Cybersecurity and Tax Season Scams [An Overview]
Table of contents
Why are tax scammers so omnipresent this season? And what does it say about the state of online security?
As tax season draws to a close, fraudulent emails are flooding North American mailboxes. From phishing attempts, ransomwares and targeted attacks, tax themed cybersecurity scams are a high priority threat that can lead to risks from leaked credentials to identity theft to financial scams.
Tax season is a critical period marked by a surge in online activity as individuals and business rush to complete and submit their filings. The surge in exchange of personal data and sensitive information during this period attracts cybercriminals to take advantage of the high levels of confusion and anxiety that is associated with filing taxes.
What CybelAngel Analysts saw this tax season
Investigating and monitoring thousands of alerts daily, the cybersecurity analysts at CybelAngel have a granular view on the attack surface threats that are shaping this tax season.
Between January and April 2025, organizations in the American financial services sector experienced a notable rise in cyber threats compared to the previous quarter. Reports indicated a significant increase in phishing incidents, social engineering scams, and leaked credentials, underscoring the tangible impact of tax season on cybersecurity risks.
This increase was expected and predicted by the US Internal Revenue Service (IRS) which warned taxpayers and businesses to watch out for common schemes and scams that threaten the leak of their tax and financial data. To this end, the IRS has published a list of the dozen most relevant cyberattacks that taxpayers should be aware of in 2025. This list prioritises phishing emails, fake tax preparer companies, and social media fuelled scams. According to an FBI report, the Cybercrime Complaint Centre received over a thousand tax related identity theft complaints in 2024, a majority of these led from spear phishing attempts and social engineering using social media.
1. Phishing attacks and IRS impersonation scams
Since the beginning of this year, several types of phishing campaigns have been reported. Many of them including red flags such as impersonation of tax professionals, the IRS, and legal notices.
According to Carbonite Blog, one in three employees fall for phishing attacks by clicking on malicious links or attachments received via their corporate email accounts. This has lead to financial losses estimated at $4.9 million per successful attack. Overall these scams are estimated to have costed businesses over $55 million over the past decade, reveals an FBI study.
Impersonation of the IRS website is also a popular technique used by attackers during this period. These email frauds are often linked to domains with slight misspellings, additional characters, or unusual domain extensions such as “.xyz”, “.info”, or “.top”, which deviate ever so slightly from the official IRS domains. A hard to catch red flag.
Once clicked upon, they often redirect victims to fake IRS portals in in an attempt to deceive the individual into providing sensitive financial information, social security numbers, passwords among other sensitive data. According to cybersecurity researchers, in January 2025, at least 158 new and unique domains were created which followed the pattern of “irs.gov”, in an attempt to impersonate the legitimate internal revenue services. Further, almost 3,500 domains were reported as malicious or as used for phishing attacks during this period.
2. Tax season data leaks
Beyond website and IRS impersonation, there was also a spike in other forms of tax seasons scams such as smishing and vishing campaigns, wherein cybercriminals use SMSs and phone calls to to conduct phishing attacks, particularly useful for bypassing multi factor authentication.
These methods were also used to proliferate malwares and viruses that are designed to travel vertically and horizontally within a network of computers leading to further sensitive data leak.
In February 2025 Microsoft observed the Latrodectus malware campaign that targeted US tax payers using IRS themed phishing emails.
The Lactodectus malware campaign, first seen in 2023, is a malware that is distributed through an attached PDF in phishing emails. In Q1, according to a Microsoft publication, several thousands of American email addresses were targeted by the cybercriminal group Storm-0249. Storm-0249 is an access broker known to have been active since 2021, and is credited for several catastrophic malwares such as the Bumblebee and the BazaLoader malwares, which has lead to numerous ransomware attacks. The actor typically uses phishing to distribute their malware payloads, much like their campaign this tax season.
By targeting individuals with messages mentioning “tax return errors” and “required IRS audit”, the malicious actor plays on the fears and stress prevalent related to tax filings. These emails often lead to a fraudulant Docusign page, which when approved, launches the malware installation.
Additionally, several companies reported receiving scam emails with attached PDFs containing QR codes. These QR codes, once scanned, installs the malware software Racoon0365, a tool which imitates the Microsoft 365 login page to steal credentials and bypass Microsoft’s MFA authenticators.
Tax preparer and social media scams
The IRS 2025 list of most common cybersecurity scams during the tax season highlighted the fraudsters using social media and podcasts, using these platforms to initiate contact with victims. Social media networks are increasingly being exploited by cybercriminals posing as “influencers” or scammers who offer misleading financial advice, often promising taxpayers financial gains and additional tax refunds in exchange for following their instructions or payments.
Among the scams detected are fraudulent claims involving fuel tax credit on federal returns and investments in fake cryptocurrencies and platforms. Some scams involve fake tax preparers who pretend to be qualified CPAs (Certified Public Accountants) offering low-cost or free tax filing services. By gaining access to the victim’s personal and sensitive financial information, these fraudsters commit tax fraud by misfiling tax documents in your name to the IRS. Such attempts at identity theft leads to extremely high cost and high effort legal process. Further, these sensitive information can also be used to gain access to the tax payers’ bank accounts to commit further financial crimes.
Additionally, with the rise of artificial intelligence, tax frauds and linked cyber attacks are becoming increasingly sophisticated, specially though the use of deep fakes. Scammers and fraudsters use AI-generated deepfakes to impersonate tax preparers or IRS officers through phone calls or video calls. AI is also being used to create convincing fake login pages and phishing emails, making it even harder for victims to detect suspicious activity.
Keep you and your employees safe from tax season scams
Interested in staying secure?
Follow these 3 integral steps.
- Use secure tax software only: the IRS advices to download tax software only from official sources. Using anti-phishing solutions such as ad blockers, anti-spam filters, anti-spyware to mitigate the spread of malware installation.
- Standardise MFA and awareness of unusual activity: Standarising the user of MFA in addition to complex and unique passwords is of utmost importance. Further, training your employees to identify phishing attempts and suspicious activities in emails, SMS and phone calls will go a long way in preventing stress and anxiety induced human errors during the tax season.
- Keep an eye out for unverified tax preparers and CPAs: Spread awareness about the importance of taking only verified and reputable tax advice. When someone who claims to be an official CPA initiate contact, it is entirely within your rights to verify their license number through CPA verification platform. Further, tax preparers must also be legitimised by a Preparer Tax Identification Number (PTIN) issued by the IRS after verification. Additionally, depending on your state, tax preparers may also have obtain licences, or an electronic tax filing identification number, that can be used to verify their credibility.
Ready to get started?
