
Source: Proofpoint
Cybercriminals are capitalizing on the 2025 tax season with a wave of sophisticated phishing and malware campaigns, according to a new report from Proofpoint. The report reveals an alarming trend of malicious actors impersonating tax agencies and related financial organizations to steal sensitive information and deliver malware.
Proofpoint observed a significant increase in phishing campaigns impersonating the UK’s HM Revenue & Customs (HMRC). In one such campaign that began on January 12, 2025, attackers sent emails under the guise of HMRC, claiming an urgent “account update.” These messages included links to credential harvesting sites designed to steal usernames and passwords.
One Proofpoint researcher noted, “The websites impersonated HMRC in an attempt to steal personal information that could be used for fraudulent activity.” Such campaigns aim to manipulate victims by mimicking the language and branding of trusted government organizations.
Proofpoint’s Takedown team identified hundreds of malicious domains leveraging tax-related themes. A campaign launched on January 16, 2025, impersonated Intuit, the provider of QuickBooks software. Emails, such as those sent from “Intuit QuickBooks <work@secure[.]net>,” falsely claimed recipients’ tax forms were rejected. Clicking the links led victims to fake authentication pages, a tactic used to harvest user credentials.
Proofpoint emphasized, “This campaign included over 40,000 messages impacting over 2,000 organizations.”
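The sender format quoted above pairs a brand display name with an unrelated sending domain, which a mail filter can check for. The following is an added example, not code from Proofpoint's report: the brand-to-domain allow-list, the function name `brand_mismatches` and every sample header except the one quoted in the article are assumptions constructed for illustration.

```python
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption: domains each brand legitimately sends from. Replace with the
# allow-list your own mail gateway trusts.
BRAND_DOMAINS = {
    "hmrc": {"hmrc.gov.uk"},
    "hm revenue": {"hmrc.gov.uk"},
    "intuit": {"intuit.com"},
    "quickbooks": {"intuit.com"},
    "mygov": {"my.gov.au"},
}


def _refang(value):
    # Reports defang addresses as secure[.]net; undo that before parsing.
    return value.replace("[.]", ".")


def _domain_allowed(domain, allowed):
    # Exact match or true subdomain only, so intuit.com.example.net fails.
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def brand_mismatches(from_header):
    """Return brand keywords in the display name that the sender domain does not back up."""
    name, addr = parseaddr(_refang(from_header))
    # Decode RFC 2047 encoded-words so an encoded display name is still inspected.
    name = str(make_header(decode_header(name))).lower()
    domain = addr.rpartition("@")[2].lower()
    return sorted(
        keyword
        for keyword, allowed in BRAND_DOMAINS.items()
        if keyword in name and not _domain_allowed(domain, allowed)
    )


# First header is the one quoted in the article; the rest are constructed.
SAMPLES = [
    "Intuit QuickBooks <work@secure[.]net>",
    "Intuit QuickBooks <no-reply@notifications.intuit.com>",
    "=?utf-8?q?HMRC_Tax_Refund?= <refund@example.org>",
    "Intuit <billing@intuit.com.example.net>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", brand_mismatches(header) or "ok")
```

A non-empty result is a signal for scoring or quarantine review rather than proof of phishing, since legitimate third-party senders also use brand names in display names.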
In December 2024, a unique campaign targeted Swiss organizations with fraudulent emails masquerading as federal tax payment reminders. Victims were directed to make payments via Revolut accounts allegedly linked to the Federal Tax Administration. These emails threatened recipients with fines and additional fees for non-compliance. However, this campaign appeared less focused on credential theft and more on directly defrauding users.
Australia faced similar threats, with phishing campaigns exploiting the myGov portal, a government services platform. Proofpoint discovered a campaign starting January 3, 2025, where attackers sent emails mimicking myGov notices. The phishing websites not only captured usernames and passwords but also sought multifactor authentication (MFA) details and security question answers.
The Australian Taxation Office warned users against QR-code-based phishing attacks, a newer trend gaining traction among cybercriminals.
While most tax-themed campaigns focus on phishing, some deliver malware. On January 16, 2025, Proofpoint identified a campaign impersonating a tax software solutions provider to distribute the Rhadamanthys malware, which subsequently deployed zgRAT. This activity was linked to the well-known threat actor Aggah. Additionally, other campaigns were observed delivering malware such as MetaStealer, XWorm, AsyncRAT, and VenomRAT.
Tax lures are effective because they exploit urgency and fear, preying on individuals’ concerns about financial penalties. Proofpoint advises organizations to educate their employees on recognizing phishing tactics and to remain vigilant during tax seasons. As the report highlights, “Such lures can be convincing to recipients who are either expecting communications from authoritative organizations, or would be concerned and worried by receiving an email suggesting they will have fines or fees for incorrectly submitting information.”