ELSTER and Finanzamt tax-refund phishing: is that German tax email real?
An email saying your electronic Steuerbescheid for 2026 is ready, or that a Finanzamt refund is waiting once you "verify your data," is a near-perfect ELSTER clone built to steal your login and bank details.
Bottom line first: is the ELSTER refund email a scam?
Verdict: scam. An email claiming your "elektronischer Steuerbescheid fuer 2026" is ready, or that a Steuererstattung (tax refund) is waiting once you confirm your details, is phishing. The real ELSTER portal lives only at elster.de. The German Finanzamt (tax office) never emails you a refund link and never asks you to "verify your data" to receive money. A German tax refund is paid automatically to the IBAN already on file. Do not click the link. Delete the email and report it to the Verbraucherzentrale Phishing-Radar.
The German terms, in plain English
This scam works partly because it borrows official German tax vocabulary that many people, especially expats and newcomers, only half understand. Here is the short glossary you need to read the rest of this article.
- ELSTER ("Elektronische Steuererklaerung") is Germany's official online tax portal, run by the tax administration. It is the real place you file returns and read assessments. Its only address is elster.de.
- Finanzamt is your local tax office, the government authority that processes your taxes. There are hundreds of them across Germany, each tied to a region.
- Steuerbescheid is your tax assessment, the official document that says how much tax you owe or are owed back after a return is processed.
- Steuererstattung is a tax refund, the money the Finanzamt pays back to you when you overpaid.
Scammers stitch these words into an email that looks like a routine government notification. The story is simple and believable: your assessment is ready, there is money waiting, and all you have to do is log in and confirm a few details to release the payout.
Why this wave is everywhere in 2026
This is not a stray email. Germany's consumer protection body, the Verbraucherzentrale Phishing-Radar, has repeatedly flagged ELSTER and Finanzamt refund emails as one of the most persistent phishing themes, and reporting through June 2026 points to a large, active wave hitting inboxes across the country. The fake-refund hook spikes around tax-filing season precisely because so many people are genuinely expecting an assessment or a payout, which makes the timing feel legitimate.
The Federal Office for Information Security, the BSI, treats tax-authority impersonation as a standard phishing pattern and gives the public the same core rule it gives for every brand: a real authority does not ask you to confirm sensitive data through a link in an email. The BKA, Germany's Federal Criminal Police Office, classifies this kind of credential and payment-data theft as phishing under cybercrime, and the cumulative losses from phishing campaigns of this type run into the millions of euros each year. A government office that nearly every working adult in Germany deals with is exactly the brand a phishing crew wants to wear.
What the scam email actually says
The wording rotates, but the skeleton is stable. A typical message arrives with a subject line and body like these:
- Subject: "Ihr elektronischer Steuerbescheid fuer 2026 ist abrufbar" (your electronic tax assessment for 2026 is available). Body: your assessment has been processed and is ready to view. Log in to ELSTER to read it: [link].
- Subject: "Steuererstattung: 327,48 EUR stehen zur Auszahlung bereit" (tax refund: a specific euro amount is ready for payout). Body: a refund is waiting, but your bank details could not be confirmed. Verify your data to release the payment: [link].
- Subject: "Finanzamt: Letzte Erinnerung zur Datenbestaetigung" (tax office: final reminder to confirm your data). Body: confirm your details within 48 hours or the refund will be cancelled: [link].
The link leads to a near-perfect ELSTER clone. The page copies the real portal's blue-and-white layout, the official wording, and the login fields. You are asked to log in, then to "verify your data" to unlock the payout, which in practice means typing in your card number, your IBAN, your address, and your ELSTER credentials. Everything you enter is harvested. There is no refund at the end of it, because the email never came from the Finanzamt at all.
What the fake links look like (illustrative)
The link is engineered to look almost official at a glance, especially on a phone. The domain crams in "elster," "finanzamt," or "steuer" plus a transactional word, then lands on a free hosting platform or a cheap domain that the real tax administration would never use. The examples below are illustrative lookalikes; the real ELSTER portal is only at elster.de:
- elster-portal-2026.vercel.app
- mein-elster-online.pages.dev
- finanzamt-erstattung.netlify.app
The trick is that "elster" or "finanzamt" appears somewhere in the string, but never as the actual registrable domain. A free-hosting suffix like .vercel.app, .pages.dev, or .netlify.app means anyone can spin up a page in minutes, and the real owner of that page is whoever registered the subdomain, not the German tax office. The only real ELSTER address is elster.de, and the central federal tax authority sits at bzst.de. Anything else claiming to be ELSTER is a different site that merely contains the word.
Red flags that give it away every time
You do not need to know German tax law to spot this. The tells are structural.
- It asks you to "verify your data" to receive money. This is the single biggest tell. The Finanzamt already has your IBAN. A real refund is paid automatically to the account on file. No real tax office makes you confirm bank or card details through an email link to release a payout.
- The link is not elster.de. The real portal is only at elster.de. Any address on a free host like .vercel.app, .pages.dev, or .netlify.app, or any cheap lookalike domain, is fake no matter what words it contains.
- There is a countdown. "Within 48 hours," "final reminder," "payout will be cancelled." Real tax administration runs over weeks and arrives in your ELSTER inbox or by post, not with a ticking clock in an email.
- It asks for card details. A German tax refund is a bank transfer to your IBAN. There is no reason for the Finanzamt to ever request a card number. That request alone is conclusive.
- The sender address is off. Real ELSTER notifications come from official domains and, by design, only tell you that a message is waiting inside the portal. A refund email from a random Gmail, Outlook, or unrelated domain is not the tax office.
- Generic greeting and odd German. "Sehr geehrter Kunde" (dear customer) instead of your name, plus stilted phrasing or missing umlauts, are common. The Finanzamt addresses you formally and correctly and knows exactly who you are.
- It pushes you to log in from the email. The real workflow is the reverse: you open elster.de yourself and check your inbox there. ELSTER does not push you outward to a login form.
How the real ELSTER and Finanzamt actually work
The defense is anchored in one fact: the genuine process never matches the email's story. When the Finanzamt finishes your assessment, the Steuerbescheid appears inside your ELSTER account, and any refund is transferred automatically to the IBAN you already provided. There is no step where you confirm bank details to "unlock" money, because the money was already routed to an account the tax office holds on record.
Real ELSTER messages are also deliberately content-light. To reduce exactly this kind of phishing, official notifications tell you only that something is waiting in your portal inbox, without embedding the sensitive content or a "log in here to claim your refund" button. If an email contains a refund amount, a verification link, and a deadline, that combination by itself marks it as fake, because the real system does not send that.
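The two checks described above, reading the link's registrable domain right to left (the lookalike section) and flagging the amount-plus-link-plus-deadline combination that a real notice never sends (this section), as an added example that is not SafeBrowz's code. The public-suffix set, the brand-word list and the sample email are constructed for illustration; a production check would load the full Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Constructed subset of multi-label public suffixes (the free hosts named in the article);
# a production check would load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"vercel.app", "pages.dev", "netlify.app"}
OFFICIAL = {"elster.de", "bzst.de"}              # the only genuine tax-portal hosts
BRAND_WORDS = ("elster", "finanzamt", "steuer")

def registrable_domain(host: str) -> str:
    """eTLD+1: on a free host the suffix is public, so the 'owner' is the subdomain."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                             # longest public suffix wins
        if len(labels) > n and (n == 1 or ".".join(labels[-n:]) in PUBLIC_SUFFIXES):
            return ".".join(labels[-(n + 1):])
    return host.lower()

def classify_url(url: str) -> str:
    """'official' only for elster.de / bzst.de; 'lookalike' when a brand word rides elsewhere."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in OFFICIAL:
        return "official"
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"
    return "unknown"

AMOUNT_RE = re.compile(r"\d{1,3}(?:\.\d{3})*,\d{2}\s*(?:EUR|€)")
DEADLINE_RE = re.compile(r"innerhalb von \d+ stunden|letzte erinnerung", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage_email(subject: str, body: str) -> tuple[str, list[str]]:
    """Collect the signals a real ELSTER notice never combines: amount, deadline, verify-data, link."""
    text = subject + "\n" + body
    signals = []
    if AMOUNT_RE.search(text):
        signals.append("refund amount")
    if DEADLINE_RE.search(text):
        signals.append("deadline")
    if re.search(r"daten", text, re.I) and re.search(r"best[aä]e?tig|verifizier", text, re.I):
        signals.append("verify-data request")
    for url in URL_RE.findall(text):
        if classify_url(url) != "official":
            signals.append("non-official link: " + url)
    return ("phishing" if len(signals) >= 2 else "review"), signals

# Constructed sample modelled on the subject lines quoted in the article.
SAMPLE = triage_email("Steuererstattung: 327,48 EUR stehen zur Auszahlung bereit",
                      "Bitte bestaetigen Sie Ihre Daten innerhalb von 48 Stunden: "
                      "https://finanzamt-erstattung.netlify.app/login")
```

Punycode and Cyrillic homograph hosts are not normalised here; a real filter would decode IDNs before matching brand words.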
This pattern is identical to tax-refund phishing in other countries. The brand changes but the mechanic does not, which is why our coverage of the IRS tax refund scam in the US and the impots.gouv.fr refund scam in France reads almost word for word the same. A tax authority that pays refunds automatically, impersonated by an email that asks you to confirm data to release one, is the same attack everywhere.
What SafeBrowz sees on the network
When the SafeBrowz engine examines an ELSTER lookalike page, the structure of the attack is consistent enough to read across all three detection layers. A few patterns stand out.
First, the host is throwaway. The destination behind an ELSTER phishing email is almost always a free-hosting subdomain or a domain registered within the last few days. No legitimate government portal lives on .vercel.app or is days old. Host type and domain age alone flag a large share of these before any content loads.
Second, the structure is a keyword sandwich on a non-official host. The string carries "elster," "finanzamt," or "steuer" plus a transactional word like "portal," "online," or "erstattung," then resolves on a free host or cheap top-level domain that the real elster.de registrant would never use. The brand word living anywhere except the real registrable domain is itself the signal.
Third, the page content gives itself away. A cloned ELSTER login form, the blue-and-white government styling, a "Steuererstattung freischalten" headline, and a card or IBAN field, all served from a non-elster.de host, is a textbook brand-impersonation profile. Content-level analysis catches the impersonation even when the domain is brand new and absent from every blocklist.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1, Local detection: 60+ URL patterns plus 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) and a community whitelist/blacklist, all running directly in the extension before the page renders. It catches government-impersonation keyword patterns on non-official hosts, free-hosting abuse, and refund-bait redirect families instantly.
- Layer 2, API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, and ScamAdviser, plus domain-age lookup (most ELSTER-scam destinations are less than 30 days old) and 30+ scam TLDs.
- Layer 3, AI deep scan: content-aware brand-impersonation analysis in 100+ languages catches a brand-new ELSTER lookalike that no blocklist has seen yet, reading the German page content directly.
Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
For people who do not want to install anything, the same engine powers the free public URL checker. Paste any link from a suspicious ELSTER or Finanzamt email and get a verdict in seconds. If you want to learn the manual checks yourself, our guide on how to tell if a website is a scam walks through reading a URL right to left.
What to do right now
If an ELSTER or Finanzamt refund email just landed, here is the whole correct response.
- Do not click the link or open any attachment. The link is the entire attack surface. Curiosity is how people get caught.
- Verify directly, not through the email. If you genuinely want to know whether you have an assessment or a refund, open a new browser tab and type elster.de yourself, then log in. Anything real will be in your portal inbox. Never use the link in the email.
- Report it to the Verbraucherzentrale Phishing-Radar. Forward the email to [email protected] so it can be logged and warned about publicly.
- Report it to the BSI. The Federal Office for Information Security at bsi.bund.de collects phishing reports to track active campaigns.
- Then delete the email.
If you already clicked the link but entered nothing, you are most likely fine: close the tab and clear cookies for that domain. If you entered your bank or card details, call your bank using the number on the back of your card or in your banking app, have the card or transfers blocked right away, and watch your account. In Germany you can reach your bank or call the central blocking hotline 116 116 to freeze cards. If you entered your ELSTER credentials, log in to the real elster.de yourself and change your password, and contact your Finanzamt. Our full "I got scammed, what to do right now" walkthrough covers the first-hour playbook in detail.
Frequently asked questions
Is the ELSTER Steuerbescheid email real or a scam?
If it contains a link to view your assessment or claim a refund and asks you to log in or confirm data, it is a scam. Real ELSTER notifications only tell you that a message is waiting inside your portal at elster.de, without a refund amount or a "verify your data" link. The Verbraucherzentrale and the BSI both warn that these emails are phishing.
Does the Finanzamt ever email a tax-refund link?
No. The Finanzamt never emails you a refund link and never asks you to "verify your data" to receive money. A German tax refund is paid automatically by bank transfer to the IBAN already on file. Any email that makes you confirm bank or card details to release a payout is fake.
What is the real ELSTER website address?
The only real ELSTER portal is elster.de. The central federal tax authority is at bzst.de. Any address on a free host like .vercel.app, .pages.dev, or .netlify.app, or any other domain claiming to be ELSTER, is fake even if the words "elster" or "finanzamt" appear in the link.
I entered my login and bank details on the fake ELSTER page. What now?
Act fast. Call your bank using the number on your card or in your app and have the card or transfers blocked, or call the German blocking hotline 116 116. Then open the real elster.de yourself and change your ELSTER password, and contact your Finanzamt. Report the email to the Verbraucherzentrale Phishing-Radar and the BSI.
Why am I getting this if I have not even filed a return yet?
Attackers do not target by tax status. They send millions of emails to addresses bought from data leaks and brokers. Many recipients have no assessment or refund pending at all. Receiving the email is not evidence that you are owed anything.
The email used my correct name and looked official. Does that make it real?
No. Data leaks mean scammers often know your name, and a cloned ELSTER design is easy to copy pixel for pixel. A correct name and an official look do not make an email genuine. The only safe check is to ignore the link entirely and type elster.de yourself.
How do I report a German tax phishing email?
Forward it to the Verbraucherzentrale Phishing-Radar at [email protected], report it to the BSI at bsi.bund.de, and if you lost money or shared bank data, tell your bank. Then delete the email.