Virtualization Technology News and Information
2025 Tax Season Alert: Cybersecurity Experts Warn of AI-Powered Tax Scams and How to Protect Yourself


With Tax Day coming up, a few industry experts have shared commentary with VMblog on the onslaught of tax-related scams that consumers and businesses face each year during this time. Threat actors are increasingly leveraging AI to enhance the scale, sophistication, and effectiveness of tax fraud, Internal Revenue Service (IRS) scams, and financial cybercrimes. AI enables automation, personalization, and deception, making scams harder to detect and more damaging to victims.

According to the IRS, more than $37 billion in tax and financial crimes were identified in 2023, and that's just what they were able to catch! With the arrival of AI, individuals must be aware of the possibility that cybercriminals could impersonate GenAI platforms to manipulate users into entering sensitive data with the promise of free advice or instructions for filing taxes.

++

Devin Ertel, CISO, Menlo Security

Tax season is challenging for many reasons. Preparing your taxes can take many hours, even if you hire a professional to help; realizing you may owe taxes you weren’t prepared for places additional financial hardship on the process, and the severe consequences of making mistakes or missing deadlines weigh heavily. Cybercriminals are fully aware of the stress and anxiety that surrounds tax season, and every year they take full advantage. Threat actors prey upon consumers and businesses alike, knowing humans are more likely to make a mistake and fall for a scam when they are feeling pressured or stressed.
 
Common tax-related scams include fake emails claiming to be from the IRS, phony tax preparation services, and even fraudsters posing as new clients targeting tax professionals. And with the advent of AI, individuals must be aware of the possibility that cybercriminals could impersonate GenAI platforms to manipulate users into entering sensitive data with the promise of free advice or instructions for filing taxes. In fact, our researchers found 600 incidents of GenAI fraud in 2024.

Being aware of these types of scams is certainly a good first step, but organizations should also prioritize browser security to detect and thwart web- and email-based attacks before they reach employees.

++
 
J Stephen Kowski, Field CTO at SlashNext Email Security+

The most prevalent attacks we’re seeing involve links that direct users to cloud collaboration services where malicious files are hosted, or legitimate services are impersonated. Attackers are increasingly registering legitimate accounts on trusted platforms and using the platform’s own notification system to deliver phishing attempts, making them harder to detect.

Phishing via text and voice is also on the rise, effectively lowering the barrier of entry for attackers to reach potential victims. AI tools are making it easier for scammers to create convincing impersonations that bypass traditional security measures through perfectly crafted messages. The best defense is implementing separate validation controls - always verify requests through an independent channel rather than responding directly to the message you received. Look for subtle inconsistencies in language patterns and consider using live scanning technology that can analyze content, behavior, and intent to identify malicious elements before you interact with them.

If you suspect that your personal data has been compromised, contact the IRS Identity Protection Specialized Unit immediately and file Form 14039 (Identity Theft Affidavit) to alert them of the situation. Place a fraud alert with one of the three major credit bureaus, which will automatically notify the other two, and consider freezing your credit to prevent new accounts from being opened. The IRS typically doesn’t initiate contact through email, text messages, or social media channels, so any proactive communication through these channels should immediately raise suspicion. Urgency is a major red flag - scammers create artificial time pressure to force quick decisions before you can properly validate the request. Always slow down and independently verify the source through official channels rather than using contact information provided in the suspicious message - this approach catches most sophisticated scams regardless of how authentic they appear.

++

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software

In 2025, we’re seeing AI-driven phishing attacks and credential stuffing becoming more prevalent. Cybercriminals are using AI tools to create highly convincing phishing emails, mimicking communications from trusted entities like the IRS or financial institutions. These attacks often target individuals during tax season, capitalizing on the urgency to file taxes and the potential for confusion.

Credential stuffing attacks also continue to rise, where attackers use stolen login information from previous data breaches to access accounts with sensitive tax data. This is especially concerning when individuals reuse passwords across multiple sites. The best defense is ensuring strong, unique passwords for every account. Password managers can help with this, and enabling Multi-Factor Authentication (MFA) is essential. If individuals and businesses employ least-privilege access – limiting who has access to sensitive financial information – they can reduce the likelihood of breaches.

