AI Quick Answer: The Impots.gouv tax refund scam is a phishing campaign that impersonates France's tax authority (the Direction Generale des Finances Publiques, DGFiP). Victims receive a French-language email or SMS claiming they are owed a refund of around 200 to 600 euros and are asked to click a link to "claim" it. The link leads to a lookalike domain such as impots-gouv.fr, gouv-impots-refund.fr or fiscal-france.com that harvests identity data, bank card numbers (CB), and IBAN information. The real impots.gouv.fr never requests payment details by email or SMS. Genuine refund notifications appear only inside your espace particulier after secure login. If you receive a suspicious message, do not click the link, sign in directly by typing impots.gouv.fr in your browser, and report the scam to Cybermalveillance.gouv.fr (0 805 805 817) and Pharos at internet-signalement.gouv.fr.

Why French tax season is peak scam season

The French income tax calendar concentrates an extraordinary amount of national attention on impots.gouv.fr in a narrow window. Roughly 40 million households submit a declaration each year, with online filing deadlines staggered by department through May and June. The refund and balance notices for the previous tax year are then issued through July and August, with most refunds paid by transfer at the end of July. Between April and August, in other words, almost every adult in France is either logging into the DGFiP portal, waiting for a notice, or expecting money to move in or out of their bank account. That collective focus is exactly what phishing campaigns exploit.

Cybermalveillance.gouv.fr, the French government's national cyber-victim helpdesk, reported in its 2024 annual review that phishing remained the top reported threat for individuals, with hundreds of thousands of victims and more than 100 million euros in losses across all themes. Tax impersonation is one of the largest categories in the spring quarter. The Direction Generale des Finances Publiques publishes recurring warnings on its dedicated security page at impots.gouv.fr/securite-informatique, and the ANSSI cybersecurity authority issues parallel advisories. The pattern repeats year after year because each filing season delivers a fresh wave of attentive, anxious, well-primed targets.

A second window opens after the declaration deadline. Filers who expect a refund are waiting for the transfer. Filers who owe are anxious about the levy date. Both groups react to anything that looks impots-shaped, and the scammers know it. That is why the campaigns continue right through August before tapering off until the next cycle.

How the French tax refund phishing flow works

The attack is structured almost identically across operators, which makes the pattern very recognisable once you have seen it twice.

Step 1: bulk delivery. The attacker rents a French-language SMS gateway or a hijacked email infrastructure and blasts the message to a list of French phone numbers or email addresses, often purchased from a prior breach or scraped from public sources. The volume per campaign typically runs into the hundreds of thousands of recipients.

Step 2: the hook. The message states that the recipient is owed a refund of a small and plausible amount, typically between 184 and 642 euros. The language imitates real DGFiP communications. Common formulations: "Impots: Vous avez droit a un remboursement de 384,52 EUR. Cliquez pour reclamer," or "Direction Generale des Finances Publiques: votre remboursement de 247 EUR est en attente de validation." A short link follows.

Step 3: the landing page. The link resolves to a domain that visually imitates impots.gouv.fr. The Marianne logo, the tricolour banner, the dark blue header, and the small-print legal footer referencing the Code General des Impots and the Republique Francaise wordmark are all reproduced from the real site. On a phone screen, the imitation passes a casual eye test for almost everyone.

Step 4: the harvest. The page asks for, in sequence, full name, date of birth, mailing address, numero fiscal (the 13-digit tax reference), social security number (the numero de Securite sociale, a high-value identity primitive), full bank card details with CVV and expiry, and finally an IBAN and account name "to receive the refund by virement." Some variants also ask for a copy of a piece of ID through a file upload field.

Step 5: the cash-out. The harvested package is enough for several distinct downstream attacks. The card details are used immediately for unauthorised charges, typically tested with small amounts at French e-commerce checkouts before being run against larger merchants. The IBAN and identity profile enable account opening at digital banks, credit applications, and SEPA debit fraud against the victim's existing accounts. The numero fiscal and numero de Securite sociale enable fraudulent benefits claims and identity-based fraud against the CAF, the CPAM, and various other administrations.

Common French-language templates in active rotation

The exact wording rotates frequently, but the underlying templates are stable. If your incoming SMS or email matches one of these patterns, treat it as a scam by default and do not engage.

Template 1: Remboursement Impots ("Impots Refund")

Original French: "Impots: Vous avez droit a un remboursement de 384,52 EUR au titre de la taxe sur le revenu 2025. Cliquez pour reclamer votre du dans les 24h: [link]"

English translation: "Impots: You are entitled to a refund of 384.52 EUR for the 2025 income tax. Click to claim what you are owed within 24h: [link]." This is the single most common variant. The amount (a few hundred euros) is small enough to be plausible and large enough to motivate action, and the 24-hour clock manufactures urgency. The real DGFiP never imposes such artificial deadlines by SMS.

Template 2: Credit d'impot PAJE ("Family Childcare Tax Credit")

Original French: "DGFiP: Votre credit d'impot PAJE de 612 EUR est disponible. Validez vos coordonnees bancaires sur l'espace particulier: [link]"

English translation: "DGFiP: Your PAJE childcare tax credit of 612 EUR is available. Confirm your bank details in your personal space: [link]." PAJE (Prestation d'Accueil du Jeune Enfant) is a real CAF benefit linked to childcare costs, and the credit d'impot famille is a real DGFiP credit. Mixing them in one message lends the bait a thin coat of plausibility for parents of young children, who form a large and easily targeted segment.

Template 3: TVA refund pour entreprises ("VAT Refund for Businesses")

Original French: "Service des Impots des Entreprises: votre remboursement de TVA de 2 847 EUR a ete valide. Confirmez l'IBAN du compte professionnel pour reception sous 48h: [link]"

English translation: "Business Tax Office: your VAT refund of 2,847 EUR has been validated. Confirm the IBAN of the business account for receipt within 48h: [link]." Aimed at micro-entrepreneurs, SAS, and SARL directors who routinely manage VAT returns. The amounts in business variants are larger because they need to feel proportional to a corporate refund. The bait pairs naturally with VAT filing cycles at the end of each quarter.

Template 4: Prelevement a la source ajustement ("Pay-As-You-Earn Adjustment")

Original French: "Impots.gouv: ajustement du prelevement a la source en votre faveur. Solde de 218,40 EUR a recuperer avant le 15/06: [link]"

English translation: "Impots.gouv: pay-as-you-earn adjustment in your favour. 218.40 EUR balance to recover before June 15: [link]." Plays on the prelevement a la source system (the French equivalent of PAYE withholding) introduced in 2019. Most filers do not have a clear mental model of how withholding adjustments actually settle, which gives the scam its room to operate.

Template 5: Avis d'imposition rectificatif ("Corrected Tax Notice")

Original French: "DGFiP avis n. 2025-FR-7842: rectification de votre avis d'imposition - remboursement de 471 EUR. Identifiez-vous pour traitement: [link]"

English translation: "DGFiP notice no. 2025-FR-7842: correction to your tax assessment - 471 EUR refund. Sign in to process: [link]." Fake notice reference numbers add a bureaucratic-feeling layer to the bait. Real avis d'imposition are never circulated by SMS link, and the rectificatif process is handled inside the espace particulier or by mailed letter on official letterhead.

Template 6: Email with attached PDF

A growing variant arrives as a French-language email with an attached PDF "avis de remboursement" rather than a clickable link. The PDF itself looks like an official notice, complete with the Marianne header, and embeds either a clickable link or a QR code that resolves to the phishing landing page. Opening the PDF is safe, but tapping the link or scanning the QR code is the attack. The DGFiP does not issue refund notices as unsolicited email attachments.

Lookalike Impots domains observed in 2026

The real DGFiP property is on a single, well-known domain: impots.gouv.fr. Every legitimate French tax service web property lives under that domain or a clearly identifiable sister .gouv.fr subdomain. Anything outside that pattern is impersonation.

Pattern 1: Impots keyword on a non-.gouv.fr TLD

Examples in active rotation:

  • impots-gouv[.]fr (note the hyphen, the real site has no hyphen)
  • impots-gouv[.]com
  • impots-remboursement[.]fr
  • impotsfr-gouv[.]net
  • gouv-impots-refund[.]fr
  • fiscal-france[.]com
  • dgfip-remboursement[.]fr

The .gouv.fr namespace is restricted to verified French government entities. Scammers cannot register a .gouv.fr domain. They settle instead for similar-looking strings on .fr, .com, .net, or .online, hoping that a hyphen or a re-ordering of words goes unnoticed in the address bar. On mobile, where the URL is truncated, the deception is even more effective.

Pattern 2: Free-hosting subdomains

Examples:

  • impots-refund[.]vercel[.]app
  • impots-particulier[.]netlify[.]app
  • dgfip-fr[.]pages[.]dev
  • impots-france[.]github[.]io

Free hosting platforms such as Vercel, Netlify, Cloudflare Pages, and GitHub Pages take minutes to set up and serve automatic HTTPS. Attackers spin up a fresh subdomain, upload the fake espace particulier clone, and start sending SMS within an hour. The hosting providers shut down reported phishing rapidly, but a window of several hours is more than enough for a campaign to harvest thousands of victims.

Pattern 3: SMS short links and shorteners

Examples:

  • bit.ly/impots-rembours-2026
  • tinyurl.com/dgfip-fr
  • t.ly/impots
  • French SMS gateway short URLs such as sms[.]fr/ variants

Shorteners are attractive to scammers because the SMS preview does not unwrap them. The recipient sees only the shortener domain, not the final destination. Hovering on a phone is impractical, and tapping the link is exactly what the scam needs.

Pattern 4: Lookalike government wordmarks in the path

Examples:

  • refund-portal[.]online/impots.gouv.fr/login
  • verify-fr[.]net/dgfip/particulier/auth
  • secure-id[.]top/impots-gouv-fr/espace

The "impots.gouv.fr" string is embedded in the URL path or as a fake subdomain on an attacker-owned base. The trick exploits how non-technical readers scan URLs left to right and stop at the first familiar token. The actual domain is what the hostname ends with, that is, the last labels immediately before the first single slash after https://, not whichever part contains the impots string.
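The four patterns above can be told apart mechanically by reading the hostname rather than the whole URL. The following is an added example, not code from SafeBrowz or the DGFiP: the function name, verdict labels, and token and platform lists are assumptions drawn from the examples on this page, and the last sample URL is constructed.

```javascript
// Added example. All names are hypothetical; lists come from this page's examples.
const OFFICIAL_HOST = "impots.gouv.fr";
const GOV_SUFFIX = ".gouv.fr"; // restricted to verified government entities
const BRAND_TOKENS = ["impots", "dgfip", "fiscal"];
const FREE_HOSTING = ["vercel.app", "netlify.app", "pages.dev", "github.io"];
const SHORTENERS = ["bit.ly", "tinyurl.com", "t.ly"];

// Reports write indicators as impots-gouv[.]fr; undo that before parsing.
const refang = (s) => s.replace(/\[\.\]/g, ".");
const hasBrand = (s) => BRAND_TOKENS.some((t) => s.includes(t));
const isUnder = (host, base) => host === base || host.endsWith("." + base);

function classifyTaxUrl(raw) {
  let text = refang(raw.trim());
  // SMS links often omit the scheme; add one so the URL parser accepts them.
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(text)) text = "https://" + text;
  let url;
  try {
    url = new URL(text);
  } catch (err) {
    return { verdict: "unparseable", host: null };
  }
  // The host is what sits between "://" and the first "/". The path is not
  // part of it, however official it looks.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const path = url.pathname.toLowerCase();

  if (isUnder(host, OFFICIAL_HOST)) return { verdict: "official", host };
  if (host.endsWith(GOV_SUFFIX)) return { verdict: "gouv-fr-namespace", host };
  // Pattern 3: the destination is unknown until the short link is unwrapped.
  if (SHORTENERS.includes(host)) return { verdict: "shortener-unresolved", host };
  // Pattern 2: brand token in a subdomain of a free-hosting platform.
  if (FREE_HOSTING.some((p) => host.endsWith("." + p)) && hasBrand(host)) {
    return { verdict: "free-hosting-lookalike", host };
  }
  // Pattern 1, and fake subdomains on an attacker-owned base.
  if (hasBrand(host)) return { verdict: "lookalike-domain", host };
  // Pattern 4: brand token appears only after the first slash.
  if (hasBrand(path)) return { verdict: "brand-in-path", host };
  return { verdict: "no-brand-signal", host };
}

// Defanged samples from this page; the last one is constructed.
const SAMPLE_URLS = [
  "https://www.impots.gouv.fr/accueil",
  "impots-gouv[.]fr",
  "impots-refund[.]vercel[.]app",
  "bit.ly/impots-rembours-2026",
  "refund-portal[.]online/impots.gouv.fr/login",
  "impots.gouv.fr.attacker.example/login",
];
for (const u of SAMPLE_URLS) {
  const r = classifyTaxUrl(u);
  console.log(r.verdict.padEnd(24), r.host, "<-", u);
}
```

A "shortener-unresolved" verdict means the check has to be repeated on the unwrapped destination before anything can be concluded.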

How to verify a genuine DGFiP contact

The simplest defense is knowing what real DGFiP contact looks like. Memorise these facts.

  • Real refund notifications appear inside your espace particulier. Sign in by typing impots.gouv.fr directly into the browser address bar, never by clicking a link in a message. Your messagerie securisee inside the espace particulier is the only authoritative channel for personal tax correspondence.
  • The DGFiP never requests payment card details, IBAN, or social security number by email or SMS. The agency already has your bank details from your declaration and pays refunds by SEPA virement to the account on file. There is no scenario in which it asks you to re-enter that information by clicking a link.
  • Real DGFiP emails come from impots.gouv.fr, dgfip.finances.gouv.fr, or finances.gouv.fr. Anything else, including impots-gouv.fr, dgfip-info.com, or generic Gmail or Outlook addresses, is impersonation. Be aware that the "from" header can be spoofed; verify by signing into the espace particulier rather than by trusting headers alone.
  • The DGFiP never imposes 24-hour or 48-hour deadlines by SMS. Real procedures have weeks or months of statutory delays, formal appeals rights, and mailed letters at every step. Urgency by SMS is itself the giveaway.
  • QR codes in DGFiP messages are not used for identity verification. If a "DGFiP" letter, email, or PDF includes a QR code that takes you to a sign-in page, treat the entire message as suspect and verify by signing in directly at impots.gouv.fr.
  • For specific notice questions, call your centre des impots. The phone number is listed inside the espace particulier under "Contact" once you sign in, or at impots.gouv.fr/contact. Do not call numbers given in unsolicited messages.
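The rules in this checklist can be applied to an incoming message text before anyone taps a link. The following is an added example, not code from SafeBrowz or the DGFiP: it runs three of the rules above over the SMS templates quoted earlier on this page. The rule names and keyword lists are assumptions, and the last two sample messages are constructed.

```javascript
// Added example. Signal names, verdict labels and keyword lists are hypothetical.

// Strip accents, unify apostrophes and lowercase, so that "Impôts" and
// "Impots" hit the same rule.
function normalize(text) {
  return text.normalize("NFD").replace(/[\u0300-\u036f]/g, "")
    .replace(/\u2019/g, "'").toLowerCase();
}

const SIGNALS = {
  taxAuthority: /\b(impots|dgfip|finances publiques)\b/,
  promisesMoney: /\b(remboursement|credit d'impot|solde|en votre faveur)\b/,
  asksBankDetails: /\b(iban|coordonnees bancaires|carte bancaire)\b/,
  hourDeadline: /\b(24|48)\s?h\b/,
  hasLink: /https?:\/\/\S+|\[link\]|\b[a-z0-9-]+(\.[a-z0-9-]+)+\/\S+/,
};

function triageMessage(text) {
  const t = normalize(text);
  const hit = {};
  for (const [name, re] of Object.entries(SIGNALS)) hit[name] = re.test(t);
  if (!hit.taxAuthority) return { verdict: "not-tax-themed", reasons: [] };

  const reasons = [];
  // The DGFiP never requests card details or IBAN by email or SMS.
  if (hit.asksBankDetails) reasons.push("bank-details-requested");
  // The DGFiP never imposes 24-hour or 48-hour deadlines by SMS.
  if (hit.hourDeadline) reasons.push("hour-deadline");
  // Real refund notifications appear inside the espace particulier, not behind a link.
  if (hit.promisesMoney && hit.hasLink) reasons.push("refund-via-link");
  return { verdict: reasons.length ? "treat-as-scam" : "no-rule-hit", reasons };
}

const SAMPLES = [
  // Templates 1 to 5 as quoted on this page.
  "Impots: Vous avez droit a un remboursement de 384,52 EUR au titre de la taxe sur le revenu 2025. Cliquez pour reclamer votre du dans les 24h: [link]",
  "DGFiP: Votre credit d'impot PAJE de 612 EUR est disponible. Validez vos coordonnees bancaires sur l'espace particulier: [link]",
  "Service des Impots des Entreprises: votre remboursement de TVA de 2 847 EUR a ete valide. Confirmez l'IBAN du compte professionnel pour reception sous 48h: [link]",
  "Impots.gouv: ajustement du prelevement a la source en votre faveur. Solde de 218,40 EUR a recuperer avant le 15/06: [link]",
  "DGFiP avis n. 2025-FR-7842: rectification de votre avis d'imposition - remboursement de 471 EUR. Identifiez-vous pour traitement: [link]",
  // Constructed: tax-themed text with no money promise, link or deadline.
  "Impots.gouv.fr : un nouveau document est disponible dans votre espace particulier.",
  // Constructed: accented variant of template 1.
  "Impôts : vous avez droit à un remboursement de 384,52 € : [link]",
];
for (const s of SAMPLES) {
  const r = triageMessage(s);
  console.log(r.verdict.padEnd(14), r.reasons.join(","), "|", s.slice(0, 40));
}
```

A "no-rule-hit" result is not a clean bill of health: the message still has to be checked by signing in at impots.gouv.fr directly.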

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including impots, DGFiP, gouv.fr lookalike rules) + community whitelist/blacklist, all running directly in the extension before the page renders. Catches the impots-gouv.{tld}, dgfip-{word}.{tld}, gouv-impots-{word}.{tld} patterns and free-hosting impots/DGFiP subdomains instantly.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious domains. URL shorteners are unwrapped server-side, so the verdict runs against the real destination even when the SMS only contains a bit.ly or tinyurl link.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis identifies government brand impersonation in French, English, Arabic, and dozens of other languages. A page rendering the Marianne logo or impots.gouv.fr branding on any domain that is not impots.gouv.fr or finances.gouv.fr is flagged as government impersonation.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.

What to do if you already clicked or entered information

If you clicked the link and the page opened but you did not enter anything, you are probably safe. Close the tab, clear browser cookies for that domain, and move on. Do not download any file the page offers. If a download started automatically, do not run it, and treat the device as suspect until you have run a full antivirus scan.

If you entered card numbers, IBAN, identity details, or numero fiscal, act in this order.

  1. Call Cybermalveillance.gouv.fr at 0 805 805 817 (free, Monday to Friday). This is France's national cyber-victim helpdesk, operated by the GIP ACYMA under public authority. Trained operators guide victims through the immediate steps and route them to local resources. The full reporting flow is also available online at cybermalveillance.gouv.fr.
  2. Report the scam to Pharos at internet-signalement.gouv.fr. Pharos is the official French police portal for reporting illegal online content, including phishing pages. The report feeds the Office Central de Lutte contre la Criminalite liee aux Technologies de l'Information et de la Communication (OCLCTIC) within the Police Nationale.
  3. Report SMS phishing to 33 700. Forward the suspicious SMS to the short code 33700, the official French national SMS spam reporting service. Reports help mobile operators block sending numbers and feed intelligence to law enforcement.
  4. Report email phishing to Signal-Spam. Forward the email to signalement@signal-spam.fr or use the Signal-Spam browser plugin available at signal-spam.fr. The service is operated under a public-private partnership with the French data protection authority (CNIL) and law enforcement.
  5. Call your bank's fraud line immediately if you entered card details or IBAN. The number is on the back of your bank card or on your most recent statement. Do not search for it online. Ask the bank to place a stop payment (faire opposition) on the card, freeze SEPA debits from the account, and reissue a new card. French law (article L. 133-19 of the Code Monetaire et Financier) limits your liability on unauthorised card transactions if you report quickly.
  6. If your identity may be at risk, request a credit-history check from Banque de France. The Banque de France maintains the FICP (Fichier des Incidents de remboursement des Credits aux Particuliers) and the FCC (Fichier Central des Cheques). You have the right to consult your own records under articles L. 751-1 and L. 751-7 of the Code de la Consommation, by appointment at any Banque de France branch with a piece of ID.
  7. File a formal complaint at your local police or gendarmerie. A plainte is required for many subsequent steps, including civil claims and identity-theft remediation. The pre-plainte en ligne service at pre-plainte-en-ligne.gouv.fr lets you file the initial paperwork online before booking an in-person appointment.
  8. Notify the DGFiP from inside your espace particulier. Sign in at impots.gouv.fr, open the messagerie securisee, and inform the agency that your numero fiscal may have been compromised. This puts a flag on your file and helps the agency detect any subsequent fraudulent activity in your name.
  9. Monitor your bank statements daily for at least 90 days. SEPA debits and small test transactions are the most common follow-on, and disputing them is easier within the statutory deadlines.

Protecting yourself in advance

The strongest defenses are the ones that are already in place before the first scam SMS arrives.

Enable strong sign-in on your espace particulier. The DGFiP supports two-step verification via the FranceConnect+ pathway, which uses La Poste's Identite Numerique or an equivalent identity-verified service. Once enabled, even a stolen numero fiscal and password cannot be used to sign in without your phone or hardware token. Activate it at impots.gouv.fr under your profile.

Use FranceConnect with care. FranceConnect itself is safe and operated by the French state, but phishing pages occasionally clone its login screen. Always reach FranceConnect through the official starting service (impots.gouv.fr, ameli.fr, ants.gouv.fr, and so on) rather than by clicking a link in a message. The FranceConnect domain you should see in the URL bar is franceconnect.gouv.fr and nothing else.

Bookmark impots.gouv.fr. Once you have signed in correctly, bookmark the URL and use the bookmark for all future visits. This removes the small but non-zero risk of typing a typo and landing on a typosquat domain.

Use a password manager. A password manager will auto-fill your espace particulier credentials only on the exact correct domain. On a lookalike like impots-gouv.fr, the manager simply does not offer the saved password, which is itself a strong signal that the page is not real.

Install a phishing-blocking browser extension. SafeBrowz, Web of Trust, and similar tools shift the burden of URL verification away from human attention. Even when concentration lapses (a tired evening, a busy commute, an SMS read between meetings), the extension still inspects the destination before the page renders.

Educate vulnerable family members. Elderly parents, students managing their first declaration, and small-business owners filing TVA returns are the highest-risk segments. A five-minute conversation explaining the one-rule defense (real DGFiP only writes to you inside the espace particulier) saves the same family a six-month identity-recovery process.

Why French tax phishing keeps working

The scam succeeds because of three specific psychological levers, not because victims are careless.

Lever 1: Authority of the French state. The DGFiP is one of the most powerful administrations in France. It can levy bank accounts, impose penalties, and pursue tax fraud through criminal courts. That authority generates a reflex of prompt compliance with anything that wears its branding. When a scammer borrows the Marianne logo and the tricolour banner, the reflex fires before evaluation begins.

Lever 2: Refund anticipation. Variants that promise a refund work on existing positive expectation. The recipient already wants a refund to be real. A message confirming it feels like welcome news rather than a suspicious solicitation. Confirmation bias does the scammer's work.

Lever 3: Tax-system complexity. The French tax code is dense, the prelevement a la source is comparatively recent, and most filers have only a rough mental model of which notices are legitimate, which avis correspond to which declarations, and which channels the DGFiP actually uses for correspondence. In that fog, anything that looks impots-shaped is plausible. The complexity of the real system is the cover under which the fake one operates.

For accountants, expert-comptables, and tax preparers in France

If you operate a tax practice or accounting firm, your clients receive forgeries of DGFiP messages and many route them to you for verification. A short checklist for client education:

  • Add a paragraph to your engagement letter. One sentence is enough: "The DGFiP never asks for payment card details or IBAN by email or SMS. We will never ask you to confirm refund information by clicking a link." This saves hours of panicked calls per filing season.
  • Encourage clients to enable FranceConnect+ strong authentication. The setup takes ten minutes and blocks the largest class of follow-on fraud.
  • Recognise the templates yourself. Familiarity with the recurring patterns helps you answer client questions confidently and avoid clicking forwarded scam emails as you triage them.
  • Forward client-received examples to Signal-Spam and Pharos. Reports feed law enforcement signals that help shut down active campaigns. Cybermalveillance.gouv.fr also accepts professional reports through its corporate-services channel.

The bigger picture

The Impots.gouv refund phishing campaign is one specific instance of a broader pattern: government-impersonation phishing rises every year because government authority is the highest-trust mask available in the impersonation toolkit. The same template, urgency plus official branding plus a verification link, drives parallel campaigns against the Caisse d'Allocations Familiales (CAF), the Assurance Maladie (Ameli), La Poste, EDF, the Agence Nationale des Titres Securises (ANTS), and Pole Emploi (now France Travail). The brand changes. The harm shape stays the same: identity profile harvested, card details abused, IBAN drained, recovery measured in months.

The defense is one rule: real French administrations communicate through their secure portals after authenticated sign-in, or by mailed letter on official letterhead with a verifiable phone number. Everything else is impersonation until proven otherwise. Tools like the SafeBrowz extension and the free URL checker exist because human discipline is not consistent enough to defend against daily, multi-channel phishing volume, especially during tax season when cognitive load is already maximal.

Block French tax phishing destinations automatically

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that detects DGFiP, CAF, Ameli, La Poste, EDF, and other French government and utility impersonation phishing the moment the page loads. The core protection is free forever. Premium adds unlimited daily AI scans and wallet-drainer JavaScript detection for $14.99 per year, or hold 10 million $SAFEBROWZ tokens on Base for unlimited Premium access. No install required to check a single link: the free public URL checker handles one-off cases.
