A wave of tax-themed cyber campaigns delivering malware, remote access tools, fraud schemes and credential phishing has been detected in early 2026.
Proofpoint researchers identified more than a hundred such operations, highlighting how attackers continue to exploit the pressures and expectations tied to tax season.
A new advisory published on March 30 by the cybersecurity vendor found that malicious campaigns are increasingly using remote monitoring and management (RMM) tools. The firm also observed activity from newly identified threat actors and a broader mix of social engineering techniques.
Source: Proofpoint
Evolving Threat Groups
Proofpoint also highlighted the role of newer and evolving threat groups. Some campaigns, particularly from TA2730, focused on organizations in Japan and other parts of Asia, while others targeted users in Canada, Australia, Singapore and Switzerland.
Credit: Proofpoint.
These operations range from opportunistic phishing to more coordinated efforts aimed at gaining long-term system access or stealing financial data.
Read more on tax-related phishing attacks: HMRC Warns of Over 135,000 Scam Reports
In several cases, attackers posed as investment firms requesting updates to tax forms such as W-8BEN, directing victims to fake login pages designed to capture credentials.
Elsewhere, business email compromise campaigns attempted to collect W-2 and W-9 forms by impersonating company executives, exposing sensitive personal and financial information.
Tax-related lures remain effective because they align with expected communications during filing periods. Messages referencing penalties, missing documents or compliance issues can prompt quick reactions, often before authenticity is verified.
"Tax lures are commonly used by threat actors, especially around filing seasons, as people leverage various applications and services to collate and file important business and personal finance information," Proofpoint wrote.
"Enterprises should educate users about the techniques and lures commonly abused by threat actors and be aware that cyber-criminals routinely gravitate towards timely and topical lure themes, with taxes being among their annual favorites."