Tax Authority Phishing: How Attackers Exploit Institutional Change
Argentina’s national tax authority was rebranded in 2024 — AFIP became ARCA (Agencia de Recaudación y Control Aduanero). But attackers kept using the old name in phishing campaigns, precisely because it generates more urgency and recognition than a recently renamed agency. The strategy didn’t change; only the context they’re exploiting changed.
How this scam works
The attack vector is email. The recipient receives a message simulating an official notification from AFIP or ARCA, stating that there is a pending tax debt or that they need to regularize their fiscal status. The email includes a link or attachment to “make the payment” or “download the notice.”
The pressure mechanism is the same as in all effective social engineering: urgency + simulated legitimacy + negative consequence. The message communicates that if no action is taken within 48 or 72 hours, there will be a penalty, asset seizure, or account suspension.
In practice, the link leads to a fake page that steals fiscal credentials, or the attachment executes malware when opened.
Warning signs to identify it
- Suspicious sender: the email domain is not @arca.gob.ar or @afip.gob.ar. It usually has variations like @afip-ar.com, @arca-notificaciones.net, or other similar combinations.
- Artificial urgency: the subject line and body pressure the recipient to act immediately, with short deadlines and exaggerated consequences.
- Mixed agency names: the content mentions both AFIP and ARCA inconsistently — a sign that the text was generated or adapted carelessly.
- Institutional format with errors: disproportionate logos, different fonts, spelling or spacing errors in documents that are supposedly official.
- Exact amount: the fine or debt shows a specific number (e.g., $47,320) to create a sense of legitimacy. Tax agencies do not send debt notifications by email with exact amounts.
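The warning signs above can be turned into a mail-triage check. The following is an added example, not part of the original article: it flags four of the five signs (visual formatting errors cannot be read from plain text). The keyword lists, function names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

OFFICIAL_DOMAINS = {"arca.gob.ar", "afip.gob.ar"}  # the two domains the article names
# Assumed keyword list: short deadlines and the consequences the article mentions.
URGENCY = re.compile(r"\b(48|72)\s*(hours|horas|hs)\b|seizure|embargo|"
                     r"suspension|suspensi[oó]n|penalty|multa", re.I)
AMOUNT = re.compile(r"\$\s?\d{1,3}(?:[.,]\d{3})+")  # e.g. $47,320 or $ 47.320

def sender_domain(msg):
    """Domain of the From: address, lowercased ('' if missing)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def is_official(domain):
    # Assumption: subdomains of the official domains are also accepted.
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)

def warning_signs(raw):
    """Return the list of warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = f'{msg.get("Subject", "")}\n{part.get_content() if part else ""}'
    domain = sender_domain(msg)
    signs = []
    if not is_official(domain):
        signs.append("sender_not_official")
        if re.search(r"afip|arca", domain):  # agency name inside a foreign domain
            signs.append("lookalike_domain")
    if re.search(r"\bAFIP\b", text, re.I) and re.search(r"\bARCA\b", text, re.I):
        signs.append("mixed_agency_names")
    if URGENCY.search(text):
        signs.append("artificial_urgency")
    if AMOUNT.search(text):
        signs.append("exact_amount")
    return signs

# Constructed sample messages (not real captures).
PHISH = """\
From: "AFIP Notificaciones" <avisos@afip-ar.com>
Subject: Pending tax debt - act within 48 hours
Content-Type: text/plain; charset=utf-8

AFIP informs you of a pending debt of $47,320. ARCA will proceed with
asset seizure if payment is not made within 48 hours.
"""
BENIGN = "From: ARCA <info@arca.gob.ar>\nSubject: Portal maintenance\n\nThe ARCA portal will be unavailable on Sunday morning.\n"
```

The From: header can be spoofed, so an official-looking domain is not proof of legitimacy; the check only raises the signs that are visible in the message itself.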
What not to do
- Do not click any link in the email, even if it looks legitimate.
- Do not download any attachment.
- Do not enter credentials (tax ID, passwords, banking data) on pages reached via an email link.
- Do not call phone numbers listed in the email — they may be part of the scam.
What to do if you receive a suspicious email
- Verify directly: access the official ARCA website (www.arca.gob.ar) from your browser — without using any link in the email — and log in with your fiscal credentials to verify whether any debt or notification actually exists.
- Remember the official channel: the only valid tax notifications are delivered through the Electronic Tax Domicile system, accessible with personal credentials on the ARCA portal.
- Report the email: mark it as phishing in your email client and, if possible, report it to your organization’s IT or security department.
Remember: ARCA never sends debt notifications via external email with links to make payments. All legitimate transactions are conducted from the official portal using your fiscal credentials.
Phishing works because nobody trains to resist it
This AFIP/ARCA campaign is not technically sophisticated — it’s effective because it targets the human factor. An employee under pressure, with limited context about what real tax notifications look like, has a high probability of clicking.
What we see in organizations without an awareness program is exactly that: a single click at the wrong moment that compromises credentials or installs malware. And what typically follows — lateral movement, data exfiltration, or ransomware — is no longer solved by an antivirus.
At AllSafe we run controlled phishing simulations to measure the team’s real exposure and train them with real-world cases like this. It’s not a punitive test: it’s a learning tool that generates concrete data on the organization’s human risk level. If you want to know how your team would respond, learn about our phishing simulation service.
