Tax Season Phishing Campaigns Spread Malware and Drain Victim Funds - cyberpress.org
cyberpress.org, archived Jun 25, 2026
By Varshini
April 6, 2026
Categories: Cyber Security News, Phishing
Cybercriminals are once again exploiting the stress and urgency of tax season. Combining monetary concerns with the expectation of important financial emails creates the perfect environment for cybercrime.
In the first few months of 2026 alone, security researchers have tracked over a hundred email campaigns using tax themes to spread malware, steal credentials, and commit financial fraud.
Legitimate Tools and New Threat Actors
One of the biggest trends this year is the delivery of Remote Monitoring and Management (RMM) software. RMMs are legitimate tools used by IT departments, making them highly attractive to hackers.
Because these programs are signed and trusted, they easily fly under the radar of traditional security defenses unless an organization strictly controls which RMMs are allowed.
Attackers are deploying tools such as N-able, Datto, RemotePC, and Zoho Assist to gain initial access to enterprise networks.
For example, a campaign in early February 2026 impersonated the U.S. IRS. The email included a fake “Transcript Viewer” button that actually downloaded an executable file.
Once clicked, it installed the N-able RMM. To make the scam look more believable, the attackers even included a real IRS phone number in the email.
Figure: Breakdown of threat types delivered in tax-themed email campaigns (Source: Proofpoint)
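The allowlist control described above can be checked against process-creation telemetry. This is an added example, not code from the article or from Proofpoint; the event fields, keyword strings, path markers and sample events are assumptions constructed for illustration, and the second check (an approved RMM started from a user-writable path) goes beyond what the article states.

```python
from dataclasses import dataclass

# RMM families named in the article; the match keywords are assumptions
# about what appears in a binary's publisher/product metadata.
RMM_KEYWORDS = {"n-able": "N-able", "datto": "Datto",
                "remotepc": "RemotePC", "zoho assist": "Zoho Assist"}
# Assumed user-writable locations an IT-managed deployment would not run from.
USER_PATH_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\")

@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str     # full path of the started executable
    company: str   # publisher from the file's version info
    product: str   # product name from the file's version info

def rmm_family(event):
    """Return the RMM family for an event, or None if it is not an RMM."""
    meta = f"{event.company} {event.product}".lower()
    return next((fam for kw, fam in RMM_KEYWORDS.items() if kw in meta), None)

def review_rmm_starts(events, approved):
    """Return (host, family, reason) for each RMM start that needs review."""
    approved = {name.lower() for name in approved}
    findings = []
    for ev in events:
        family = rmm_family(ev)
        if family is None:
            continue
        if family.lower() not in approved:
            findings.append((ev.host, family, "not on RMM allowlist"))
        elif any(m in ev.image.lower() for m in USER_PATH_MARKERS):
            findings.append((ev.host, family, "approved RMM run from user path"))
    return findings

# Constructed sample events (hosts, paths and metadata strings are invented).
SAMPLE_EVENTS = [
    ProcEvent("hr-lt-07", r"C:\Users\amy\Downloads\TranscriptViewer.exe",
              "N-able (constructed)", "Remote agent installer"),
    ProcEvent("it-ws-01", r"C:\Program Files\Datto\agent.exe",
              "Datto (constructed)", "RMM agent"),
    ProcEvent("fin-ws-03", r"C:\Users\raj\Downloads\support.exe",
              "Datto (constructed)", "RMM agent"),
    ProcEvent("fin-ws-04", r"C:\Windows\System32\notepad.exe",
              "Microsoft Corporation", "Notepad"),
]

if __name__ == "__main__":
    for finding in review_rmm_starts(SAMPLE_EVENTS, approved={"Datto"}):
        print(finding)
```

Because the match is on product family, not on signature validity, a correctly signed RMM that the organization never approved is still reported.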
Credential Theft and Employee Data Fraud
Another major threat actor, TA2730, focuses on stealing login credentials for investment and financial institutions.
Active since June 2025, this group casts a wide net, targeting users across Canada, Switzerland, Singapore, and Australia. Their favorite lure is the “W-8BEN” form, which is a U.S. tax document for non-U.S. taxpayers.
TA2730 typically poses as a legitimate investment company and urgently asks the victim to update their W-8BEN information. The emails contain links to highly convincing, counterfeit login pages designed to harvest the user’s username and password.
In February 2026, they successfully spoofed well-known financial firms like Swissquote and Questrade to take over victim accounts for direct financial gain.
Figure: Phishing lure impersonating the IRS delivering N-able RMM (Source: Proofpoint)
According to Proofpoint research, beyond sophisticated malware and credential harvesting, Business Email Compromise (BEC) scams remain a massive threat. In these attacks, hackers spoof the email addresses of company executives or HR leaders.
They send urgent messages to employees requesting copies of W-2 or W-9 tax forms. For instance, a March 2026 campaign featured fake executive emails asking for all 2025 employee W-2 records.
Figure: TA2730 geographic targets of all campaigns (Source: Proofpoint)
Because these forms contain highly sensitive information like names, home addresses, and Social Security numbers, stolen files are quickly used for identity theft and banking fraud.
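A mail-gateway style check for the W-2/W-9 request pattern described above, added here as an example and not taken from the article or from Proofpoint. The organization domain, executive names and both sample messages are constructed, and the code assumes single-part plain-text messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                     # assumed organization domain
EXECUTIVES = {"dana whitfield", "omar reyes"}  # hypothetical executive/HR names
TAX_FORM_RE = re.compile(r"\bW-?[29]s?\b", re.IGNORECASE)

def domain_of(header_value):
    """Return the lower-cased domain of an address header ('' if absent)."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()

def bec_signals(raw_message):
    """List the BEC indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    signals = []
    if display_name in EXECUTIVES and from_dom != ORG_DOMAIN:
        signals.append("executive display name on external sender")
    if reply_dom and reply_dom != from_dom:
        signals.append("Reply-To domain differs from From domain")
    if TAX_FORM_RE.search(text):
        signals.append("requests W-2/W-9 forms")
    return signals

def should_hold(raw_message):
    """Hold for manual verification: a tax-form request plus a sender anomaly."""
    signals = bec_signals(raw_message)
    return "requests W-2/W-9 forms" in signals and len(signals) >= 2

# Constructed sample messages (names, addresses and text are invented).
SPOOFED = ("From: Dana Whitfield <dana.whitfield@mail-exec.example.net>\n"
           "Reply-To: dana.w@inbox.example.org\n"
           "Subject: Urgent: 2025 W-2 records\n\n"
           "Please send me all 2025 employee W-2 records today.\n")
LEGIT = ("From: Dana Whitfield <dana.whitfield@example.com>\n"
         "Subject: Reminder: W-2 forms are in the HR portal\n\n"
         "Your 2025 W-2 is available for download in the portal.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, should_hold(raw), bec_signals(raw))
```

A message that forges the organization's exact domain is a matter for SPF, DKIM and DMARC enforcement; this check covers display-name and Reply-To tricks only.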
As tax-related phishing campaigns grow more advanced, organizations must stay alert. Enterprises should educate their employees about the specific techniques attackers use during tax season.
By understanding these threats and verifying urgent financial requests, both businesses and individuals can protect their sensitive data from falling into the wrong hands.