IT Brief Australia - Technology news for CIOs & IT decision-makers

Tax phishing scams surge in Australia, Proofpoint warns

Thu, 4th Jun 2026

Tax-related phishing campaigns are increasing globally in 2026, with cybercriminals using tax season to distribute malware, steal credentials and gain remote access to victims' systems, according to research from Proofpoint.

The security company said it has observed more than 100 tax-themed campaigns this year involving malware, remote monitoring and management (RMM) tools, fraud schemes and credential phishing attacks. Researchers reported an increase in campaigns using legitimate remote access software, activity linked to newly identified threat actors and a wider range of social engineering techniques.

Australia is among the countries being targeted. Proofpoint researchers have identified campaigns impersonating government services including myGov and the Australian Taxation Office (ATO), alongside human resources departments and investment firms. One recent example involved phishing emails claiming to be from myGov and directing users to counterfeit login pages designed to steal credentials, two-factor authentication information and session cookies.

Tax lures

According to Proofpoint, threat actors continue to exploit tax season because individuals and organisations expect communications from tax authorities, financial institutions and employers during filing periods. Campaigns commonly impersonate government agencies, claim recipients have unresolved tax obligations, request assistance with tax filings or warn of alleged tax violations.

Email volumes vary significantly between campaigns. Some consist of only a small number of messages, while others involve tens of thousands of emails. While most campaigns target organisations and individuals in the United States, researchers have also observed activity directed at Australia, Canada, Switzerland and Japan.

Remote access

Proofpoint said RMM software remains one of the most common payloads delivered through tax-themed attacks. These tools are legitimate applications widely used by enterprises for remote administration but are increasingly being abused by cybercriminals.

The company has observed campaigns delivering software including Datto, N-able, RemotePC, Zoho Assist and ScreenConnect. Attackers favour these tools because they often appear legitimate within enterprise environments and may evade detection if organisations have not restricted authorised remote access software.

One campaign observed in February impersonated the US Internal Revenue Service and claimed to relate to a recipient's recent tax filing. The email contained a button labelled "Transcript Viewer" that linked to an executable file hosted on Bitbucket. When opened, the file installed N-able RMM software on the victim's system. Researchers noted that the email included a legitimate IRS phone number to increase credibility.

Threat groups

Proofpoint highlighted activity from TA4922, a financially motivated threat actor it has tracked since 2025. The group primarily targets organisations in Japan and East Asia, using tax-related themes to obtain remote access for fraud, data theft and other criminal activity. The actor has also impersonated tax agencies in India, Taiwan, Indonesia, Malaysia and Italy.

The company also reported ongoing activity from TA2730, a credential-phishing group focused on financial institutions and investment-related organisations. The actor frequently uses lures involving the W-8BEN tax form and targets users in countries including Australia, Canada, Singapore, Switzerland and Japan. Victims are directed to counterfeit investment account login pages designed to harvest credentials.

Employee data

Business email compromise actors are also using tax-related forms to steal sensitive employee information. Proofpoint observed campaigns impersonating company executives and requesting employee W-2 forms. These documents contain personal information including names, addresses and government identification details that can be used for identity theft and financial fraud.

The company said tax-related themes remain effective because they exploit routine interactions between organisations, financial institutions and government agencies, making fraudulent communications appear legitimate to recipients expecting genuine correspondence.