Tax Season 2026 Sparks Surge in Cyberattacks as Hackers Exploit Financial Anxiety and Trust in Authorities

Tax season has always been a busy time—not just for individuals and businesses, but also for cybercriminals. When people are dealing with deadlines, financial stress, and official communications, attackers see an opportunity. They take advantage of confusion, urgency, and trust in institutions to launch well-crafted attacks.

In 2026, this trend has become even more noticeable. Threat actors are running large-scale campaigns using tax-related themes to distribute malware, steal credentials, and conduct fraud. What makes this year different is the increased use of legitimate tools like remote monitoring and management (RMM) software, along with the emergence of new threat groups and more creative social engineering techniques.

Phishing lure impersonating the IRS delivering N-able RMM. Source: Proofpoint

Why Tax Season Is a Goldmine for Attackers

There’s a simple reason attackers love this period: people expect emails about taxes. Whether it’s from government agencies, employers, or financial institutions, communication volume increases naturally. This makes it easier for malicious emails to blend in.

Attackers use a variety of tactics, including:

  • Pretending to be tax authorities
  • Claiming missing or expired tax documents
  • Impersonating HR departments
  • Offering help with tax filing
  • Warning about penalties or violations

Campaign sizes vary widely. Some are small, targeted attacks, while others involve tens of thousands of emails. While most activity focuses on the United States, campaigns have also targeted regions like Canada, Australia, Japan, Switzerland, and several parts of Asia.


RMM Tools: A Silent Entry Point

One of the most noticeable trends in 2026 is the use of RMM tools. These are legitimate applications commonly used by IT teams to manage systems remotely. However, attackers are now abusing them for unauthorized access.

Tools such as Datto, N-able, RemotePC, Zoho Assist, and ScreenConnect have been observed in these campaigns. Because these tools are trusted and often digitally signed, they can pass traditional signature-based security checks unless their use is explicitly controlled, for example through allow-listing of approved products and install locations.

A typical attack might involve:

  1. Delivering an RMM tool through a phishing email
  2. Establishing remote access
  3. Deploying additional payloads or conducting further exploitation

In one observed campaign from February 2026, attackers impersonated a government tax authority and sent emails containing a link labeled as a “Transcript Viewer.” The link actually led to a malicious executable hosted on Bitbucket. Once downloaded and executed, it installed an RMM tool, giving attackers remote control of the system.

Interestingly, the attackers included a real phone number belonging to the tax authority, making the email appear more legitimate.


Emerging Threat Actor: TA4922

A newly tracked group, TA4922, has been particularly active. This financially motivated actor focuses on gaining remote access to systems for purposes such as fraud, data theft, and selling access to other criminals.

This group is believed to operate out of East Asia and has connections to known malware ecosystems like Winos4.0 (also called ValleyRAT).

Their approach often involves:

  • Sending emails impersonating tax authorities
  • Requesting the recipient’s phone number
  • Continuing communication outside email (e.g., messaging apps or calls)

Once trust is established, the attacker escalates the attack by impersonating company executives or finance personnel. They may then deliver malicious files or links.

In some campaigns, TA4922 used fake government emails claiming unresolved tax obligations. After engagement, victims were directed to download malicious executables that installed information-stealing malware.

This actor has targeted multiple countries, including Japan, India, Taiwan, Indonesia, Malaysia, and even Italy.


Credential Phishing Group: TA2730

Another active threat group, TA2730, focuses on stealing login credentials, especially from financial and investment platforms.

Unlike TA4922, this group operates more opportunistically. They send large volumes of phishing emails using domains they control and rely heavily on phishing kits.

A common tactic involves the W-8BEN tax form, which is used by non-U.S. taxpayers. Victims receive emails claiming they need to update or submit this form.

These emails typically:

  • Impersonate investment companies
  • Include links to fake login pages
  • Harvest credentials when users attempt to sign in

In some cases, attackers even include legitimate phone numbers of the impersonated companies to increase trust.

Their campaigns have targeted countries such as Canada, Australia, Singapore, Switzerland, and Japan.


Business Email Compromise (BEC) and Tax Forms

Tax-related fraud isn’t limited to malware and phishing. Business Email Compromise (BEC) attacks are also common during this time.

Attackers often impersonate:

  • Company executives
  • HR personnel
  • Vendors or suppliers

A common tactic involves requesting W-2 or W-9 forms. These documents contain highly sensitive information, including names, addresses, and Social Security numbers.

In one campaign observed in March 2026, attackers spoofed executive email addresses and requested employee W-2 forms for the previous year. The goal was to collect personal data for identity theft and financial fraud.


Why This Matters

The examples discussed here represent only a small portion of the broader threat landscape. Tax-related lures are effective because they create urgency and exploit trust in institutions.

Even outside tax season, financial themes remain powerful tools for attackers. However, during filing periods, the success rate of such campaigns increases significantly.

Organizations must recognize that attackers constantly adapt their strategies. Seasonal themes like taxes provide a reliable entry point for social engineering attacks year after year.


Threat Types Observed

  • Remote Monitoring and Management (RMM) abuse
  • Credential phishing
  • Information stealers
  • Business Email Compromise (BEC)
  • Fraud campaigns

Key Threat Actors

TA4922

  • Motivation: Financial gain
  • Techniques: Social engineering, RMM deployment, malware delivery
  • Notable behavior: Requests phone numbers for out-of-band communication
  • Malware: Winos4.0 / ValleyRAT ecosystem

TA2730

  • Motivation: Credential theft
  • Techniques: Phishing kits, fake login portals
  • Common lure: W-8BEN tax form

Attack Vectors

  • Phishing emails with malicious links
  • Executable payload downloads
  • Fake authentication portals
  • Social engineering via phone communication

Target Regions

  • United States
  • Canada
  • Australia
  • Japan
  • Switzerland
  • India and Southeast Asia

Our Opinion

From a defensive standpoint, this campaign landscape highlights a shift in attacker strategy rather than just an increase in volume. The use of legitimate RMM tools is particularly concerning because it blurs the line between normal administrative activity and malicious behavior. Traditional detection methods that rely on identifying malware signatures are becoming less effective in such scenarios.

Another important observation is the growing reliance on multi-channel social engineering. Threat actors are no longer limiting themselves to email; they are actively pushing victims toward phone or messaging platforms to avoid detection and build trust. This significantly increases the success rate of attacks.

Organizations should move toward behavior-based detection, enforce strict application allow-listing, and invest in user awareness programs that focus on real-world scenarios like tax season scams. Additionally, monitoring outbound connections and unusual remote access activity can help identify compromised systems early.
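The following is an added example, not code from the original article or from Proofpoint. It illustrates the behaviour-based check recommended above, and the RMM delivery chain described earlier (phishing link, downloaded executable, RMM install): it scans process-creation events of the kind Sysmon event ID 1 records (image path, parent image, user, host) and flags RMM executables that run from user-writable directories, are spawned by a browser or mail client, or are not the product IT actually deploys. The executable names, install paths, hostnames and the sample events are constructed placeholders; real agent binary names differ per vendor and version. A valid digital signature is deliberately not treated as evidence of legitimacy, since the article notes these tools are legitimately signed.

```python
"""Behaviour-based detection of phishing-delivered RMM installs.

Added example for illustration only. Scans constructed process-creation
events and reports why an RMM launch looks like a user-driven install
rather than an IT deployment.
"""
import ntpath
import re

# Placeholder binary names standing in for the RMM products named in the
# article (hypothetical; real agent executables are named differently).
RMM_BINARIES = {
    "screenconnect_client.exe": "ScreenConnect",
    "zoho_assist_agent.exe": "Zoho Assist",
    "remotepc_agent.exe": "RemotePC",
    "datto_agent.exe": "Datto",
    "nable_agent.exe": "N-able",
}

# Allow-list: the one product IT deploys, and where it is installed.
APPROVED_PRODUCTS = {"Datto"}
APPROVED_INSTALL_DIRS = (r"c:\program files\datto", r"c:\program files (x86)\datto")

# Parents that normally start a legitimately deployed agent.
APPROVED_PARENTS = {"services.exe", "msiexec.exe", "ccmexec.exe"}

# Parents that indicate a download-and-run chain initiated by a user.
USER_DELIVERY_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                         "outlook.exe", "explorer.exe"}

# Directories an ordinary user can write to; agents should never run from here.
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.IGNORECASE)


def assess_event(event):
    """Return the reasons a process-creation event is suspicious ([] = benign)."""
    image = ntpath.basename(event["image"]).lower()
    product = RMM_BINARIES.get(image)
    if product is None:          # not an RMM binary we track
        return []
    parent = ntpath.basename(event["parent_image"]).lower()
    path_lc = event["image"].lower()
    reasons = []
    # Note: event["signed"] is intentionally ignored; signed != approved.
    if product not in APPROVED_PRODUCTS:
        reasons.append(f"unapproved RMM product: {product}")
    if USER_WRITABLE.search(path_lc):
        reasons.append("RMM binary executed from a user-writable directory")
    elif not path_lc.startswith(APPROVED_INSTALL_DIRS):
        reasons.append("RMM binary outside the approved install directory")
    if parent in USER_DELIVERY_PARENTS:
        reasons.append(f"launched by user-facing parent {parent}")
    elif parent not in APPROVED_PARENTS:
        reasons.append(f"unexpected parent process {parent}")
    return reasons


def scan(events):
    """Map (host, image) -> reasons for every suspicious event in the batch."""
    findings = {}
    for ev in events:
        reasons = assess_event(ev)
        if reasons:
            findings[(ev["host"], ev["image"])] = reasons
    return findings


# Constructed sample telemetry (hostnames, users and paths are placeholders).
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "svc-it", "signed": True,
     "image": r"C:\Program Files\Datto\datto_agent.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"host": "ws-02", "user": "alice", "signed": True,
     "image": r"C:\Users\alice\Downloads\screenconnect_client.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "ws-03", "user": "bob", "signed": True,
     "image": r"C:\Users\bob\AppData\Local\Temp\nable_agent.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "ws-04", "user": "dave", "signed": True,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "ws-05", "user": "carol", "signed": True,
     "image": r"C:\Users\carol\Downloads\datto_agent.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\outlook.exe"},
]

if __name__ == "__main__":
    for (host, image), reasons in scan(SAMPLE_EVENTS).items():
        print(f"[{host}] {image}")
        for r in reasons:
            print(f"    - {r}")
```

Only the approved product, in its approved directory, started by the service control manager, passes cleanly; the event in the fifth sample shows that even the approved product is flagged when it arrives through a mail client into a Downloads folder, which is exactly the delivery path the phishing campaigns use. In a real deployment the allow-list, parent set and install directories would be taken from the organisation's own software inventory rather than hard-coded.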

Overall, these campaigns demonstrate that cybercriminals are becoming more patient, adaptive, and strategic. Defenders must evolve at the same pace to reduce risk effectively.