What happened?
At the start of tax season 2026, smishing and phishing campaigns impersonating the Swiss Federal Tax Administration (ESTV) are circulating. The messages ask recipients to complete a supposed "review of the 2025 tax assessment". Embedded links lead to convincingly designed phishing pages where login credentials, credit card details, or mTAN codes are harvested. Some variants contain attachments with malware.
Modern phishing kits use real-time relay infrastructure that forwards entered mTAN codes instantly — effectively bypassing two-factor authentication in real time. The campaign is precisely timed to match recipients' expectations: anyone anticipating a tax notification is more likely to click.
Who is affected?
- Swiss companies and their employees
- Companies in Liechtenstein (FL) with business ties or VAT obligations in Switzerland
- Cross-border workers with tax obligations in Switzerland or FL
- Trustees and accounting firms managing tax files
What should you do?
1. Educate employees: The ESTV communicates exclusively by post. It never requests password entry or the opening of attachments via email or SMS.
2. Report suspicious messages: Forward to the BACS (formerly NCSC) via [antiphishing.ch](https://www.antiphishing.ch).
3. Do not click links: When in doubt, navigate directly to [estv.admin.ch](https://www.estv.admin.ch) — never via links in SMS or email.
4. Inform IT: Collect incoming reports internally to assess the scale of the campaign.
5. Harden MFA: Secure all access to financial and tax tools with two-factor authentication — and where possible, switch from SMS codes to authenticator apps.
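For step 4, an added example (not part of the original advisory and not ESTV or BACS tooling): it extracts links from internally reported messages, skips those that really point at estv.admin.ch, and counts the remaining hosts and their reporters to show the scale of the campaign. The function names, the treatment of subdomains as official, and the sample reports (which use the reserved .example TLD) are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

OFFICIAL_HOST = "estv.admin.ch"  # the site the advisory says to open directly
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample reports (reporter, message text); hosts use the reserved .example TLD.
SAMPLE_REPORTS = [
    ("anna", "ESTV: review of your 2025 tax assessment https://estv.admin.ch.tax-review.example/login"),
    ("ben", "Tax assessment 2025: http://estv.admin.ch.tax-review.example/login?id=7"),
    ("carla", "Please check https://estv-admin.example/review now."),
    ("dave", "Official information is at https://www.estv.admin.ch/ only."),
    ("emma", "ESTV notice: https://estv.admin.ch@refund-check.example/a"),
]

def link_host(url):
    """Host the client would connect to (userinfo before '@' is not the host)."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed URL, e.g. broken IPv6 brackets
        return ""
    return host.rstrip(".").lower()

def is_official(host):
    # Assumption: the official host and its subdomains (www.) count as legitimate.
    return host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST)

def triage(reports):
    """Return [(host, link_count, reporters)] for non-official links, most reported first."""
    hits, reporters = Counter(), {}
    for reporter, text in reports:
        for url in URL_RE.findall(text):
            host = link_host(url.rstrip(".,;:"))
            if host and not is_official(host):
                hits[host] += 1
                reporters.setdefault(host, set()).add(reporter)
    return [(h, n, sorted(reporters[h])) for h, n in hits.most_common()]

if __name__ == "__main__":
    for host, count, who in triage(SAMPLE_REPORTS):
        print(f"{host}: {count} link(s), reported by {', '.join(who)}")
```

A host that merely begins with or contains the official name is still counted as suspicious, because the comparison is made on the full parsed hostname rather than on a substring of the link.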
This advisory is for informational purposes. Contact us for support with your awareness strategy.