Tax phishing has long been easy to dismiss as a seasonal consumer scam: fake IRS emails, refund bait, audit threats, and other lures aimed at people anxious about filing deadlines. New research from Hoxhunt suggests that the picture is increasingly outdated.
The company found that U.S. tax authority impersonation campaigns surged more than 400 percent above the two-year baseline in spring 2026, marking the largest tax-related phishing campaign it has observed in its global threat intelligence data. But the shift was not only about volume. The attacks were increasingly landing in workplace inboxes.
“We typically think about IRS spoofing and tax-themed campaigns as targeting private individuals, but it’s clear that tax phishing has increasingly shifted into employee work environments, not just personal inboxes,” said Mika Aalto, co-founder and CEO at Hoxhunt. “From an attacker’s perspective, compromising corporate accounts in an at-scale phishing campaign offers a greater payoff via access to sensitive financial workflows, internal systems, and confidential data.”
Hoxhunt said the findings are based on millions of real threat reports submitted by more than 4 million Hoxhunt users, giving the company visibility into phishing messages that reached employee inboxes rather than only attacks blocked by email gateways.
Overall, malicious phishing emails reported by U.S. users rose 147.3 percent during the same spring 2026 period. Tax-themed scams appear every spring, but Hoxhunt said previous filing seasons did not show comparable activity.
Why the Campaign Was Effective
Hoxhunt’s findings suggest the campaign was effective in part because it did not resemble the phishing attempts many employees have been trained to spot.
In the company’s simulations, personalized tax-themed attacks produced a 16 percent employee failure rate. That was more than three times higher than Hoxhunt’s 4 to 6 percent global average, suggesting that familiar awareness cues may be less effective against tax lures that appear to fit routine workplace activity.
The messages lacked obvious scam signals such as bad grammar, awkward phrasing, exaggerated threats, or refund bait. Instead, they used formal, procedural language similar to what employees might expect from tax agencies, payroll departments, HR portals, or compliance systems, with routine prompts to review documents, check returns, log in to portals, or confirm information.
Most of the observed campaign emails used malicious links, which appeared in 66 percent of cases. Hoxhunt also saw attachment-based and reply-based variants, giving attackers multiple ways to pursue the same goal. Some messages directed employees to fake portals, while others appeared designed to start a conversation before escalating the attack.
How AI May Be Changing an Old Scam
Hoxhunt stops short of saying AI caused this specific tax campaign. The report points to the campaign’s scale, consistency and personalization as signs that AI may be helping attackers industrialize an old lure, not as proof that every message was machine-generated.
In a March 2026 phishing trends report, Hoxhunt documented a 14-fold rise in AI-generated phishing attacks. The tax campaign fits that pattern, with polished language, localized impersonation, and enough variation to make the same basic scam work across different employees and contexts.
Generative AI could make that model easier to scale. Attackers no longer have to choose as sharply between volume and quality. They can generate clean, formal emails in multiple languages, adapt messages to specific tax authorities, and tailor lures to workplace routines without manually writing every version.
“Traditional phishing emails used to carry clear warning signs like poor grammar, inconsistent branding, or unusual formatting,” said Nicole Carignan, senior vice president, Security & AI Strategy, and field CISO at Darktrace. “Today, AI has removed many of those indicators.”
Why Tax Season Is Useful to Attackers
Tax season gives attackers a built-in source of urgency. Employees already expect deadlines, forms, notices, and documentation requests during filing season. A message about a tax return check, payroll update, or portal login may look like one more administrative task.
The risk also does not end in April. The October extension deadline creates a second period of tax-related activity, especially for organizations that treat tax phishing as a spring-only problem.
Why Training Needs to Change
The findings suggest security teams may need to treat tax phishing as part of the enterprise threat calendar, not merely as a seasonal consumer nuisance.
The October extension deadline deserves attention, along with payroll cycles, benefits enrollment, financial reporting, and other business processes that give attackers a plausible reason to ask employees for documents, credentials, or approvals. Simulations built around random, generic lures may miss the risk if real attackers are timing campaigns around periods when employees already expect administrative friction.
The guidance also needs to evolve. Employees should still watch for suspicious links, strange senders, and mismatched domains. But those red flags are less reliable when messages are polished, personalized, and written to sound like routine work. The safer habit is verification. Employees should go directly to known portals, contact HR or payroll through established channels, and avoid using links or contact details supplied in unexpected messages.
The broader warning is that attackers are increasingly exploiting ordinary business processes — forms, deadlines, portals, approvals, and compliance tasks — and AI may make those campaigns easier to scale. For security teams, that means training and detection need to account for the tax deadlines, payroll cycles, and other routine business processes attackers are using as part of the lure.
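One way a security team could turn that guidance into detection, as an added example that is not from Hoxhunt's report or any product it describes: a small Python triage scorer that weighs the lure traits discussed above (tax and payroll vocabulary, an external sender, links to portals employees were never told to use, and timing inside the spring filing window or the October extension window) and routes suspicious messages to out-of-band verification. The company domain, the allowlist of known portals, and the three sample messages are constructed assumptions; the third sample covers the reply-based variant with no link at all.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Assumed environment (hypothetical): the company's mail domain and the portals
# employees are told to reach directly rather than through emailed links.
INTERNAL_DOMAIN = "corp.example"
KNOWN_PORTALS = {"hr.corp.example", "www.irs.gov"}
# Lure vocabulary from the campaign traits the report describes; deadline
# windows cover the spring filing season and the October extension deadline.
LURE_TERMS = ["tax return", "refund", "w-2", "1099", "payroll", "filing",
              "irs", "extension deadline", "log in"]
DEADLINE_WINDOWS = [((3, 15), (4, 20)), ((9, 25), (10, 20))]  # (month, day)

SAMPLE_MESSAGES = [  # constructed examples, not real campaign data
    {"from": "notices@irs-refund-portal.example", "received": date(2026, 4, 9),
     "subject": "Action required: review your 2025 tax return",
     "body": "Your filing was flagged. Log in to confirm: https://irs-refund-portal.example/login"},
    {"from": "payroll@corp.example", "received": date(2026, 6, 2),
     "subject": "Q2 payroll schedule posted",
     "body": "The schedule is on the HR portal: https://hr.corp.example/payroll"},
    {"from": "support@taxfiling-help.example", "received": date(2026, 10, 8),
     "subject": "October extension deadline: documents needed",
     "body": "Reply with your W-2 and last year's return so we can finish your filing."},
]

def in_deadline_window(received):
    key = (received.month, received.day)
    return any(start <= key <= end for start, end in DEADLINE_WINDOWS)

def score_message(msg):
    """Return (score, reasons); 3 or more means verify out of band first."""
    text = f"{msg['subject']} {msg['body']}".lower()
    hits = [t for t in LURE_TERMS if re.search(rf"\b{re.escape(t)}\b", text)]
    if not hits:                       # no tax/payroll lure: nothing to weigh
        return 0, []
    score, reasons = 1, [f"lure terms {hits}"]
    sender = msg["from"].rsplit("@", 1)[-1].lower()
    if sender != INTERNAL_DOMAIN and not sender.endswith("." + INTERNAL_DOMAIN):
        score += 1; reasons.append(f"external sender {sender}")
    hosts = {urlparse(u).hostname for u in re.findall(r"https?://[^\s<>\"']+", msg["body"])}
    unknown = {h for h in hosts if h} - KNOWN_PORTALS
    if unknown:                        # link to a portal employees were not told to use
        score += 2; reasons.append(f"unknown link hosts {sorted(unknown)}")
    if in_deadline_window(msg["received"]):
        score += 1; reasons.append("received inside a filing-deadline window")
    return score, reasons

def verdict(msg):
    return "verify out of band" if score_message(msg)[0] >= 3 else "allow"
```

The reasons list is what a reporting workflow would show the employee or analyst, so the "go to the known portal, contact payroll through an established channel" advice is attached to the specific signal that triggered it.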