Cybercriminals are escalating their tax season attacks in 2026, leveraging IRS and tax filing lures to deploy malware and steal credentials. This year has seen a significant increase in organized campaigns impersonating tax authorities and company HR departments, aiming to trick individuals into compromising their digital security. The sophisticated nature of these attacks, including the abuse of legitimate remote management tools, poses a growing threat to both individuals and organizations.
Numerous campaigns mimicking the Internal Revenue Service (IRS), national tax offices, and corporate human resources departments have been observed globally. These efforts are designed to trick recipients into downloading malware or revealing sensitive login information. Over a hundred such campaigns utilizing tax-related themes have been documented in 2026 alone, distributing a variety of malicious payloads, including malware, remote access tools, and credential-harvesting web pages.
The tactics employed in these evolving campaigns are more diverse than in previous years. Attackers are reportedly spoofing emails related to expired tax documents, IRS filing notices, and requests for W-2 forms from fraudulent HR departments. Furthermore, campaigns are targeting non-U.S. taxpayers with fake W-8BEN filing requests. A significant portion of the threats delivered through these tax-themed emails so far this year involve malware and Remote Monitoring and Management (RMM) tools.
While the United States remains a primary target, these fraudulent campaigns have also impacted users in Canada, Australia, Switzerland, and Japan. The volume of emails in these campaigns varies widely, from a few highly targeted messages to tens of thousands sent broadly. This broad reach underscores the widespread nature of the threat.
Increased Use of Remote Monitoring and Management (RMM) Tools in Tax Campaigns
Proofpoint researchers have identified more than a dozen IRS-impersonation RMM campaigns since January 2026. Two specific threat actor groups, identified as TA4922 and TA2730, are noted for running organized operations with clear financial motives. The researchers observed a greater prevalence of RMM payloads in 2026 tax season campaigns compared to previous years, with activity stemming from newly identified actors and a wider array of social engineering tactics.
The abuse of legitimate RMM software has become a preferred method for these threat actors. Tools such as N-able, Datto, RemotePC, Zoho Assist, and ScreenConnect are genuine, digitally signed products, so enterprise security controls tend to trust them and rarely flag them as malicious. Relying on such tools lets attackers sidestep controls built to block unknown executables, because the binary itself is known-good even when its installation was never authorized.
For instance, on February 5, a campaign impersonating the IRS sent emails with a deceptive “Transcript Viewer” button. The button linked to an executable hosted on Bitbucket, which silently installed the N-able RMM agent on the victim's machine. To lend an air of authenticity, the attackers included a genuine IRS phone number in the email body.
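The February lure above combines three signals a mail-security team can check for independently: a sender that claims to be a tax authority but does not send from the authority's domain, a link to a code-hosting site or a direct executable download, and urgency language. The following triage heuristic is an added example written for this article and is not Proofpoint's code or detection logic. It assumes messages have already been parsed into display name, sender address, subject, body and extracted URLs; the sample messages, the `.example` domains, the term list and the hosting-domain list are constructed (only bitbucket.org comes from the article). Note that the genuine phone number in the body is deliberately ignored: it is trivial for an attacker to copy and therefore says nothing about legitimacy.

```python
"""Triage heuristic for tax-authority impersonation lures.

Added example; it is not Proofpoint's code or detection logic. It assumes
messages have already been parsed into display name, sender address, subject,
body text and extracted URLs. The sample messages, the .example domains, the
hosting-domain list and the term list are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Terms whose presence in the display name or subject means the message claims
# to come from a tax authority or to concern a tax filing (assumed list).
AUTHORITY_TERMS = re.compile(
    r"\b(irs|internal revenue|tax transcript|w-2|w-8ben|tax filing)\b", re.I)
# Domains the impersonated authority legitimately sends from (assumed).
LEGIT_TAX_DOMAINS = ("irs.gov",)
# Code/file-hosting domains seen hosting payloads; bitbucket.org is from the article.
HOSTING_DOMAINS = ("bitbucket.org",)
DIRECT_DOWNLOAD_EXTS = (".exe", ".msi", ".zip", ".js")
URGENCY = re.compile(r"\b(immediately|within 24 hours|final notice|expired|suspended?)\b", re.I)


@dataclass
class Message:
    display_name: str
    sender: str
    subject: str
    body: str
    urls: list


def domain_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage(msg):
    """Return the list of reasons the message looks like a tax-season lure.

    A genuine phone number in the body (as in the February campaign) is
    deliberately not treated as a sign of legitimacy: it is trivial to copy.
    """
    reasons = []
    sender_domain = msg.sender.rsplit("@", 1)[-1]
    if AUTHORITY_TERMS.search(f"{msg.display_name} {msg.subject}") and \
            not domain_matches(sender_domain, LEGIT_TAX_DOMAINS):
        reasons.append(f"claims tax authority but sent from {sender_domain.lower()}")
    for url in msg.urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if domain_matches(host, HOSTING_DOMAINS):
            reasons.append(f"link hosted on code-hosting site {host}")
        if parsed.path.lower().endswith(DIRECT_DOWNLOAD_EXTS):
            reasons.append(f"link is a direct download of {parsed.path.rsplit('/', 1)[-1]}")
    if URGENCY.search(msg.body):
        reasons.append("urgency language in body")
    return reasons


# Constructed sample messages (not real campaign emails).
SAMPLES = [
    Message(
        display_name="Internal Revenue Service",
        sender="irs-notices@tax-refund-service.example",
        subject="Your 2025 tax transcript is ready",
        body="Open the Transcript Viewer immediately to review your filing. "
             "Questions? Call 800-555-0100.",
        urls=["https://bitbucket.org/example-account/downloads/TranscriptViewer.exe"],
    ),
    Message(
        display_name="HR Benefits Team",
        sender="benefits@corp.example",
        subject="Open enrollment reminder",
        body="Please review your elections on the benefits portal before the deadline.",
        urls=["https://benefits.corp.example/enroll"],
    ),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, "->", triage(m) or "no findings")
```

The first sample trips all four checks; the second, an ordinary internal HR reminder, trips none. In production the term and domain lists would be tuned per organization, and a message with two or more reasons would typically be quarantined for analyst review rather than blocked outright.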
Meanwhile, TA2730, a credential phishing group under observation since June 2025, has been conducting campaigns that impersonate investment firms. These phishing attempts request targets to update their W-8BEN tax forms, a common requirement for non-U.S. individuals receiving income from U.S. sources. This tactic preys on the necessity of tax compliance to trick users.
In February 2026, TA2730 impersonated Swissquote in Switzerland and Questrade in Canada. Victims were directed to fraudulent login pages meticulously designed to capture account credentials, with the ultimate goal of financial exploitation. These credential phishing pages are carefully crafted to mimic the genuine websites, increasing the likelihood of success.
TA4922’s Multi-Step Social Engineering Approach
TA4922 distinguishes itself among the identified threat actors this year through its deliberate, multi-stage attack methodology. Proofpoint has been tracking this financially motivated group, believed to be based in East Asia and likely Chinese-speaking, since the spring of 2025. The group’s primary objective is to gain remote access to victim systems, which can then be used for fraud, data theft, or sold to other criminal entities.
TA4922 predominantly distributes malware from the Winos4.0 ecosystem, also referred to as ValleyRAT. Their attacks typically involve a combination of loaders and information stealers to achieve their objectives. This layered approach makes it more challenging to detect the full scope of their malicious activities early in the attack chain.
What makes TA4922 particularly concerning is its two-phase attack strategy. The group initially sends impersonation emails posing as tax authorities, claiming the recipient has outstanding tax obligations and requesting a mobile phone number to continue communication. This establishes a more direct, private channel with the victim outside of traditional email channels.
Once this private communication channel is secured, the threat actor escalates the attack by posing as company finance leadership. They then deliver malicious files or links through this established channel, effectively bypassing email security filters and increasing the impact of their social engineering efforts. The shift from email to a more direct communication method is a key evolution in their tactics.
In early March 2026, a related campaign spoofed the Inland Revenue Department, ultimately leading victims to download an information stealer. This specific piece of malware is currently under active investigation by Proofpoint researchers. The ongoing analysis aims to understand the full capabilities and potential impact of this newly observed information stealer.
Organizations can mitigate these risks by enforcing allow-listing policies for RMM tools, ensuring only approved software can execute on corporate networks. This significantly reduces the possibility of unauthorized remote access software going undetected. Additionally, employees require regular, targeted training focused on tax-season phishing tactics. This training should equip them to critically evaluate emails requesting personal contact details or prompting immediate action on tax filings, especially through external links. Any unsolicited communication from supposed tax authorities or HR contacts should always be verified through official, known channels before any action is taken.
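An RMM allow-list is only useful if it is enforced against endpoint telemetry: the approved product, running from its managed install path, is fine, while any other RMM client, or the approved one launched from a user's Downloads folder by a browser or mail client, is a finding. The check below is an added example written for this article, not Proofpoint's code or any vendor's tooling. It assumes process-creation events shaped like Sysmon event ID 1 (image path, parent image, code signer, user); the product keywords come from the article, while the approved product, its install path, the signer strings and the sample events are constructed and would differ in a real environment.

```python
"""Allow-list check for RMM client execution over process-creation events.

Added example, not Proofpoint's code or any vendor's tooling. It assumes
endpoint telemetry shaped like Sysmon event ID 1 (image path, parent image,
code signer, user). The product keywords come from the article; the approved
product, its install path, the signer names and the sample events are
constructed for illustration and will differ in a real environment.
"""
import re
from dataclasses import dataclass, field

# RMM products named in the article, matched against the image path and signer.
RMM_PRODUCT_KEYWORDS = ("n-able", "datto", "remotepc", "zoho assist", "screenconnect")

# Constructed policy: the one product IT deployed, and the only path it may run from.
APPROVED_RMM = {
    "screenconnect": {"path_prefixes": (r"c:\program files (x86)\screenconnect client",)},
}

# A deployed RMM client does not live in user-writable or temporary directories.
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp)\\", re.I)

# Parents that mean a user launched the binary from a link or attachment.
LURE_PARENTS = ("chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe")


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    signer: str
    user: str


@dataclass
class Finding:
    image: str
    product: str
    reasons: list = field(default_factory=list)


def identify_rmm_product(event):
    """Return the matched product keyword, or None if the process is not an RMM client."""
    haystack = f"{event.image} {event.signer}".lower()
    return next((kw for kw in RMM_PRODUCT_KEYWORDS if kw in haystack), None)


def evaluate(event):
    """Apply the allow-list policy to one event; return a Finding or None."""
    product = identify_rmm_product(event)
    if product is None:
        return None
    reasons = []
    policy = APPROVED_RMM.get(product)
    if policy is None:
        reasons.append(f"{product} is not an approved RMM product")
    elif not event.image.lower().startswith(policy["path_prefixes"]):
        reasons.append("approved product running outside its managed install path")
    if USER_WRITABLE.search(event.image):
        reasons.append("binary located in a user-writable or temporary directory")
    parent = event.parent_image.lower().rsplit("\\", 1)[-1]
    if parent in LURE_PARENTS:
        reasons.append(f"launched by {parent}, consistent with a download lure")
    return Finding(event.image, product, reasons) if reasons else None


def scan(events):
    """Return findings for every event that violates the policy."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample events; paths, the "(deadbeef)" id and signers are illustrative only.
SAMPLE_EVENTS = [
    # Managed deployment of the approved product: no finding expected.
    ProcessEvent(r"C:\Program Files (x86)\ScreenConnect Client (deadbeef)\ScreenConnect.ClientService.exe",
                 r"C:\Windows\System32\services.exe",
                 "ScreenConnect vendor (constructed)", r"NT AUTHORITY\SYSTEM"),
    # Lure-named installer in Downloads, signed by an RMM vendor that is not approved here.
    ProcessEvent(r"C:\Users\jdoe\Downloads\TranscriptViewer.exe",
                 r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
                 "N-able vendor (constructed)", r"CORP\jdoe"),
    # The approved product, but dropped into Temp and launched from the mail client.
    ProcessEvent(r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 "ScreenConnect vendor (constructed)", r"CORP\jdoe"),
    # Unrelated process: ignored.
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 "Microsoft Windows", r"CORP\jdoe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.image)
        for r in f.reasons:
            print("  -", r)
```

Matching on product keywords in the path and signer is intentionally loose so that a renamed installer (the second sample is called TranscriptViewer.exe but signed by the RMM vendor) is still attributed to its product; an environment with reliable signer telemetry would match on the signer's exact subject name instead. The same policy can be enforced preventively with Windows application-control rules, with this check serving as the detection layer for anything that slips past them.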