Security brief: tax scams aim to steal funds from taxpayers

What happened 

Threat actors love to take advantage of tax season. It’s peak social engineering time: combine monetary concerns with often stressful responsibilities, sprinkle in the expectation of emails about taxes from multiple organizations and you’ve got a recipe for cybercrime.  

So far in 2026 we’ve seen over a hundred campaigns leverage tax themes leading to malware, remote monitoring and management (RMM) payloads, fraud, and credential phishing. Tax-themed campaigns are expected annually, but this year we’re seeing more RMM payloads, activity from newly identified threat actors, and a broader variety of social engineering lures.

Figure 1. Breakdown of threat type delivered in tax-themed email campaigns. (Analyst note: Proofpoint manually contextualizes fewer BEC/Imposter threats overall, so they appear less in campaign data.)

Threat actors are using tax themes in many ways, including posing as tax agencies or government entities like the Internal Revenue Service (IRS); claiming the recipient has expired tax documents; impersonating company human resources; requesting tax filing support; claiming tax violations; and more.

Email volumes vary from a handful of messages to tens of thousands, depending on the campaign and the actors’ objectives. While most campaigns target the United States, Proofpoint has also seen recent tax-themed campaigns target other countries including Canada, Australia, Switzerland, and Japan, among others.  

The following are examples of notable tax-themed campaigns observed so far in 2026.

Campaign examples 

RMM 

The most common payloads delivered via tax themes are RMMs. These tools are legitimate software commonly used within the enterprise but abused by cybercriminals. RMMs are used by many threat actors, and the cybercrime ecosystem leveraging legitimate software in malicious campaigns is thriving. Threat actors like using RMMs because they often fly under the radar in enterprise environments since they’re legitimate, often authoritatively signed, pieces of software. If organizations do not implement allow-listing for trusted RMMs, malicious ones may not get flagged by security tools.  

Proofpoint has observed tax-themed campaigns deliver RMMs including Datto, N-Able, RemotePC, Zoho Assist, and ScreenConnect, among others. In some cases, threat actors will use one RMM for initial access and then drop another as a follow-on payload once the host is infected.  
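One way to act on the allow-listing point above, as an added example rather than Proofpoint's tooling: classify a software inventory against an RMM allow-list and surface hosts carrying more than one RMM family, the follow-on pattern just described. The inventory records, the `server` field, host names and the approved set are constructed assumptions.

```python
from collections import defaultdict

# Product-name substrings for the RMM tools named in this brief.
RMM_FAMILIES = {"datto": "Datto", "n-able": "N-able", "remotepc": "RemotePC",
                "zoho assist": "Zoho Assist", "screenconnect": "ScreenConnect"}

# Assumption: the organisation sanctions one RMM, connecting to one server.
APPROVED = {"ScreenConnect": {"support.corp.example"}}

# Constructed inventory records; a real feed would come from EDR or asset data.
INVENTORY = [
    {"host": "fin-01", "product": "ScreenConnect Client", "server": "support.corp.example"},
    {"host": "fin-02", "product": "N-able RMM Agent", "server": ""},
    {"host": "fin-03", "product": "ScreenConnect Client", "server": "relay.other.example"},
    {"host": "fin-03", "product": "Zoho Assist", "server": ""},
    {"host": "fin-04", "product": "7-Zip", "server": ""},
]

def rmm_family(product):
    """Return the RMM family a product name belongs to, or None."""
    name = product.lower()
    for needle, family in RMM_FAMILIES.items():
        if needle in name:
            return family
    return None

def classify(record):
    family = rmm_family(record["product"])
    if family is None:
        return "not_rmm"
    servers = APPROVED.get(family)
    if servers is None:
        return "unapproved_rmm"
    # A sanctioned product pointed at someone else's server is not sanctioned use.
    if record["server"] not in servers:
        return "approved_product_unknown_server"
    return "approved"

def review(inventory):
    """Return (findings, hosts with more than one RMM family installed)."""
    findings, families = [], defaultdict(set)
    for rec in inventory:
        verdict = classify(rec)
        if verdict == "not_rmm":
            continue
        families[rec["host"]].add(rmm_family(rec["product"]))
        if verdict != "approved":
            findings.append((rec["host"], rec["product"], verdict))
    return findings, sorted(h for h, f in families.items() if len(f) > 1)

if __name__ == "__main__":
    print(review(INVENTORY))
```

Matching on product family rather than file signature matters here because, as noted above, these installers are legitimately signed.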

As an example, on 05 February 2026, Proofpoint observed a campaign impersonating the U.S. IRS. The lure purported to relate to the target’s recent IRS filing.  

Figure 2. Phishing lure impersonating the IRS delivering N-able RMM.  

Messages contained a hyperlinked button purporting to be a “Transcript Viewer” that was actually a Bitbucket URL leading to an executable file which, if executed, installed N-able RMM. Notably, the actor included a real phone number belonging to the IRS to further the social engineering and believability of the email. 

IRS is a common lure theme used by multiple threat actors, as impersonating government agencies can be a compelling social engineering technique. Since January 2026, Proofpoint observed over a dozen RMM campaigns that have impersonated the IRS.  

TA4922  

TA4922 is a newly designated financially motivated threat actor regularly tracked by Proofpoint since spring 2025. The actor’s primary objective is to obtain remote access, likely for monetization such as fraud, data theft, access brokering, or persistence. This actor delivers malware from the Winos4.0 ecosystem, which is also referred to in some reporting as ValleyRAT, and uses a variety of loaders and stealers. TA4922 also conducts fraud campaigns. The actor is likely based in East Asia and is probably Chinese-speaking. TA4922 demonstrates overlaps with the Silver Fox and Void Arachne ecosystem as reported by third-party researchers.

This actor typically targets Japan with some additional East Asian targeting and commonly uses tax themes in its campaigns. One notable technique from TA4922 is its frequent use of impostor emails pretending to be someone in a position of authority. The attacker sends an initial email that requests the recipient’s phone number to establish communications outside of email.  

For example, in early February 2026, Proofpoint observed a TA4922 campaign targeting organizations in Japan. Emails impersonated national tax authorities and claimed the recipient had unresolved tax obligations. The actor requested the recipient’s mobile phone number to establish out-of-band communications.  

Figure 3. Japanese language National Tax Authority impersonation email.  

Once engagement is established, the actor will likely escalate social engineering by impersonating the target organization’s finance leadership and may deliver malicious links or files via out-of-band channels. 

In another campaign in early March, emails targeted Japan and purported to be from the "Inland Revenue Department." Messages included a URL which downloaded an executable, which, if executed, installed an information stealer still under investigation by Proofpoint researchers.  

Figure 4. Inland Revenue Department impersonation.  

Proofpoint has also observed this actor impersonate revenue agencies of other countries and target users in those regions, including India, Taiwan, Indonesia, Malaysia, and, unusually, Italy.  

TA2730  

Proofpoint has tracked TA2730, a prominent credential phishing threat actor, since June 2025. The actor focuses on obtaining credentials for various financial institutions, typically those focused on investments. 

TA2730 campaigns appear opportunistic rather than targeted. The messages are sent from malicious domains most likely registered by the actor. The threat actor uses multiple phishing kits, including one they likely developed and use most frequently. The actor targets many countries, with its most frequent geographies of interest being Canada, Australia, Singapore, Switzerland and Japan. 

Figure 5. TA2730 geographic targets of all campaigns. 

One of the most popular lure themes this actor uses relates to a "W-8BEN" form, a U.S. tax form for non-U.S. taxpayers. This lure has been used in dozens of campaigns since we began tracking the actor.  

Typically, the actor will pose as an investment company, telling the recipient they need to update or provide information for their W-8BEN form. Emails contain URLs leading to counterfeit investment account authentication pages designed to harvest user credentials. The following are two examples of recent campaigns observed in Proofpoint telemetry. Both of these campaigns occurred in February, targeting Switzerland and Canada. In some cases, the actor includes the legitimate phone number for the impersonated entity to further the believability of the lure.

Figure 6. TA2730 email impersonating Swissquote (left) and malicious phishing landing page impersonating the company (right). This campaign targeted Switzerland. 

Figure 7. TA2730 email impersonating Questrade (left) and malicious phishing landing page impersonating the company (right). This campaign targeted Canada. 

The objective of these campaigns is to take over investment accounts for financial gain.  

W-2 fraud 

Business email compromise (BEC) threat actors also regularly use tax form lures including W-2 Form (Wage and Tax Statement) and W-9 (Request for Taxpayer Identification Number and Certification) themes. Typically, these campaigns will impersonate company executives, human resources, or vendor/supplier contacts in attempts to steal financial and personal data, likely with a goal of leveraging it for follow-on fraud.  

For example, in one campaign observed in March, email sender names were spoofed to appear as if they came from an executive at the targeted organization, requesting all employee W-2 forms for 2025.  

Figure 8. BEC W-2 fraud email example.  

Such forms contain sensitive information like names, addresses, and Social Security numbers. This data can be used for identity theft and banking fraud.  
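The impostor patterns described in the TA4922 and W-2 fraud sections can be screened for at the header level. The following is an added example, not Proofpoint detection logic: it flags an executive's display name on an external address, an authority-style display name on a free webmail sender, and a Reply-To that differs from the sender. The organisation domain, executive name, keyword list (English only) and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "corp.example"            # assumption: the defended organisation
EXECUTIVES = {"jordan avery"}          # assumption: hypothetical executive name
FREEMAIL = {"hotmail.com", "outlook.com", "yahoo.com", "gmail.com"}
AUTHORITY_WORDS = ("tax", "revenue", "irs")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def impersonation_flags(raw):
    """Return the list of impersonation heuristics a raw message trips."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    name_l, flags = name.lower(), []
    # Display name claims to be an executive, address is outside the org.
    if name_l in EXECUTIVES and domain(addr) != ORG_DOMAIN:
        flags.append("executive_name_external_address")
    # Display name claims an authority, address is consumer webmail.
    if any(w in name_l.split() for w in AUTHORITY_WORDS) and domain(addr) in FREEMAIL:
        flags.append("authority_name_freemail_sender")
    # Replies are steered to a different mailbox than the sender's.
    if reply and reply.lower() != addr.lower():
        flags.append("reply_to_differs_from_sender")
    return flags

# Constructed sample messages (addresses are placeholders, not observed senders).
SAMPLES = {
    "bec_w2": "From: Jordan Avery <constructed-sample-0002@gmail.com>\n"
              "To: hr@corp.example\nSubject: All employee W-2 forms for 2025\n\nbody",
    "authority": 'From: "National Tax Agency" <constructed-sample-0001@hotmail.com>\n'
                 "Reply-To: constructed-reply-0001@yahoo.com\n"
                 "Subject: Unresolved tax obligations\n\nbody",
    "legit": "From: Jordan Avery <jordan.avery@corp.example>\n"
             "To: hr@corp.example\nSubject: Q1 planning\n\nbody",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, impersonation_flags(raw))
```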

Why it matters 

The examples represented in this blog are just a small portion of the overall landscape, and while tax season is a popular time for these types of lures, taxes and financial information can be an effective lure, no matter the time of year.  

Tax lures are commonly used by threat actors, especially around filing seasons, as people leverage various applications and services to collate and file important business and personal finance information. Such lures can be convincing to recipients who are either expecting communications from organizations related to financial or government institutions or would be concerned and worried by receiving an email suggesting they will have fines or fees for incorrectly submitting information.  

In general, enterprises should educate users about the techniques and lures commonly abused by threat actors and be aware that cybercriminals routinely gravitate towards timely and topical lure themes, with taxes being among their annual favorites.  
