Article Summary: IRS impersonation scams in 2026 are moving faster and operating at a higher level of coordination. Bolster AI identified 152 new IRS-themed domains this year, with 82% already active and malicious, and phishing infrastructure activating within hours of registration. The campaign is generating roughly 62 malicious URLs per month, outpacing 2025, while leveraging trusted platforms like Docusign, Coda, Netlify, and Vercel to evade detection. It has also expanded beyond credential theft, with malware payloads and organized cash-out networks offering 40–45% commissions, targeting both individual filers and businesses through tax, payroll, and identity verification workflows.
Tax season phishing is not new. But the 2026 campaign targeting IRS and CRA filers is not a repeat of last year’s playbook. It is faster, more organized, and harder to detect.
Bolster AI’s threat research team tracked IRS-themed domain registrations, confirmed malicious URLs, and underground monetization infrastructure across the first three months of 2026. The findings point to a professionally managed fraud operation, not opportunistic phishing.
The numbers tell the story.
Key Findings
125 confirmed malicious URLs identified year-to-date.
152 new IRS-themed domains registered in 2026 so far.
82% of those domains are actively malicious. That is the most important number in this report. The gap between domain registration and live attack is now measured in hours, not days. Defenders relying on registration monitoring are already behind.
2,700+ total domains tied to this campaign ecosystem have been registered in 2026. Malicious phishing URL volume is trending at 62 per month, slightly ahead of the 59/month average in 2025, despite fewer newly registered domains. Domains are being activated faster, not stockpiled.
Attackers Are Using Platforms You Trust
The most significant shift in this campaign is infrastructure abuse. Our 2026 Fraud Trends Report identified platform abuse as one of the defining shifts in modern phishing. Threat actors are not just spinning up suspicious domains. They are embedding phishing inside platforms that victims already use and trust. This campaign is a direct example of that shift.
Docusign and Coda are being used to deliver fake “Tax Refund Document” and “Urgent Filing Notice” lures. The victim interacts with a real platform interface before encountering anything malicious. Email security filters pass the notification through because it is sent from the platform's own domain and passes SPF, DKIM, and DMARC checks; only the link inside the hosted document or page points at the attacker.
ID.me is spoofed because the IRS uses it as its official identity verification provider. Victims who have completed ID.me verification before are primed to do it again without hesitation.
Netlify, Vercel, and Pages.dev host fake refund portals under subdomain structures that mimic official IRS formatting. Because these platforms issue a valid TLS certificate for every subdomain automatically, the browser padlock offers no signal either. The cost to attackers is essentially zero.
A victim following the full chain may never encounter a single red flag that conventional security training would catch. That is the design.
It’s Not Just Phishing Anymore
This campaign has moved beyond credential theft.
A dedicated server hosts malicious payloads named IRS-Document.exe and IRS-Document.pkg. The .pkg format targets macOS, a deliberate choice: tax professionals and enterprise users skew heavily toward Apple hardware, and many organizations maintain weaker endpoint controls on Mac than on Windows. A .pkg installer can also carry pre- and post-install scripts that run as root once the victim supplies an administrator password at the familiar installer prompt, so a single click through a routine dialog is enough.
Payloads are also distributed through TEMP.SH, a disposable file-sharing service requiring no registration. Uploads auto-expire, so individual URLs are gone before a URL-level blocklist can catch up; the service hostname is the only stable indicator.
Once malware executes, the attacker gains persistent access, keylogging, file exfiltration, and a potential path into corporate networks. A single employee opening a tax document on a work device becomes a breach entry point.
The Fraud Chain Extends Past the Phishing Page
Bolster AI’s monitoring of underground forums identified active advertising of IRS refund cash-out services: 40-45% commission, $50,000 minimum transactions, bank account provisioning under stolen identities, scaling across multiple U.S. banks, coordination via Telegram.
The people running the phishing infrastructure and the monetization layer may not be the same operators. They are working toward the same outcome.
Who Is Being Targeted
The lure mix maps directly to specific victim profiles:
- Refund themes (42% of volume): Financial urgency targeting broad consumer filers
- Identity verification (27%): ID.me spoofs harvesting credentials and MFA tokens
- Audit and enforcement (22%): Fear-based triggers using fake IRS notices
- Malware delivery (9%): Document lures dropping .exe and .pkg payloads
Elderly filers, first-time filers, gig economy workers, immigrants, and small businesses each face tailored attack vectors calibrated to exploit specific knowledge gaps and emotional triggers.
Why Companies Should Care
This is not just a consumer problem. Companies that sit at the intersection of employee data, tax workflows, and customer trust face direct exposure.
HR information systems (HRIS) are natural impersonation targets. Employees expect tax communications through their HR systems. A spoofed portal that mimics W-2 delivery or direct deposit confirmation has built-in plausibility.
Payroll providers face higher-stakes fraud. A fake “payroll tax notice” sent to an SMB customer can produce immediate fraudulent wire transfers. The underground cash-out infrastructure in this dataset creates specific incentive to target payroll accounts over individual refunds.
Tax compliance platforms are being used as credibility layers. A confirmed malicious domain in this dataset is “taxcomplianceservices.cloud.” Phishing emails that invoke a known compliance platform by name convert at higher rates.
Consumer tax software has the most direct exposure. The fake e-file portals and refund status check infrastructure in this campaign directly impersonate the product category. When attackers use the same hosting platforms (Netlify, Vercel) that legitimate products use, the distinction between real and fake collapses at the user experience layer.
What Happens Next
Activity will peak in the two to three weeks before April 15. It will not stop after.
Based on 2025 full-year data, refund lures decline post-deadline while audit notices, penalty threats, and enforcement impersonation increase through summer. A secondary spike around the October extension deadline is consistent with historical patterns. The 18% of currently parked domains represent staged infrastructure that has not yet been activated.
Recommendations
Monitor domain registrations, specifically newly registered IRS- and CRA-themed domains across high-abuse TLDs (.xyz, .sbs, .live, .website, .cloud). Flag Netlify, Vercel, and Pages.dev subdomains containing tax-related keywords, since those subdomains can be claimed by anyone.
Block disposable file-sharing services like TEMP.SH at the network perimeter (DNS and web proxy), because individual upload URLs expire too quickly to blocklist. Scrutinize inbound emails containing Docusign or Coda links from unexpected senders during peak filing season; a passing SPF/DKIM check on the platform's notification says nothing about where the embedded link leads.
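The two recommendations above (registration and hosting-platform monitoring, and blocking disposable file hosts) reduce to a small set of hostname and URL heuristics. The following is an added example of that triage logic, not Bolster AI code and not the detection used in the report. The keyword list, the 30-day "newly registered" threshold, the extra payload extensions (.msi, .dmg), and all sample indicators other than taxcomplianceservices.cloud (which the article names) are constructed assumptions; no public-suffix list is used, so two-part suffixes such as co.uk are mis-split.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlparse

# Lure vocabulary from this campaign plus obvious variants (assumption: illustrative, tune to your telemetry).
SHORT_KEYWORDS = ("irs", "cra", "tax")                      # must start a label token
LONG_KEYWORDS = ("refund", "efile", "idme", "payroll", "w2")  # matched after separators are stripped
HIGH_ABUSE_TLDS = {"xyz", "sbs", "live", "website", "cloud"}  # TLDs named in the recommendations
TRUSTED_HOSTS = {"netlify.app", "vercel.app", "pages.dev"}    # platforms whose subdomains anyone can claim
DISPOSABLE_FILE_HOSTS = {"temp.sh"}                           # no-registration, auto-expiring uploads
PAYLOAD_EXTS = (".exe", ".pkg", ".msi", ".dmg")               # .exe/.pkg seen; .msi/.dmg are an assumption
NEW_DOMAIN_DAYS = 30                                          # "newly registered" threshold (assumption)


def _parsed(indicator: str):
    """Parse a bare domain or a full URL into urlparse components (lowercased)."""
    s = indicator.strip().lower()
    return urlparse(s if "://" in s else "http://" + s)


def has_tax_keyword(text: str) -> bool:
    """True if the label text carries a lure keyword.

    Short keywords must start a token, so 'irs' matches 'irs-refund' and 'irsgov'
    but not 'pairs'. Long keywords match anywhere in the separator-stripped text,
    so 'id-me' and 'e-file' still hit.
    """
    tokens = [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]
    if any(t.startswith(k) for t in tokens for k in SHORT_KEYWORDS):
        return True
    joined = "".join(tokens)
    return any(k in joined for k in LONG_KEYWORDS)


def triage(indicator: str, registered: Optional[datetime] = None,
           now: Optional[datetime] = None) -> list:
    """Return the reasons an indicator matches the campaign's infrastructure patterns.

    An empty list means no heuristic fired; it is not proof of safety.
    registered: domain creation time from WHOIS/RDAP, if known (tz-aware).
    """
    now = now or datetime.now(timezone.utc)
    parts = _parsed(indicator)
    host = parts.hostname or ""
    labels = host.split(".")
    reasons = []

    # 1. Attacker-controlled subdomain on a trusted developer hosting platform.
    platform = next((p for p in TRUSTED_HOSTS if host.endswith("." + p)), None)
    if platform:
        if has_tax_keyword(host[: -len(platform) - 1]):
            reasons.append(f"tax-themed subdomain on {platform}")
    # 2. Disposable file-sharing host used for payload delivery.
    elif host in DISPOSABLE_FILE_HOSTS or any(host.endswith("." + d) for d in DISPOSABLE_FILE_HOSTS):
        reasons.append("disposable file-sharing host")
    # 3. Lure keyword in the registrable domain on a high-abuse TLD and/or freshly registered.
    elif len(labels) >= 2 and has_tax_keyword(".".join(labels[:-1])):
        if labels[-1] in HIGH_ABUSE_TLDS:
            reasons.append(f"tax keyword on high-abuse TLD .{labels[-1]}")
        if registered is not None and now - registered <= timedelta(days=NEW_DOMAIN_DAYS):
            reasons.append(f"registered {(now - registered).days} days ago")

    # 4. Executable payload with a tax-themed filename in the URL path (IRS-Document.exe/.pkg style).
    filename = parts.path.rsplit("/", 1)[-1]
    if filename.endswith(PAYLOAD_EXTS) and has_tax_keyword(filename.rsplit(".", 1)[0]):
        reasons.append(f"tax-themed executable payload {filename}")
    return reasons


# Constructed sample indicators; only taxcomplianceservices.cloud comes from the article.
NOW = datetime(2026, 3, 31, tzinfo=timezone.utc)
SAMPLES = [
    ("irs-refund-status.netlify.app", None),
    ("https://temp.sh/Ab3dZ/IRS-Document.pkg", None),
    ("taxcomplianceservices.cloud", None),
    ("id-me-verify-irs.xyz", NOW - timedelta(days=2)),
    ("https://www.irs.gov/refunds", None),
    ("https://syntax.example.com/docs", None),
]


def run(samples=SAMPLES, now=NOW) -> dict:
    """Triage every sample; returns {indicator: [reasons]}."""
    return {ind: triage(ind, reg, now) for ind, reg in samples}


if __name__ == "__main__":
    for ind, reasons in run().items():
        print(f"{'FLAG' if reasons else 'ok  '} {ind}  {'; '.join(reasons)}")
```

The legitimate www.irs.gov entry shows why the keyword alone is never a verdict: it only contributes when paired with a high-abuse TLD, a fresh registration date, or a hosting platform where the subdomain is attacker-chosen. Feed `triage()` the registration timestamp from your RDAP/WHOIS lookup and the hours-not-days activation window the report describes becomes the thing you alert on.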
Communicate the seasonal phishing window to employees and customers before peak filing, with specific emphasis on trusted platform abuse. Reinforce that the IRS initiates contact with taxpayers by postal mail, not by email or SMS.
For companies serving small businesses: circulate guidance on EIN verification scams and payroll tax fraud before the peak window. For consumer-facing platforms: deploy in-app notifications stating clearly what the platform will and will not ask users to do.
This analysis is based on Bolster AI’s continuous monitoring of external attack surfaces including domains, websites, social media, app stores, and email. For the full threat report including IOCs and infrastructure details, download the complete report. To learn how Bolster AI can help protect your brand and customers from tax season fraud and digital impersonation, request a demo.