May 7, 2021

Off the Hook – Tax Phishing

Jon Gellin
Junior Threat Analyst

Death and taxes. And phishing.

In the old days, there were only two things you could count on in life: death and taxes. But during tax season nowadays, you can pretty much count on getting phished, too.

Which seems particularly cruel because tax season is stressful enough as it is. Forms to fill, old receipts and documentation to find… all while the big deadline closes in. Who could possibly enjoy this time of year?

Well, for phishing predators, tax season is like Christmas. They often try to create a false sense of urgency, stress, and uncertainty in their victims to encourage a hasty click or download. What better trigger than taxes to induce the right level of anxiety?

Here are the latest insights into:

  • What we’re seeing
  • Why it's dangerous
  • How it works

And how to stay Off the Hook!

Initial approach

This tax season, we’ve seen a plethora of different phishing approaches leveraging the topic of taxes.

The most common attack vector is tax refunds. The malicious actor informs the victim he or she is eligible for a tax refund and should Act Now!!! to claim it. These come in various shapes and sizes, as tax systems vary between countries. Attackers often do their homework and either directly rip off the original message, change the text slightly, or craft messages based on the original. Consequently, attackers have up-to-date content with localized targeting.

Here we have an example. This campaign used mimicking in the sender field, creating the illusion that the message originates from Her Majesty's Revenue and Customs. The message is not a straight copy of a legit message by HMRC, but uses proper language and formatting to increase credibility.

The message differs slightly from typical phishing. Its wording doesn’t create the sense of urgency, fear or curiosity common to phishing emails. Instead, it plays on the useful negative emotions already associated with the topic and pulls victims in with the monetary incentive.

The 24-hour deadline is even softened by noting that the money may still be received, just a year later.

Another common type of delivery is quite simple but very efficient: tax notices. It may be a fictitious update on your taxes, or new documents to read, or confidential messages accessible only by logging in to your tax service. Curiosity is a strong motivator, and when joined with the emotional topic of taxes, curiosity is an effective lever for manipulating a victim to click a malicious link.

Direct facsimiles of legit messages are often used in this approach. Below we see a phish using the Dutch MijnOverheid (MyGovernment) service as an attack vector. The service is used, among other things, for messaging with the government.

Payload

The payload differs from campaign to campaign, owing largely to the technical capabilities of the attacker. Some utilize very basic credential harvesting sites hosted on different form creation sites. More advanced attackers often use breached blogs, which can be made to look very convincing.

Malware is spread disguised as tax declarations, forms, and other tax-related documents. Downloading one of these can compromise a company’s whole network, instead of just one victim’s finances.

Also worryingly common is identity theft, where the victim is urged to send a picture of their passport, a portrait of themselves, and other personal information.

Here’s an example of what may be found behind the malicious link in one of these messages. This is a screen capture of a malicious credential harvesting site used in a tax phishing campaign targeting Danish citizens during the spring of 2021.

The site is very cleverly created. It copies the real Danish tax authority's site, to which all links lead except for the malicious ones. Fortunately, a few simple tricks like checking the URL field in the browser or hovering over the links in the email would save the victim in this case.

Conclusion

While the topic of taxes adds an additional level of emotions to the game, the methods used are not that different from typical phishing campaigns. The key here is to stay calm, not make any rash decisions, and always verify:

  • Where the email came from. For example, by taking your time to read the sender field letter by letter to spot any attempts at mimicking (e.g. gov.uk → gov-tax.uk, hoxhunt.com → hoaxhunt.com).
  • Where the link leads to. For example, by hovering with your cursor over the link to reveal the URL. In most cases the URL will show something completely unrelated to taxation or government services, since the phishing site is hosted on whatever domain the attacker has got their hands on, and is therefore very easy to spot.

If these tricks do not work, navigate to the website of your tax authority manually and log in there. Messages sent to you via email will usually be found there. And do not hesitate to contact them to verify if a message is real or not.
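The same two checks, sender domain and link destination, can be run automatically during mail triage. The following Python sketch is an added example, not code from the original article or from Hoxhunt; the trusted-domain list, the 0.85 similarity threshold, and the sample message are assumptions made for illustration.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains this reader really gets tax mail from.
TRUSTED = ("gov.uk", "hoxhunt.com")

def classify_domain(domain, trusted=TRUSTED):
    """Return 'trusted', 'lookalike:<domain>' or 'unrelated'."""
    domain = domain.lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    labels = domain.replace("-", ".").split(".")
    for t in trusted:
        # Brand label reused beside extra words (gov-tax.uk), or a near-identical spelling (hoaxhunt.com).
        similar = difflib.SequenceMatcher(None, domain, t).ratio() >= 0.85
        if t.split(".")[0] in labels or similar:
            return "lookalike:" + t
    return "unrelated"

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        # The href is what hovering over the link would reveal.
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def review(raw_message):
    """Classify the sender domain and every link host in one message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg["From"])[1].rpartition("@")[2]
    findings = [("sender", sender, classify_domain(sender))]
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        host = urlsplit(href).hostname or ""
        findings.append(("link", host, classify_domain(host)))
    return findings

# Constructed sample message, not taken from a real campaign.
SAMPLE = """From: HMRC Refunds <refunds@gov-tax.uk>
Content-Type: text/html

<p><a href="https://forms.example.net/refund">Claim your refund</a></p>
"""
```

Calling `review(SAMPLE)` flags the sender as a lookalike of gov.uk and the link host as unrelated to any trusted domain. The brand-label heuristic is deliberately strict, so a legitimate domain that shares a label with a trusted one is also reported and needs a manual look.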

Hoxhunt response

We analyze tens of thousands of phishing emails like this a week to ensure our training is at the cutting edge of the latest threat developments. We organize the threats, rate them, and incorporate the nasty ones into our training simulations, sometimes within a day of reporting. This ensures that Hoxhunt users are being drilled on spotting and reporting the actual threats making the rounds, thus removing potentially catastrophic threats from your system.
