Phishing lure impersonating the IRS delivering N-able RMM | Image: Proofpoint
As the 2026 tax season reaches its peak, cybersecurity researchers have identified a massive surge in digital threats designed to exploit the stress of filing deadlines. According to a recent report from Proofpoint, threat actors are capitalizing on a “recipe for cybercrime” by combining monetary anxiety with the widespread expectation of official tax-related emails.
So far this year, over a hundred distinct campaigns have been identified leveraging tax themes to deliver a variety of dangerous payloads. While annual tax lures are expected, 2026 has seen a notable increase in the use of Remote Monitoring and Management (RMM) tools and the emergence of newly identified threat groups.
The current threat landscape is diverse, ranging from malware delivery to sophisticated identity theft. A breakdown of the campaigns by threat type reveals the following distribution:
| Threat Type | Percentage of Campaigns |
| --- | --- |
| RMM (Remote Monitoring & Management) | 39% |
| Malware | 32% |
| Credential Phishing | 24% |
| Impostor (BEC) | 5% |
The most common payload delivered via tax themes is RMM software. These are legitimate tools used by IT professionals for remote support, but they are increasingly being “abused by cybercriminals”.
Threat actors favor RMMs because they are often authoritatively signed and “fly under the radar in enterprise environments”. If a company does not maintain a strict allow-list for these tools, security software may fail to flag the malicious installation. Notable RMMs being deployed in these schemes include ScreenConnect, Zoho Assist, and N-able.
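The allow-list check described above can be sketched as follows. This is an added example, not code from Proofpoint's report: the inventory schema, host names, and the approval policy are assumptions constructed for illustration, and products are matched only by the three names the article mentions.

```python
"""Flag RMM installs that are not on the organisation's allow-list."""

# RMM products named in the article, matched by case-insensitive substring.
RMM_KEYWORDS = {
    "screenconnect": "ScreenConnect",
    "zoho assist": "Zoho Assist",
    "n-able": "N-able",
}

# Assumed policy: product -> hosts where IT has approved it.
ALLOW_LIST = {"ScreenConnect": {"HELPDESK-01", "HELPDESK-02"}}

# Constructed inventory records; the schema is hypothetical.
SAMPLE_INVENTORY = [
    {"host": "HELPDESK-01", "product": "ScreenConnect Client", "signed": True},
    {"host": "FIN-LT-17", "product": "ScreenConnect Client", "signed": True},
    {"host": "HR-WS-04", "product": "N-able remote agent", "signed": True},
    {"host": "FIN-LT-22", "product": "Zoho Assist", "signed": True},
    {"host": "HR-WS-04", "product": "7-Zip", "signed": True},
]


def classify_rmm(product_name):
    """Return the canonical RMM product name, or None if not a tracked RMM."""
    name = product_name.lower()
    for keyword, product in RMM_KEYWORDS.items():
        if keyword in name:
            return product
    return None


def find_unapproved_rmm(inventory, allow_list):
    """Return findings for tracked RMM tools outside the allow-list."""
    findings = []
    for record in inventory:
        product = classify_rmm(record["product"])
        if product is None:
            continue  # not an RMM tool this check tracks
        if record["host"].upper() in allow_list.get(product, set()):
            continue  # approved product on an approved host
        # The signature flag is reported but never used to suppress a finding:
        # these tools are legitimately signed, so "signed" does not mean "approved".
        reason = "host not approved" if product in allow_list else "product not approved"
        findings.append({"host": record["host"], "product": product,
                         "signed": record["signed"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_unapproved_rmm(SAMPLE_INVENTORY, ALLOW_LIST):
        print(finding)
```

Every finding in the sample data carries a valid signature, which is why the check keys on the allow-list rather than on signing status.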
The report highlights TA4922, a financially motivated threat actor likely based in East Asia. This group frequently impersonates national tax authorities to target organizations in Japan and other regions.
One of their signature techniques involves an initial “impostor” email that “requests the recipient’s phone number to establish communications outside of email”. Once out-of-band communication is established, the actor escalates the social engineering—often “impersonating the target organization’s finance leadership”—to deliver final payloads like information stealers.
Another prominent actor, TA2730, has been observed using “W-8BEN” forms—a U.S. tax document for non-U.S. taxpayers—to target investors in countries like Switzerland and Canada. These emails direct victims to counterfeit authentication pages designed to harvest account credentials for financial gain.
Meanwhile, Business Email Compromise (BEC) actors are focusing on W-2 fraud. In these cases, attackers spoof the names of company executives to request that human resources staff compile and send “W-2 Wage and Tax Statements for all company employees”. Because these forms contain Social Security numbers, addresses, and full names, they are a goldmine for “identity theft and banking fraud”.
While the surge is tied to the current filing window, Proofpoint warns that “financial information can be an effective lure, no matter the time of year”. The convincing nature of these lures stems from the fact that many users are genuinely expecting communications from government or financial institutions.
To defend against these evolving threats, organizations are encouraged to educate users on these specific techniques and remain vigilant toward “timely and topical lure themes, with taxes being among their annual favorites”.