Generative AI and deepfake technology are making tax scams more sophisticated. Cybercriminals can now create realistic video and audio impersonations of IRS agents, tax professionals or even family members, tricking individuals into divulging sensitive information like Social Security numbers or tax credentials. To spot AI-generated content, look for subtle mismatches in tone, unnatural speech patterns or slight inconsistencies in the video. Scammers may also try to pressure you into taking urgent actions – if something feels rushed or too good to be true, it likely is.

++

Satyam Sinha, CEO and Co-founder at Acuvity, a Sunnyvale, Calif.-based provider of runtime Gen AI security and governance solutions

These days, GenAI is being used for everything to boost productivity. For example, it’s quite easy to upload paystubs to receive a summary of salary information, or to upload sensitive data, such as your W-2 or financial statements, to correlate information. This poses significant risks based on documents being used and the GenAI service, the tools, plugins, and even tier of usage. Everyone should be aware of the risks involved with sharing the content, especially on work devices, and understand that it could be prone to data leakage, training of models with your data, and data residency complications among other things.

GenAI is here to stay and what’s needed is secure and responsible adoption to foster productivity and innovation. As GenAI attack vectors are new, and the consumption of these will only grow, a ground-up security mindset to tackle the issues brought up by GenAI is needed. They must discover, visualize, formulate policies and protect their organizations.

++

Casey Ellis, Founder at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity

In 2025, we’re seeing a sharp rise in AI-driven attacks, particularly around tax season. Generative AI and deepfake technologies are being weaponized to create highly convincing phishing emails, voice calls, and even video messages that impersonate trusted entities like the IRS or tax preparers. Attackers are also leveraging stolen data from past breaches to craft hyper-personalized scams, making it harder for victims to discern fraud.

One specific trend to watch is the use of AI-generated voice phishing (vishing) attacks. Scammers are using deepfake audio to mimic the voices of tax professionals or government officials, tricking people into divulging sensitive information or making fraudulent payments. Another is the exploitation of unpatched vulnerabilities in tax software or third-party integrations, which can lead to data breaches.

Generative AI and deepfakes are game-changers for scammers. They allow attackers to scale their operations while increasing the believability of their scams. For example, a deepfake video of a “tax advisor” could be used to lure victims into sharing sensitive information, or AI-generated emails could mimic the tone and style of legitimate IRS communications with uncanny accuracy.

To spot AI-generated content, people should:

  • Look for inconsistencies: AI often struggles with fine details. In videos, watch for unnatural blinking or mismatched lip-syncing. In emails, look for odd phrasing or slight formatting errors.
  • Verify independently: If you receive a suspicious message or call, don’t engage directly. Instead, contact the organization using official channels to confirm its legitimacy.
  • Use reverse image or video search tools: These can sometimes reveal if a piece of content has been artificially generated or manipulated.

++

Chad Cragle, CISO at Deepwatch, a San Francisco, Calif.-based AI+Human Cyber Resilience Platform

Cybercriminals are employing increasingly sophisticated scams this tax season. They are reviving previously reputable domains to host fake tax services, bypassing standard security filters. Typosquatting remains a major strategy, with domains resembling popular tax services such as ‘H&RBl0ck[.]com’ to trick users. Many counterfeit sites leverage SEO poisoning, altering search engine rankings to seem legitimate and lure in victims.

Additionally, and of course, AI-driven threats are on the rise. Cybercriminals generate convincing phishing emails that impersonate IRS agents or tax preparers, complicating detection efforts. Deepfake audio scams are emerging, with attackers replicating voices to deceive victims over the phone. The delivery of malware has increasingly involved multiple stages, embedding harmful links in cloud-based document-sharing services like Google Drive or OneDrive. Attackers exploit LinkedIn and other professional networks to build trust before sending malware-laden tax documents.

Beyond these tactics, hackers are executing credential-stuffing attacks on tax filing platforms, utilizing stolen credentials to access taxpayer accounts. The prevalence of fake charities has surged, taking advantage of crises to steal funds and personal data. Scammers are impersonating tax preparers to trick victims into providing sensitive financial details to help with IRS online accounts. Reports also indicate a rise in counterfeit websites using IRS logos or targeting search terms like “Trump tax refund” to mislead taxpayers. These deceptive sites manipulate Google search standings to seem credible, increasing the risk of identity theft and financial fraud.

While these scams peak during tax season, tactics like AI-driven phishing, SEO poisoning, and multi-stage malware will continue evolving, fueling financial fraud and social engineering year-round.

