Proofpoint researchers have identified a marked increase in phishing campaigns and malicious domain registrations designed to exploit tax filing season.
These operations, targeting countries such as the UK, US, Switzerland, and Australia, leverage tax-related themes to dupe victims into divulging sensitive information or making fraudulent payments.
This surge in activity aligns with the yearly patterns seen from December to April, as businesses and individuals prepare their tax filings.
Attackers commonly impersonate tax agencies or financial institutions linked to tax-related engagements.
These phishing lures exploit the perceived authority of these organizations, making them effective tools for credential theft, financial fraud, and malware delivery.
In the UK, multiple campaigns have surfaced impersonating HM Revenue & Customs (HMRC).
One notable campaign, active since January 12, 2025, employed “account update” phishing emails, which redirected recipients to fake HMRC-branded credential harvesting sites.
The effort targeted several organizations, using sophisticated branding and language to appear legitimate.
In the US, hundreds of malicious domains have been linked to tax-themed phishing campaigns this January.
A notable example involved attackers impersonating Intuit’s QuickBooks with emails that falsely claimed users’ tax forms were rejected.
Victims were redirected to phishing pages impersonating Intuit to steal credentials.
This campaign alone sent over 40,000 fraudulent emails targeting more than 2,000 organizations.
Swiss organizations were also targeted in December 2024 through fraudulent emails purporting to be from the Federal Tax Administration.
These messages requested payments via a legitimate Revolut payment link.
Unlike other campaigns, this effort emphasized financial fraud rather than credential theft, coercing recipients into transferring CHF 102.50 to an attacker-controlled account.
In Australia, campaigns disguised as communications from myGov, the Australian government services portal, have been active since early January 2025.
These phishing efforts aimed to steal usernames, passwords, and multifactor authentication (MFA) details by redirecting victims to fake myGov portals.
Attackers also used advanced anti-bot protection measures in an attempt to bypass detection systems.
Beyond credential theft and fraud, tax-themed lures have also been employed to deliver advanced malware.
On January 16, 2025, a campaign used fake tax software emails to distribute Rhadamanthys and zgRAT malware.
Hosted on Microsoft Azure, these attacks executed malicious PowerShell scripts to compromise systems.
Other recent campaigns have delivered malware such as MetaStealer, XWorm, AsyncRAT, and VenomRAT, further highlighting the diverse techniques employed by threat actors.
The reliance on authoritative branding and the time-sensitive nature of tax-related communications make these campaigns particularly effective.
Proofpoint emphasizes the importance of organizational training to recognize phishing attempts and common attacker tactics.
Proactive measures, such as monitoring domain impersonation efforts and bolstering email security systems, remain crucial in mitigating these growing threats.
As tax season continues, vigilance against these evolving threats is vital to safeguard sensitive information and financial resources from exploitation.