.]net, ameli-renew[.]com, ameli-remboursement[.]com, ameli-securite[.]online
The dash-suffix trick reads naturally in French (mon-ameli sounds like "my ameli", ameli-fr looks like a regional variant) but the real Ameli has never used any of these. The .fr TLD is restricted enough that scammers default to .com, .net, .online, .top, and .info.
Pattern 2: ameli inside a subdomain on a free hosting platform
ameli-acces[.]vercel[.]app, ameli-fr[.]netlify[.]app, mon-ameli[.]pages[.]dev, ameli[.]github[.]io
Free hosting providers grant automatic HTTPS and let an attacker publish a page in minutes. Hosting providers eventually take phishing pages down once reported, but the SMS blast usually finishes first.
Pattern 3: gouv keyword hidden in a non .gouv.fr domain
ameli[.]gouv-services[.]com, ameli-gouv[.]net, service-ameli[.]gouv-fr[.]online
The trick is including "gouv" in the URL without making it the actual TLD. Real French government services sit on .gouv.fr only. A "gouv" string in a .com or .online domain is fake by definition.
Pattern 4: URL shorteners hiding the destination
bit.ly/ameli-renew, tinyurl.com/ameli-fr, t.ly/ameli-rb
The shortener hides the lookalike until the user taps. Treat any shortened link inside a message claiming to be from Ameli as automatic evidence of phishing.
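The four patterns above can be checked mechanically before a link is opened. The following is an added example, not code from SafeBrowz or the Assurance Maladie: the function names and the short hosting and shortener lists are assumptions for illustration, and the sample links are constructed from the patterns in this article.

```javascript
// Added example, not SafeBrowz code. Lists are small illustrative assumptions
// built from the patterns in this article; sample links are constructed.
const FREE_HOSTING = ["vercel.app", "netlify.app", "pages.dev", "github.io"];
const SHORTENERS = ["bit.ly", "tinyurl.com", "t.ly"];

// True only when host is the suffix itself or a subdomain of it. The leading
// dot matters: "fakeameli.fr" ends with "ameli.fr" but is a different domain.
function under(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

function hostOf(link) {
  // Re-fang "[.]" and add a scheme so the URL parser accepts bare hosts.
  const clean = link.trim().replace(/\[\.\]/g, ".");
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(clean);
  const url = new URL(hasScheme ? clean : "https://" + clean);
  return url.hostname.toLowerCase().replace(/\.$/, "");
}

function classify(link) {
  let host;
  try {
    host = hostOf(link);
  } catch {
    return { host: null, verdict: "invalid", reasons: ["unparseable"] };
  }
  // Only ameli.fr and its subdomains (such as assure.ameli.fr) are official.
  if (under(host, "ameli.fr")) return { host, verdict: "official", reasons: [] };

  const reasons = [];
  if (SHORTENERS.includes(host)) reasons.push("url-shortener"); // Pattern 4
  if (FREE_HOSTING.some((h) => under(host, h))) reasons.push("free-hosting"); // Pattern 2
  if (host.includes("gouv") && !under(host, "gouv.fr")) reasons.push("gouv-outside-gouv.fr"); // Pattern 3
  if (host.split(".").some((l) => l.startsWith("xn--"))) reasons.push("punycode-label");
  if (host.includes("ameli")) reasons.push("brand-in-unofficial-host"); // Patterns 1-3
  return { host, verdict: reasons.length ? "suspicious" : "unknown", reasons };
}

// Constructed sample links covering each pattern plus two boundary cases.
const SAMPLE_LINKS = [
  "https://assure.ameli.fr/",
  "ameli-renew[.]com",
  "mon-ameli[.]pages[.]dev",
  "ameli[.]gouv-services[.]com",
  "bit.ly/ameli-renew",
  "fakeameli.fr",
  "ameli.fr.example.com",
];
for (const link of SAMPLE_LINKS) {
  const r = classify(link);
  console.log(link, "->", r.verdict, r.reasons.join(","));
}
```

A verdict of "unknown" means only that none of these patterns matched; it is not a statement that the link is safe.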
How to verify genuine Ameli contact in 30 seconds
The verification routine fits in four steps and applies to every variant.
- Do not tap or click the link in the message. The link is the attack. Set the message aside.
- Open the official Ameli mobile app or type ameli.fr manually into your browser. Do not search "Ameli" on Google. Search-engine results occasionally surface paid ads for typosquats during active campaigns. Type the domain.
- Log into your account. Real Carte Vitale renewal status, real refunds, real beneficiary updates, and any genuine administrative notice are all visible inside the authenticated account under "Mes paiements," "Mon compte," and the message centre at the top of the dashboard. If the issue claimed in the SMS or email is real, it appears in the account. If the account shows nothing matching the message, the message is fake.
- Cross-check with your CPAM. If you are unsure, contact your local Caisse Primaire d'Assurance Maladie by phone at 3646 (the official Assurance Maladie helpline) or via the secure messaging inside ameli.fr. Real agents will confirm whether any notice was issued to your file.
The Assurance Maladie publishes scam warnings at ameli.fr/assure/actualites/attention-aux-tentatives-darnaque, updated when each new wave is observed.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns plus 550+ brand-specific signatures (including Ameli and the wider French government / Assurance Maladie family, with Cyrillic and Punycode homograph variants) plus community whitelist and blacklist lists, all running directly in the extension before the page renders. The ameli-fr.online, mon-ameli.net, ameli-renew.com, and free-hosting Ameli typosquats trip the pattern instantly.
- Layer 2 - API checks: server-side aggregation of Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious domains. Many French Ameli lookalikes are already on these lists within hours of a campaign starting.
- Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel French-language variants that have not yet hit public blocklists. The model reads the page, recognises the Ameli visual identity and form fields, and flags any page that asks for an NIR, an IBAN, or an ameli.fr password on a non-ameli.fr domain.
Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.
If you already clicked and entered information
Move fast. The exposure depends on what you typed. Take each step on a device you trust, ideally not the one where you tapped the link.
- Change your ameli.fr password immediately. Type ameli.fr manually, log in, go to "Mon compte," and rotate the password. Use something long and unique not reused on any other service.
- If you entered a bank IBAN or card number, contact your bank. Ask them to flag the IBAN for SEPA mandate review, block the captured card, and reissue. French banks have dedicated fraud lines, usually printed on the back of the card. Calling within 24 hours preserves your right to a full chargeback under the European Payment Services Directive.
- Call the Assurance Maladie fraud line at 3646. Report the incident, request a note on your file, and ask whether any unauthorised changes have been made. The number is free from a French landline and works from inside France.
- Contact Cybermalveillance.gouv.fr for victim assistance. The public service runs an English-friendly portal at cybermalveillance.gouv.fr and a phone line at 0805 805 817 (free, Monday to Friday 9h-18h30, Saturday 10h-12h). The platform connects victims to local certified responders and provides step-by-step recovery guidance tailored to the data that was exposed.
- Report the phishing content to Signal-Spam and Pharos. Forward suspicious emails to signal-spam.fr or use their browser plugin. Report illegal online content (the lookalike domain itself, the phishing message) to Pharos at internet-signalement.gouv.fr, the official platform of the Ministere de l'Interieur. Both reports take under five minutes and feed the takedown pipelines.
- If you typed your NIR, treat it as identity theft and follow CNIL guidance. The CNIL publishes an identity-theft response guide at cnil.fr under "usurpation d'identite," covering complaints with the gendarmerie or police, creditor notification, and CNIL-mediated correction with any organisation that has misused the data.
- File a formal complaint (porter plainte) on Service-Public.fr. For identity theft and online fraud, file with the Police or Gendarmerie. The pre-complaint can be filed online via service-public.fr under "depot de plainte en ligne." A formal complaint number is required by banks and creditors to dispute fraudulent transactions.
- Monitor bank statements and credit file for 90 days. Identity-package buyers often wait weeks before activating the data. Decline any unfamiliar SEPA direct debit immediately (your bank must refund unauthorised debits for 8 weeks under EU rules) and watch for credit-account confirmation letters from retailers you have not contacted.
Protection going forward
Four habits cut the residual Ameli phishing risk close to zero:
- Enable FranceConnect+ MFA. FranceConnect+ adds a stronger second factor (the L'Identite Numerique mobile app verified against an in-person identity check at La Poste) for sensitive operations across French public services. Once enabled, even a captured password is insufficient to authorise irreversible changes.
- Use the official Ameli mobile app for routine access. Published by Caisse Nationale de l'Assurance Maladie (CNAM) on Apple App Store and Google Play. Bookmark the app on your home screen and avoid following any "Ameli" link from email or SMS.
- Turn on two-step authentication inside ameli.fr. The account supports a code-by-SMS second factor for new device logins. Activate it under account settings. Combined with a unique password, credential-only phishing becomes useless.
- Install a browser-layer scanner. SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before render and blocks Ameli lookalike domains before any form can be displayed.
Install SafeBrowz free
Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever, with a Premium tier at 14.99 EUR per year if you want the AI deep-scan layer.
Frequently asked questions
Does Ameli ever send refund notifications or Carte Vitale renewal links by email or SMS?
No. The Assurance Maladie does not send clickable refund or Carte Vitale renewal links by email or SMS. Real refunds are processed automatically by SEPA transfer to the IBAN already on file and visible inside the ameli.fr account under "Mes paiements." Real Carte Vitale renewal is requested by the user inside the account or handled automatically when the chip becomes unreadable, with the new card mailed to the postal address on file. Any link in an unsolicited message is phishing.
What is the NIR and why is it so valuable to scammers?
The NIR (numero d'inscription au repertoire) is the 13-digit French social security number followed by a 2-digit cle de controle. It encodes sex, birth year, birth month, department of birth, and a sequential record number, and it is the master identifier across French social services, healthcare, employment, and pension records. Combined with full name, date of birth, and address, the NIR enables fraudulent benefit claims, fraudulent credit applications, and broader identity theft. The CNIL classifies it as sensitive personal data, which is why a page that asks for it outside of an authenticated session on a trusted government domain is by itself a red flag.
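The structure described in this answer is regular enough that a form-protection hook can recognise a real NIR before it leaves the browser. The sketch below is an added example, not code from this article or from any Assurance Maladie system: function names are hypothetical, the sample numbers are constructed, and it relies on two facts of the public NIR format that the answer does not spell out (a 3-digit commune code sits between the department and the serial number, and the cle equals 97 minus the 13-digit number modulo 97).

```javascript
// Added example, not code from the article. Function names are hypothetical;
// the sample NIRs are constructed so that their control keys verify.
function parseNir(value) {
  const s = String(value).replace(/[\s.-]/g, "").toUpperCase();
  const m = /^(\d)(\d{2})(\d{2})(\d{2}|2[AB])(\d{3})(\d{3})(\d{2})$/.exec(s);
  if (!m) return null;
  const [, sex, year, month, dept, commune, serial, key] = m;
  // Corsican departments 2A / 2B count as 19 / 18 when computing the key.
  const deptNum = dept === "2A" ? "19" : dept === "2B" ? "18" : dept;
  const body = Number(sex + year + month + deptNum + commune + serial);
  const keyOk = 97 - (body % 97) === Number(key);
  // Never log the raw value: keep the first digit only.
  const masked = s[0] + "*".repeat(s.length - 1);
  return { sex, year, month, dept, commune, serial, keyOk, masked };
}

// Same label-boundary rule as for links: ameli.fr or a subdomain of it.
function isOfficialHost(host) {
  const h = String(host).toLowerCase();
  return h === "ameli.fr" || h.endsWith(".ameli.fr");
}

// Decide whether to warn the user before a typed value is submitted.
function nirSubmissionCheck(pageHost, fieldValue) {
  const nir = parseNir(fieldValue);
  if (!nir || !nir.keyOk) return { warn: false, reason: "not-a-valid-nir" };
  if (isOfficialHost(pageHost)) return { warn: false, reason: "official-host" };
  return { warn: true, reason: "valid-nir-on-unofficial-host", value: nir.masked };
}

// Constructed inputs: a valid NIR on a lookalike host, the same NIR on the
// official portal, and a 10-digit phone-like value that is not an NIR.
console.log(nirSubmissionCheck("ameli-fr.online", "2 90 07 75 123 456 04"));
console.log(nirSubmissionCheck("assure.ameli.fr", "2 90 07 75 123 456 04"));
console.log(nirSubmissionCheck("ameli-fr.online", "0612345678"));
```

Checking the key keeps false positives low: a random 15-digit string passes the check only about one time in 97.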
I clicked the link but did not enter anything. Am I safe?
Almost certainly yes. Loading a phishing page in a modern browser does not by itself transmit credentials or personal data. Change your ameli.fr password as a precaution, run a malware scan if you also downloaded any file from the page, and check your account under "Mon compte" for unfamiliar device logins. If the page invited you to install an "Ameli mobile app" outside the official app stores, do not install it. The official Ameli app is published by the Caisse Nationale de l'Assurance Maladie on Apple App Store and Google Play and nowhere else.
I entered my IBAN. Can the scammer drain my bank account?
An IBAN alone cannot be used to initiate a card transaction, but it can be used to set up a SEPA direct debit mandate, which is how recurring bills are paid in France and across the EU. Unauthorised direct debits are refundable by your bank within 8 weeks under EU Payment Services Directive rules. Call your bank, ask them to flag the IBAN for SEPA mandate review (every new direct debit will then need your explicit confirmation), and monitor statements for 90 days. Refusing unauthorised mandates is free and immediate.
I entered my ameli.fr password. What should I do first?
Type ameli.fr manually, log in, and change the password immediately. Then check the account login history if available, look at "Mon compte" for any modified personal data (postal address, beneficiary list, IBAN), and contact 3646 to ask whether any changes have been logged on your file. If you reuse that same password on any other site, rotate those too. Password reuse is what turns a single phishing event into multi-account compromise.
How do I report an Ameli phishing email or SMS in France?
For email phishing, forward the message to Signal-Spam at signal-spam.fr (creates a report ticket and forwards to the French CNIL and law enforcement). For any illegal online content, including phishing pages and lookalike domains, report to Pharos at internet-signalement.gouv.fr, the Ministere de l'Interieur platform. For SMS phishing (smishing), forward the message to 33700, the universal French SMS spam shortcode. For victim support, call Cybermalveillance.gouv.fr at 0805 805 817 or use their online assistance portal.
I am an expat or foreign student in France. Does the same advice apply?
Yes, every step in this guide applies regardless of nationality. If you are enrolled in the Assurance Maladie (PUMA coverage, student social security, or via employment), you have an ameli.fr account and you are a potential target. Cybermalveillance.gouv.fr offers some English content, Service-Public.fr publishes English summaries of major administrative procedures, and the Ameli helpline at 3646 can sometimes route to multilingual agents on request. If your French is limited, file the complaint at the gendarmerie or police station in person with a French-speaking friend or translator.
What are the official Ameli URLs I should bookmark?
The single trustworthy domain is ameli.fr. The authenticated account portal is assure.ameli.fr. The Carte Vitale information page is ameli.fr/assure/droits-demarches/carte-vitale. The current scam warnings page is ameli.fr/assure/actualites/attention-aux-tentatives-darnaque. The official mobile app is published by Caisse Nationale de l'Assurance Maladie on Apple App Store and Google Play. Anything else, including any subdomain not ending in .ameli.fr, is not official.
Related reading
- Impots.gouv tax refund scam France - the sister French government impersonation pattern, targeting tax-refund anxiety instead of healthcare
- Vinted and Leboncoin fake buyer scam France - the dominant French C2C marketplace phishing pattern targeting IBAN and card details
- HMRC tax refund scam UK - the same template applied to UK government tax refund expectations
- iCloud signed-out scam email - the brand-account-anxiety pattern that the Carte Vitale renewal variant mirrors
Bottom line: The Ameli phishing scam works because Carte Vitale renewals and reimbursements are real procedures that millions of French residents handle every year, and the message templates piggyback on real expectations. The defence has not changed. The real Assurance Maladie never asks you to confirm anything by clicking a link in an unsolicited email or SMS. Type ameli.fr yourself, or open the official mobile app, and verify directly. If you already clicked, call 3646, call Cybermalveillance.gouv.fr at 0805 805 817, and report the lookalike at Pharos. And add a browser-layer scanner like SafeBrowz so the fake Ameli page never loads.