Tax Season Phishing Surges 2026

Proofpoint nailed more than 100 tax scams in early 2026. Criminals aren't just phishing – they're deploying malware, stealing creds, and posing as execs for W-2s.

Phishing email mimicking IRS tax form with malware link

Key Takeaways

  • Over 100 tax-themed attacks detected early 2026, using RMM tools and BEC.
  • New threat actor TA2730 targets Asia with fake investment form phishing.
  • Educate users on timely lures; AI deepfakes for voice scams are the predicted next step.

Proofpoint counted over 100 tax-themed cyber ops in early 2026.

That’s not a typo. Early 2026.

Why Tax Season Still Equals Open Season for Hackers?

Look, it’s March 30, and Proofpoint drops this advisory like a bad audit notice. Cybercriminals love tax time – pressures mount, everyone’s frantic with forms, and bam, your guard drops. They’ve got malware droppers, remote access tools (RMMs, anyone?), fraud plays, and straight-up credential grabs. And get this: new crews on the block, mixing social engineering like a bartender gone rogue.

Short version? You’re screwed if you’re not paying attention. These aren’t your grandma’s Nigerian princes. They’re tailored lures hitting Japan, Canada, Australia – places where tax deadlines bite hard.

And here’s Proofpoint’s gem: “Tax lures are commonly used by threat actors, especially around filing seasons, as people use various applications and services to collate and file important business and personal finance information.”

Spot on. But let’s call it what it is – lazy user habits meet clever crooks.

New Kids on the Block: TA2730 and Friends

Enter TA2730, Proofpoint’s shiny new threat tag. They’re hammering Asian orgs, especially Japan, with phishing that screams ‘update your W-8BEN now or else.’ Fake investment firm sites? Check. Credential harvesters? Double check.

Then you’ve got BEC crews impersonating bosses, begging for W-2s and W-9s. ‘Hey, send me that employee data quick’ – from a spoofed CEO email. Financial info spills like cheap wine at a bad party.

Opportunistic? Sure. But some aim for the long game: RMM tools for backdoor access. Once in, they’re lounging in your network, sipping data martinis.

It’s a buffet. And we’re the entrées.

But wait – RMM tools? Those are legit IT remote management apps. Crooks twist ‘em into trojans. Proofpoint says campaigns increasingly lean on these. Why? They’re sneaky, persistent, and admins use similar stuff daily. Blurs the line between normal and nasty.
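One way to separate the sanctioned RMM agent from a look-alike install is to check the binary name, its install path, and what launched it. This is an added example, not from Proofpoint or the original article. The approved tool, paths, hosts and events are constructed assumptions, and the product file names are common RMM agents that the article itself does not name.

```python
import ntpath
from dataclasses import dataclass

# Assumption: IT sanctions one RMM agent, installed under this directory prefix.
APPROVED_RMM = {
    "screenconnect.clientservice.exe": r"c:\program files (x86)\screenconnect client",
}
# File names of widely used RMM agents (the article itself names no products).
KNOWN_RMM = {"screenconnect.clientservice.exe", "anydesk.exe",
             "teamviewer.exe", "ateraagent.exe"}
# Parents suggesting the binary was started from a clicked link or attachment.
USER_FACING = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

@dataclass
class ProcEvent:
    host: str
    image: str    # full path of the new process
    parent: str   # full path of its parent process

def classify(ev):
    name = ntpath.basename(ev.image).lower()
    if name not in KNOWN_RMM:
        return "not-rmm"
    prefix = APPROVED_RMM.get(name)
    if prefix and ntpath.dirname(ev.image).lower().startswith(prefix):
        return "approved"
    if ntpath.basename(ev.parent).lower() in USER_FACING:
        return "high"      # RMM agent launched from mail client or browser
    return "review"        # known RMM, but not the sanctioned tool or path

def flagged(events):
    return [(e.host, classify(e)) for e in events if classify(e) in ("high", "review")]

# Constructed process-creation events (not real telemetry).
EVENTS = [
    ProcEvent("FIN-07", r"C:\Users\amy\Downloads\AnyDesk.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ProcEvent("IT-01", r"C:\Program Files (x86)\ScreenConnect Client (1a2b)\ScreenConnect.ClientService.exe",
              r"C:\Windows\System32\services.exe"),
    ProcEvent("HR-03", r"C:\Users\bob\AppData\Local\Temp\ScreenConnect.ClientService.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent("HR-03", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for host, verdict in flagged(EVENTS):
        print(host, verdict)
```

Matching on file name alone misses renamed binaries, so a production rule would also need signer or hash data.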

Is Your Company Ready for This Nonsense?

Here’s my hot take, absent from Proofpoint’s polite report: this reeks of 2016’s W-2 BEC explosion. Remember? Crooks posed as HR, snagged wage data for refunds. Billions stolen. Fast-forward a decade, and we’re still nibbling the same bait – just with fancier hooks.

Unique twist? I predict AI deepfakes next season. Voice clones of your accountant calling: ‘Sign this IRS waiver verbally.’ It’ll make these phishing emails look quaint. Companies spinning ‘we’re aware’ PR? Bull. Educate users or bleed cash.

Proofpoint urges training on lures. Penalties. Missing docs. Yeah, do that. But also: multi-factor everywhere, email filters that aren’t brain-dead, and zero trust – because trust is for fools during tax week.

Targets span continents: Singapore suits sweating compliance, Swiss bankers eyeing forms, Aussies dodging ATO fines. Topical fear sells.

One para wonder: Criminals win because we rush.

The RMM Sneak Attack: Why It’s Brutal

Remote monitoring tools sound boring. They’re not. Hackers bundle ‘em in tax lures – click the ‘IRS update’ link, and poof, they’ve got admin rights on your box. Long-term access. Data exfil. Ransomware prep.

Proofpoint flags a ‘broader mix’ of techniques. Posing as execs? Old school. But chaining it with RMM? That’s chef’s kiss evil.

And evolving groups? TA2730’s just the start. More actors means more noise – harder for defenses to pattern-match.

Dry humor alert: If taxes weren’t painful enough, now they’ve got malware sidekicks.

Bold Call: This Gets Worse Before Better

History repeats – think 2010s IRS phone scams, netting millions from scared seniors. Now it’s digital, global, and techier. Prediction: 2027 sees AI-generated ‘tax authority’ chats in apps. Your Slack pings with a bot-CPA demanding forms.

Critique time: Proofpoint’s advisory is solid, but where’s the vendor blame? RMM makers – secure your damn tools better. Users click what looks legit.

Enterprises, don’t just nod. Drill users: ‘Penalty for late filing’? Verify sender. ‘Exec needs W-2’? Phone ‘em. It’s basic, but apparently revolutionary.
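The "verify sender, then phone" drill can be backed by a mail-side check that routes every W-2/W-9/W-8BEN request to a callback and quarantines those with mismatched headers. This is an added example, not from the original article. The domain, executive names and messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"            # assumption: the company's own mail domain
EXECS = {"dana reyes", "lee park"}    # hypothetical executive display names
TAX_FORM = re.compile(r"\bW-?(?:2|9|8BEN)s?\b", re.I)

def bec_signals(raw):
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    from_dom = addr.rpartition("@")[2].lower()
    signals = []
    if TAX_FORM.search(f"{msg.get('Subject', '')} {body}"):
        signals.append("tax-form-request")
    if name.lower() in EXECS and from_dom != ORG_DOMAIN:
        signals.append("exec-name-external-domain")
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        signals.append("reply-to-mismatch")
    return signals

def triage(raw):
    """Any tax-form request gets a phone check; header anomalies quarantine it."""
    s = bec_signals(raw)
    if "tax-form-request" not in s:
        return "deliver"
    return "quarantine" if len(s) > 1 else "callback"

# Constructed sample messages (not real mail).
SPOOFED = """From: "Dana Reyes" <dana.reyes@examp1e-mail.test>
Reply-To: payroll.docs@inbox.test
To: hr@example.com
Subject: Urgent: employee W-2s

Please send me the W-2s for all staff today.
"""
INTERNAL = """From: "Dana Reyes" <dana.reyes@example.com>
To: hr@example.com
Subject: Need the W-9 for the new vendor

Can you forward it this week?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("internal", INTERNAL)):
        print(label, triage(raw), bec_signals(raw))
```

The internal message still lands on "callback" because a request sent from a compromised real mailbox passes every header check.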


Frequently Asked Questions

What are the latest tax phishing tactics in 2026?

Crooks use RMM malware, fake W-8BEN sites, BEC for W-2s/W-9s. Targets: Asia, Canada, etc.

How do I spot tax season scams?

Unexpected form requests, penalty threats, dodgy links. Always verify via official channels – no clicks.

Are tax phishing attacks getting more sophisticated?

Yes – new groups, RMM tools, mixed lures. Train up or pay up.

Written by James Kowalski

Investigative tech reporter focused on AI ethics, regulation, and societal impact.

Originally reported by InfoSecurity Magazine