finAPI Advisory: Beware of Fraudulent Payment Requests
In recent days, there has been an increase in phishing emails containing fake tax notifications – allegedly sent on behalf of the German Federal Central Tax Office (BZSt). These messages urge recipients to settle an “outstanding tax payment”. The included link leads to a fake website featuring a deceptively authentic-looking finAPI payment form.
The scammers’ exact goals vary depending on the case – either it’s classic phishing (stealing online banking credentials) or scamming, where payments are redirected directly to fraudsters’ accounts.
To help you avoid falling victim to such fraud attempts, we explain what to look out for and how to identify suspicious pages.
What is the finAPI Webform?
The finAPI Webform is a secure online form that allows users to:
- Connect bank accounts with a software application
- Initiate payments directly from online banking to a recipient
The Webform is used by partner companies, for example, in finance apps, accounting or tax software, and online shops for payment processing. It can be integrated either directly by finAPI (under finapi.io) or by a finAPI customer on their own website.
In the current scam, third parties are trying to mimic the design and trusted appearance of our Webform in order to deceive users.
How to spot a fake Webform
Here are some simple but effective checks to help you distinguish real from fake pages:
1. Check the URL
Look closely – fraudsters often use deceptively similar domains.
- Legitimate: bzst.de
- Fake: bzst-steuern.de
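The comparison in this step is easy to get wrong in an automated mail filter: a substring test such as "does the link contain bzst.de" accepts both bzst-steuern.de-style lookalikes and hosts like bzst.de.example.net. The following Python snippet is an added example (not finAPI's or the BZSt's code) that extracts the hostname of each link in a message and matches it against an allowlist on whole label boundaries only; the allowlist of finapi.io and bzst.de and the constructed sample message are assumptions for the demonstration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumption: allowlist of legitimate registrable domains named in the advisory.
TRUSTED_DOMAINS = ("finapi.io", "bzst.de")

# Matches http(s) links in free text; good enough for mail-body triage.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if it cannot be parsed.

    urlsplit().hostname discards any user@ prefix, so a link such as
    https://bzst.de@attacker.example/ yields 'attacker.example', not 'bzst.de'.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host equals a trusted domain or is a subdomain of one.

    Matching on label boundaries rejects 'bzst-steuern.de' and
    'bzst.de.example.net' while still accepting 'www.bzst.de'.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(url: str) -> str:
    """Label a link 'trusted', 'lookalike' or 'untrusted' for triage."""
    host = hostname_of(url)
    if host is None:
        return "untrusted"
    if is_trusted_host(host):
        return "trusted"
    # Lookalike heuristic: the host borrows the bare name of a trusted domain
    # (e.g. 'bzst' inside 'bzst-steuern.de') without actually being that domain.
    names = [d.split(".")[0] for d in TRUSTED_DOMAINS]
    if any(n in host for n in names):
        return "lookalike"
    return "untrusted"


def triage_message(text: str) -> dict:
    """Map every http(s) link found in a message body to its classification."""
    return {u: classify_link(u) for u in URL_RE.findall(text)}


# Constructed sample message for demonstration; not a real email.
SAMPLE_EMAIL = """Dear taxpayer,
please settle your outstanding tax payment at
https://bzst-steuern.de/zahlung within 3 days.
Official information: https://www.bzst.de/
"""

if __name__ == "__main__":
    for link, verdict in triage_message(SAMPLE_EMAIL).items():
        print(f"{verdict:10} {link}")
```

Run directly, the script prints one verdict per link; in a mail filter the "lookalike" verdict is the one worth alerting on, because it is exactly the pattern this step describes.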
2. Inspect sender and language
Fake emails or websites often contain:
- Spelling mistakes or unusual wording
- Design flaws or missing logos
- Lack of personal salutation
- Unprofessional-looking sender addresses
Scammers are increasingly using AI-based tools to improve their attacks – yet these clues still offer valuable indicators of suspicious content.
3. Question the plausibility
- Does the message even make sense?
- Do you actually have an outstanding claim with the BZSt?
- Are tax payments typically handled via web forms?
- Normally, tax communication is conducted via ELSTER – not via email links to payment pages.
4. Open links independently
Do not click directly on links in emails when sensitive data or payments are involved.
If a message involves personal or security-sensitive information, always access the website directly by typing the known address into your browser – never through a provided link.
Special Security Tips for the finAPI Webform
finAPI is a regulated payment initiation service provider, supervised by the German Federal Financial Supervisory Authority (BaFin). As such, we are required to provide regulatory information – details that are typically missing from fake websites.
- Imprint: The finAPI Webform always includes a link to an imprint. Compare it to the official imprint on finapi.io.
- Privacy and Terms of Use: These must be accepted before using the Webform – this step is often missing on fake pages.
Stay vigilant
All our products are built with the highest security standards. However, it’s equally important that you stay alert when dealing with sensitive data.
Suspect Phishing or Scamming?
If you have doubts about the authenticity of a page or suspect phishing or scamming, don’t hesitate to contact us.
Please forward the suspicious email to contact@finapi.io or report it via our anonymous whistleblower system.
Stay safe – and as always:
Never enter your login credentials or TANs on unknown websites.
Contact us
finAPI GmbH
Adams-Lehmann-Str. 44
80797 München
BaFin
Officially licensed and supervised by the German Federal Financial Supervisory Authority (BaFin).