Hoxhunt analysts detect a 400% increase in tax authority impersonation campaigns targeting U.S. employees, and a 147% overall spike in spring 2026 U.S. phishing volume
You've filed your taxes—or perhaps an extension. The deadlines are behind you, the paperwork is done, and the stress of tax forms finally feels like it's fading into yesterday.
But just when it felt safe to go back into your inbox…
An unprecedented wave of tax-themed phishing campaigns targeting employees is sweeping over US organizations, and it’s threatening to not just stay, but go global.
In the spring of 2026, Hoxhunt detected the largest tax-related phishing campaign ever observed in its global threat intelligence data—collected from tens of millions of threat reports from over 4M global Hoxhunt users—with U.S. tax authority impersonation campaigns increasing by over 400% compared to the baseline from the previous two years.
Overall, spring 2026 saw a 147% increase in phishing volume targeting US employees. These tax-themed phishing attacks are unusually personalized and contextualized to blend into corporate workflows. Because AI enables personalization at scale, this campaign might be tied to the 10x-plus surge in AI-generated phishing attacks kicking off 2026, which Hoxhunt reported in March.
These findings raise questions as to whether this will spark a global phishing trend and, potentially, mark a new seasonal phishing campaign that security leaders should plan for on their security awareness training calendars.
Overview
Phishing campaigns that spoof tax authorities have made the rounds for years, luring victims with fear-based urgency about mishandled filing, or reward-based anxiety about missing a bogus refund. But they’ve historically targeted private individuals.
What distinguishes the spring 2026 period is:
- The targeting of US employees
- The personalization and contextualization into corporate workflows
- The magnitude of change; it’s one of the bigger localized spikes in tactics we’ve seen
- The potential seasonality of the spike
- The coinciding threat landscape trends, such as soaring U.S. phishing volumes this spring and the mass adoption of AI-generated phishing campaigns.
It raises the question as to whether this will spark a global phishing trend and, potentially, mark a new seasonal phishing campaign that security leaders should plan for on their yearly calendars.
Findings
Analysis of millions of phishing threats reported by 4M+ employees in the Hoxhunt network this spring revealed:
- Over 400% increase in U.S. tax authority impersonation campaigns compared to the baseline from the previous two years
- No comparable spike in previous spring periods
- 147.3% increase in malicious phishing emails reported by U.S. users overall during spring 2026 compared to prior periods
- 14X surge in AI-generated threats, as reported in March 2026 in the Hoxhunt Phishing Trends report; it’s possible this tax phishing campaign’s at-scale personalization and targeting of emails was enabled by AI tooling
- 4-fold elevated risk of malicious clicks, according to Hoxhunt simulation data on personalized, tax-themed phishing attacks
- 16% failure rate of personalized, tax-themed phishing simulations, compared to the global average failure rate of 4-6%
The findings suggest meaningful shifts in attacker behavior with a new regional campaign tactic that could spread globally via AI-enabled localization. It should be tracked and prepared for via training throughout 2026, particularly through October Cyber Awareness Month.
In the US, around 10% of Americans use the October 15th late filing deadline for taxes, a time when communications concerning tax authorities increase. Other countries (e.g. Australia, Ireland, and Austria) have filing deadlines in the fall as well. Security awareness leaders might consider deploying tax-themed phishing awareness campaigns in the fall, in case a second wave of attacks occurs.
We will monitor this campaign throughout summer and fall. After the filing period, employee vigilance may decline while activities persist around refund processing, documentation requests, and reconciliation activities. This combination creates conditions in which malicious messages may appear more credible, particularly if they mirror expected procedural language.
Methodology
Data from millions of real threat reports submitted by 4M+ Hoxhunt users was analyzed for this report. Every Hoxhunt user’s threat report is automatically analyzed by our native-AI platform and then categorized as: safe (legitimate communications or harmless spam); possibly malicious; likely malicious; or malicious. Malicious attacks are grouped, categorized, prioritized for SOC response and, if desired, auto-removed by the Hoxhunt incident response system. Moreover, attacks are categorized into a purpose-built phishing framework covering the various themes and techniques observed in the threat landscape, offering the end-user and security team granular visibility into what types of attacks are landing in inboxes.
