Tax-Themed Phishing Attacks to Watch Out for in the 2026 Tax Season
Tax season brings out those looking to take advantage of its urgency. Cybercriminals are using manipulative phishing tactics to trick filers into revealing passwords and sensitive financial data or downloading malware.
With tax-related identity theft up by 45% since 2020, there’s no sign that these attacks are slowing down. From fake refund notices and payroll forms to accountant impersonations, hackers are pulling out all the stops this year with several new tax-themed phishing campaigns.
Here’s what you need to know.
The Different Tax-Themed Phishing Campaigns
Microsoft Threat Intelligence has detailed several tax-themed phishing tactics that you should know about this season. Although they vary in execution, these attacks all share a similar goal: taking advantage of those rushing to file their taxes and cash their refunds.
Here are some tax-themed phishing tactics currently out there, as warned by Microsoft:
Certified Public Accountant (CPA) Lures
By using the names of real accountants and familiar software like OneDrive, this phishing campaign sneaks past security filters that usually catch “spam” mail. The trick starts with a highly personalized email containing a [Review Documents] button. Clicking it takes the user through a series of official-looking pages that ultimately lead to a fake login screen designed to harvest emails and passwords.
The Target: Several hundred emails were sent to industries including financial services, education, IT, insurance, and healthcare within the United States.
Fake 1099 Forms and Impersonation
This campaign tricks tax filers by impersonating trusted companies in the accounting and investing sectors. These emails use urgent subject lines, such as “Your Form 1099-R is Ready,” to trick users into clicking a “View Tax Forms” button. Instead of documents, the link downloads a remote access tool that allows the hacker to take full control of the victim’s system.
The Target: In early February 2026, several hundred of these emails hit a wide range of industries across the United States.
QR Codes and Fake W2 Lures
This tax-themed phishing campaign uses personalized emails labeled “2025 Employee Tax Docs” to trick employees into opening attachments that claim to hold critical tax paperwork. These documents use the recipient’s actual name to convince them to scan a QR code (a tactic known as “quishing”) that, once scanned, sends the user to a fake login page designed to steal user credentials.
The Target: This campaign was seen targeting approximately 100 organizations in the manufacturing, retail, and healthcare industries in the United States.
IRS and Crypto-Themed Phishing
The campaign combines IRS impersonation with a cryptocurrency lure. By abusing the popular platform Eventbrite, hackers were able to send emails that appeared to come from the IRS, using fake addresses such as:
- “IRS US” noreply@campaign[.]eventbrite.com
- “IRS GOV” noreply@campaign[.]eventbrite.com
- “.IRS.GOV” noreply@campaign[.]eventbrite.com
To sneak past security filters, the email asked filers to copy and paste a web address (a tactic known as ClickFix) into their browser. Once pasted, the link downloads a remote access tool that gives the hacker access to the victim’s device.
Important: Always check the sender’s address. A real IRS email address will always end in .gov, never eventbrite.com.
The Target: Several thousand emails were sent exclusively to US organizations, with the bulk targeting higher education institutions.
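The sender check described above, written out as an added example (not code from Microsoft’s write-up or from The 20 MSP): it flags mail whose display name claims the IRS while the sending domain is not under .gov. The function names and the last three sample headers are constructed for illustration, and the .gov rule is the article’s own heuristic.

```python
import re

# Display names that claim to be the IRS or a .gov sender.
IRS_CLAIM = re.compile(r"\bIRS\b|\.gov\b|internal revenue service", re.IGNORECASE)
# Trailing address, with or without angle brackets.
ADDRESS = re.compile(r"<?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)>?\s*$")


def check_sender(from_header: str) -> dict:
    """Compare what the display name claims with the domain that sent the mail."""
    # Threat reports defang domains (campaign[.]example); undo that first.
    header = from_header.strip().replace("[.]", ".")
    match = ADDRESS.search(header)
    address = match.group(1).lower() if match else ""
    display = header[: match.start()] if match else header
    display = display.strip().strip("\"'“”").strip()
    domain = address.rpartition("@")[2].rstrip(".")
    claims_irs = bool(IRS_CLAIM.search(display))
    # Suffix match on the full domain, so irs.gov.example.net does not pass.
    is_gov = domain == "gov" or domain.endswith(".gov")
    return {"display": display, "domain": domain,
            "claims_irs": claims_irs, "suspicious": claims_irs and not is_gov}


def triage(headers):
    """Return the headers whose display name claims the IRS from a non-.gov domain."""
    return [h for h in headers if check_sender(h)["suspicious"]]


SAMPLES = [
    # The three sender strings quoted in the article (defanged or not).
    "“IRS US” noreply@campaign.eventbrite.com",
    "“IRS GOV” noreply@campaign[.]eventbrite.com",
    "“.IRS.GOV” noreply@campaign[.]eventbrite.com",
    # Constructed for this example.
    '"IRS" <no-reply@irs.gov>',
    "IRS Refunds <support@irs.gov.example.net>",
    '"Eventbrite" <noreply@campaign.eventbrite.com>',
]

if __name__ == "__main__":
    for header in triage(SAMPLES):
        print("FLAG:", header)
```

A display-name check like this complements, rather than replaces, SPF/DKIM/DMARC results: mail sent through a legitimate platform can pass authentication for the platform’s domain while the display name still misleads the reader.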
Campaigns Targeting Tax Professionals
Filers aren’t the only ones being targeted. This campaign targets accountants by pretending to be a new customer. It starts with a request for a quote and a fake backstory. Once the professional replies, the hacker sends a malicious link designed to install Trojan viruses onto the victim’s device.
The Target: Approximately 1,000 emails were sent to multiple US-based accounting, legal, insurance, and financial firms.
How to Stay Safe This 2026 Tax Season
Staying safe is critical during any tax season. Here’s how you reduce the likelihood of falling for these tax-themed phishing attacks:
- Watch for urgent language: Bad actors are preying on those looking to file their taxes as fast as possible. If you receive any emails that push “Urgent tax deadlines” or report issues with your taxes, consider them with caution. Inflammatory and threatening language is a common sign that you’re being phished.
- Use multi-factor authentication (MFA): MFA is one of the easiest ways to secure your accounts, reducing cyberattack success by 99%.
- Configure automatic attack disruption in Microsoft Defender XDR: This security tool is designed to contain attacks in progress and limit the impact on your organization.
- Train your team: Provide your team with cyber awareness training programs so they can better spot social engineering tactics like these tax-themed phishing campaigns.
We also recommend checking out Microsoft’s full write-up on these campaigns for the deeper technical details.
Stay Secure with an MSP
There will always be bad actors looking to take advantage of the tax season. Tax-themed phishing campaigns are only increasing in volume and complexity, which is why you should consider partnering with a security expert, like The 20 MSP.
At The 20 MSP, we know how stressful tax season can get. That’s why we provide our clients with cutting-edge security solutions, such as MFA, encryption, zero-trust security policies, and more, so they can file with confidence. Beyond that, we also provide our clients with critical cybersecurity resources (like this blog) and cyber awareness training, so they know how to spot the threats that enter their inboxes.
If you need help securing your business this tax season or you have questions about cybersecurity, reach out. We’d be happy to help make your tax season that much less stressful.
About The 20 MSP
As a leading provider of managed IT services, The 20 MSP serves thousands of businesses nationwide, including single and multi-location organizations, delivering white-glove service, secure and streamlined IT infrastructure, and 24/7/365 support. We believe in building lasting relationships with clients founded on trust, communication, and the delivery of high-value services for a fair and predictable price. Our clients’ success is our success, and we are committed to helping each and every organization we serve leverage technology to secure a competitive advantage and achieve new growth.

