
Tax season phishing delivers malware, remote access tools and fraud


Attackers are exploiting the urgency of tax deadlines to launch a broad mix of credential theft, business email compromise, and malware distribution campaigns targeting organizations globally.
What happened

Researchers have documented more than 100 tax-themed cyberattack campaigns in early 2026, spanning credential phishing, malware delivery, remote monitoring and management tool abuse, and financial fraud. According to Infosecurity Magazine, the findings were published in an advisory on March 30, 2026, which found attackers using a growing mix of social engineering techniques tied to the pressures and deadlines of filing season. Campaigns ranged from opportunistic phishing targeting individuals to coordinated operations directed at gaining long-term system access or stealing financial data from businesses. Some campaigns, particularly from a threat group tracked as TA2730, focused on organizations in Japan and other parts of Asia, while others targeted users in the United States, Canada, Australia, Singapore, and Switzerland.
Going deeper

Several distinct attack patterns were identified within the campaign. In some operations, attackers posed as investment firms requesting updates to tax forms such as W-8BEN, a form used by foreign individuals and entities to certify their country of residence for tax purposes, directing victims to fake login pages designed to capture credentials. Separately, business email compromise attacks attempted to collect W-2 and W-9 forms by impersonating company executives, exposing employee personal and financial information. Researchers also noted an increase in campaigns delivering legitimate remote monitoring and management tools as payloads, allowing attackers to establish persistent access to compromised systems while blending malicious activity with trusted IT software. Tax-related lures remain effective because they align with communications that recipients already expect during filing periods, and messages referencing penalties, missing documents, or compliance deadlines can prompt rapid responses before authenticity is verified.
What was said

Researchers wrote in the advisory cited by Infosecurity Magazine that "tax lures are commonly used by threat actors, especially around filing seasons, as people leverage various applications and services to collate and file important business and personal finance information." They added that "enterprises should educate users about the techniques and lures commonly abused by threat actors and be aware that cyber-criminals routinely gravitate towards timely and topical lure themes, with taxes being among their annual favorites." The advisory was published March 30, 2026.
In the know

Business email compromise campaigns that use tax forms as lures have been a documented and growing tactic well beyond this filing season. According to The Hacker News, Microsoft documented a multi-stage adversary-in-the-middle phishing and BEC campaign in January 2026 in which attackers abused SharePoint file-sharing services to deliver phishing payloads, created inbox rules to maintain persistence, and then used compromised accounts to launch further phishing against the victim's entire contact network. In that campaign, a single compromised inbox was used to send more than 600 phishing emails to internal and external contacts, demonstrating how quickly one successful credential theft incident can cascade across an organization and its partners.
The big picture

Tax season phishing campaigns exploit a structural vulnerability that exists year-round in healthcare and other regulated industries: employees routinely receive urgent, authority-bearing requests involving forms, financial data, and compliance deadlines, making it difficult to identify fraudulent versions of those communications without technical controls. According to Paubox's Top 3 Healthcare Email Attacks report, impersonation attacks succeed because "email still treats identity as trustworthy by default," and healthcare workflows amplify the risk because urgent requests and vendor or executive communications are routine. Microsoft's Digital Defense Report, cited in the same research, confirms that "attackers increasingly exploit trust in familiar identities, such as executives and vendors, rather than relying on malicious attachments or links." BEC campaigns requesting W-2 and W-9 forms are particularly dangerous in healthcare because those documents contain employee Social Security numbers, dates of birth, and financial account information, enough to enable identity theft well beyond the immediate incident.
FAQs

Why is tax season such an effective window for phishing campaigns?

Tax deadlines create genuine urgency, and recipients expect to receive form requests, penalty notices, and compliance reminders during filing periods. Attackers exploit that expectation by making fraudulent messages blend in with legitimate communications that would normally prompt a quick response.
What is a W-2 BEC attack, and why is employee tax data valuable?

In a W-2 BEC attack, an attacker impersonates a company executive and requests that the payroll team send employee W-2 forms. Those forms contain Social Security numbers, addresses, and income data that can be used for tax fraud, identity theft, and account takeover, often causing harm to employees long after the original incident is discovered.
What is a W-8BEN form, and how was it used as a lure in these campaigns?

A W-8BEN is a form used by foreign individuals to certify their country of residence for U.S. tax purposes. Attackers posed as investment firms requesting updates to these forms and directed victims to credential-harvesting login pages, exploiting the form's association with legitimate financial compliance processes.
How can organizations reduce exposure to tax-themed phishing?

Training employees to recognize seasonal lure patterns, implementing multi-factor authentication, and using email security tools that detect executive impersonation and lookalike domains all reduce risk. Organizations should also establish out-of-band verification processes for any request involving sensitive financial documents, regardless of how legitimate the sender appears.
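The executive-impersonation and lookalike-domain checks mentioned above can be illustrated with a small triage routine. The following is an added example written for this article; it is not code from Paubox, the advisory, or any email security product. The company domain, executive roster, confusable-character table, and sample messages are all constructed for the illustration.

```python
"""Triage inbound mail headers for the W-2/W-9 BEC pattern: an executive's display
name paired with an external or lookalike sender domain, plus a tax-themed subject.
Constructed example: domain, roster and messages below are invented."""
from email.utils import parseaddr

COMPANY_DOMAIN = "example-health.com"           # constructed company domain
EXECUTIVES = {"dana reyes", "sam okafor"}       # constructed roster of likely impersonation targets
TAX_LURE_TERMS = ("w-2", "w-9", "w-8ben", "penalty", "tax form", "filing deadline")

# Character swaps commonly seen in lookalike registrations; the table is a constructed subset.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                    ("3", "e"), ("5", "s"), ("7", "t"))


def normalize(label: str) -> str:
    """Fold visually confusable sequences so 'examp1e' compares equal to 'example'."""
    label = label.lower()
    for fake, real in CONFUSABLE_PAIRS:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos of the company label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """First DNS label, e.g. 'example-health' from 'example-health.com'."""
    return domain.split(".")[0]


def is_lookalike(domain: str) -> bool:
    """True when the sender domain imitates the company domain without being it."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    own, theirs = registrable_label(COMPANY_DOMAIN), registrable_label(domain)
    if normalize(theirs) == normalize(own):      # homoglyph substitution
        return True
    if edit_distance(theirs, own) <= 1:          # single-character typo or insertion
        return True
    return COMPANY_DOMAIN in domain              # company domain embedded in a longer one


def analyze(message: dict) -> list:
    """Return a list of findings for one message given its From and Subject headers."""
    name, addr = parseaddr(message["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        findings.append("executive display name on external sender")
    if is_lookalike(domain):
        findings.append(f"lookalike domain: {domain}")
    subject = message.get("subject", "").lower()
    if any(term in subject for term in TAX_LURE_TERMS):
        findings.append("tax-themed lure in subject")
    return findings


# Constructed sample headers, not real mail.
SAMPLE_MESSAGES = [
    {"from": '"Dana Reyes" <dana.reyes@examp1e-health.com>',
     "subject": "Updated W-2 forms needed before the filing deadline"},
    {"from": '"Dana Reyes" <dana.reyes@example-health.com>',
     "subject": "Q2 budget review"},
    {"from": '"IRS Notice" <notices@irs-refund-portal.com>',
     "subject": "Penalty assessed: respond within 48 hours"},
    {"from": '"Sam Okafor" <sam.okafor@example-health.com.secure-docs.net>',
     "subject": "Please send W-9 for the new vendor"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", analyze(msg) or "clean")
```

A production filter would read the roster from the directory and the confusable table from a maintained list; the point of the example is that the three signals (executive name, domain similarity, seasonal lure terms) are cheap to compute from headers alone and are strongest in combination.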
Why does the use of RMM tools in these campaigns make detection harder?

Remote monitoring and management tools are legitimate software used by IT departments, so security tools often treat their traffic as trusted. When attackers deploy them as payloads, the tools blend into normal IT activity, giving attackers persistent access that can be difficult to identify without actively auditing unauthorized installations.
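Auditing for unauthorized RMM installations comes down to reconciling what is actually installed against what was approved and who installed it. The following is an added example written for this article, not code from Paubox or from the advisory; the inventory export, product names, approval records, and deployment account are all constructed placeholders.

```python
"""Reconcile a software-inventory export against approved RMM installs.
Constructed example: the CSV, product names and approvals are invented."""
import csv
import io

# Constructed inventory export (the shape an endpoint-management tool might produce).
INVENTORY_CSV = """host,product,publisher,installed_by,install_date
WS-0142,Microsoft Office,Microsoft,deploy-svc,2025-11-03
WS-0142,AnyRemote Agent,AnyRemote Ltd,jsmith,2026-03-31
SRV-DB01,AnyRemote Agent,AnyRemote Ltd,deploy-svc,2025-06-12
WS-0077,HelpDeskRemote Host,HDR Software,mwong,2026-04-01
SRV-FILE2,AnyRemote Agent,AnyRemote Ltd,deploy-svc,2025-06-12
"""

# Constructed names of RMM agents the organisation knows about (lower-cased for matching).
RMM_PRODUCTS = {"anyremote agent", "helpdeskremote host"}
# Constructed change-approved (host, product) pairs.
APPROVED = {("srv-db01", "anyremote agent"), ("srv-file2", "anyremote agent")}
# Constructed account the IT team uses for sanctioned deployments.
IT_DEPLOY_ACCOUNTS = {"deploy-svc"}


def audit(inventory_csv: str) -> list:
    """Return one finding per RMM install that lacks an approval or was installed by
    an account outside the deployment pipeline; non-RMM software is ignored."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        host = row["host"].strip().lower()
        if product not in RMM_PRODUCTS:
            continue
        reasons = []
        if (host, product) not in APPROVED:
            reasons.append("no approval record for this host")
        if row["installed_by"] not in IT_DEPLOY_ACCOUNTS:
            reasons.append(f"installed by non-deployment account {row['installed_by']}")
        if reasons:
            findings.append({"host": row["host"], "product": row["product"],
                             "install_date": row["install_date"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY_CSV):
        print(f"{f['host']}: {f['product']} ({f['install_date']}) -> {'; '.join(f['reasons'])}")
```

Running this regularly against a fresh inventory export turns "RMM blends in with trusted IT software" into a concrete question with a concrete answer: every RMM agent either has a change record and was deployed through the sanctioned path, or it is a finding to investigate.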