The model is built to recognize and categorize even new, zero-day phishing attacks, which can be reported by a Hoxhunt user on one side of the globe, and then the AI is trained to recognize and respond to similar campaigns everywhere. These findings were discovered by a team of dedicated Hoxhunt threat analysts, and are exclusive to the threats that bypass filters and land in employee inboxes.
Campaign characteristics
Consistent structural patterns were observed across the campaigns. Among tax-themed phishing emails analyzed during the spring 2026 period:
- 66% included malicious links
- 15% included attachments
- 12% requested replies
Links represented the dominant method, typically directing recipients to credential-harvesting environments designed to resemble legitimate tax portals.
Attachment-based messages frequently referenced:
- Tax return reviews
- Supporting documentation
- Verification requirements
Reply-based messages, including call-back phishing attacks leveraging malicious phone numbers, often attempted to collect sensitive information directly through conversational exchanges.
The tax phishing campaign has similar characteristics to other attacks designed to blend into administrative workflows. These distributions are broadly consistent with what would be expected from campaigns designed to imitate administrative processes.
The messaging tone stood out in this campaign. Contrary to the highly charged emotional tone that is typical of social engineering, many of these tax-themed messages did not rely on dialed-up urgency or explicit financial incentives.
Instead, they typically used:
- Formal, administrative language
- Neutral tone
- Procedural framing
Examples included messages structured around:
- Return review notifications
- Document confirmation requests
- Portal login instructions
This seemingly formal tone can ease the recipient’s suspicions, particularly with employees who are more likely to have some training against the common red flags of a phishing message. Thus, a more realistic and official-sounding spoof of an IRS message might make sense to attackers crafting an employee-targeted campaign.



Ideal social engineering conditions
In addition to tone, the context of these campaigns naturally triggers an emotional response.
“Your pulse spikes when you see a message from powerful tax authorities, so that sense of urgency and the fear of consequences that social engineers prey upon is already built into the sender field of a message from the IRS, or the comparable authorities elsewhere,” said Mika Aalto.
Attackers’ choices in tone, timing, and messaging appear to tap into predictable human responses during high-pressure yearly cycles.
“Tax season creates unusually favorable conditions for social engineering,” said Maxime Cartier, VP of Human Risk at Hoxhunt.
“It combines deadline pressure, stress, and the routine exchange of sensitive information,” continued Cartier. “Employees expect to receive messages about refunds, missing documents, fees, or payment deadlines. When a phishing message references taxes and demands actions and information that would normally seem off-limits, it feels more credible by default.”
In the United States, a substantial portion of taxpayers file extensions, shifting final deadlines into September and October.
This period recreates many of the same environmental conditions present during spring filing periods, including:
- Deadline pressure
- Exchange of sensitive information
- Increased administrative messaging
- Heightened attention to compliance requirements
“Urgency plays a central role in social engineering success,” said Cartier. “The promise of a refund or the fear of penalties manipulates people to act quickly and rashly without verifying the message. Attackers seek to time their campaigns with moments when people feel overwhelmed and used to receiving legitimate requests of a similar nature.”
From a strategic defensive perspective, popular new campaigns often indicate that specific techniques are yielding results for attackers. Like any business, cyber criminals take notice of what phishing campaigns are working best, and seek to replicate that success.
“Large increases in campaign volume usually indicate that attackers are achieving consistent results,” said Cartier. “When a tactic scales this quickly, organizations should assume it is working, and they should adjust training accordingly. In the U.S., the October extension deadline presents a second window where tax-themed phishing remains highly relevant. And across the globe, awareness campaigns should be tailored to local tax authorities and deadlines as we do see tax-themed phishing attacks in every country.”
Securing employees against tax phishing
“We typically think about IRS spoofing and tax-themed campaigns as targeting private individuals, but it’s clear that tax phishing is seeping into work environments,” said Mika Aalto, CEO of Hoxhunt. “From an attacker’s perspective, compromising corporate accounts in an at-scale phishing campaign offers a greater payoff via access to sensitive financial workflows, internal systems, and confidential data.”
A prevailing thread in many of these tax phishing campaigns is the use of subtle deception techniques after the initial compromise to gain the victim’s trust and evade detection.
“One tactic we frequently observe involves redirecting victims to a legitimate site after credentials are submitted. That transition makes the interaction feel routine and reduces the likelihood that the victim will recognize what has happened or report it in time to contain the damage,” said Mika Aalto, CEO of Hoxhunt.
