Tax Filing Scams Used to Deliver Malware in New Cybercrime Campaigns


Cybercriminals are once again exploiting global tax seasons, abusing IRS and tax filing lures to deliver malware, remote monitoring and management (RMM) tools, and credential phishing in a wave of new 2026 campaigns.

Security researchers have already tracked more than a hundred tax-themed operations worldwide, with a noticeable increase in the use of legitimate RMM software as a stealthy access vector.

Threat actors are capitalizing on the stress and urgency around tax filings, knowing that users expect emails from tax agencies, HR departments, banks, payroll providers, and tax platforms.

Common lures include fake IRS notifications, expiry warnings for tax documents, alleged tax violations, and requests for support with filings or refunds.

While many campaigns focus on U.S. taxpayers via IRS‑branded emails, recent activity also targets users in Canada, Australia, Switzerland, Japan, and other regions with localized tax brands and languages.

Proofpoint has observed tax-themed campaigns deliver RMM tools including Datto, N-able, RemotePC, Zoho Assist, and ScreenConnect, among others.

Breakdown of threat types delivered in tax-themed email campaigns (Source: Proofpoint).

The payloads span commodity malware, RMM agents, information stealers, and pure credential harvesting pages tied to financial and investment services.

Email volumes range from highly targeted spear‑phishing waves to bulk mailshots of tens of thousands of messages, depending on the actor’s goals.

Because RMM agents are code-signed, widely used by enterprise IT, and often allowed through security controls, a malicious deployment can blend in with normal administrative activity if allow-listing and monitoring of remote access agents are weak.

Phishing lure impersonating the IRS delivering N-able RMM (Source: Proofpoint).

In a February 2026 example, attackers impersonated the U.S. Internal Revenue Service. They sent emails about “recent IRS filings” that contained a “Transcript Viewer” button.

The link redirected to a hosting service where victims could download an executable that silently installed an RMM agent, handing the adversary persistent remote access.

To improve credibility, the phishers even inserted a real IRS phone number into the message, a tactic increasingly seen across campaigns abusing trusted brands.

Newer financially motivated actor TA4922 has been linked to tax‑themed campaigns primarily aimed at Japan and other East Asian countries.

The group’s goal is to secure remote access for follow‑on fraud, data theft, or access brokering, often using malware from the Winos 4.0 (ValleyRAT) ecosystem associated with the Chinese‑speaking Silver Fox (aka Void Arachne) cluster.

TA4922 frequently impersonates national tax authorities, sometimes posing as “Inland Revenue” departments in Japan and other countries including India, Taiwan, Indonesia, Malaysia, and Italy. It initiates contact with short emails requesting a mobile phone number, attempting to move victims into out‑of‑band channels like SMS or messaging apps.

Once trust is established, the actor escalates to sending malicious links or executables that drop stealers and loaders still under active analysis.

Credential phishing actor TA2730 continues to weaponize the U.S. W‑8BEN tax form as a lure against customers of investment platforms in multiple regions.

TA2730 geographic targets of all campaigns (Source: Proofpoint).

The group sends emails that masquerade as messages from investment firms, urging recipients to update their W‑8BEN details to maintain account compliance.

Embedded URLs lead to highly convincing counterfeit login portals for brands such as Swissquote and Questrade, where victims unknowingly submit credentials directly to the attacker.

Campaigns observed in early 2026 hit users in Switzerland and Canada, and in some cases the emails even contained legitimate customer‑service phone numbers of the impersonated companies to boost trust.

TA2730 email impersonating Swissquote (left) and malicious phishing landing page impersonating the company (right) (Source: Proofpoint).

W‑2 and HR‑themed BEC fraud

Business email compromise (BEC) actors are also exploiting tax forms such as W‑2 and W‑9 in social engineering that targets corporate HR and finance staff.

In a typical scenario, the attacker spoofs an executive’s display name and urgently requests all employee W‑2 forms for the previous tax year, claiming audit or payroll deadlines.

These forms contain names, addresses, Social Security numbers, and income data that can be resold or reused for identity theft and banking fraud.

BEC operations often rely purely on social engineering and data theft, leaving fewer technical indicators for traditional security tools to detect.
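The W-2 request described above leaves few malware indicators, but the message itself carries the signal: an executive's display name on a sender address that is not the executive's, often with an external Reply-To, plus a request for tax-form data. The following check is an added example written for this page, not code from the article or Proofpoint. The executive directory, the internal domain corp.example, and both sample messages are constructed for the example.

```python
"""Score an inbound message for executive display-name spoofing combined with
a tax-form data request (the W-2 BEC pattern).

Added example; not from the article or any vendor. The directory, domains and
the two sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}                  # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@corp.example"}   # assumed HR directory, lower-cased names
TAX_FORM_RE = re.compile(r"\bW-?[29]\b", re.IGNORECASE)   # W-2 / W-9 mentions


def _decoded(msg, name):
    """Header value with RFC 2047 encoded-words decoded (a common way to hide lookalike names)."""
    return str(make_header(decode_header(msg.get(name, ""))))


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text(msg):
    """Concatenated text/plain bodies, decoded with each part's declared charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain")


def check_message(raw):
    """Return sender, normalized display name, triggered flags and a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(_decoded(msg, "From"))
    addr = addr.lower()
    display = re.sub(r"\s+", " ", display).strip().lower()
    reply_to = parseaddr(_decoded(msg, "Reply-To"))[1].lower()

    flags = []
    known = EXECUTIVES.get(display)
    if known and addr != known:
        flags.append("executive display-name mismatch")
    if _domain(addr) not in INTERNAL_DOMAINS:
        flags.append("external sender domain")
    if reply_to and _domain(reply_to) not in INTERNAL_DOMAINS:
        flags.append("external reply-to")
    if TAX_FORM_RE.search(_decoded(msg, "Subject") + "\n" + _text(msg)):
        flags.append("tax-form data request")

    # An impersonated executive asking for tax forms is held for verification
    # through a known-good channel; anything else with a flag goes to review.
    if "executive display-name mismatch" in flags and "tax-form data request" in flags:
        verdict = "hold"
    elif flags:
        verdict = "review"
    else:
        verdict = "allow"
    return {"sender": addr, "display_name": display, "flags": flags, "verdict": verdict}


# Constructed sample: encoded-word display name of a real executive on an
# outside mailbox, external Reply-To, urgent request for all W-2s.
SPOOFED_W2_REQUEST = """\
From: =?utf-8?b?SmFuZSBEb2U=?= <jane.doe@outlook-mail.example>
Reply-To: jane.doe.ceo@outlook-mail.example
To: payroll@corp.example
Subject: Urgent: W-2 forms for audit
Content-Type: text/plain; charset=utf-8

Hi, I need all employee W-2 forms for last tax year before the audit call
this afternoon. Send them as PDF to this address.
"""

# Constructed sample: the same executive from her real mailbox, no tax data.
LEGITIMATE_EXEC_MAIL = """\
From: Jane Doe <jane.doe@corp.example>
To: payroll@corp.example
Subject: Q1 board deck

Please send me the final Q1 deck.
"""

if __name__ == "__main__":
    for sample in (SPOOFED_W2_REQUEST, LEGITIMATE_EXEC_MAIL):
        print(check_message(sample))
```

The display name is compared after decoding encoded-words and collapsing whitespace, because the spoof rarely appears as a plain ASCII name. A "hold" verdict is a trigger for the out-of-band verification the article recommends, not a final block decision.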

Tax and financial lures remain effective year‑round, but activity spikes around filing deadlines as users juggle multiple financial services and official portals.

Security teams should tighten controls on RMM tooling, implement strict allow‑listing and behavioral monitoring for remote access agents, and verify that any new deployment of ScreenConnect‑like tools is expected and approved.
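The earlier point that signed RMM agents blend in when allow-listing is weak, and the recommendation here to verify that every new ScreenConnect-like deployment is expected, both come down to the same check: is this agent one we sanction, and did it arrive the way IT deploys it? The following triage over process-creation telemetry is an added example written for this page, not code from the article, Proofpoint, or any RMM vendor. The agent image names, the approved-deployment policy (share \\deploy.corp.example\rmm, parent ccmexec.exe), and the events are assumptions constructed for the example.

```python
"""Flag RMM agent launches that fall outside a sanctioned deployment path.

Added example for this article; not Proofpoint's or any vendor's code. It runs
over constructed process-creation telemetry (Sysmon event 1 style fields:
host, user, image, parent image) embedded below.
"""
import ntpath

# Image names commonly used by agents of the RMM families the article names.
# These are assumptions for the example, not a vetted indicator list; replace
# them with the inventory from your own software asset management.
RMM_IMAGE_NAMES = {
    "ScreenConnect": {"screenconnect.clientsetup.exe", "screenconnect.windowsclient.exe"},
    "N-able": {"windows_agent.exe", "beanywhere.exe"},
    "Datto": {"aemagent.exe", "cagservice.exe"},
    "Zoho Assist": {"zaservice.exe", "za_connect.exe"},
    "RemotePC": {"remotepcservice.exe", "remotepc.exe"},
}

# Hypothetical policy: only ScreenConnect is sanctioned, and only when the
# software-deployment agent installs it from the internal distribution share.
APPROVED_DEPLOYMENTS = {
    "ScreenConnect": {
        "path_prefix": "\\\\deploy.corp.example\\rmm\\",   # assumed share
        "parent_image": "ccmexec.exe",                    # assumed deployment agent
    },
}

# Locations and parent processes typical of a user running a phishing download.
USER_STAGING_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")
DELIVERY_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def classify_rmm(image):
    """Return the RMM family for an image path, or None if it is not a known agent."""
    name = ntpath.basename(image).lower()
    for family, names in RMM_IMAGE_NAMES.items():
        if name in names:
            return family
    return None


def triage_event(event):
    """Classify one process-creation event; None when no RMM agent is involved."""
    family = classify_rmm(event["image"])
    if family is None:
        return None
    image = event["image"].lower()
    parent = ntpath.basename(event["parent_image"]).lower()
    finding = {"host": event["host"], "user": event["user"], "family": family}
    policy = APPROVED_DEPLOYMENTS.get(family)
    if policy is None:
        finding.update(severity="high", reason="unapproved RMM family")
    elif image.startswith(policy["path_prefix"].lower()) and parent == policy["parent_image"]:
        finding.update(severity="info", reason="approved deployment")
    elif any(d in image for d in USER_STAGING_DIRS) or parent in DELIVERY_PARENTS:
        finding.update(severity="high",
                       reason="approved tool launched from a user-writable path or by a browser/mail client")
    else:
        finding.update(severity="medium", reason="approved tool outside the sanctioned deployment path")
    return finding


def triage(events):
    """Return a finding for every event that involves an RMM agent."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


# Constructed telemetry, not real data: a phishing-style install from a browser
# download, a sanctioned push, an unapproved family from an Outlook attachment,
# and an unrelated system process.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice",
     "image": "C:\\Users\\alice\\Downloads\\ScreenConnect.ClientSetup.exe",
     "parent_image": "C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"},
    {"host": "WS02", "user": "SYSTEM",
     "image": "\\\\deploy.corp.example\\rmm\\ScreenConnect.ClientSetup.exe",
     "parent_image": "C:\\Windows\\CCM\\CcmExec.exe"},
    {"host": "WS03", "user": "bob",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\Windows_Agent.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
    {"host": "WS04", "user": "SYSTEM",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Matching on image name alone is deliberately the weakest link here: an attacker can rename the installer, so in production pair this with the signer from the binary's Authenticode certificate and with the agent's outbound connection to the vendor relay, and treat any signer-verified RMM agent not in APPROVED_DEPLOYMENTS as an incident rather than an inventory note.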

Organizations should also run focused awareness campaigns ahead of tax season, teaching staff to treat unsolicited tax emails, unexpected form requests, and external data demands with caution and to verify requests via known‑good channels.

Finally, layered defenses that combine email security, web filtering, MFA for financial and investment accounts, and strong detection for anomalous RMM usage can significantly reduce the risk from these evolving campaigns.


National Cyber Security