Saturday, December 3, 2022
No menu items!

Beware of cyber risks when making the income statement

Cybercriminals take advantage of the campaign to steal personal and banking data from taxpayers through 'phishing', 'smishing', 'vishing' or with malicious 'apps'

Must Read

The income campaign corresponding to the 2021 financial year began on April 6 and, until June 30, taxpayers can submit their personal income tax return to the Treasury. Citizens who choose to do it through the Internet should know that they are not exempt from certain risks. During this period of the year, cybercriminals find the perfect opportunity to supplant the identity of the Tax Agency and thus steal bank details, above all. S21sec, a cybersecurity services company, has prepared a report that includes the most common cyber threats at this time.

First of all, an increase in cybercrime by hackers is expected. In addition, the main attacks that will take place this year are social engineering, theft of banking credentials, personal data, compromise of networks or devices, and ransomware , the company points out. “Cybercriminals use a set of tactics, techniques, and procedures (known as TTPs) to defraud and defraud taxpayers. This fraud usually begins in the months prior to the income filing deadline, but it reaches its peak during the campaign and extends, although with less intensity, to the subsequent months,” says Sonia Fernández, head of the S21sec intelligence team.

S21sec, cybersecurity company, foresees an increase in cybercrime by hackers

Using the bait of the collection period, one of the most recurrent scams is phishing , a method of deception that uses email. During the rental campaign, cybercriminals send fraudulent mass emails. The objective is the theft of personal or banking data, either by referring the victim to a false website that supplants the Tax Agency or by downloading files with malicious programs. “The content of the email contains numerous grammatical errors that make it suspicious of its veracity and, therefore, of its origin,” warns Fernández.

Smishing or sending text messages (SMS) that include malicious links is also used . They offer a URL to make an appointment or modify the draft. If the victim agrees, a website will appear where they will find a form where personal and financial data is collected.

Fraudsters also use the telephone channel to deceive citizens and companies with the IRPF hook. Vishing uses the VoIP (voice over IP) methodology through telephone calls pretending to be the Tax Agency to carry out social engineering and steal information from taxpayers.

The Tax Agency never requests confidential data by email

On the other hand, and taking advantage of the fact that in 2018 the official application of the Tax Agency was launched for the iOS and Android operating systems, through which it is possible to carry out various procedures and generate and present the income tax return, cybercriminals often They pose as legitimate applications by tricking users into downloading a malware-infected app in order to steal credentials when trying to log in and enter data.

S21sec experts recommend having an updated antivirus and, if you have installed any suspicious files, disinfecting the device. The Tax Agency never requests confidential information by email.


Blue team, red team and purple team. Cyber ​​attacks in Spain have grown by 125% in the last year, reaching 400,000 daily. This increase is mainly due to the rapid incorporation into the digital world of many companies. For this reason, the implementation of cybersecurity today is considered so important. From Tranxfer, which offers a B2B solution that allows having a single document communication channel between the company and external recipients, they explain that there are three teams in the world of cybersecurity.

The blue team is defensive security; seeks to protect critical assets of an organization against any threat and tries to proactively defend real attacks. Its main objective is to analyze patterns and behaviors that are out of the ordinary.

The red team is the offensive security. It is in charge of testing the blue team looking for vulnerabilities; It radically attacks the system to test the effectiveness of the security program, with an attack that is not warned so that the defense is as objective as possible. The attacks carried out can be internal to the company itself or from an external company.

Finally, the purple team exists to analyze and maximize the effectiveness of the previous two teams. Pit the blue team’s defense techniques against the red team’s attack techniques; in this way it is possible to see if the system is working or is prepared correctly.


Please enter your comment!
Please enter your name here

Latest News

Brazil’s coffee crop in 2023 will be 50-56 million bags, according to a report

Brazilian farmers will produce a minimum of 50 million and a maximum of 56 million bags of coffee next...

More Articles Like This