Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

U.S. tax-season phishing and malware-delivery campaign

Campaign
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

The U.S. tax-season phishing campaigns are harvesting credentials and delivering malware, putting individuals, accountants, and other professionals at risk. The lures mimic refund notices, payroll forms, filing reminders, and tax-related requests to push victims into opening malicious files, scanning QR codes, or clicking suspicious links. One large wave on February 10, 2026 affected more than 29,000 users across 10,000 organizations. The activity also uses PhaaS kits and RMM tools such as ScreenConnect, Datto, and SimpleHelp to gain persistent access and steal data.

Related Happenings

QR code phishing surged across email threats in Q1 2026

Target Trend
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: **Q1 2026** email-threat telemetry shows **QR code phishing** and **CAPTCHA-gated phishing** rising quickly, increasing the risk of **credential theft** across **organizations**....

Open Happening

Amazon SES phishing and BEC abuse campaign

Campaign
First: 04.05.2026 23:03 Last: 04.05.2026 23:03 Sources 1

About this happening: A phishing campaign is abusing Amazon Simple Email Service (SES) to send convincing emails that can bypass standard authentication and reputation-based defenses. Attackers are usi...

Open Happening

Formbook phishing campaign using DLL sideloading and obfuscated JavaScript

Campaign
First: 20.04.2026 18:01 Last: 20.04.2026 18:01 Sources 1

About this happening: The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...

Open Happening

Scattered Spider SMS phishing and SIM-swap crypto theft campaign

Campaign
First: 20.04.2026 16:33 Last: 20.04.2026 16:33 Sources 1

About this happening: The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...

Open Happening

FBI-led takedown of W3LL phishing network

Law Enforcement
First: 13.04.2026 13:35 Last: 13.04.2026 13:35 Sources 1

About this happening: **FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...

Open Happening

Timeline

  1. 23.03.2026 12:55 1 articles · 2mo ago

    IRS impersonation phishing wave affects more than 29,000 users

    Victim Impact Update

    On February 10, 2026, an IRS-impersonation phishing wave affected more than 29,000 users across 10,000 organizations, mostly in the U.S.; recipients were told to review purportedly irregular tax returns by downloading an "IRS Transcript Viewer" and were redirected through a "Download IRS Transcript View 5.1" button to smartvault[.]im, where a malicious ScreenConnect package enabled remote access and credential harvesting.

    Show sources
    Open in new tab
  2. 23.03.2026 12:55 2 articles · 2mo ago

    Microsoft warns of tax-season phishing campaigns

    Initial Disclosure

    Microsoft warned that U.S. tax-season phishing campaigns were targeting individuals, accountants, and other professionals with refund notices, payroll forms, filing reminders, QR codes, suspicious links, and IRS-themed lures to steal credentials and deliver malware, with some operations using PhaaS pages and others deploying ScreenConnect, Datto, or SimpleHelp for persistent access.

    Show sources
    Open in new tab