Every year around tax filing deadlines, cybercriminal activity spikes in a very predictable way. Attackers take advantage of the pressure people feel during tax season—tight deadlines, financial concerns, and frequent communication with accountants or institutions. Emails about refunds, payroll documents, or filing reminders look routine, which makes them highly effective as attack vectors.
In 2026, this pattern continues. As April 15 approaches in the United States, multiple phishing and malware campaigns have been observed. These attacks are not random; they are carefully designed to blend into normal tax-related communication and exploit user trust.
Recent observations from threat intelligence sources show a mix of credential harvesting campaigns and malware delivery operations. These campaigns target both individuals and professionals such as accountants, who regularly handle sensitive financial data and are therefore high-value targets.
Threat Landscape Overview
The current threat landscape shows a heavy reliance on Phishing-as-a-Service (PhaaS) platforms. These services allow attackers to launch sophisticated phishing campaigns without needing deep technical expertise.
Attackers are increasingly combining:
- Social engineering (tax-related themes)
- Multi-step infection chains
- Legitimate infrastructure (e.g., cloud storage platforms)
- MFA bypass techniques
Another noticeable trend is the misuse of Remote Monitoring and Management (RMM) tools. These are legitimate enterprise tools, but when abused, they effectively act as remote access trojans, giving attackers long-term control over compromised systems.
Observed Campaign Patterns
1. CPA-Themed Phishing Using Energy365 Kit
In early February 2026, a targeted campaign used highly customized CPA-related emails. Unlike generic phishing attempts, this one used real accountant names and branding to increase credibility.
The attack flow was multi-layered:
- Email with Excel attachment named after a real CPA
- Embedded button linking to a OneNote file hosted on OneDrive
- Final redirection to a phishing page
The phishing page, powered by the Energy365 kit, was designed to capture login credentials. The use of multiple file formats and trusted platforms made detection more difficult.
2. QR Code-Based W-2 Phishing (SneakyLog Kit)
Another campaign used a slightly different tactic—QR codes embedded inside documents.
Targets received emails with a Word document labeled as a W-2 form. Inside the file:
- Tax-related language was used to appear legitimate
- A QR code redirected users to a phishing page
Each document was uniquely generated for the recipient, including personalized details. The phishing site imitated a Microsoft 365 login page and was capable of stealing both credentials and multi-factor authentication tokens.
3. Form 1099 Malware Delivery via ScreenConnect
During January and February, multiple suspicious domains related to tax filings were registered. These domains were later used in phishing campaigns.
Users received emails prompting them to view tax documents. Clicking the link triggered:
- Redirection through multiple domains
- Download of an executable file
The payload was ScreenConnect, a legitimate RMM tool. Once executed, it allowed attackers to remotely access the victim’s system.
4. IRS + Cryptocurrency Hybrid Campaign (SimpleHelp Abuse)
This campaign combined two trending themes: IRS communication and cryptocurrency taxation.
Instead of clickable links, users were instructed to manually copy and paste URLs—an attempt to bypass automated detection systems.
The downloaded file installed either:
- ScreenConnect
- SimpleHelp (another RMM tool increasingly used by attackers)
This approach shows how attackers are adapting quickly when certain tools become more closely monitored.
5. Targeted CPA Campaign Delivering Datto
In March 2026, a campaign specifically targeted accountants using a more conversational approach.
The email content included:
- A detailed personal backstory
- Requests for tax filing assistance
- Pricing inquiries
Unlike older methods, the malicious link was included in the initial email. The infection chain used:
- Website builders
- URL shorteners
- Redirect chains
The final payload delivered Datto RMM, another legitimate tool repurposed for malicious control.
6. Large-Scale IRS Impersonation Campaign
One of the most significant campaigns observed involved over 29,000 users across thousands of organizations.
Key characteristics:
- Emails impersonating IRS departments
- Claims of irregular tax filings
- Instructions to download a “Transcript Viewer” tool
The attack infrastructure included:
- Amazon SES for email delivery
- Click-tracking links
- Fake domains mimicking trusted services
The malware payload again used ScreenConnect. Advanced evasion techniques, such as bot detection via Cloudflare, ensured that only real users—not automated scanners—received the malicious file.
Technical Observations
Across all campaigns, several common tactics were identified:
- Use of legitimate platforms (OneDrive, Eventbrite, AWS SES)
- Multi-step redirection chains
- Payload delivery via trusted software tools
- Personalized phishing content
- MFA bypass capabilities
Together, these elements significantly increase success rates while lowering the likelihood of detection by automated defenses.
Mitigation and Defensive Measures
Organizations can reduce risk by implementing layered defenses.
Key strategies include:
- Enforcing strict multi-factor authentication across all accounts
- Deploying advanced email filtering and phishing detection systems
- Enabling real-time link scanning and sandboxing
- Using browser-based protections against malicious sites
- Monitoring network traffic for suspicious outbound connections
- Applying zero-trust access policies
User awareness also plays a major role. Employees should be trained to recognize unusual tax-related emails, especially those involving attachments, QR codes, or urgent actions.
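A detection example, added here and not part of the original article, that applies the "trusted tool as RAT" observation above to process-creation logs: any ScreenConnect, SimpleHelp or Datto RMM agent that starts outside the organisation's sanctioned deployment (wrong product, run from a download folder, or spawned by Outlook, a browser or an Office document) is flagged. The binary-name substrings, the approved product, the install roots and the log lines are all assumptions constructed for this example and should be replaced with your own inventory.

```python
"""Flag RMM agent launches that do not match the sanctioned RMM deployment.

Assumed input: one process-creation event per line, fields separated by '|':
timestamp|host|user|parent_image|image|command_line   (constructed format)
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumed, illustrative substrings for the RMM families named in the article.
RMM_SIGNATURES = {"screenconnect": "ScreenConnect", "simplehelp": "SimpleHelp",
                  "aemagent": "Datto RMM", "cagservice": "Datto RMM"}
# Assumed: the only sanctioned product, and where its agent legitimately lives.
APPROVED_RMM = "Datto RMM"
APPROVED_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Parents that indicate a user launched the binary from mail, browser or a document.
USER_ENTRY_PARENTS = {"outlook.exe", "msedge.exe", "chrome.exe",
                      "winword.exe", "excel.exe", "explorer.exe"}

@dataclass
class Finding:
    host: str
    user: str
    product: str
    reason: str

def classify_rmm(image: str) -> Optional[str]:
    """Map an image path to an RMM product name, or None if it is not an RMM agent."""
    name = PureWindowsPath(image).name.lower()
    return next((p for k, p in RMM_SIGNATURES.items() if k in name), None)

def analyse_event(line: str) -> Optional[Finding]:
    _ts, host, user, parent, image, _cmd = line.split("|", 5)
    product = classify_rmm(image)
    if product is None:
        return None
    reasons = []
    if product != APPROVED_RMM:
        reasons.append(f"unapproved RMM product {product}")
    if not image.lower().startswith(APPROVED_INSTALL_ROOTS):
        reasons.append("agent running outside the approved install path")
    pname = PureWindowsPath(parent).name.lower()
    if pname in USER_ENTRY_PARENTS:
        reasons.append(f"launched interactively from {pname}")
    return Finding(host, user, product, "; ".join(reasons)) if reasons else None

def analyse_log(lines) -> List[Finding]:
    return [f for f in (analyse_event(l) for l in lines if l.strip()) if f]

# Constructed sample: three malicious-looking launches and one sanctioned agent.
SAMPLE_LOG = """\
2026-03-10T09:12:03Z|WS-ACCT-07|jdoe|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|C:\\Users\\jdoe\\Downloads\\Transcript_Viewer\\ScreenConnect.ClientSetup.exe|...
2026-03-10T09:13:40Z|WS-ACCT-07|jdoe|C:\\Users\\jdoe\\Downloads\\Transcript_Viewer\\ScreenConnect.ClientSetup.exe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientService.exe|...
2026-03-10T10:00:00Z|WS-ACCT-12|SYSTEM|C:\\Windows\\System32\\services.exe|C:\\Program Files (x86)\\CentraStage\\AEMAgent.exe|...
2026-03-10T10:05:22Z|WS-ACCT-03|asmith|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\asmith\\Downloads\\Form1099\\Remote Access-SimpleHelp.exe|...
"""

if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG.splitlines()):
        print(f"{f.host} {f.user} {f.product}: {f.reason}")
```

On the sample log the sanctioned Datto agent started by services.exe is silent, while the ScreenConnect and SimpleHelp launches from Downloads and Temp are each reported with every reason that applies.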
CyberP1 Opinion
This case highlights how cybercriminals are evolving from simple phishing emails to highly structured and professional attack campaigns. What stands out is not just the technical sophistication, but the psychological precision behind these attacks.
The use of tax season as a theme is not new, but attackers are refining their methods each year. The combination of personalization, legitimate tools, and multi-stage infection chains suggests a shift toward more enterprise-grade attack strategies.
The growing abuse of RMM tools is particularly concerning. These tools are trusted by organizations, which makes them ideal for stealthy persistence. Traditional security solutions may not flag them as malicious, allowing attackers to operate undetected for longer periods.
Another important observation is the increasing use of evasion techniques, such as QR codes and manual URL entry. These tactics are specifically designed to bypass automated security systems, indicating that attackers are actively studying defensive technologies and adapting accordingly.
In our view, this trend will continue to grow. Future campaigns are likely to become even more targeted, more personalized, and harder to detect. Organizations that rely only on traditional defenses will struggle to keep up.
A proactive, intelligence-driven security approach—combined with user awareness and strong identity protection—will be essential in defending against these evolving threats.
