Spain tax scams 2026: how to identify fake Hacienda SMS and emails

In every Spain tax campaign, real notifications are mixed with fake ones that impersonate Hacienda to steal personal or financial data. AEAT has already issued fresh phishing and smishing alerts in April 2026, so this is a current risk.

If you need broader context, see the taxes pillar, the Spain tax draft guide, and the article on preventive Hacienda alerts.

Why scams increase at the start of tax season

Tax season is ideal for fraud attempts: people expect refunds, monitor messages more often, and are used to official-looking notifications.

AEAT's own 2026 security notices confirm that impersonation attempts are active during the campaign.

What fake Hacienda SMS and emails usually look like

Common patterns include:

a promise of immediate refund,
an urgent incident warning,
a link to “verify” data,
requests for bank account or card information,
pressure to act quickly.

AEAT explicitly states it does not request confidential, economic, or personal information via SMS or email, and does not request bank/card numbers through those channels.

The most important signal: Hacienda does not ask for these details by SMS or email

Key rules:

no confidential information request by SMS/email,
no bank account or card-number request by SMS/email,
no recommendation to trust links in suspicious messages,
when in doubt, access the official e-headquarters directly.

What to do if you receive a suspicious AEAT message

Use this checklist:

do not click the link,
do not download attachments,
do not share personal or banking data,
access the official AEAT site manually,
check whether a real notification exists,
delete/report the message where appropriate.

How to distinguish real vs fake communication

Practical clues:

real communication will not ask for banking data by SMS,
strange or shortened links are red flags,
extreme urgency is a typical scam hook,
unusual errors or unclear sender details are warning signs,
instant refund promises should trigger distrust.

AEAT also keeps a 2026 page with detected phishing examples so users can compare suspicious messages.

The most common hook: fake tax refund messages

Many scams exploit refund expectations. The message says your refund is ready or blocked, then pushes you to click and “confirm” data.

A practical memory rule: if it creates urgency, promises money, and asks for data, treat it as suspicious.

What if you already clicked?

Act quickly:

stop and do not provide more information,
change passwords if you submitted credentials,
contact your bank if financial data was shared,
monitor transactions and block cards if needed,
keep screenshots in case you need to report.

Final advice for these weeks

During tax season, the safest habit is to distrust urgent SMS/email requests and verify everything directly in AEAT's official electronic headquarters.

Quick answer

How do you know if a Hacienda SMS is fake?

If it asks for personal or banking data, includes a suspicious link, or pressures you to act urgently to collect a refund, distrust it. AEAT states it does not request confidential information by SMS or email.

FAQ

Can Hacienda ask for bank details by SMS or email?

No. AEAT states it does not request confidential personal/economic data, bank account numbers, or card numbers through SMS or email.

What is the most common tax-season scam hook?

A fake tax-refund message or urgent incident warning designed to make you click a link.

What should I do if I receive a suspicious Hacienda SMS?

Do not click, do not share data, and check your status by entering the official AEAT site manually.

Where can I see real examples of scams impersonating AEAT?

AEAT publishes detected examples in its 2026 anti-phishing section.

Can an email with Hacienda logo still be fake?

Yes. Branding is easy to copy, so always verify through the official site, not the received link.