Security brief: tax scams aim to steal funds from taxpayers - Proofpoint
MARCH 30, 2026 THE PROOFPOINT THREAT RESEARCH TEAM
What happened
Threat actors love to take advantage of tax season. It’s peak social engineering time: combine monetary concerns with often stressful responsibilities, sprinkle in the expectation of emails about taxes from multiple organizations and you’ve got a recipe for cybercrime.
So far in 2026 we’ve seen over a hundred campaigns leverage tax themes leading to malware, remote monitoring and management (RMM) payloads, fraud, and credential phishing. Tax-themed campaigns are expected annually, but this year we’re seeing more RMM payloads, activity from newly identified threat actors, and a broader variety of social engineering lures.
Figure 1. Breakdown of threat type delivered in tax-themed email campaigns. (Analyst note: Proofpoint manually contextualizes fewer BEC/Imposter threats overall, so they appear less in campaign data.)
Threat actors are using tax themes in many ways, including posing as tax agencies or government entities like the Internal Revenue Service (IRS); claiming the recipient has expired tax documents; impersonating company human resources; requesting tax filing support; claiming tax violations; and more.
Email volumes vary from a handful of messages to tens of thousands, depending on the campaign and the actors’ objectives. While most campaigns target the United States, Proofpoint has also seen recent tax-themed campaigns target other countries including Canada, Australia, Switzerland, and Japan, among others.
The following are examples of notable tax-themed campaigns observed so far in 2026.
Campaign examples
RMM
The most common payloads delivered via tax themes are RMMs. These tools are legitimate software commonly used within the enterprise but abused by cybercriminals. RMMs are used by many threat actors, and the cybercrime ecosystem leveraging legitimate software in malicious campaigns is thriving. Threat actors like using RMMs because they often fly under the radar in enterprise environments since they’re legitimate, often authoritatively signed, pieces of software. If organizations do not implement allow-listing for trusted RMMs, malicious ones may not get flagged by security tools.
Proofpoint has observed tax-themed campaigns deliver RMMs including Datto, N-Able, RemotePC, Zoho Assist, and ScreenConnect, among others. In some cases, threat actors will use one RMM for initial access and then drop another as a follow-on payload once the host is infected.
As an example, on 05 February 2026, Proofpoint observed a campaign impersonating the U.S. IRS. The lure purported to relate to the target’s recent IRS filing.
Figure 2. Phishing lure impersonating the IRS delivering N-able RMM.
Messages contained a hyperlinked button purporting to be a “Transcript Viewer” that was actually a Bitbucket URL leading to an executable file which, if executed, installed N-able RMM. Notably, the actor included a real phone number belonging to the IRS to further the social engineering and believability of the email.
IRS is a common lure theme used by multiple threat actors, as impersonating government agencies can be a compelling social engineering technique. Since January 2026, Proofpoint observed over a dozen RMM campaigns that have impersonated the IRS.
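The allow-listing point above can be turned into a simple inventory check. The following is an added example, not Proofpoint's code: it flags hosts running an RMM family named in this brief that the organization has not approved, and hosts running more than one RMM (the follow-on payload pattern described above). The inventory records, host names, product strings and the approved set are constructed assumptions.

```python
import re
from collections import defaultdict

# RMM families named in the brief, matched on word boundaries so that
# unrelated names such as "Tunnel Enabler" do not match "N-able".
RMM_PATTERNS = {
    "Datto": r"\bdatto\b",
    "N-able": r"\bn-?able\b",
    "RemotePC": r"\bremote ?pc\b",
    "Zoho Assist": r"\bzoho ?assist\b",
    "ScreenConnect": r"\bscreen ?connect\b",
}
APPROVED = {"ScreenConnect"}  # assumption: the only RMM this organization sanctions

# Constructed software-inventory records (host and product fields are hypothetical).
INVENTORY = [
    {"host": "fin-ws-07", "product": "N-Able Windows Agent"},
    {"host": "fin-ws-07", "product": "Zoho Assist Unattended Agent"},
    {"host": "it-ws-01", "product": "ScreenConnect Client"},
    {"host": "hr-ws-03", "product": "Tunnel Enabler Utility"},
    {"host": "hr-ws-03", "product": "RemotePC Host"},
]

def rmm_family(product):
    """Map an inventory product name to an RMM family, or None."""
    return next((fam for fam, pat in RMM_PATTERNS.items()
                 if re.search(pat, product, re.IGNORECASE)), None)

def review(inventory, approved=APPROVED):
    """Return {host: findings} for unapproved or stacked RMM installs."""
    seen = defaultdict(set)
    for rec in inventory:
        fam = rmm_family(rec["product"])
        if fam:
            seen[rec["host"]].add(fam)
    findings = {}
    for host, fams in seen.items():
        notes = [f"unapproved:{f}" for f in sorted(fams - set(approved))]
        if len(fams) > 1:
            notes.append("multiple-rmm")  # one RMM used to drop another
        if notes:
            findings[host] = notes
    return findings

if __name__ == "__main__":
    for host, notes in sorted(review(INVENTORY).items()):
        print(host, notes)
```

Name matching is only a first filter: an install of an approved RMM family still needs to be confirmed as connecting to the organization's own instance.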
TA4922
TA4922 is a newly designated financially motivated threat actor regularly tracked by Proofpoint since spring 2025. The actor’s primary objective is to obtain remote access, likely for monetization such as fraud, data theft, access brokering, or persistence. This actor delivers malware from the Winos4.0 ecosystem, which is also referred to in some reporting as ValleyRAT, and uses a variety of loaders and stealers. TA4922 also conducts fraud campaigns. The actor is likely based in East Asia and is probably Chinese-speaking. TA4922 demonstrates overlaps with the Silver Fox and Void Arachne ecosystem as reported by third-party researchers.
This actor typically targets Japan with some additional East Asian targeting and commonly uses tax themes in its campaigns. One notable technique from TA4922 is its frequent use of impostor emails pretending to be someone in a position of authority. The attacker sends an initial email that requests the recipient’s phone number to establish communications outside of email.
For example, in early February 2026, Proofpoint observed a TA4922 campaign targeting organizations in Japan. Emails impersonated national tax authorities and claimed the recipient had unresolved tax obligations. The actor requested the recipient’s mobile phone number to establish out-of-band communications.
Figure 3. Japanese language National Tax Authority impersonation email.
Once engagement is established, the actor will likely escalate social engineering by impersonating the target organization’s finance leadership and may deliver malicious links or files via out-of-band channels.
In another campaign in early March, emails targeted Japan and purported to be from the "Inland Revenue Department." Messages included a URL which downloaded an executable, which, if executed, installed an information stealer still under investigation by Proofpoint researchers.
Figure 4. Inland Revenue Department impersonation.
Proofpoint has also observed this actor impersonate revenue agencies of other countries and target users in those regions, including India, Taiwan, Indonesia, Malaysia, and, unusually, Italy.
TA2730
Proofpoint has tracked TA2730, a prominent credential phishing threat actor, since June 2025. The actor focuses on obtaining credentials for various financial institutions, typically those focused on investments.
TA2730 campaigns appear opportunistic rather than targeted. The messages are sent from malicious domains most likely registered by the actor. The threat actor uses multiple phishing kits, including one they likely developed and use most frequently. The actor targets many countries, with its most frequent geographies of interest being Canada, Australia, Singapore, Switzerland and Japan.
Figure 5. TA2730 geographic targets of all campaigns.
One of the most popular lure themes this actor uses relates to a "W-8BEN" form, a U.S. tax form for non-U.S. taxpayers. This lure has been used in dozens of campaigns since we began tracking the actor.
Typically, the actor will pose as an investment company, telling the recipient they need to update or provide information for their W-8BEN form. Emails contain URLs leading to counterfeit investment account authentication pages designed to harvest user credentials. The following are two examples of recent campaigns observed in Proofpoint telemetry. Both campaigns occurred in February and targeted Switzerland and Canada. In some cases, the actor includes the legitimate phone number for the impersonated entity to further the believability of the lure.
Figure 6. TA2730 email impersonating Swissquote (left) and malicious phishing landing page impersonating the company (right). This campaign targeted Switzerland.
Figure 7. TA2730 email impersonating Questrade (left) and malicious phishing landing page impersonating the company (right). This campaign targeted Canada.
The objective of these campaigns is to take over investment accounts for financial gain.
W-2 fraud
Business email compromise (BEC) threat actors also regularly use tax form lures including W-2 Form (Wage and Tax Statement) and W-9 (Request for Taxpayer Identification Number and Certification) themes. Typically, these campaigns will impersonate company executives, human resources, or vendor/supplier contacts in attempts to steal financial and personal data, likely with a goal of leveraging it for follow-on fraud.
For example, in one campaign observed in March, email sender names were spoofed to appear as if they came from an executive at the targeted organization, requesting all employee W-2 forms for 2025.
Figure 8. BEC W-2 fraud email example.
Such forms contain sensitive information like names, addresses, and Social Security numbers. This data can be used for identity theft and banking fraud.
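The spoofed-sender pattern described above can be triaged from message headers. The following is an added example, not Proofpoint's detection logic: it checks whether the From display name matches an executive while the address is outside the organization, whether Reply-To points to a different domain than From, and whether the message asks about W-2 or W-9 forms. The domains, executive names and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"corp.example"}                  # assumption: the organization's mail domains
EXECUTIVES = {"dana whitfield", "samir okoye"}  # assumption: names from the HR directory
TAX_FORM = re.compile(r"\bW-?[29]\b", re.IGNORECASE)  # W-2 / W-9 mentions

# Constructed sample messages, not real mail.
SPOOFED = ('From: "Dana Whitfield" <dana.whitfield.office@mailbox.example>\n'
           "Reply-To: payroll.review@inbox.example\n"
           "Subject: Urgent request\n\n"
           "Please send me all employee W-2 forms for 2025 today.\n")
INTERNAL_EXEC = ('From: "Dana Whitfield" <dana.whitfield@corp.example>\n'
                 "Subject: Q1 town hall\n\nAgenda attached.\n")
INTERNAL_HR = ('From: "HR Team" <hr@corp.example>\n'
               "Subject: Your W-2 is available\n\nLog in to the payroll portal.\n")

def _norm(name):
    """Lower-case a display name, drop punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw):
    """Return the list of BEC signals found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    signals = []
    if any(e in _norm(name) for e in EXECUTIVES) and _domain(addr) not in ORG_DOMAINS:
        signals.append("executive-name-external-sender")
    if reply and _domain(reply) != _domain(addr):
        signals.append("reply-to-domain-mismatch")
    body = "" if msg.is_multipart() else msg.get_payload()
    if TAX_FORM.search(msg.get("Subject", "") + "\n" + body):
        signals.append("tax-form-request")
    return signals

if __name__ == "__main__":
    for sample in (SPOOFED, INTERNAL_EXEC, INTERNAL_HR):
        print(triage(sample))
```

A tax-form mention on its own is common in legitimate HR mail, so the signals are meant to be combined rather than alerted on individually.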
Why it matters
The examples represented in this blog are just a small portion of the overall landscape, and while tax season is a popular time for these types of lures, taxes and financial information can be an effective lure, no matter the time of year.
Tax lures are commonly used by threat actors, especially around filing seasons, as people leverage various applications and services to collate and file important business and personal finance information. Such lures can be convincing to recipients who are either expecting communications from organizations related to financial or government institutions or would be concerned and worried by receiving an email suggesting they will have fines or fees for incorrectly submitting information.
In general, enterprises should educate users about the techniques and lures commonly abused by threat actors and be aware that cybercriminals routinely gravitate towards timely and topical lure themes, with taxes being among their annual favorites.