CAF data breach phishing scam in France 2026: is that CAF message real?
A large dump of CAF beneficiary data is circulating on a cybercrime forum, and scammers are using it to send convincing fake CAF texts and emails. If you receive an SMS about a CAF refund or a request to update your RIB, here is the honest answer first.
Is the CAF refund SMS or email real?
Verdict: treat any CAF SMS or email that asks you to click a link and confirm your bank card, RIB, or Mon Compte password as a phishing scam. The real CAF never asks for your bank card number or your password through an SMS or email link. The only official website is caf.fr, reached directly or through mesdroitssociaux.gouv.fr. A message that pushes a refund, an account verification, or an urgent RIB update through a link like caf-remboursement-allocataire.com is fake. To check, ignore the link, open a new tab, and type caf.fr yourself.
The Headline
A dataset claimed to contain around 22 million lines of CAF beneficiary information (names, postal addresses, email addresses and phone numbers) was put up for sale on a cybercrime forum in late 2025. On 18 December 2025, the Cnaf (Caisse nationale des Allocations familiales) stated that no intrusion or flaw was found in its own systems and that the data appears to come from other public-service systems it exchanges data with. The Cnaf confirmed the leaked data contains no bank details and no Mon Compte passwords. The real risk now is targeted phishing built on real, accurate personal data.
What actually leaked, in plain terms
In late 2025 a listing appeared on a cybercrime forum advertising a CAF-linked database described as roughly 22 million lines of personal data covering millions of allocataires. The fields reported included full names, postal addresses, email addresses and phone numbers. The asking price was strikingly low, which is exactly what worries researchers: a cheap dataset moves fast and ends up in many criminal hands at once.
The Cnaf responded publicly on 18 December 2025. Its position is specific and worth quoting in spirit: after immediate investigation, no intrusion and no vulnerability were detected in its own information system, and no technical breach of its information flows was observed. The Cnaf said the data circulating appears to originate from the systems of other public services with which it exchanges information to administer benefits, not from a hack of caf.fr itself. Crucially, the Cnaf stated the leaked data does not contain banking information and does not contain the passwords used to access Mon Compte.
That last point matters for two reasons. First, it should calm the worst fear: your CAF login and your bank account were not handed over wholesale. Second, it explains the scam wave perfectly. Attackers do not have your card, so they have to trick you into typing it. And the cleanest way to do that is a message that already knows your name, address and phone number, because that is the part that did leak.
Why this breach makes the phishing far more dangerous
Generic phishing is easy to ignore. "Cher client" with no name, a wrong region, a clumsy link. This wave is different. When a text greets you by your real name, references your real city, and arrives on the exact mobile number you registered with public services, your guard drops. The message feels personal because, in a narrow sense, it is. The criminals are not guessing. They are reading from a list.
This is classic data-fueled social engineering. The leaked fields (name, address, email, phone) are precisely the ingredients that turn a clumsy mass text into a believable, targeted one. Researchers flagged targeted phishing, vishing (scam phone calls) and smishing (scam texts) as the most probable outcomes of this leak, exactly because the attacker already holds accurate identifying details. The data that leaked is not enough to drain your account on its own, but it is more than enough to make you believe the next message.
How the fake CAF scam actually works
The cascade runs across SMS and email, and sometimes a follow-up phone call. All roads lead to the same place: a clone of the CAF or Mon Compte login page, or a fake payment form, that harvests what the leak did not contain.
The fake refund. An SMS or email claims CAF owes you money, a "remboursement" or a newly created aide, and you must confirm your bank details to receive it. The link leads to a page styled like caf.fr that asks for your RIB, then your bank card number, expiry and CVV. Real CAF refunds are paid automatically to the bank account already on file. CAF does not need your card to send you money.
The account verification. A message warns that your CAF file is suspended, incomplete, or must be "verified" within 24 to 48 hours or your allocations stop. The link opens a fake Mon Compte login that captures your numéro allocataire and password. With those, attackers log into the real account, change the RIB on file, and redirect your genuine payments to their own account.
The RIB update. A message says your bank details are out of date and payments will fail unless you update your RIB now. This is the most direct version: the form simply collects your IBAN and identity, which is enough to attempt fraud or to set up the redirection above.
Some variants add a vishing layer: a caller claiming to be a "conseiller CAF" follows up, references the details from the leak to sound legitimate, and walks you through "confirming" a code your bank just texted you. That code authorizes a real transaction. Never read a bank code to anyone on the phone.
The exact phrases these messages use
Once you have seen them, they jump out of any inbox. Real CAF notices do not write this way.
- "CAF: un remboursement de XX,XX EUR vous attend. Confirmez vos coordonnées bancaires: [lien]"
- "Votre dossier CAF est incomplet. Vérifiez vos informations sous 48h pour éviter la suspension de vos droits."
- "Mise à jour requise: votre RIB n'est plus valide. Mettez à jour pour continuer à percevoir vos allocations."
- "Suite à un incident, reconnectez-vous à votre espace Mon Compte: [lien]"
The wording feels official because scammers copy real CAF templates. But the rhythm is wrong. Genuine French public-service messaging is dry, formal and never compresses a deadline into "sous 48h ou suspension". The real CAF will tell you to log in to your espace personnel; it will not push a one-tap refund through a link, and it will never ask for your card number.
What the real CAF actually does vs the fake
This is the section to memorize. Three rules cover almost every fake CAF message.
Rule 1: the real CAF never asks for your bank card or password by SMS or email link. CAF already holds the bank account on file for your allocations and pays into it automatically. It does not need your card number, your CVV, or your Mon Compte password sent through a message. Any link asking for those is harvesting them. This single rule defeats the refund, verification and RIB-update versions at once.
Rule 2: the only official address is caf.fr. You reach your account at caf.fr, or through the government social-rights portal mesdroitssociaux.gouv.fr, which is itself a .gouv.fr address. Anything with "caf" glued to a non-government domain, a hyphenated lookalike, or a different TLD is hostile. The CAF itself states that only links beginning with https://www.caf.fr lead to its real site.
Rule 3: a refund does not require you to "confirm" anything by link. If CAF genuinely owes you money, it lands in the account already registered, with no action from you. There is no legitimate flow where receiving a CAF payment depends on you re-entering your card details on a web page.
Lookalike URLs to watch for
These illustrate the pattern in CAF phishing waves. The list is not exhaustive (attackers register new domains daily), but the shape is always the same: glue "caf", "allocataire", "remboursement" or "rib" onto a non-government domain, or hyphenate to bury the real one.
- caf-remboursement-allocataire.com (real is caf.fr)
- caf-mon-compte-verification.fr (CAF uses caf.fr, not a separate verification domain)
- mise-a-jour-rib-caf.com (no such CAF service exists)
- caf-allocations-gouv.fr (looks official, but "-gouv.fr" is not ".gouv.fr"; the real domain is caf.fr, and the only .gouv.fr route is the official portal mesdroitssociaux.gouv.fr)
- espace-caf-securise.net (real espace is on caf.fr, not a .net)
On a phone, the danger is that the address bar is short and the page looks pixel-perfect. The fix is the same on every device: do not trust the link in the message. Open a new tab, type caf.fr yourself, and log in there.
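A defender-side check of the rules above, added here as an example and not SafeBrowz's own detection code: it treats caf.fr and *.gouv.fr hosts as official, flags hosts assembled from the bait words listed on this page, and also catches links where the real domain name is visible in the text but the browser would connect elsewhere. The verdict labels and the sample SMS are constructed for the example.

```javascript
// Added example, not SafeBrowz code: classify the link in a suspected CAF
// message using only the rules stated on this page. Official hosts: caf.fr
// (genuine links begin with https://www.caf.fr) and mesdroitssociaux.gouv.fr;
// any other *.gouv.fr host is treated as government as well.
const OFFICIAL_SUFFIXES = ["caf.fr", "gouv.fr"];
// Words the page says attackers glue onto non-government domains.
const BAIT_TOKENS = ["caf", "allocataire", "remboursement", "rib", "gouv"];
// True for the domain itself or a real subdomain of it. A plain substring test
// would also accept caf.fr.attacker.example, so the label boundary is checked.
function hostMatches(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

function classifyCafLink(raw) {
  let url;
  try {
    url = new URL(raw.trim());
  } catch {
    return { verdict: "invalid", reason: "not a parseable URL" };
  }
  // The URL parser lower-cases the hostname; drop a trailing dot if present.
  const host = url.hostname.replace(/\.$/, "");
  if (OFFICIAL_SUFFIXES.some((s) => hostMatches(host, s))) {
    return url.protocol === "https:"
      ? { verdict: "official", reason: `government domain ${host}` }
      : { verdict: "suspicious", reason: "official host but not https" };
  }
  // "https://www.caf.fr@evil.example/" or "caf.fr.attacker.example": the real
  // domain is visible in the text, but the browser connects somewhere else.
  if (OFFICIAL_SUFFIXES.some((s) => raw.toLowerCase().includes(s))) {
    return { verdict: "lookalike", reason: `official name shown, host is ${host}` };
  }
  // Hyphenated lookalikes: split each label on "-" and look for bait words.
  const tokens = host.split(".").flatMap((label) => label.split("-"));
  const hits = BAIT_TOKENS.filter((t) => tokens.includes(t));
  if (hits.length > 0) {
    return { verdict: "lookalike", reason: `${host} uses ${hits.join(", ")} off caf.fr` };
  }
  return { verdict: "unknown", reason: `${host} is not CAF-related` };
}
// Pull every http(s) link out of an SMS or email body and classify each one.
function classifyLinksInMessage(text) {
  const links = text.match(/https?:\/\/[^\s"'<>]+/gi) || [];
  return links.map((link) => ({ link, ...classifyCafLink(link) }));
}

// Constructed sample SMS modelled on the phrases listed on this page.
const SAMPLE_SMS =
  "CAF: un remboursement de 87,40 EUR vous attend. Confirmez vos coordonnées " +
  "bancaires: https://caf-remboursement-allocataire.com/rib";

for (const r of classifyLinksInMessage(SAMPLE_SMS)) {
  console.log(r.verdict, r.link, "->", r.reason);
}
```

The "official name shown" branch is the one a naive `includes("caf.fr")` check gets backwards: it would mark those links as safe.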
Red flags: spot it in 30 seconds
- It asks for your bank card, CVV, RIB or password by link. Real CAF never does this.
- It promises a refund you did not expect. CAF pays into the account on file, no card needed.
- It threatens suspension of your droits within 24 to 48 hours. Manufactured urgency.
- The URL is not exactly caf.fr. Hyphens, extra words, or a non-.gouv.fr TLD are tells.
- It greets you by your real name and address. After this leak, that proves nothing. Accurate details are now in criminal hands.
- A follow-up call asks you to read a code from your bank. That code authorizes a payment. Hang up.
Any one of these is enough to delete the message. Two or more is a confirmed phishing attempt.
What to do (the safe routine)
If you want to check whether CAF really needs something from you, do not tap the link. Open a new browser tab and type caf.fr directly, or go through mesdroitssociaux.gouv.fr. Log in to your espace Mon Compte. Any genuine message, missing document, or pending action appears inside your account. If your account shows nothing, the message was a scam, full stop.
Because the leak exposed your phone, email and address, also assume more scam contact is coming. Be skeptical of any unexpected message that references CAF, even one that knows your details. Knowing your name is now a low bar, not proof of legitimacy.
What to do if you already entered your details
Speed matters. Move in this order.
- If you entered card or bank details, call your bank immediately and block the card or oppose the transaction. The opposition number is on the back of your card or inside your banking app.
- If you entered your Mon Compte password, change it now by typing caf.fr yourself, and check that the RIB on file is still yours. Attackers redirect payments by swapping the RIB.
- Dispute any unauthorized charge under PSD2. Under Article L133-18 of the French Code Monétaire et Financier, your bank must refund unauthorized card transactions unless it proves gross negligence, and you have up to 13 months to dispute.
- Report and get help at cybermalveillance.gouv.fr, the official French cybercrime support platform. It gives you a written reference and next steps.
- File a plainte at your local commissariat or gendarmerie with screenshots of the message, the fake URL and any receipts. A plainte often helps push the bank refund through.
- Watch your statements and your CAF account daily for 30 days. Some attackers wait before acting, hoping you stopped looking.
How to report the fake CAF message
Reporting protects the next allocataire. Each takes under two minutes.
- SMS smishing: forward the text to 33700, the free French short code for reporting fraudulent SMS, then delete it.
- Email phishing: report it through signal-spam.fr, the reporting service associated with the CNIL.
- Phishing sites and cybercrime: report at cybermalveillance.gouv.fr, which also connects you with certified help.
- Fraudulent content and certain scams: report to Pharos at internet-signalement.gouv.fr, the Ministry of the Interior reporting platform.
- Confirm what CAF is really doing: read the official phishing alerts on caf.fr, where the Cnaf publishes guidance on the current wave.
Updated June 28, 2026.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. The leak put your real identity in the attacker's hands, so the only thing left to defend is the moment you land on the clone page. That is where SafeBrowz works.
- Layer 1 - Local detection: 60+ URL patterns + 550+ brand signatures (including French public-service impersonation patterns like caf-{variant}.{tld}, mon-compte-{variant}, and rib-update lookalikes) run inside the extension before the page renders. caf.fr, mesdroitssociaux.gouv.fr and service-public.fr are in the brand database, so a lookalike trips a block before the fake login finishes loading.
- Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser and scam-TLD intelligence to catch known malicious CAF lookalike domains.
- Layer 3 - AI deep scan (Premium): AI content analysis via our proxy reads the page in French and 100+ languages, recognizes CAF and Mon Compte page mimicry (Marianne logo, République Française header, RIB and card-capture forms), and flags brand-new CAF clones the moment they go live, before any blocklist has them.
The live SafeBrowz Android app on Google Play applies the same engine to links you open on your phone, which is exactly where these CAF texts land, and the free browser extension does the same on desktop, flagging the fake CAF login or payment page before you type anything into it.
Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. No per-user browsing history is stored.
Block fake CAF sites before you click
SafeBrowz is a free browser extension for Chrome, Firefox and Edge (Safari coming soon) plus a live Android app that blocks fake French public-service pages automatically. It recognizes 550+ brands including CAF, Ameli, impots.gouv.fr, FranceConnect, La Poste and more, all auto-flagged when a page tries to impersonate them. AI content analysis works in French and 100+ other languages and spots new phishing domains the moment they go live. Free forever, no account needed.
Frequently asked questions
Is the CAF refund SMS or email real?
Almost always no. The real CAF never asks you to confirm your bank card, RIB or Mon Compte password through an SMS or email link. CAF pays refunds automatically into the bank account already on file. A message that pushes a refund, an account verification, or an urgent RIB update through a link is phishing. The only official site is caf.fr, reached directly or through mesdroitssociaux.gouv.fr. To verify, open a new tab and type caf.fr yourself instead of clicking the link.
Was the CAF itself hacked in the 2025 data breach?
According to the Cnaf statement of 18 December 2025, no. The Cnaf said it found no intrusion and no vulnerability in its own systems, and that the circulating data appears to come from other public-service systems it exchanges information with. The Cnaf also confirmed the leaked data does not contain banking information and does not contain Mon Compte passwords. The data reported in the leak is names, postal and email addresses, and phone numbers, which is enough to power targeted phishing.
What data was in the CAF leak?
The dataset advertised on a cybercrime forum was described as around 22 million lines covering names, postal addresses, email addresses and phone numbers of allocataires. Per the Cnaf, it did not include bank details or the passwords used to log in to Mon Compte. The danger is that accurate personal details make follow-up phishing, smishing and scam phone calls far more convincing.
Does the CAF ever ask for my bank card or password by link?
No. This is the single most reliable rule. The real CAF never asks for your bank card number, CVV, or Mon Compte password through an SMS or email link. It already holds your bank account for payments and does not need your card to send you money. Any message that asks for those details is harvesting them for fraud.
Is caf-remboursement-allocataire.com a real CAF site?
No. The only official CAF address is caf.fr, accessed directly or through the government portal mesdroitssociaux.gouv.fr. Domains like caf-remboursement-allocataire.com, mise-a-jour-rib-caf.com or caf-mon-compte-verification.fr are fakes. The CAF states that only links beginning with https://www.caf.fr lead to its genuine website.
How do I report a fake CAF text or email?
Forward fraudulent SMS to the free short code 33700, then delete the text. Report phishing emails through signal-spam.fr. Report phishing sites and get help at cybermalveillance.gouv.fr, and report fraudulent content to Pharos at internet-signalement.gouv.fr. For confirmation of the current wave, read the official alerts on caf.fr.
What should I do if I already entered my details on a fake CAF page?
Act fast. If you entered card or bank details, call your bank and block the card immediately. If you entered your Mon Compte password, change it by typing caf.fr yourself and check that the RIB on file is still yours. Dispute any unauthorized charge with your bank under PSD2, report at cybermalveillance.gouv.fr, file a plainte at your local commissariat with screenshots, and watch your statements and CAF account daily for 30 days.