article featured image


A new spearphishing campaign has been detected in the wild, specifically targeting Romanian businesses under the guise of ANAF, the Romanian counterpart of the IRS. Business owners are being informed via email that they have outstanding taxes and, therefore, are solicited to make the payment as soon as possible. Local Romanian authorities are advising business owners against responding to unprompted fiscal solicitations and to check with their zonal ANAF branch for any discrepancies in taxes. So far, no one has reported losses in the ANAF spearphishing campaign.

ANAF Spearphishing Campaign – Detailing the Incident

For the past couple of days, business owners from across Romania have received emails from ANAF informing them that they have outstanding fiscal debt. Enclosed in the email are several attachments, including a .xls document that, allegedly contains debt-related details. The spearphishing campaign comes only weeks after Lucian Heius, ANAF’s chairman, announced that the institution will be engaging in country-wide fiscal investigations in an attempt to counter tax evasion in natural persons and SMBs.

Given the statement’s online virality and the backlash it received from public opinion, it was only a matter of time before becoming turned into a phishing tool by threat actors.

As to the case at hand, many business owners have been met with these emails, being urged to pay their taxes as soon as possible. The email itself doesn’t have any elements that could potentially draw suspicion: no grammatical issues, out-of-place annotations, or any of the other distinguishing marks associated with phishing. In this user’s eyes, this would simply pass as an official notice from ANAF which would subsequently prompt him to open the .xls document. Some variations were discovered – pdf documents replacing .xls documents, tone changes, logos added or subtracted.

Translated from Romanian, the mail reads: “Good day, This email is to inform you that you have outstanding taxes, please visit your bank or any fiscal branch close to your location, bringing the attached invoice. Pay your taxes immediately. Please check the attached fiscal invoice for your tax details.”

However, regardless of the bait used, the outcome is unchanged – the victim becomes compromised. The malicious payload is delivered via VBS macro enablement or clicking on on-page items and being redirected to fake, fiscal-related websites for credential theft. In some instances, the attachment’s .xls extension would be swapped for a .exe attachment, thus enabling the agent to deploy various malicious tools on the victim’s machine (e.g., spyware, keyloggers, ransomware elements, etc.).

How to Protect against the ANAF Spearphishing Campaign

There are no indications that this new spearphishing campaign will end any time soon. Here are some steps you can take in order to protect your business assets against this type of attack.

  • Carefully inspect the email’s contents. When receiving this kind of email, teach yourself to comb it. Look for anything that might look suspicious: typos, grammatical inconsistencies, email addresses not associated with the entity or sender, body additions (e.g. alphanumerical symbols or combinations that make no sense). Also, as a rule of the thumb, do not click on hyperlinks or open attachments from sources outside your company’s network without doing a pre-check.
  • Contact ANAF. If in doubt about the information’s accuracy, contact your local ANAF branch. You can reach out via email, phone, or contact form. Consult the institution’s Contact page for additional information.
  • Going digital. The Romanian authorities have taken great strides in tax payment digitalization with many entities being now able to pay online. Using online platforms such as Ghiseul. ro for tax-handling services will significantly decrease the risk of cyber-attacks. Consult the platform’s FAQ page to see if your business qualifies for tax enrollment.
  • Contact the authorities. If you’re receiving this kind of email on a regular basis or opened any attachments, file a report with the local authorities as soon as possible. Don’t forget about clearing credential caches and changing your passwords.
  • Reinforce your Email Security. Consider upgrading your email security in order to counter these spearphishing attempts. Heimdal™ Security’s Email Security coupled with Email Fraud Prevention employ deep attachment analysis and granular rulesets to root out fraudulent emails.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Vladimir Unterfingher

Senior PR & Communications Officer

Experienced blogger with a strong focus on technology, currently advancing towards a career in IT Security Analysis. I possess a keen interest in exploring and understanding the intricacies of malware, Advanced Persistent Threats (APTs), and various cybersecurity challenges. My dedication to continuous learning fuels my passion for delving into the complexities of the cyber world.

Leave a Reply

Your email address will not be published. Required fields are marked *