Security of digital services

(Beta version)

The Independent Authority for Public Revenue:

  • Constantly ensures the protection of citizens from digital threats.
  • Seeks and implements modern methods for the security of its digital services and transactions.
  • Follows best practices for informing citizens, so that they know how to protect themselves and what to watch out for.


 

Attempts to intercept data through Phishing Messages
What does phishing mean?
The term phishing is defined as the attempt to intercept personal information, such as name, TIN, date of birth, bank accounts or passwords of citizens through misleading e-mails or messages on the mobile phone from supposedly trusted entities. These fake messages usually contain a link to a misleading website.
Recognizing phishing messages
Recently there has been an increase in misleading e-mails that show the IAPR as the sender and aim to intercept citizens’ personal information.

The most effective way of protection is to be informed so that you are able to recognize possible forms of phishing messages.

Their main characteristics:
- Sender: These messages appear to be sent by the IAPR, while the real sender is an unknown or spoofed email address that resembles real service addresses (especially with characters changed or added). Often the sender’s name also hides another address, unrelated to the service from which the message appears to be sent.
- Language: The fraudulent messages come in several variations, contain obvious errors in the use of the Greek language and prompt you to reveal your personal information, as can be seen in the images below:




- Suspicious links or attached files: Scam messages usually contain a link that urges you to reveal your personal information or to open an attached file (usually ending in .exe or .rar).

 

ADVICE

To determine if an email is genuine, consider the following.

The Independent Authority for Public Revenue:

1. Will not ask you, via e-mail, in any way and for any reason to disclose your personal information, such as name, TIN, date of birth, bank accounts or access codes (Username or Password). Immediately delete any message that claims to be from the IAPR or the Tax Authorities and asks you to disclose any of the above, as it is fake and may contain malicious content.

2. Will never send you an email with your personal tax data (e.g., amounts owed or refunds). This data is posted only in the e-Notifications box of the myAADE digital portal (www.myaade.gov.gr), where you can log in with your personal access codes, by going to: myAADE > Register & Contact > e-Notifications.

If you receive a suspicious email

1. Never click on a link if you are not absolutely sure of the message’s sender.
2. Never click on links that invite you to enter your access codes or other personal information.
3. Carefully check the e-mail address of the message’s sender. Phishing messages are often sent from unknown or spoofed email addresses that look like real service addresses (especially by changing or adding characters). Also, the sender’s name often hides another address, unrelated to the service from which the message appears to be sent.
4. Log in to the myAADE digital portal only from the address www.myaade.gov.gr or through the official website of the Independent Authority for Public Revenue www.aade.gr.
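
The sender and link checks from the list above, as an added Python example (not IAPR code). It flags a From header whose display name or domain imitates the IAPR, and any link whose host is not exactly one of the two official addresses given on this page. The set of mail domains, the function names and the sample values are assumptions constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Official web addresses named on this page.
OFFICIAL_HOSTS = {"www.myaade.gov.gr", "www.aade.gr"}
# Assumption for this example: genuine mail comes from these domains.
ASSUMED_MAIL_DOMAINS = {"aade.gr", "myaade.gov.gr"}
BRAND_WORDS = ("aade", "iapr")


def check_sender(from_header):
    """Return a list of warnings for a raw From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    on_official = any(domain == d or domain.endswith("." + d)
                      for d in ASSUMED_MAIL_DOMAINS)
    warnings = []
    if not on_official:
        # The display name is free text; only the address says who sent it.
        if any(w in name.lower() for w in BRAND_WORDS):
            warnings.append("display name claims IAPR but address is " + addr)
        # Characters changed or added around the real name.
        if any(w in domain for w in BRAND_WORDS):
            warnings.append("look-alike sender domain " + domain)
    return warnings


def check_link(url):
    """Return None for an https link to an official host, else a reason."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in OFFICIAL_HOSTS:   # exact match only, no "contains"
        return "host '%s' is not an official IAPR address" % host
    if parts.scheme != "https":
        return "not an https link"
    return None


if __name__ == "__main__":
    # Constructed samples, not taken from real messages.
    print(check_sender('"AADE Notifications" <info@aade-refunds.example>'))
    print(check_sender("IAPR <notify@aade.gr>"))
    print(check_link("https://www.myaade.gov.gr.login.example/auth"))
    print(check_link("https://www.myaade.gov.gr/"))
```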

 

Transaction and Data Security

The IAPR constantly takes care to ensure the maximum possible security during citizens’ transactions with its digital services.
For this purpose:

  • Personal security codes, i.e., the username and password, are always required to access the IAPR’s digital services.
  • Special mechanisms are used for controlled access of citizens to the confidential data managed by the IAPR and to its digital services.
  • Encryption is applied to every transaction of citizens with its digital services.
  • A variety of techniques are applied to further secure transactions.

Examples include:
- User Account Locking: In the event that six (6) consecutive failed attempts to connect to the service are made, the user’s account is automatically “locked” for ten minutes.
- Automatic Logout: An upper limit has been set for the completion of transactions (“Session Timeout”) after which the system automatically ends the connection. Similarly, if no transaction is performed within a few minutes during the use of the system, then the system automatically logs off the user (“Idle Timeout”).
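
The account-locking rule above (six consecutive failures, ten-minute lock), as an added Python example that is not the IAPR’s implementation. The class name, the in-memory storage, and the choices that a successful login resets the count, that a correct password is refused while the lock is active, and that counting restarts once the lock expires are assumptions of this example.

```python
import time

MAX_FAILURES = 6          # consecutive failed attempts, as stated above
LOCK_SECONDS = 10 * 60    # lock duration, as stated above


class LockoutPolicy:
    """Tracks consecutive login failures per user (in memory only)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so the policy can be tested
        self._failures = {}          # username -> consecutive failure count
        self._locked_until = {}      # username -> time the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: clear it and start counting afresh (assumption).
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(user):
            # Assumption: even a correct password is refused while locked,
            # otherwise the lock would not slow down password guessing.
            return "locked"
        if password_ok:
            self._failures.pop(user, None)   # success ends the streak
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= MAX_FAILURES:
            self._locked_until[user] = self._clock() + LOCK_SECONDS
        return "failed"
```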
 

 

Navigation Safety
Authenticity of the IAPR Websites

To be sure that you are connected to the official IAPR website, we recommend that you follow the rules below:
-  Connect to the official IAPR website by directly typing the address www.myaade.gov.gr or www.aade.gr into your browser, and not through links that may have been sent to you electronically or published on third-party websites.
- When you log in to the website of an IAPR digital service where you are asked to fill in your username and password, check that the address starts with https (as opposed to http) and that there is a padlock icon. By double-clicking the padlock, information will be displayed to help you confirm that the website is authentic.
-   After completing your actions, log out of the page (by selecting “Logout”) before leaving.

Access Code Management

The password is very important for the security of your transactions with the IAPR. For this reason, we recommend that you choose strong passwords and make sure to change them at regular intervals. For the safe use of the password, it is advisable to keep the following in mind:

-  Your password is personal, and you should not share it with third parties, including IAPR employees. In case you suspect that your password has been leaked in any way, inform the IAPR immediately or, if possible, change it immediately.

-  Do not under any circumstances save or take notes of your passwords.

-  Choose different passwords for your important accounts.

 When choosing a password:

-  Choose a combination of letters, numbers and symbols in your password and avoid using simple words. Additionally, avoid using series of the same characters (e.g., g177777) or characters with some logical continuation (e.g., 123456, ABCDE).

- Choose a phrase that only you know and avoid creating passwords with information that identifies you, such as your name, date of birth, ID card number or TIN.

- Use passwords with at least 8 characters.
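
The password rules listed above, turned into a checker as an added Python example (not IAPR code). The function names, the threshold of four characters for a "series", and the sample passwords in the comments are assumptions of this example; the "simple words" rule is not covered because it needs a word list.

```python
import re

MIN_LENGTH = 8   # minimum length stated above
RUN_LENGTH = 4   # assumption: 4+ repeated or sequential characters is a "series"


def has_repeat_run(pw, n=RUN_LENGTH):
    """True if one character occurs n or more times in a row (e.g. g177777)."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequence(pw, n=RUN_LENGTH):
    """True if n or more characters rise or fall by one (e.g. 123456, ABCDE)."""
    codes = [ord(c) for c in pw.lower()]
    for step in (1, -1):
        run = 1
        for prev, cur in zip(codes, codes[1:]):
            linked = (cur - prev == step
                      and chr(prev).isalnum() and chr(cur).isalnum())
            run = run + 1 if linked else 1
            if run >= n:
                return True
    return False


def check_password(pw, personal=()):
    """Return the rules from this page that the password breaks."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[^\W\d_]", pw) and re.search(r"\d", pw)
            and re.search(r"[\W_]", pw)):
        problems.append("needs letters, numbers and symbols")
    if has_repeat_run(pw):
        problems.append("series of the same character")
    if has_sequence(pw):
        problems.append("characters in logical sequence")
    # personal: values such as name, date of birth, ID card number or TIN.
    lowered = pw.lower()
    if any(p and p.lower() in lowered for p in personal):
        problems.append("contains personal information")
    return problems
```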

Computer protection during your transactions

For the maximum protection of your transactions, before connecting to the IAPR’s digital services, you should take care of the following:
- Update the operating system of your electronic devices and all the programs you use for your access, with the latest security updates published by their manufacturers.

- Use a well-known web browser, which is either pre-installed on your personal electronic devices or comes from a reputable manufacturer.

- Protect your electronic devices with firewall, antivirus and antispyware programs and ensure that they are frequently updated with the latest versions.


- Take regular, periodic backups. This way, should your system get infected with a virus or experience any software or hardware failure, you will be able to rescue your files and restore the system to its previous state.

Use of shared electronic devices

When using the IAPR’s digital services from electronic devices that do not belong to you or are shared, we recommend that you:
- Choose to use incognito browsing if possible.
- Do not choose to save your personal passwords when asked by the browser.
- Make sure you are not being watched when you fill in your username and password.
- After the end of use, delete all temporarily stored Internet files, such as cookies, passwords, browsing history, etc.

Connection via a Wi-Fi network

- In the case of a home network, take care to activate the security parameters of your router. However, even when security parameters are enabled on a network, prefer wired access over wireless.
- In the event that the wireless network is not controlled by you or is public, then do not use it to transmit your personal and confidential information or enter your passwords, as the security of these networks is low, and it is possible to intercept the data fed into them.

Protection Tips

-  Do not open electronic messages (e-mails, SMS) from unknown senders.
- Links to fake websites: Always check where the link takes you before clicking on it. Place the cursor on the URL and check if the address is the same as the one that will appear at the bottom of the browser.
- Do not trust e-mails that ask for your personal information or refer you to websites to fill in your username, password or any other personal information (name, TIN, date of birth, etc.). The IAPR will never send you such e-mails.
-  Be careful with the wording. Scam emails often use incorrect Greek, both in terms of spelling and syntax. They give the impression that they were written by someone who does not know the Greek language well.
- Avoid downloading files (games, music, videos, freeware, etc.) from websites you don’t trust.
-  If you notice “strange” behavior on your computer, which may be caused by the installation of malicious programs, use your computer's security program or talk to an expert.
-  Limit the information you share on social media (Facebook, Instagram, X, etc.).
- You must be very careful with phone calls you receive from strangers who pretend to be accountants or IAPR representatives and ask you for your personal information (name, TIN, username, password, etc.) under the pretext of a tax refund or state subsidy approval (Power Pass, Fuel Pass, Tourism for all, etc.).

FAQs on the Security of Digital Services
1. How can I securely connect to the IAPR’s digital services?

Log in to the myAADE digital portal by typing the address www.myaade.gov.gr or from the official IAPR website by typing www.aade.gr and not through links that may have been sent to you electronically or published on third-party websites or search engines.

2. How do I know at any time that I am connected to an authentic digital service page?

Connect to the login page where you are asked to fill in your username and password. Before entering your details, check that the address starts with https (as opposed to http) and that it has a padlock icon. By double-clicking on the padlock, information will be displayed to help you confirm that the website is the authentic IAPR website.

3. What should I pay attention to before connecting to the IAPR’s digital services?

For the maximum protection of your transactions, before connecting to the IAPR’s digital services, you should take care of the following:
- Use a well-known internet browser, which is either pre-installed on your personal computer or comes from a reliable manufacturer (e.g., Microsoft Edge, Mozilla Firefox, Google Chrome, Opera).
- Check regularly that you are using the latest updated version of the browser.
- Install antivirus software from a well-known manufacturer and regularly check that it is up-to-date.
- Regularly check that your electronic devices continue to receive the latest operating system updates from the manufacturer.
 

4. What is the correct way to disconnect from the IAPR’s digital services?

If you have connected to the authentic page of the IAPR digital service and wish to exit from it, you should always select “Log out.”
The following exit options should be avoided:
- Closing the browser with the close-window icon “X,”
- Entering another address in the address bar (URL),
- Clicking on the “back” icon to display the page of another address.
 

5. I have received a message from the IAPR. How do I know if it’s genuine?

Regarding electronic messages sent via email, we inform you that the IAPR:

1. Will not ask you, via e-mail, in any way and for any reason to disclose your personal information, such as name, TIN, date of birth, bank accounts or access codes (Username or Password). Immediately delete any message that claims to be from the IAPR or the Tax Authorities and asks you to disclose any of the above, as it is fake and may contain malicious content.

2. Will never send you an email with your personal tax data (e.g., amounts owed or refunds). This data is posted only in the e-Notifications box of the myAADE digital portal (www.myaade.gov.gr), where you can log in with your personal access codes, by going to: myAADE > Register & Contact > e-Notifications.
 

 

6. I received an email from the IAPR that looks suspicious. What should I do?

For your best possible protection:
1. Never click on a link in an email if you are not absolutely sure of the message’s sender.

2. Never click on links that invite you to enter your access codes or other personal information.

3. Carefully check the e-mail address of the message’s sender. Phishing messages are often sent from unknown or spoofed email addresses that look like real service addresses (especially by changing or adding characters). Also, the sender’s name often hides another address, unrelated to the service from which the message appears to be sent.

4. Log in to the myAADE digital portal only from the address www.myaade.gov.gr or through the official website of the Independent Authority for Public Revenue www.aade.gr.

7. What basic rules should I follow to securely use the IAPR’s digital services?

For example:
- Do not share your personal security passwords in any way.
- Do not write down your passwords, but make sure you memorize them.
- Do not use passwords that can easily be guessed, such as dates of birth, names, telephone numbers, etc. It is recommended to create alphanumeric codes (combination of letters and numbers).
- Change your passwords often. If you suspect someone knows them, you must change them immediately.
- Do not save your passwords on your electronic devices, but type them every time you wish to access a service.
- Be careful which websites you sign up for. When registering on websites other than the IAPR’s, it is recommended to use a different e-mail address from the one you have given to the IAPR.
- Do not install programs on your electronic devices unless you are sure of their identity.