IRS Tax Filing Lures - Cybercriminals Push Malware Campaigns
Basically, criminals are pretending to be the IRS to trick people into installing harmful software.
Cybercriminals are exploiting tax season with organized phishing attacks. They impersonate the IRS to install malware and steal credentials. Awareness and training are key to staying safe.
What Happened
Tax season is typically a busy time for cybercriminals, but in 2026, the stakes have escalated. Over a hundred organized phishing campaigns have emerged, using tax-related lures to deceive victims. Cybercriminals are impersonating the Internal Revenue Service (IRS), national tax authorities, and even company HR departments. Their goal? To trick individuals into installing malware or revealing sensitive login credentials.
The tactics employed in these campaigns are more sophisticated than in previous years. Attackers are sending emails about expired tax documents, IRS filing notices, and W-2 form requests from fake HR teams. These messages often contain malicious links or attachments that deliver malware and remote access tools. The variety of social engineering tactics is alarmingly broad, making it crucial for users to stay vigilant.
Who's Being Targeted
While these phishing campaigns primarily target users in the United States, they are also impacting individuals in Canada, Australia, Switzerland, and Japan. The scale of these attacks varies significantly, from a handful of targeted emails to tens of thousands sent in bulk. Researchers from Proofpoint have identified two specific threat actor groups, TA4922 and TA2730, both of which are running organized operations with clear financial motives.
TA4922, tracked since spring 2025, is known for its multi-step social engineering approach. This group aims to gain remote access to victim systems, either for fraud or data theft. On the other hand, TA2730 has been linked to credential phishing campaigns, impersonating investment firms to steal account details. Their tactics are evolving, making it essential for individuals and organizations to remain aware.
Signs of Infection
Recognizing the signs of infection is vital in defending against these attacks. Phishing emails often contain official-looking elements, such as real IRS phone numbers or links to seemingly legitimate websites. For example, a campaign in February 2026 sent emails with a fake “Transcript Viewer” button that linked to a malicious executable. Such deceptive tactics can lead to the silent installation of remote access software like N-able RMM, a legitimate remote management product that is particularly dangerous in attackers' hands because it looks legitimate.
Additionally, the use of remote monitoring and management (RMM) tools has become a common tactic among these cybercriminals. These tools are trusted by enterprise security systems, making it difficult for victims to detect malicious activity. Regular training on identifying phishing attempts and suspicious emails is crucial for all employees.
How to Protect Yourself
Organizations and individuals can take proactive steps to safeguard against these threats. Security teams should implement allow-listing policies to ensure that only approved RMM tools can operate on corporate networks. This reduces the risk of unauthorized software being installed unnoticed.
Moreover, employees must undergo regular training that focuses on tax-season phishing techniques. They should be encouraged to verify any unsolicited messages from supposed tax authorities or HR contacts through official channels. Always question emails requesting personal information or prompting action on tax filings. By staying informed and cautious, individuals can significantly reduce their risk of falling victim to these malicious campaigns.
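The RMM allow-listing recommendation above can be checked against process-creation telemetry. The sketch below is an added example, not from the original article or from Proofpoint; the catalogue substrings, the approved set, the event field names and every sample value are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Illustrative catalogue (assumption): substrings found in a binary's path or signer.
RMM_CATALOGUE = {
    "N-able": ("n-able",),
    "AnyDesk": ("anydesk",),
    "TeamViewer": ("teamviewer",),
}
APPROVED_RMM = {"TeamViewer"}  # assumption: the only tool IT has sanctioned
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp)\\", re.I)
LURE_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def identify_rmm(event):
    """Return the catalogue product name for a process event, or None."""
    haystack = f"{event['image']} {event.get('signer', '')}".lower()
    for product, needles in RMM_CATALOGUE.items():
        if any(n in haystack for n in needles):
            return product
    return None

def triage(events, approved=APPROVED_RMM):
    """Flag RMM executions that are not on the allow-list."""
    findings = []
    for ev in events:
        product = identify_rmm(ev)
        if product is None or product in approved:
            continue
        parent = PureWindowsPath(ev.get("parent", "")).name.lower()
        # A user-writable path or a browser/mail-client parent points to a
        # lure download rather than an IT-managed deployment.
        risky = bool(USER_WRITABLE.search(ev["image"])) or parent in LURE_PARENTS
        findings.append({"host": ev["host"], "product": product,
                         "severity": "high" if risky else "medium"})
    return findings

# Constructed sample events; hosts, paths and signers are made up.
SAMPLE_EVENTS = [
    {"host": "FIN-07", "image": r"C:\Users\kim\Downloads\TranscriptViewer.exe",
     "signer": "N-able (constructed)", "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "IT-02", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "signer": "TeamViewer Germany GmbH", "parent": r"C:\Windows\System32\services.exe"},
    {"host": "HR-11", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "signer": "AnyDesk Software GmbH", "parent": r"C:\Windows\explorer.exe"},
    {"host": "DEV-03", "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The signer field matters here: the first sample has a file name that mimics the lure, and only its signer reveals it as an RMM installer.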