How to verify a notification from the Tax Agency or Social Security
Learn to tell a genuine notification from the Spanish Tax Agency or Social Security apart from a scam, using only the official channels and Cl@ve.

You get a text message, an email or a phone call claiming to be from the Spanish Tax Agency (Hacienda) or Social Security (Seguridad Social): you have a pending notification, an overdue payment or a "refund" to claim. Before you click on anything or hand over a single piece of information, there is one rule that never fails: don't verify anything from the message you received. Verify it yourself, on your own, through the official channel. Here's how.
Scammers know two things. First, that almost everyone has some outstanding matter with the authorities: a tax return, a contribution, a half-finished procedure. Second, that the words "Hacienda" or "Social Security" command respect and urgency in equal measure. That combination —you have something pending and it needs sorting out right now— is exactly the lever they pull. This is why impersonating public bodies is one of the most persistent forms of vishing and smishing in Spain.
The good news is that verifying is easier than it sounds. Both authorities have clear official channels, a shared identification system (Cl@ve) and a public information line. Once you know how they work, telling the real from the fake stops being a matter of intuition and becomes a three-step procedure.
How do Hacienda or Social Security really get in touch?
The first step is understanding how genuine communications reach you. Once that's clear, any message that strays from this script raises suspicion all on its own.
The Spanish Tax Agency (AEAT) communicates officially through its Electronic Office (sede.agenciatributaria.gob.es). If you have a notification, you'll find it there, inside your personal area, once you've identified yourself. The AEAT may send you a courtesy alert by email or text message to tell you there's something new, but that alert never includes the confidential content or a link to "pay" or "enter your details". It's just a reminder for you to log in yourself, to the Electronic Office. The rule the Agency itself keeps repeating: it never asks for confidential data, account numbers or passwords by email or text message.
Social Security works in a similar way. Its procedures and communications are handled through its electronic offices and its official portal (seg-social.es), where it also keeps a cybersecurity section with alerts about fraudulent communications. Just like Hacienda, it won't ask you to download an attachment to "view your notification" or to enter your credentials on a website you reach via a link in a text message.
Here's the key idea: both bodies ask you to come to them, not the other way round. Fraud reverses that flow. It pushes you to click, to download, to call a number they give you. Legitimate communication leaves the initiative with you.
What signs give away a fake notification?
Once you know what normal looks like, the abnormal stands out. These are the signs that crop up again and again in campaigns impersonating Hacienda and Social Security.
- Urgency and threats. "Your account will be seized within 24 hours", "last chance before the penalty". The authorities have deadlines, but they don't rush you by text message or threaten you with immediate consequences in a message.
- A single link to sort it all out. If the message contains a link promising to take you straight to "view the notification", "pay the fine" or "claim the refund", be wary. Real verification happens by you logging in to the official office.
- A request for sensitive data. IBAN, card number, Cl@ve passwords, the code from your bank's text message, your full ID number. None of this is ever requested by email, text message or an incoming call.
- Odd payment methods. Cryptocurrency, urgent transfers to private accounts or gift cards. Hacienda doesn't take payment in bitcoin.
- An address or sender that almost passes. Domains that look like the official one but with a letter changed, extra hyphens or strange endings. A genuine
.gob.esis not swapped for a.comor a.info. - A call that wants you to act now. In vishing, a voice (sometimes pre-recorded, sometimes a very convincing person) tells you there's a problem and needs to confirm your details. The caller ID may even display an official number: caller ID spoofing makes faking that number trivial, so don't trust what you see on screen.
Bear in mind that the attacker can combine several techniques. Today it's common for a first text message or email to gather data and then for a "confirmation" call to follow and finish the deception. If you want to understand better how these signs chain together, our guide on how to read the risk signs of a number will help.
What are the official channels for verifying?
This is the practical part. Memorise these three channels and you won't need any of the links or numbers that arrive in a suspicious message.
| Channel | What it's for | How you access it |
|---|---|---|
AEAT Electronic Office (sede.agenciatributaria.gob.es) | View your genuine Hacienda notifications, check debts, refunds and procedures | You type the address into the browser yourself; you identify yourself with Cl@ve, certificate or electronic ID |
Social Security Portal (seg-social.es) | Check procedures, employment history, benefits and cybersecurity alerts | Same: you go in directly and identify yourself with Cl@ve or certificate |
| Cl@ve | Shared identification system for accessing both offices and most public services | Cl@ve PIN or Cl@ve Permanente; you only enter the passwords on the official website, never over the phone |
The golden rule from the table above: you type the address yourself. You don't copy it from a message, you don't open it from a link, you don't dictate it to an "agent" over the phone. If you type it yourself or use a bookmark you've already saved, you wipe out in one stroke the risk of ending up on a cloned website.