++

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions

Lately there have been attacks that use legitimate Microsoft and GitHub services to facilitate complex attacks. The landing pages all appear to be authentic and even try to capture multi-factor authentication tokens. Emails that request an immediate action and threaten the loss of payment or other negative actions should be treated as incredibly suspicious. I would advise people to not click on links in emails that raise any concern about their tax return and instead go directly to their official tax service website and log in to see if there’s action for them to take.

If you feel that your identity has been compromised on a tax return, the first step is to report it to IdentityTheft.gov and also contact the IRS. You should also contact your state tax agency and put a freeze on your credit. Note that the IRS will not call, text, or email someone regarding an issue with their tax return as a first attempt of communication. All communications are done through regular postal mail initially. From there, if you do have a case with the IRS, it is only then that they will call or email you. Ignore any first communication with the IRS that threatens you through social media, an automated phone call, or asks for immediate payment.

++

Kern Smith, Vice President, Americas at Zimperium, a Dallas, Texas provider of mobile security solutions

Tax season remains a prime target for cybercriminals, and this year, we’re seeing a rise in mobile-first attacks, including mishing (mobile-specific phishing), fake tax-related websites, and fraudulent mobile apps impersonating the IRS or tax services.

One of the biggest threats is mishing, where attackers send texts posing as the IRS or a tax service, urging recipients to click on malicious links or download fake apps. These scams are designed to steal login credentials, Social Security numbers, and other sensitive financial information. Another trend is phishing sites that behave differently depending on the device accessing them. These sites may appear harmless on a desktop but deploy phishing attacks or malware when opened on a mobile device, bypassing traditional security measures. Attackers are also reusing the same hosting infrastructure across multiple scam sites, keeping them active and harder to shut down.

There’s also an uptick in quishing (QR code phishing) tied to tax scams, with malicious QR codes embedded in emails or physical documents that lead victims to phishing sites. With mishing attacks peaking at over 1,000 incidents per day in 2024, it’s clear that cybercriminals are prioritizing mobile-focused scams this tax season.

++

Saeed Abbasi, Manager, Vulnerability Research, Qualys Threat Research Unit (TRU)

As tax season arrives, ransomware operators—particularly those tied to the BlackBasta group—are ramping up phishing campaigns that masquerade as official tax communications. Recently leaked chatter suggests they are specifically targeting documents that must be filed, such as charities and nonprofit returns and other personal tax return checklists, to craft convincing bait.
 
These cybercriminals aim to trick recipients into downloading malware or surrendering sensitive information by spoofing IRS or CRA correspondence. Discussions about embedding official logos and images in phishing emails hint at sophisticated tactics designed to bypass security filters and exploit the chaos of tax filing deadlines.
 
With files and emails posing as legitimate tax forms, it’s vital to remain vigilant. Always verify the source of any urgent or unexpected tax-related message, especially those containing attachments or demanding quick action. In a season already filled with deadlines and details, staying cautious is your best defense against ransomware threats.

++

Eric Schwake, Director of Cybersecurity Strategy at Salt Security, a San Francisco, Calif.-based leader in API security

During tax season, there tends to be a rise in API traffic, and the urgency of deadlines significantly increases cybersecurity threats. The high volume of data flowing through APIs and the time-sensitive nature of tax submissions create an ideal environment for attackers. This results in a higher likelihood of misconfigurations, and gathering sensitive financial data makes these systems attractive targets.

Therefore, organizations should prioritize comprehensive API discovery and inventory to mitigate these risks, which offers a clear understanding of their attack surface. API posture governance must also be established to guarantee that all APIs follow security best practices, such as effective authentication, authorization, and data management. In addition, training employees on API security is essential, especially during the busy tax season. Developers should receive secure coding training, security teams need API-specific incident response education, and customer support should be trained to identify and report suspicious activities that could indicate API attacks. Highlighting phishing awareness, social engineering tactics, and practical simulations will create a proactive, organization-wide defense against vulnerabilities.

When filing personal taxes, individuals should focus on using reputable tax preparation services. It's important to create strong, unique passwords and activate multi-factor authentication. Staying alert to phishing emails, texts, and phone calls is essential, as is using private and secure Wi-Fi networks while filing taxes. Individuals should carefully check website URLs and be cautious of scams involving IRS impersonation, refund offers that claim to expedite returns for a fee, and the ongoing risk of tax identity theft. Regularly reviewing credit reports and tax records for unusual activity can aid in detecting and reducing these risks.

##
Published Friday, April 11, 2025 1:05 PM by David Marshall