Friday, May 9, 2025

Hackers Impersonate Top Tax Firm with 40,000 Phishing Messages to Steal Credentials


Proofpoint researchers have identified a marked increase in phishing campaigns and malicious domain registrations designed to exploit tax filing season.

These operations, targeting countries such as the UK, US, Switzerland, and Australia, leverage tax-related themes to dupe victims into divulging sensitive information or making fraudulent payments.

This surge in activity aligns with the yearly patterns seen from December to April, as businesses and individuals prepare their tax filings.


Attackers commonly impersonate tax agencies or financial institutions linked to tax-related engagements.

These phishing lures exploit the perceived authority of these organizations, making them effective tools for credential theft, financial fraud, and malware delivery.

Region-Specific Campaigns: UK, US, Switzerland, and Australia in Focus

In the UK, multiple campaigns have surfaced impersonating HM Revenue & Customs (HMRC).

One notable campaign, active since January 12, 2025, employed “account update” phishing emails, which redirected recipients to fake HMRC-branded credential harvesting sites.

Figure: HMRC lure impersonating the agency and distributing credential phishing.

The effort targeted several organizations, using sophisticated branding and language to appear legitimate.

In the US, hundreds of malicious domains have been linked to tax-themed phishing campaigns this January.

A notable example involved attackers impersonating Intuit’s QuickBooks with emails that falsely claimed users’ tax forms were rejected.

Victims were redirected to phishing pages impersonating Intuit to steal credentials.

This campaign alone sent over 40,000 fraudulent emails targeting more than 2,000 organizations.

Swiss organizations were also targeted in December 2024 through fraudulent emails purporting to be from the Federal Tax Administration.

These messages requested payments via a legitimate Revolut payment link.

Unlike other campaigns, this effort emphasized financial fraud rather than credential theft, coercing recipients into transferring CHF 102.50 to an attacker-controlled account.

In Australia, campaigns disguised as communications from myGov, the Australian government services portal, have been active since early January 2025.

These phishing efforts aimed to steal usernames, passwords, and multifactor authentication (MFA) details by redirecting victims to fake myGov portals.

Attackers also attempted to bypass detection systems using advanced anti-bot protection measures.

Tax-Themed Threats Evolve to Deliver Malware

Beyond credential theft and fraud, tax-themed lures have also been employed to deliver advanced malware.

On January 16, 2025, a campaign used fake tax software emails to distribute Rhadamanthys and zgRAT malware.

Figure: Malicious email impersonating tax software.

Hosted on Microsoft Azure, these attacks executed malicious PowerShell scripts to compromise systems.

Other recent campaigns have delivered malware such as MetaStealer, XWorm, AsyncRAT, and VenomRAT, further highlighting the diverse techniques employed by threat actors.

The reliance on authoritative branding and the time-sensitive nature of tax-related communications make these campaigns particularly effective.

Proofpoint emphasizes the importance of organizational training to recognize phishing attempts and common attacker tactics.

Proactive measures, such as monitoring domain impersonation efforts and bolstering email security systems, remain crucial in mitigating these growing threats.
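One way to monitor domain impersonation for the brands named above, as an added example that is not from Proofpoint or the original article: it triages a feed of newly observed domains for brand look-alikes combined with tax-themed wording. The allowlist, keyword lists, function names and sample domains are assumptions constructed for illustration.

```python
import re

# Assumed allowlist of legitimate parent domains for the impersonated brands.
LEGIT = ("gov.uk", "intuit.com", "my.gov.au")
BRANDS = ("hmrc", "intuit", "quickbooks", "mygov")
THEMES = ("tax", "refund", "rebate", "return", "filing")
LEET = str.maketrans("01357", "oiest")  # undo common digit-for-letter swaps

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def is_legit(domain):
    # Match on a label boundary so "intuit.com.login.example" and
    # "notintuit.com" are not mistaken for the real parent domain.
    return any(domain == d or domain.endswith("." + d) for d in LEGIT)

def score_domain(raw):
    """Return the reasons a domain looks like impersonation; empty means no hit."""
    domain = raw.strip().lower().rstrip(".")
    if is_legit(domain):
        return []
    tokens = [t for t in re.split(r"[.\-_]", domain.translate(LEET)) if t]
    squashed = "".join(tokens)
    reasons = []
    for brand in BRANDS:
        if brand in squashed:
            reasons.append(f"brand:{brand}")
        elif any(len(t) >= 5 and edit_distance(t, brand) == 1 for t in tokens):
            reasons.append(f"typo:{brand}")
    if reasons and any(k in squashed for k in THEMES):
        reasons.append("tax-theme")
    return reasons

def triage(domains):
    """Map each flagged domain to its reasons, dropping clean ones."""
    return {d: r for d in domains if (r := score_domain(d))}

# Constructed sample feed (reserved .example names, not real indicators).
SAMPLE = ["hmrc-tax-refund.example", "intuit.com.login.example",
          "quickb00ks-taxform.example", "lntuit-support.example",
          "quickbooks.intuit.com", "my.gov.au", "weather.example"]

if __name__ == "__main__":
    for name, why in triage(SAMPLE).items():
        print(name, why)
```

Hits are triage leads for an analyst or a blocklist review, not verdicts; the substring match is deliberately broad and will need tuning against an organization's own domain feed.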

As tax season continues, vigilance against these evolving threats is vital to safeguard sensitive information and financial resources from exploitation.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
