Tax season can be a time of rushed deadlines and heightened stress, and cybercriminals are banking on those emotions to steal your financial data. A new report found threats targeting taxpayers in 2025 have risen by 28%. In this article, we talk to experts about tax season scams in 2025 and how to detect them.
Tax scammers are back with new AI toys
On April 10, KnowBe4, a company helping organizations build their cybersecurity culture, reported that their Threat Labs teams detected a spike in tax season phishing of 27.9% in March compared to the previous month.
Most of the threats detected were email phishing that contained financial-themed payloads.
Cybercriminals are using finance-related language and advanced obfuscation techniques with the ultimate goal of stealing victims’ sensitive information or manipulating recipients into sending money.
GenAI and automation-AI are the main technologies that tax scammers use to impersonate legitimate businesses and individuals and blast out millions of emails, SMS, phone calls, and social media tax scams.
The source of the spike in tax-related scams
Attackers behind this wave of tax season scams are not new to the game. About half of all attacks came from compromised business email accounts — hacked emails.
A smaller percentage of all phishing emails (7.8%) abused legitimate QuickBooks services. Only 4.3% of these tax-themed phishing emails were sent from free email services, and the majority of these attacks were sent from aged domains (100 days or older).
KnowBe4 Threat Labs found that cybercriminals are employing embedded QR codes, polymorphic subject lines, and lookalike email domains in 2025.
Palo Alto Unit42 is also following this year’s activity on tax-related threats.
“Pay now or else” and other red flags you should not miss
Detecting emails that are a threat requires users to be on the lookout for certain red flags, such as an urgency to pay now. This is not normal behavior from tax agents or tax organizations.
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, told Moonlock that US taxpayers need to stay alert for scammers that tell them to “pay now or else.”
“IRS agents do want to make you pay, but they will usually work with taxpayers and work out a reasonable payment schedule to pay their tax debt,” Hauk said.
If you receive an email from an individual who claims to be an IRS agent who threatens you with arrest or deportation if payment is not filed immediately, make no mistake: You are talking to a cybercriminal. Neither the IRS in the US nor His Majesty’s Revenue and Customs (HMRC) in the UK use such language or exhibit this type of behavior.
Taxpayers in other countries, like Canada, are also being targeted.
“Free tax advisors” on social media can cost you everything you have
Hauk from Pixel Privacy explained that it’s not just tax agents that cybercriminals are impersonating. They are also tricking victims by posing as “tax services” providers.
“Make sure you use a reputable tax accountant to do your taxes and don’t take ‘tax advice’ from anyone on social media,” Hauk said.
In many cases, videos on social media try to convince viewers that they know loopholes that can be used to avoid paying taxes, or they misinform viewers about the number of exemptions they can claim, Hauk added.
The rise of GenAI tax platforms
Menlo Security researchers recently found 600 incidents of GenAI fraud in 2024. Threat actors increasingly leverage new technologies like AI to create more convincing phishing emails. They also use automated SMS and email “blasters” to scale the volume of their campaigns and drive success rates.
By using databases that cybercriminals buy on the dark web, they can also hyper-personalize phishing with victims’ full names, addresses, and other data.
Criminal trends, popular scam scripts, and attack techniques in 2025
Devin Ertel, Chief Information Security Officer (CISO) at Menlo Security, spoke to us about criminal trends in the 2025 tax season and how they exploit human emotions.
“Cybercriminals are fully aware of the stress and anxiety that surrounds tax season, and every year, they take full advantage,” Ertel said.
Cybercriminals are fully aware of the stress and anxiety that surrounds tax season, and every year, they take full advantage.
Devin Ertel, Chief Information Security Officer (CISO) at Menlo Security
Threat actors prey upon consumers and businesses alike, knowing that an individual is more likely to make a mistake and fall for a scam when they feel pressured or stressed.
Ertle from Menlo Security said that common 2025 tax-related scams include:
- Fake emails claiming to be from the IRS
- Phony tax preparation services
- Fraudsters posing as new clients targeting tax professionals
- Tax GenAI platform impersonations to steal sensitive data
- Sites that promise free advice or instructions for filing taxes
- Quishing (QR code phishing) tied to tax scams
- Malicious QR codes embedded in emails or physical documents
“Being aware of these types of scams is certainly a good first step, but organizations should also prioritize browser security to detect and thwart web and email-based attacks from reaching employees,” Ertel said.
CTO of top email security provider opens up on the tax phishing frontlines
Stephen Kowski, Field Chief Technology Officer (CTO) at SlashNext Email Security+, also spoke to us about the types of attacks they are seeing on the front lines.
“The most prevalent attacks we’re seeing involve links that direct users to cloud collaboration services where malicious files are hosted or legitimate services are impersonated,” Kowski said.
Attackers are increasingly registering legitimate accounts on trusted platforms and using the platform’s own notification systems to deliver phishing attempts. This makes them harder to detect, Kowski explained.
Unfortunately, it’s not just email phishing that’s on the rise. As taxpayers turn to their smartphones more and more every day, so do cybercriminals.
Phishing via text and voice is also on the rise, driven by threat actors in the phishing-as-a-service black markets who offer platforms and ready-to-use technologies for any criminal willing to commit a large-scale SMS or smishing attack.
We recently reported on how the Smishing Triad, a massive phishing technology vendor, works from abroad, targeting Americans and Europeans with common scams.
The wide availability of these easy-to-use phishing tools has effectively lowered the barrier of entry for attackers to reach potential victims.
How to protect yourself from tax-related scams in 2025
Kowski from SlashNext Email Security told us that the best defense is implementing separate validation controls. In simple terms, always verify requests through an independent channel rather than responding directly to the message you received.
Because cybercriminals use these new technologies, scams are becoming increasingly difficult to tell apart from the real thing.
“Look for subtle inconsistencies in language patterns, and consider using live scanning technology that can analyze content, behavior, and intent to identify malicious elements before you interact with them,” said Kowski.
Look for subtle inconsistencies in language patterns, and consider using live scanning technology that can analyze content, behavior, and intent to identify malicious elements before you interact with them.
Stephen Kowski, Field Chief Technology Officer at SlashNext
If you suspect that your personal data has been compromised, contact the IRS Identity Protection Specialized Unit immediately and file Form 14039 (Identity Theft Affidavit) to alert them of the situation.
You can also file a fraud alert with one of the 3 major credit bureaus, which will automatically notify the other 2. Additionally, consider freezing your credit to prevent new accounts from being opened.
Kowski said that the IRS typically doesn’t initiate contact through email, text messages, or social media channels, so any proactive communication through these channels should immediately raise suspicion.
Final thoughts
As cybercriminals gain access to new and more effective technologies, the classic tax season scams modernize and evolve. If before, you could spot these scammers easily, that has changed.
Criminals are impersonating not just tax agencies and agents but also tax service providers and fake AI-tax platforms on the web and on social media. From email to SMS to phone calls, stay on alert when doing your taxes in 2025.
