By Patricia A. Pramono • Studio 1080, Published on December 18, 2024
Recently, another alarming cyber scamming trend is on the rise, impersonating the Direktorat Jenderal Pajak (DJP)—our official tax authority. By exploiting the authority and credibility of DJP, fraudsters now target taxpayers through deceptive communications that appear authentic, such as fake tax billing emails, overdue payment warnings, refund notifications, or intimidating penalty alerts.
At the heart of these attacks lies a technique called spoofing. Spoofing is a form of digital fraud where scammers falsify elements of a communication—such as email headers, website URLs, or phone numbers—to make it appear as though the message is coming from a trusted source. In the context of DJP scams, scammers use email spoofing to mimic DJP's official email domain (@pajak.go.id) and send fake communications that appear credible at first glance.
How Does Spoofing Fit into Phishing?
Spoofing is often used as a supporting tactic in phishing attacks. Phishing refers to the broader scam where attackers manipulate victims into revealing sensitive information or clicking malicious links. Spoofing adds credibility to phishing attacks by creating a convincing disguise.
For example:
- A phishing email may warn you about unpaid taxes, penalties, or refunds.
- Spoofing ensures the email appears to come from [email protected] or other trusted addresses, leading victims to click dangerous links without suspicion.
In short, while phishing manipulates the victim, spoofing enables the disguise that makes the scam more believable. Together, these tactics increase the chances of success for the scam.
The consequences of these attacks can be severe, ranging from identity theft to financial losses and compromised personal information. Fraudulent schemes like these not only harm taxpayers but also damage the trust and reputation of government institutions such as DJP.
This article will help you understand the flow of these scams and the steps you can take to identify, prevent, and respond to them effectively. By staying informed and vigilant, you can protect yourself and your data from falling victim to these attacks.
Also read: Think Before You Click! How to Spot Phishing Scams and Protect Your Data
Common Scams Targeting Taxpayers
Before discussing email spoofing, it’s important to recognize other common scams that involve Direktorat Jenderal Pajak (DJP):
- Fake Tax Billing Notices
  Scammers make contact via phone, email, or WhatsApp, claiming unpaid taxes or penalties. Victims are instructed to transfer payments to personal bank accounts or fake Virtual Accounts (VA). For example: “Segera lakukan pembayaran tagihan pajak Anda melalui rekening berikut untuk menghindari denda tambahan” / "Immediately make your tax bill payment through the following account to avoid additional penalties."
- Fake Tax Refund or Restitution Offers
  Victims are told they are eligible for a tax refund (kelebihan pembayaran pajak). To “process” the refund, the scammers request:
  - Bank account numbers
  - Mother's maiden name
  - Other sensitive details like PINs or OTPs
  This tactic is designed to steal banking credentials and drain accounts. For example: “Anda berhak atas pengembalian kelebihan pembayaran pajak sebesar Rp 5.000.000,- Silakan verifikasi rekening Anda dengan mengklik tautan ini” / "You are entitled to a tax refund of IDR 5,000,000. Please verify your bank account by clicking this link."
- Impersonation of DJP Officials
  Scammers pretend to be DJP staff and contact victims with false claims of:
  - Tax audits or reviews
  - Data verification processes
  Victims are directed to provide their sensitive data or are sent links to malicious websites disguised as official platforms. These fake websites aim to harvest data like NPWP, NIK, and even passwords. Tell-tale sign: legitimate DJP staff will always carry official identification and a Surat Tugas (assignment letter).
- Malicious APK Attachments
  Scammers send fake “tax documents” via email or WhatsApp with attachments ending in .APK.
  - These APK files, once downloaded and installed, deploy malware on the victim's device.
  - The malware can steal personal data, monitor activity, or gain unauthorized access to banking apps.
