Every year around tax time, there are a lot of phishing attacks, but 2026 has already seen a bigger and more organized push than in previous years This article explores threats come tax. . Cybercriminals are pretending to be the IRS, national tax authorities, and company HR departments to trick people into installing malware or giving them their login information.

So far this year, there have been more than a hundred campaigns that use tax-related lures to deliver malware, remote access tools, and pages that steal credentials. Campaigns have mostly gone after people in the United States, but also in Canada, Australia, Switzerland, and Japan. The number of emails sent has ranged from a few to tens of thousands.

This year, most of the threats that come through tax-themed emails are malware and remote monitoring and management (RMM) payloads. Researchers found that 2026 has more RMM payloads, new actors, and a wider range of social engineering lures than they had seen before. In early March 2026, a related campaign tricked people into downloading an information stealer by pretending to be the Inland Revenue Department.

Businesses and workers can do things to keep themselves safe. Security teams should make sure that only approved RMM tools can run on corporate networks by enforcing allow-listing policies. Employees need to get regular training that teaches them how to spot phishing emails during tax season and how to question emails that ask for personal information or tell them to take action on tax filings through links to other sites.

Always check with official sources before taking any action on an unsolicited message from someone who claims to be a tax authority or HR contact. Set ZeroOwl as a Preferred Source in Google, LinkedIn, and X to Get More Instant Updates. Set ZeroOwl as a Preferred Source in Google, LinkedIn, and X to get more instant updates.