Many organizations schedule awareness initiatives during Cybersecurity Awareness Month in October. It’s the yearly Super Bowl for security awareness leaders, who get buy-in for big campaigns geared for raising awareness, trying new tools, establishing benchmarks, and building security culture.
This October timing creates an opportunity to align awareness efforts with operational risk conditions, as October coincides with:
- Extension filing deadlines
- Ongoing tax documentation activity
- Renewed administrative pressure
Just like the shark in Jaws kept swimming back for another meal every time citizens of the fictional Amity Island thought it was safe to get back in the water, the tax phishing campaign is likely to return. October awareness month’s overlap with the tax season increases the relevance of tax-themed messaging during this period.
Awareness programs that reflect real-world phishing campaigns, world events, and administrative cycles are likely to produce stronger recognition and response outcomes than those delivered independently of operational timing. A few of Hoxhunt’s most successful recent October awareness month campaigns transformed dramatic shifts in the threat landscape into hyper-relevant phishing simulation campaigns, such as the emergence of QR code phishing, deepfake voice and video attacks, and malicious SVG files.
The trick is to close the loop between the threat feed and training.
Seasonal phishing patterns: Usually, it’s not a thing
Seasonal phishing campaigns that are widely reported by the popular media often suggest predictable increases of travel-themed campaigns around holidays such as Christmas, or imposter emails around major retail events for fake offers, shipping disruptions, or billing issues.
However, Hoxhunt has picked up minimal increases in such holiday-themed attacks targeting employees.
That’s partly because many publicly cited seasonal spikes are derived from filter-level telemetry, which includes large volumes of personal Gmail, Hotmail, and Yahoo addresses. Because these attacks are caught by filters and analyzed there, they don’t necessarily reflect the threats people are actually seeing, particularly in employee inboxes.
Tax season represents a clearer case of workplace-relevant seasonal risk, as tax deadlines intersect directly with internal workflows involving:
- Payroll
- Finance
- HR documentation
- Regulatory reporting
This alignment between external deadlines and internal administrative processes likely increases the credibility of tax-themed communications. Historically, Hoxhunt experts say that phishing attacks pegged to seasonal corporate activities can be quite effective, as employees are used to exchanging sensitive information during this time.
“There can be heightened activity and danger in attacks that target employees during cyclical corporate activities like budget reviews, HR reviews, quarterly reporting, bonuses, and things of that nature,” said Petri Kuivala, CISO Advisor at Hoxhunt.
AI-driven tax phishing surge?
Changes in campaign volumes can be linked to changes in attacker capability.
Recent observations suggest that advances in automation via generative AI are reducing the effort required to produce convincing phishing messages, particularly those that can be personalized and localized at scale.
“For years, phishing awareness focused on spotting grammatical errors or visual inconsistencies,” said Pyry Åvist, Co-founder and CTO of Hoxhunt. “That guidance is becoming less reliable as attackers adopt generative technologies.

“We have observed rapid growth in AI-assisted phishing beginning in late 2025. Attackers can now generate realistic messages in multiple languages, tailor them to specific tax authorities, and produce many variations of the same lure. That combination makes filtering more difficult and increases the likelihood that at least one version will succeed.”
Messages can push victims to engage outside of the email itself in calls to malicious numbers, or to visit multiple sites. The email itself represents only the initial point of engagement in an extended attack chain made possible by AI.
“In some cases, the phishing email is only the first step,” Åvist said. “It may be followed by a phone call or voice message reinforcing the same narrative. It’s only a matter of time before these include deepfake videos with a trusted authority or colleague. Once an individual is engaged in a live conversation, the opportunity for manipulation increases significantly.”
Conclusion: Targeted attacks demand targeted training
The observed 400% increase in U.S. tax authority impersonation campaigns, combined with the 4-fold increased effectiveness of such personalized and contextualized employee-targeted campaigns, suggests that tax-themed impersonation is an emerging threat worthy of organizations’ attention.
More broadly, these findings reinforce the fact that phishing effectiveness is closely linked to personalization and the credibility of surrounding workflows.
Organizations that align awareness and training with these operational realities are better positioned to reduce successful tax-themed phishing interactions. This logic holds for other seasonal campaigns that hijack corporate workflows such as budgetary periods, performance reviews, bonuses, invoicing, and the like.
- Research led by Mikko Alikärri, Junior Threat Data Scientist; Jon Gellin, Threat Team Lead