  For example: “Buka berkas ini untuk rincian tagihan pajak Anda: tagihanpajak.apk” / "Open this file for details of your tax bill: tagihanpajak.apk"
Also read: Understanding Malware Threats
The Dangerous Email Spoofing Scheme
This is one of the most dangerous and frequent tactics today. Scammers create dummy websites that look identical to DJP's official platform (pajak.go.id). Here’s how it works:
- Victims receive spoofed emails that appear to come from @pajak.go.id, warning them of unpaid tax invoices (tagihan pajak), overdue tax penalties (denda pajak), or tax refunds (kelebihan pembayaran pajak). These emails contain links redirecting users to fake websites designed to look real but serving only one purpose: to steal data.
- The emails contain links with alarming calls to action, such as:
  - “Jika Anda sudah membayar pajak, silakan klik link ini.” / "If you have already paid your taxes, please click this link."
  - “Jika Anda merasa tidak memiliki tagihan, klik link ini untuk konfirmasi.” / "If you believe you do not have any outstanding bills, click this link to confirm."
- The scam website will often prompt the user to input sensitive personal data such as:
  - NPWP and NIK (since NPWP is now integrated with NIK, sharing these details can compromise all personal data linked to a person’s national identity)
  - Bank account information
  - Login credentials (email and password)
Example Scenario
Step 1: You receive an email warning about overdue tax penalties, sent from what looks like [email protected].
Step 2: The email contains a link saying: “Jika Anda merasa tidak memiliki tagihan, klik link ini untuk konfirmasi.” / "If you believe you do not have any outstanding bills, click this link to confirm."
Step 3: Clicking the link redirects you to a fake website designed to look like DJP’s official page.
Step 4: The site prompts you to enter your NPWP or NIK for “verification.”
Step 5: Once entered, scammers gain access to your data, which can be misused for identity theft, financial fraud, or even accessing services linked to your NIK.
How to Spot the Red Flags of Email Spoofing and Fake Websites
- Unusual Email Sender
  - Genuine DJP emails are sent only from @pajak.go.id.
  - Spoofed emails may look similar but have slight variations, such as @pajak-g0.id or @pajak.co.id.
- Suspicious Links
  - Hover over the links to verify the actual URL (the real destination appears when you hover over any button or link in the email). Fake links often contain misspellings or extra characters.
- Dummy Website Design
  - Limited functionality: only the form fields work (to collect the victim's sensitive data); other features like the menu bar, banners, or buttons are inactive (not clickable).
- Urgent or Threatening Tone
  - The email uses fear-based language to pressure victims into immediate action.
  - Example: “Bayar sekarang atau Anda akan dikenakan denda pajak tambahan!” / "Pay now or you will be subject to additional tax penalties!"
Also read: Tips to Avoid Scam Websites
Preventive Steps to Stay Safe
- Verify Official Contacts
  Always confirm tax-related communications through DJP’s official channels:
  - Website: www.pajak.go.id
  - Kring Pajak: 1500200
- Avoid Clicking Unverified Links
  Never click links in suspicious emails or messages. Visit DJP’s site directly by typing the URL into your browser.
- Verify DJP Officials
  - Check for an official Surat Tugas when dealing with tax officials.
  - Ask for identification and cross-check it with DJP records.
- Strengthen Your Digital Security
  - Install antivirus software.
  - Avoid downloading attachments or apps from unknown senders.
  - Use strong, unique passwords for all accounts.
  Also read: Stop Making These Common Password Mistakes; Protect Your Accounts with 2FA – It's Easier Than You Think!
- Increase Digital Literacy and Stay Informed
  Understand phishing, malware, and other online scams. Educate yourself and those around you about staying safe online.
Conclusion
Tax-related scams that impersonate our official tax authority are becoming increasingly advanced and common, exploiting fear, urgency, and trust to steal personal information. By understanding their methods, spotting the red flags in their communications, and taking preventive actions, you can safeguard yourself and your personal data.
Always verify any tax-related message through the official Direktorat Jenderal Pajak channels, and report suspicious activities promptly. Stay alert, stay informed, and don’t let the scammers get a hold of your personal data.
For official updates, visit www.pajak.go.id.