In early 2026, a wave of tax-themed cyber campaigns delivering malware, remote access tools, fraud schemes and credential phishing was detected. Proofpoint researchers identified more than a hundred such operations, highlighting how attackers continue to exploit the pressures and expectations tied to tax season.
A new advisory published on 30 March by Proofpoint found that malicious campaigns are increasingly using remote monitoring and management (RMM) tools. The firm also observed activity from newly identified threat actors alongside a broader mix of social engineering techniques. Activity from evolving threat groups included campaigns from TA2730 focused on organisations in Japan and other parts of Asia, while other campaigns targeted users in Canada, Australia, Singapore and Switzerland.
Attacks ranged from opportunistic phishing to more coordinated efforts aimed at long-term system access or stealing financial data. Some posed as investment firms updating tax forms such as W-8BEN and directed victims to fake login pages to capture credentials. Tax lures remain effective because they align with expected communications during filing periods, with penalties, missing documents or compliance issues cited as prompts to act quickly.