Cybercriminals are quick to exploit seasonal events, and tax season is no exception. It is an annual honeypot for cybercriminals, who take advantage of heightened stress, tight deadlines, and sensitive financial information.
With deadlines looming across the US and EU, our Threat Labs team observed a 27.9% increase in phishing attacks in March 2025 compared with the previous month, many of which contained financial-themed payloads.
These emails used social engineering tactics, finance-related language and advanced obfuscation techniques in attempts to steal sensitive information or manipulate recipients into sending money.
Specifically, KnowBe4 Defend identified a sharp spike in tax-related phishing activity on March 14, 2025, with 16% of all phishing emails processed that day containing the word “tax” in the subject line. Interestingly, only 4.3% of these tax-themed phishing emails were sent from free email services.
Nearly half of all identified attacks (48.8%) originated from compromised business email accounts, while 7.8% leveraged the legitimate QuickBooks service, as observed in previous incidents. Additionally, the majority of these attacks were sent from aged domains (100 days or older), employing tactics specifically designed to enhance legitimacy and bypass traditional security filters, such as secure email gateways (SEGs).
All attacks analyzed from this campaign were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Labs team.
Tax-Related Phishing Attack Example:
In this example, the cybercriminal has impersonated a lawyer from a reputable law firm to send a fake tax return. The phishing attack is designed to harvest Personally Identifiable Information (PII), specifically targeting sensitive data such as addresses and Social Security Numbers. A link embedded within a QR code directs victims to a fraudulent form crafted to capture this information and facilitate identity theft. To enhance the email's legitimacy and deliverability, attackers employ a variety of tactics, including QR code obfuscation, polymorphic elements, and lookalike domains.
Screenshot of tax-related phishing email sent from a lookalike domain, with KnowBe4 Defend anti-phishing banners applied
Screenshot of QR code payload found within the email attachment
Tactic One: Embedding a QR Code in an Attachment
Above is an example of a financial-themed phishing attack leveraging the word “tax” in the subject line. In this case, the email delivers a fake tax return embedded within a DOCX file containing a QR code that conceals the malicious payload, an obfuscation technique designed to bypass traditional security tools. Detecting the malicious payload requires advanced technologies that can scan attachments and analyze both hidden content and social engineering cues within the email body.
If the recipient were to open the attachment and scan the payload, this would also move the attack away from a secure work device and onto a mobile device that potentially lacks proper security protocols.
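Because the URL sits inside an image rather than in the document text, a link scanner never sees it; the first step of attachment analysis is pulling the embedded pictures out of the DOCX so they can be handed to a QR decoder. The triage helper below is an added illustration, not KnowBe4 Defend's code or anything from the original post; the sample DOCX is constructed in memory, and the "square image is a QR candidate" heuristic is an assumption made for this example.

```python
import io
import struct
import zipfile

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_dimensions(data: bytes):
    """Return (width, height) from a PNG IHDR chunk, or None if the bytes are not a PNG."""
    if data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])

def triage_docx(blob: bytes, min_side: int = 100):
    """List embedded media in a DOCX and flag images worth sending to a QR decoder.

    A DOCX is a zip archive; pictures live under word/media/. The square-image
    heuristic is an assumption: QR codes are square, letterheads usually are not.
    """
    report = {"media": [], "qr_candidates": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/media/"):
                continue
            dims = png_dimensions(zf.read(name))
            report["media"].append((name, dims))
            if dims and dims[0] == dims[1] and dims[0] >= min_side:
                report["qr_candidates"].append(name)
    return report

def _png_stub(width: int, height: int) -> bytes:
    """Constructed PNG header (signature + IHDR only); enough for size parsing."""
    ihdr = struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00"
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00\x00\x00\x00"

def build_sample_docx() -> bytes:
    """Constructed stand-in for the 'fake tax return' attachment described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", _png_stub(600, 120))  # letterhead banner
        zf.writestr("word/media/image2.png", _png_stub(300, 300))  # square: QR candidate
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_docx(build_sample_docx()))
```

Candidates from `qr_candidates` would then go to a real QR decoder, and the decoded URL gets the same domain and reputation checks a plain hyperlink would receive.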
Tactic Two: Polymorphic Subject Lines and Attachment Names
These attacks also featured a variety of polymorphic elements across the email's subject line, display name, body, and attachment, which can be tailored to the recipient. For example, the attachment name may change to reflect the recipient's company, while its content may vary based on the recipient's location or email preferences.
In the example above, the cybercriminal has included randomized characters in the subject line, display name and reference number, making mass remediation far more difficult for IT and security teams. This customization is easily automated using scripts or phishing toolkits, allowing attackers to tailor each email for greater credibility. In some cases, attackers may even leverage AI to generate these polymorphic elements, allowing them to churn out customized attacks at scale.
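Randomized characters defeat exact-match searches, so mass remediation works better on a normalized template than on the raw subject. The snippet below, an added example rather than code from the post or from KnowBe4, replaces the volatile tokens (mixed digit/letter strings, long numbers) with placeholders and groups messages by the resulting template; the regex rules and the sample mailbox data are constructed assumptions for this illustration, and the same normalization can be applied to display names.

```python
import re
from collections import defaultdict

# Rules replace the volatile pieces with placeholders so variants of one campaign
# collapse onto a single template. The patterns are assumptions chosen for this example.
_RULES = [
    # 4+ uppercase alphanumerics containing at least one digit and one letter, e.g. A8F3K2Q
    (re.compile(r"\b(?=[A-Z0-9]*\d)(?=[A-Z0-9]*[A-Z])[A-Z0-9]{4,}\b"), "<RND>"),
    (re.compile(r"\b\d{4,}\b"), "<NUM>"),      # years, invoice and reference numbers
    (re.compile(r"\s+"), " "),                 # collapse padded whitespace
]

def normalize_subject(subject: str) -> str:
    """Reduce a polymorphic subject line to its campaign template."""
    s = subject.strip()
    for pattern, placeholder in _RULES:
        s = pattern.sub(placeholder, s)
    return s.lower()

def cluster_campaigns(messages):
    """Group (recipient, subject) pairs by normalized subject template."""
    clusters = defaultdict(list)
    for recipient, subject in messages:
        clusters[normalize_subject(subject)].append(recipient)
    return dict(clusters)

def flag_campaigns(messages, min_recipients=3):
    """Templates reaching at least min_recipients mailboxes are candidates for bulk removal."""
    return {
        template: sorted(set(recipients))
        for template, recipients in cluster_campaigns(messages).items()
        if len(set(recipients)) >= min_recipients
    }

# Constructed sample mailbox data (not real mail): three variants of one campaign
# with different reference codes, plus two unrelated subjects.
SAMPLE = [
    ("alice@example.com", "Tax Return 2024 for Review - Ref #A8F3K2Q"),
    ("bob@example.com",   "Tax Return 2024 for Review - Ref #ZQ91TTX"),
    ("carol@example.com", "Tax  Return 2024 for Review - Ref #M4K7P9D"),
    ("dave@example.com",  "Lunch on Friday?"),
    ("erin@example.com",  "Invoice 48213 overdue"),
]

if __name__ == "__main__":
    for template, recipients in flag_campaigns(SAMPLE).items():
        print(f"{template!r}: {len(recipients)} recipients")
```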
Tactic Three: Lookalike Email Domains
The attacker sent the phishing email from a lookalike domain mimicking a legitimate US legal service, with only minor character changes. Because this was a lookalike, not a direct spoof, the domain could be easily registered and was able to bypass traditional SEG controls that rely heavily on domain reputation. This particular domain was also over 1000 days old, helping the attack bypass authentication checks.
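A lookalike passes SPF, DKIM and DMARC because it is a real domain the attacker controls, and as this campaign shows, domain age is no help either once the registration is old enough. What does catch it is comparing the sender's registrable domain against the domains the organization actually deals with. The check below is an added example, not code from the post or from KnowBe4; the protected domain and sender domains are constructed placeholders, and the confusable-character table and two-label registrable-domain logic are simplifying assumptions.

```python
from unicodedata import normalize

# Character swaps attackers use to mimic a domain; the table is an assumption for this example.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def skeleton(domain: str) -> str:
    """Collapse visually confusable sequences so 'examp1e' and 'example' compare equal."""
    d = normalize("NFKC", domain).lower()
    for src, dst in _CONFUSABLES:
        d = d.replace(src, dst)
    return d

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[-1]

def registrable(domain: str) -> str:
    """Keep the last two labels. Assumption: real deployments use a public-suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def lookalike_verdict(sender_domain, protected_domains, max_distance=2):
    """Return (protected_domain, reason) for a near-miss, or None for exact or unrelated domains."""
    s = registrable(sender_domain)
    for p in map(registrable, protected_domains):
        if s == p:
            return None  # exact match: that case is for SPF/DKIM/DMARC, not lookalike logic
        if skeleton(s) == skeleton(p):
            return p, "homoglyph"
        if edit_distance(s.split(".")[0], p.split(".")[0]) <= max_distance:
            return p, "edit-distance"
    return None

# Constructed placeholders: a protected legal-services domain and a few sender domains.
PROTECTED = ["examplelegal.com"]

if __name__ == "__main__":
    for sender in ["examplelega1.com", "exarnplelegal.com", "examplelegals.com",
                   "mail.examplelegal.com", "unrelated-vendor.com"]:
        print(sender, "->", lookalike_verdict(sender, PROTECTED))
```

A hit from this check is a reason to quarantine or banner the message regardless of how long ago the domain was registered or whether it passes authentication.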
How Should Organizations Respond?
Cybercriminals will continue to exploit seasonal events to launch increasingly sophisticated phishing attacks. To counter these threats, organizations should utilize advanced security technologies capable of conducting a holistic analysis of all email elements, such as language, tone, subject lines, and attachment analysis in this case, to identify subtle indicators of malicious intent. In parallel, organizations need to implement targeted and relevant training programs that equip employees with the knowledge to pre-empt these attacks and respond accordingly.
When it comes to tax-related phishing, attackers are banking on the chaos of the season, but a well-prepared organization that leverages appropriate technology, training and policies should leave them empty-handed.