And if you want to confirm something and don't know where to start? You have two supports:
- 060 is the general information line for the Spanish central government. It's there to guide you on procedures and to confirm whether a communication you've received matches something real. Remember: you call 060, 060 doesn't call you to ask for your details.
- INCIBE 017 (also
900 116 117and WhatsApp@INCIBE017) is the cybersecurity helpline. If you're unsure whether a text message, email or call is phishing, they help you identify it and tell you how to report it. It's free and available every day with extended hours.
The three steps to verify any alert
Whenever you receive something claiming to be from Hacienda or Social Security, always apply the same sequence. Don't improvise.
- Stop. Don't click, don't download attachments, don't return the call to the number you were given. The hurry belongs to the scammer, not you.
- Log in on your own. Open the browser and type the address of the AEAT Electronic Office or the Social Security portal yourself. Identify yourself with Cl@ve or certificate. If the notification is real, it'll be there. If nothing shows up, the message was fake.
- Confirm or report. If you still have doubts after step 2, call 060 for administrative matters or INCIBE's 017 for cybersecurity queries. And if it was fraud, report it to protect others.
This procedure works just as well whether the alert reached you by text message, by email or by a call. The way in changes; the verification is always the same.
And what if the "notification" comes by phone?
Calls deserve a section of their own because they add emotional pressure in real time. A person on the other end, speaking on behalf of "the Tax Agency" or "Social Security", is far more intimidating than a text message.
The technique has a name: vishing, voice impersonation to extract your data or money. It works because it combines a believable story (you have a debt, an error in your contributions, a refund to claim) with artificial urgency and, sometimes, a number on screen that looks official thanks to spoofing.
What to do if you receive one of these calls:
- Don't confirm or give any data. Not your ID number, not your IBAN, not codes that arrive by text message while you're talking. A one-time code dictated to you by the "agent" is the biggest red flag of all: that's how they hijack your accounts.
- Hang up and verify yourself. Don't use the number they called from or one they give you. Go to the official office or call 060.
- Don't let yourself be rushed. No real debt with the authorities absolutely has to be settled in the next five minutes over the phone with an immediate payment.
A particularly dangerous variant uses AI-cloned voice to imitate a relative or a supposed official. If the voice sounds odd, if the situation doesn't add up or if they urgently ask you for money, cut the call and verify through a channel you already know. We go into this in our guide on AI-cloned voice in phone scams.
If you want to dig deeper into how these calls operate step by step, we also recommend how to verify whether a call or text message from your bank is real: the bank is another favourite target and the verification method is identical.
What do I do if I've already taken the bait or have serious doubts?
If you've come this far because you already clicked, gave out a piece of data or paid, don't freeze. Acting fast greatly reduces the damage.
- If you gave out banking details or paid: contact your bank immediately through its official channel to block cards or try to stop the transaction.
- If you entered your Cl@ve passwords or those of some service: change them as soon as possible from the official website and check that no one has logged in as you.
- Report the fraud. Call INCIBE 017 so they can guide you on the next steps and, if appropriate, report it to the National Police or the Civil Guard.
- Keep the evidence. Screenshots of the text message or email, the number that called, the time. It all adds up for the report and for alerting the community.
And here's where something within your power comes in: reporting the number. When you share the phone number they tried to deceive you from, you help the next person who receives that call see straight away that it's suspicious.
Collective defence: check and report
Verifying your notification is individual defence. Reporting the number that used it is collective defence. Both count.
At NoCall we maintain a public directory fed by the community. Before returning a suspicious call, you can check the number in our spam number directory and see whether other people have already flagged it as fraud. If you want to understand better how these threats are distributed, take a look at phone spam trends or our collection of practical guides to protect yourself day to day.
In short, take this away with you: Hacienda and Social Security do alert you, but they leave the initiative to you to log in to their office; they never ask you for passwords or IBAN by text message, email or call; and whenever in doubt, verification goes through the AEAT Electronic Office, the Social Security portal, 060 or INCIBE's 017. You type the address yourself. That simple habit defuses the vast majority of these frauds.
If you've received a message or a call posing as Hacienda or Social Security, report it on NoCall. Your alert helps keep the whole community one step ahead.
Received a suspicious call?
Look up the number in NoCall before sharing data, calling back, or clicking any link.
Search a phone number or a company name (GTBank, MTN and Airtel...) to check if it has been reported as spam.
