Tax Season Scams: How Refund Fraud Escalates Into Enterprise Risk
Each filing season, threat actors execute coordinated, identity-driven campaigns that begin with refund fraud and rapidly escalate into credential harvesting and enterprise exposure.


Tax season marks one of the most consistent social engineering cycles of the year. Every year, thousands fall victim to IRS impersonation scams, refund fraud, and identity theft as filing deadlines and refund anticipation create the perfect cover for deception.
As employees gather W-2s, communicate with preparers, monitor refund status, and access IRS or state portals, legitimate tax communication increases sharply. That surge creates cover, and within that noise, malicious emails, SMS messages, QR-coded documents, spoofed portals, and impersonation calls are far more likely to blend in unnoticed.
Core to tax scams is the exploitation of urgency and institutional authority. Messages threaten penalties, promise unexpected refunds, or claim filing errors requiring immediate verification. Modern tax scams are identity-driven and engineered for cross-channel delivery across email, SMS, phone calls, collaboration platforms, and social channels. On top of this, the IRS Criminal Investigation division identified approximately $4.5 billion in tax fraud in fiscal year 2025 alone, a 111% increase compared to the prior year, showing just how substantial the financial impact of these campaigns is.
Tax fraud in 2026 is not just about stolen refunds. This blog examines how tax season fraud evolves from personal identity theft into enterprise credential compromise and why security teams must treat it as a predictable Q1 user-driven risk cycle.

Tax Season as an Identity Theft Accelerator
Tax season compresses large volumes of sensitive personal data into a short, nationally synchronized window. Social Security numbers, income details, employer information, and bank account credentials are more frequently accessed, transmitted, and verified. For threat actors, this creates a concentrated identity opportunity.
Using breached data from prior leaks, attackers file fraudulent tax returns early in the season to capture refunds before legitimate taxpayers submit filings. Others impersonate the IRS across email, SMS, phone calls, or social media, claiming refund recalculations, verification discrepancies, stimulus eligibility, or outstanding balances. Victims are pressured to disclose additional personal information or submit documentation under the guise of compliance.
While many attacks end with refund theft, confirmed identity information carries compounding value and can fuel more advanced social engineering campaigns.
Tax-Themed Social Engineering and Credential Harvesting
Social engineering and credential harvesting are not the only tax-season scam patterns, but they are among the most prevalent and consequential. Tax-themed campaigns may begin with refund fraud, IRS impersonation, or direct credential harvesting. In many cases, attackers use filing season as a credible and time-sensitive pretext to redirect users to spoofed portals that mimic IRS.gov, state tax systems, trusted preparer platforms, or enterprise single sign-on pages. Messages referencing refund verification, documentation discrepancies, or required updates are engineered to capture credentials, financial information, or multi-factor authentication codes that can later be reused, resold, or leveraged in broader fraud.
These operations are deliberately cross-channel. Refund status texts, QR-coded PDF attachments, collaboration platform messages, and voice-based impersonation campaigns may operate independently or in coordination to funnel victims toward credential harvesting infrastructure designed to evade traditional inspection controls. By combining institutional authority, deadline pressure, and repeated touch-points across mediums, attackers reinforce credibility, amplify urgency, and increase the likelihood of user compliance.
Evidence of this coordinated, multi-channel activity is already visible at enterprise scale. In 2025, Microsoft Threat Intelligence reported tax-themed phishing campaigns targeting more than 2,300 organizations, including operations that used QR-coded PDF attachments to redirect employees to spoofed IRS and Microsoft 365 login pages to harvest enterprise credentials. In January 2026, the Federal Trade Commission warned of a surge in phone-based IRS impersonation scams using fabricated “tax resolution” agencies to pressure individuals into disclosing Social Security numbers and financial data.
Beyond refund-related messaging, tax season also drives fraudulent preparer portals, payroll impersonation attempts, and W-2 data requests aimed at expanding identity exposure. While many campaigns remain financially motivated, credential capture and identity validation techniques observed during filing season can intersect with enterprise identity systems when passwords are reused or corporate authentication sessions are active, transforming seasonal scams into broader access and enterprise risk events.
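For defenders triaging links pulled from reported emails, SMS messages, or decoded QR codes, the spoofed portals that mimic IRS.gov described above can be separated from the genuine site by checking where a URL actually lands rather than what it displays. The following is an added example, not code from the original post; the trusted-domain list, the brand tokens, the function names, and the sample URLs (all on the reserved `.example` TLD) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only domain treated as the genuine IRS site in this example.
TRUSTED_DOMAINS = {"irs.gov"}
# Assumption: tokens that signal an attempt to look like the IRS.
BRAND_TOKENS = {"irs", "irsgov"}


def _tokens(text):
    """Split on dots, hyphens and other separators so 'first' never matches 'irs'."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def classify_url(url):
    """Return (verdict, detail); verdict is trusted, lookalike, unrelated or invalid."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ("invalid", "unparseable URL")
    # hostname is the real destination: userinfo and port are already stripped.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("invalid", "no hostname")
    # Trusted only if the host IS the domain or a true subdomain of it.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return ("trusted", host)
    # 'https://irs.gov@portal.example/' shows irs.gov but connects to portal.example.
    userinfo = parts.username or ""
    if _tokens(userinfo) & BRAND_TOKENS:
        return ("lookalike", "brand name in userinfo, real host is " + host)
    # 'irs.gov.refund-status.example' and 'irs-gov-refund.example' carry the brand
    # as a label or hyphenated token of a host that is not under irs.gov.
    if _tokens(host) & BRAND_TOKENS:
        return ("lookalike", "brand token in untrusted host " + host)
    return ("unrelated", host)


if __name__ == "__main__":
    # Constructed sample URLs, as they might be extracted from a message or QR code.
    samples = [
        "https://www.irs.gov/refunds",
        "https://irs.gov.refund-status.example/verify",
        "https://irs-gov-refund.example/login",
        "https://irs.gov@portal.example/login",
        "https://first.example/news",
    ]
    for s in samples:
        print(classify_url(s), s)
```

The check covers the hostname and userinfo only; a brand name placed in the path of an unrelated host is not flagged.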
From Refund Fraud to Enterprise Exposure
Enterprise risk escalates when personal tax activity intersects with corporate identity systems. Employees routinely check refund notifications, upload documentation, and respond to verification prompts from managed devices. Password reuse across personal and professional accounts remains common, and corporate browsers often store credentials, maintain active sessions, and rely on federated identity providers. The boundary between personal identity workflows and enterprise authentication systems is more porous than many organizations assume.
Attackers do not always need to initiate an explicitly enterprise-focused campaign to create organizational exposure. Credentials harvested through tax-themed phishing, validated identity data, or compromised session information can overlap directly with corporate systems. A reused password or captured single sign-on credential may provide access to enterprise applications without triggering immediate suspicion.
Tax season also amplifies enterprise-facing schemes. W-2 data exfiltration attempts target HR teams. Business email compromise campaigns pressure finance departments using filing deadlines as leverage. Fraudulent preparer or payroll verification portals intersect with internal workflows. As personal identity activity overlaps with enterprise infrastructure, seasonal deception aimed at individuals can translate quickly into measurable exposure across the User Layer.
Securing the User Layer During Tax Season
Tax scams blend identity theft, refund fraud, and credential compromise to exploit the surge of deadlines, documentation exchanges, and financial verification that define filing season. While many campaigns pursue immediate financial gain, attackers increasingly leverage validated identity data and harvested credentials to expand into broader enterprise exposure.
Breaking the Q1 social engineering cycle requires recognizing tax season as a recurring identity risk window rather than an isolated consumer fraud problem. As event-driven scams grow more sophisticated and identity-centric each year, security leaders must equip their teams with tools that provide visibility across the User Layer, enabling early identification of elevated-risk users and automated, targeted remediation where exposure is greatest.
This is the gap Dune Security was built to address. By continuously measuring user risk across channels and dynamically prioritizing intervention around high-risk individuals while allowing low-risk users to operate with minimal friction, organizations can reduce seasonal identity exposure, contain user-driven threats before they propagate across enterprise systems, and align security investment directly with measurable business risk.
FAQs
Most tax scams center on IRS impersonation delivered across email, SMS, phone calls, and collaboration platforms. These messages may claim refund recalculations, tax credit eligibility, verification errors, or outstanding balances, often using QR-coded documents or spoofed portals to harvest credentials. While many aim for refund theft, increasingly these campaigns validate identity data and capture credentials that can later be reused in broader fraud or enterprise targeting.
Each filing season introduces more sophisticated variations, reinforcing tax scams as an evolving identity-driven threat. These scams have evolved from isolated refund fraud into coordinated, cross-channel identity campaigns. Attackers now blend impersonation, credential harvesting, QR-based delivery, and data validation techniques to increase credibility and scale. Filing season has become a structured identity attack cycle rather than a simple spike in phishing emails.
Tax scams create enterprise risk when tax-themed phishing and identity theft campaigns target employees across channels and intersect with corporate identity systems. What begins as personal refund fraud can escalate into credential harvesting, W-2 data exposure, or business email compromise when validated identity data and compromised access are reused against enterprise environments. As personal identity activity overlaps with organizational infrastructure, seasonal deception can translate directly into measurable enterprise exposure.
Tax scams follow the same structural pattern as holiday shipping scams, year-end bonus fraud, and other event-themed phishing. Attackers anchor deception to predictable calendar moments when identity activity, financial transactions, and communication volume surge. The theme changes, but the mechanics remain consistent: urgency, authority, and high-trust workflows are exploited to harvest credentials and validate identity data.
At their core, tax-themed social engineering campaigns exploit user behavior across channels, devices, and identity systems during the concentrated identity activity of filing season. These attacks succeed because adversaries manipulate how users verify, share, and authenticate sensitive information under deadline pressure and institutional authority. Organizations must continuously measure and reduce risk across this critical layer while educating employees on the real-world threats they are most likely to encounter, including multi-channel tax scams that blur the line between personal activity and enterprise exposure.


