German Tax and Accident Insurance Institution Impersonation
3rd June 2025
By Mimecast Threat Research Team
What you'll learn in this notification
- Attackers exploit institutional trust through sophisticated German tax authority impersonation.
- Emails appear to be generated by custom spam scripts with forged Thunderbird headers and high variability in subjects and sending email addresses.
- Predominantly targeting organizations in Germany with a financial motive.
The Threat Research team has been monitoring fraud campaigns targeting German organizations since early May 2025. This campaign focuses on two notable entities: the German Central Tax Office (BZSt) and the German Social Accident Insurance Institution for Foodstuffs and Catering Industry (BGN). While these organizations are not official government public sector entities, they play significant roles in the administration of tax and social insurance matters in Germany.
The lure focuses on two areas and includes an invoice attachment.
- Digital DGUV-Prevention Module Introduction:
  - Example subject: Introduction of Digital DGUV Prevention Module
  - Content: Mandates participation, outlines benefits, and specifies urgent compliance and payment deadlines.
- Payment Reminder for Tax Declaration 2023:
  - Example subject: Zahlungserinnerung: Steuererklärung 2023 (Payment Reminder: Tax Declaration 2023)
  - Content: Notifies of a due fee for the tax declaration under x amount, instructs to open the attached PDF for details, and emphasizes the urgency of payment.
Key Campaign Characteristics
Sophisticated German-Language Messages
The fraud emails are written in formal, well-constructed German, mimicking the tone and style of official communications from authorities. This increases the credibility of the messages and makes them more convincing to end users.
Spoofed Domains Mimicking Tax Authorities and BGN
The threat actors use lookalike domains that closely resemble legitimate German tax-related operations and BGN communications. These domains are designed to deceive recipients into believing the emails originate from official sources. Examples of spoofed domains include:
For BZSt:
- bzst-abwicklung.de (processing)
- bzst-forderung.de (demand/claim)
- bzst-rechnungen.de (invoice)
- bzst-einzahlung.de (deposit/payment)
- bzst-zahlung.de (payment)
For BGN:
- bgn-abwicklung.de (processing)
- bgn-bezahlung.de (payment)
- bgn-einzahlung.de (deposit/payment)
- bgn-forderung.de (demand/claim)
- bgn-transfer.de (transfer)
- bgn-zahlstelle.de (payment office)
The naming conventions of these domains align with tax-related and social insurance terminology, further enhancing their apparent legitimacy in the eyes of the recipients.
Automated PDF Generation
The emails all contain PDF invoices that have been created using software known for its ability to create dynamic, customized PDFs, which the attackers use to tailor documents for individual recipients. These PDFs often contain fraudulent payment instructions.
Fraudulent Financial Details
A significant indicator of fraudulent activity in these campaigns is the inclusion of Spanish banking details in the attachments. These details are inconsistent with legitimate German operations and serve as a red flag. Examples of the fraudulent financial information include:
- IBAN: ES26 2100 1779 5102 0063 0566
- BIC: CAIXESBBXXX (CaixaBank, Spain)
Mimecast Protection
We have identified several attributes in the recent campaigns that have been added to our detection capabilities. We continue to monitor for changes in techniques used by this threat operation.
Targets:
Predominantly German organizations across various industries
IOCs
Sending Domains
Email Subjects
Steuererklärung 2023 – Statusprüfung empfohlen
Erinnerung an die Abgabe der Steuerunterlagen 2023
Aktuelle Informationen zu Ihrer Steuererklärung
Übersicht zur eingereichten Steuererklärung 2023
Information zur Steuererklärung 2023
Nachricht zur Bearbeitung Ihrer Steuererklärung
Hinweis zur Fristüberschreitung bei der Steuererklärung
Mitteilung zum Abgabestatus Ihrer Steuererklärung
Abgabe Ihrer Steuerunterlagen – kurzer Überblick
Steuerdokumente 2023 – ergänzende Hinweise
Recommendations
- User security awareness training
  - Educate users on the latest lures used in these campaigns
  - Conduct regular phishing simulations to include the latest threats
  - Train users to never open attachments from unknown or unverified senders
  - Implement a policy requiring verification of the sender via an alternative communication channel before opening unexpected attachments
- Proactive threat hunting
  - Search email receipt logs using specific filters for the subject lines
  - Search email receipt logs using specific filters for emails originating from mail.ru
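The threat-hunting searches above can be combined into one pass over an exported receipt log. The following is an added example, not Mimecast code: the CSV column names and sample rows are constructed, the domain pattern and subject terms are generalised from the indicators in this notification, and "originating from mail.ru" is read here as the relaying host.

```python
import csv
import io
import re
import unicodedata

# Generalised from the page's sending domains: bzst-<term>.de / bgn-<term>.de
LOOKALIKE = re.compile(r"(bzst|bgn)-[a-z0-9-]+\.de")
# Terms shared by the listed subjects (an assumption; tune to your own mail flow)
SUBJECT_TERMS = tuple(unicodedata.normalize("NFC", t) for t in (
    "steuererklärung", "steuerunterlagen", "steuerdokumente", "dguv"))

# Constructed receipt-log sample; the column names are hypothetical.
SAMPLE_LOG = """\
received,header_from,relay_host,subject
2025-05-12T08:01:00Z,service@bzst-zahlung.de,smtp42.mail.ru,Zahlungserinnerung: Steuererklärung 2023
2025-05-12T08:03:00Z,info@BGN-Transfer.de.,mx.example.net,Introduction of Digital DGUV Prevention Module
2025-05-12T08:05:00Z,anna@example.org,out.notmail.ru,Mittagessen am Freitag?
2025-05-12T08:07:00Z,kanzlei@example.de,mx.example.de,Steuererkla\u0308rung 2023 – Unterlagen anbei
"""

def sender_domain(address):
    """Domain part of an address, lower-cased, without a trailing dot."""
    return address.rpartition("@")[2].strip().rstrip(".").lower()

def from_mail_ru(host):
    """True for mail.ru and its subdomains only, not for e.g. notmail.ru."""
    host = host.strip().rstrip(".").lower()
    return host == "mail.ru" or host.endswith(".mail.ru")

def hunt(log_text):
    """Return (received, sender, reasons) for every row with at least one hit."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if LOOKALIKE.fullmatch(sender_domain(row["header_from"])):
            reasons.append("lookalike-domain")
        if from_mail_ru(row["relay_host"]):
            reasons.append("mail.ru-relay")
        # NFC + casefold so decomposed umlauts and mixed case still match
        subject = unicodedata.normalize("NFC", row["subject"]).casefold()
        if any(term in subject for term in SUBJECT_TERMS):
            reasons.append("subject")
        if reasons:
            hits.append((row["received"], row["header_from"], reasons))
    # Rows matching the most indicators come first
    return sorted(hits, key=lambda h: -len(h[2]))

if __name__ == "__main__":
    for received, sender, reasons in hunt(SAMPLE_LOG):
        print(received, sender, ",".join(reasons))
```

A subject-only hit, like the last sample row, is a weak signal on its own because legitimate tax correspondence uses the same vocabulary; rows that combine indicators are the ones to review first.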