LKA Lower Saxony warns of fake "eister.de" tax refund emails
The LKA Lower Saxony warns that fraudulent e-mails regarding alleged tax refunds are once again circulating.
(Image: Bild erstellt mit KI in Bing Designer durch heise online / dmk)
Once again, phishing emails are landing in the inboxes of internet users, luring victims with a supposed tax refund. What is striking about the current scam is that the sender domain relies on a “typo”, an “i” in place of the “l”, so that “eister.de” appears as the sender domain.
(Image: polizei-praevention.de)
The LKA Lower Saxony explains in the warning that such letter swaps have been used for some time and exploit the fact that recipients do not notice them on a cursory reading. The specific email shown ended up “with an employee of the Lower Saxony State Tax Office, who of course recognized the forgery immediately”. One of the striking features is the deadline, which runs until 01.02.2024 – Recipients might take note here, as we are now in the year 2025.
Fraudulent mail: Different link destinations
Although the email shows “Elster-Steuerinspektion@eister.de” as the sender, it would also have been possible to use “@elster.de” via mail spoofing – The look-alike domain is presumably intended to make it easier to get past spam filters, for example. The email contains a link behind a green “To tax access” button. The link target is hard to make out, but it does not point to the tax authorities' real portal, elster.de.
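As an added illustration of the two checks the article describes (the i-for-l letter swap in the sender domain and a button link that does not point to elster.de), here is a small Python triage script. It is not code from the LKA, the tax office or heise: the confusable table is a deliberately small assumption (a real deployment would use the full Unicode confusables list), and the embedded e-mail is a constructed sample modelled on the description, not the actual message.

```python
"""Flag look-alike sender domains and off-domain links in a suspected phishing mail."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Domains the real tax portal uses; anything else is treated as foreign.
LEGIT_DOMAINS = {"elster.de"}

# Hand-picked confusable table (an assumption, not a complete list): each left-hand
# string looks like the right-hand character in common sans-serif fonts.
CONFUSABLE_GROUPS = [
    ("rn", "m"),  # multi-character groups first so they win over single letters
    ("vv", "w"),
    ("i", "l"),
    ("1", "l"),
    ("|", "l"),
    ("0", "o"),
]

# Constructed sample modelled on the mail described in the article; not the real message.
SAMPLE_EMAIL = """\
From: Elster-Steuerinspektion <Elster-Steuerinspektion@eister.de>
To: recipient@example.org
Subject: Steuererstattung - Frist 01.02.2024
Content-Type: text/html; charset=utf-8

<html><body>
<p>Bitte bestaetigen Sie Ihre Steuererstattung bis zum 01.02.2024.</p>
<a href="https://tax-refund-example.invalid/go?id=123">Zum Steuerzugang</a>
<p>Hilfe finden Sie unter <a href="https://www.elster.de/">elster.de</a>.</p>
</body></html>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def skeleton(name: str) -> str:
    """Reduce a domain to a visual 'skeleton' so look-alike spellings collide."""
    text = unicodedata.normalize("NFKD", name.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for lookalike, canonical in CONFUSABLE_GROUPS:
        text = text.replace(lookalike, canonical)
    return text


def classify_domain(domain: str) -> str:
    """'legitimate', 'lookalike' (same skeleton as a real domain) or 'unrelated'."""
    domain = domain.lower().rstrip(".")
    if domain in LEGIT_DOMAINS:
        return "legitimate"
    if skeleton(domain) in {skeleton(d) for d in LEGIT_DOMAINS}:
        return "lookalike"
    return "unrelated"


def extract_links(html: str) -> list:
    """Pull every href out of an HTML body (regex is enough for triage, not for parsing)."""
    return HREF_RE.findall(html)


def is_legit_host(host: Optional[str]) -> bool:
    """True only for the real domain or a subdomain of it; 'elster.de.evil.test' fails."""
    if not host:
        return False
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyze_email(raw: str) -> dict:
    """Return the sender domain verdict plus every link that leaves the real portal."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    links = extract_links(body)
    off_domain = [u for u in links if not is_legit_host(urlparse(u).hostname)]
    verdict = classify_domain(sender_domain)
    return {
        "sender_domain": sender_domain,
        "sender_verdict": verdict,
        "links": links,
        "off_domain_links": off_domain,
        "suspicious": verdict != "legitimate" or bool(off_domain),
    }


if __name__ == "__main__":
    report = analyze_email(SAMPLE_EMAIL)
    print(f"sender {report['sender_domain']}: {report['sender_verdict']}")
    for url in report["off_domain_links"]:
        print("link leaves the real portal:", url)
```

The skeleton comparison is what catches the article's trick: “eister.de” and “elster.de” are different strings but collapse to the same skeleton, so the mail is flagged as a look-alike even though the sender address is syntactically valid. The link check is independent of the sender check, which matters because, as the article notes, the sender could equally have been spoofed as a genuine “@elster.de” address.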
Apparently, the perpetrators use so-called browser switches to send those who click on the link to different pages depending on the browser and operating system used. The LKA Lower Saxony reports that the links included paid redirects, specifically affiliate links to online stores for pet supplies or fashion items, for example. Fake news sites about cryptocurrency investments also popped up on some systems. On a Mac, the page behind the link showed a warning that the computer was infected with malware and that Apple support should be contacted immediately – which in turn led to a fake-support scam. A similar warning appeared on iPhones.
Law enforcement officials advise checking whether such an email is plausible before reacting: Have recipients previously initiated something themselves, such as recently using Elster and submitting a tax return? If you are unsure, you should not click on links in such emails, but go to the official portal at elster.de or use the regular app called “MeinElster+”, which can also be used to check the inbox. The Lower Saxony State Tax Office has also pointed out that Elster confirmation emails do contain links, but these refer to the elster.de portal or the Elster FAQs.
At the end of October, the NRW consumer advice center warned of a scam involving phishing emails intended to trick recipients into installing a fraudulent Elster app. The subject line was “Your digital certificate - action required” and the email text urged recipients to install the “ElsterSecure+” app. However, the real app used by the federal authorities for authentication is called “ElsterSecure”, without a plus sign. The NRW consumer advice center assumed that the app is malicious and accesses the phone book to steal contact data, for example, or monitors the screen and thus taps into log-in data.
(dmk)