Tax Season Means Phishing Season: How Individuals and Businesses Can Protect Themselves

Every year, tax season opens the door to a wave of cyber threats, for both individuals and their employers, that many know exist but few think to look out for: phishing schemes. Tax season-related phishing attacks have gotten more sophisticated as threat actors increasingly leverage generative AI in their attacks, allowing them to impersonate employees, executives, HR and finance departments, and even the IRS itself. With several potential origins for an attack, it’s critical for everyone, in both their personal and professional lives, to stay vigilant and take precautions.
IRS Impersonation on the Rise
IRS impersonation remains one of the most reliable social engineering plays because it targets a true, and urgent, pain point. In fact, the IRS was one of the most highly impersonated brands last year. Taxes are confusing, time-sensitive, and high-stakes, which attackers take advantage of by copying government language, citing reference numbers, and presenting next steps that appear legitimate and secure. The objective is to push the victim to submit personal data, credentials, or payment details quickly and without deeper thought.
Much of the attack relies on the general public not understanding how agencies like the IRS typically communicate. The IRS contacts taxpayers first by U.S. mail; it does not initiate contact through email, text message, or social media to request personal or financial information. If an unexpected message claims to be the IRS and demands immediate action, users and organizations should treat it as suspicious until proven otherwise.
Beyond creating a sense of urgency, attackers have evolved to better bypass people’s instinctive defenses. Many people have been trained to inspect links to look for misspellings, Unicode characters, or suspicious domain names. Because of this, campaigns have increasingly avoided direct URLs and shifted to QR codes, especially embedded in PDF attachments. Their goal is convenience: getting victims to quickly scan with their phone cameras and upload missing information or verify their identity. In reality, a QR code is typically just a URL that cannot be evaluated until scanned, often on a user’s personal phone, outside corporate protections. While the attack may come in via email, the shift to scanning a QR code means that any further actions are not tracked, or even noticed, by security teams. While QR codes make processes simpler, they are not how typical government business is performed, and attackers rely on the general public not realizing it.
Call-back phone numbers are another increasingly common defense bypass. Some scams steer victims to urgently call a specific phone number to resolve a relevant issue, relying on urgency and a persuasive script. Adversaries know that victims have been trained to not simply click links, and to verify via phone, so it's natural to then encourage using a call center (imitating the IRS) to collect information. Phone numbers contained within any email, attachment, or document received should not be trusted. Instead, search for the official call numbers of the agency and call directly. Phone numbers are also typically indexed via search engines, so searching the phone number provided to you by the attacker will often reveal that it has no ties to the agency.
Identifying Workplace-Oriented Tax Season Scams
These tactics do not stop with individual taxpayers. They show up inside organizations as HR and Finance impersonation, and the impact is often tax-related. W-2 information, Social Security numbers, addresses, and payroll details are high-value identity artifacts. Attackers target HR, payroll, and finance teams with requests that look routine: resend a W-2, confirm employee tax details, change direct deposits, update vendor banking, or approve a payment. Oftentimes, these messages leverage a technique known as “threadjacking,” wherein attackers try to trick users by using existing context and fake threads to divert an ongoing conversation to a malicious payload. This is often carried out through a compromised internal account, or one from a known vendor, where the adversaries search for existing email threads and try to persuade the victim. The message may appear to come from an employee, a vendor, or an executive, but an email thread is not identity proof.
Many of these malicious messages do not actually carry malware and contain no obvious links, so detection has to focus on intent. Lookalike domains, display name tricks, and compromised accounts can still produce convincing messages. Practical measures include labeling external senders, flagging messages that introduce new payment instructions or request tax forms, and treating last-minute shifts to other communication mediums, such as “text me” or “call this number,” as a risk signal.
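The triage signals above, sketched as an added example (not from the original article or any product): the internal domain example.com, the regex patterns, the flag names, and the three sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own mail domain

# Constructed patterns for the intent signals named in the text.
SIGNALS = {
    "payment_change": re.compile(
        r"\b(direct deposit|bank(ing)? (details|information|account)|new account)\b", re.I),
    "tax_form_request": re.compile(
        r"\b(w-?2s?|social security numbers?|ssn|tax (forms?|details))\b", re.I),
    "channel_shift": re.compile(r"\b(text me|call this number|call me (at|on))\b", re.I),
}

def score_message(raw):
    """Return the list of risk flags raised by one RFC 5322 message (plain text body)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain not in INTERNAL_DOMAINS:
        flags.append("external_sender")  # would drive the external-sender label
        # Display name trick: an internal-looking name on an external address.
        if any(d in display.lower() for d in INTERNAL_DOMAINS):
            flags.append("display_name_mismatch")
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags += [name for name, rx in SIGNALS.items() if rx.search(text)]
    return flags

def needs_verification(flags):
    """Intent flags require out-of-band verification even for internal senders,
    because a compromised internal account passes every sender check."""
    return any(f in SIGNALS for f in flags)

# Constructed sample messages.
SAMPLE_EXTERNAL = ('From: "Payroll hr@example.com" <payroll@example-hr.test>\n'
                   "Subject: Urgent: W-2 copies\n\n"
                   "Please resend the W-2 for all staff today. "
                   "I'm in meetings, so text me at the number below.\n")
SAMPLE_THREADJACK = ("From: Alex <alex@example.com>\nSubject: Re: Q1 invoice\n\n"
                     "Following up on the thread: our banking details have changed, "
                     "please use the new account for this payment.\n")
SAMPLE_BENIGN = "From: Sam <sam@example.com>\nSubject: Lunch\n\nLunch on Thursday?\n"

if __name__ == "__main__":
    for sample in (SAMPLE_EXTERNAL, SAMPLE_THREADJACK, SAMPLE_BENIGN):
        flags = score_message(sample)
        print(flags, "verify" if needs_verification(flags) else "ok")
```

The second sample comes from an internal address and raises no sender flag, which is why the intent check runs independently of where the message originated.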
Steps to Mitigate the Risk
What should users do if they receive any information they’re unsure about related to their taxes? Go straight to the source. Users should not click, scan, or reply to any unexpected message appearing to be sent from the IRS. Instead, they should open a browser and navigate directly to the official destination. If searching via a search engine, ensure that an advertisement is not clicked: malicious ads that mimic the look of the legitimate site can be found on major search engines. If a notice is real, it can be addressed from an official entry point without using the attacker’s provided route. The same goes for communication allegedly from an employee or an employer: it’s critical to verify directly with the specific point of contact before providing any information. This breaks the attacker’s advantage: controlling where the recipient lands and who they talk to.
For people and organizations alike, quick and easy reporting is the best way to counter a threat. People will receive convincing malicious messages, especially during tax season, and modern defenses should not be centered on assuming the email recipient will identify the threat. When reporting is blame-free and simple, scams get surfaced earlier and follow-on attempts become less effective.
IRS impersonation and HR or Finance targeting succeed when speed beats verification. It’s critical for users and organizations to verify the source, treat QR codes as hidden links, and never trust a phone number that arrives inside an unexpected message. More than anything, vigilance is key, but by disrupting attackers’ reliance on influencing urgent action, calmer heads prevail and everyone will be safer this tax season as a result.








