Skip to main content
Dark background with blue code overlay

Two Years of Tax Phishing - The Oldest Scam in the Book

Or Katz

Written by

Or Katz

May 05, 2021

Tax scams are some of the oldest scams in a criminal's book, and they're highly attractive to criminals for many reasons. The most obvious reason is the potential financial gain of a successful scam. Successful scams can lead to the compromise of sensitive information, resulting in identity theft or fraudulent activity.

The second reason is related to the recurring nature of filing taxes. Filing taxes is an activity that happens every year. Criminals take advantage of tax time to target as many victims as possible in a single pass, which increases the potential revenue from successful scams.

The recurrent nature of tax scams has led to refinement, including improving social engineering techniques, scam distribution techniques, and general reliability of the scams overall. The refinements aim to improve victim engagement rates.     

In order to better understand the nature of these recurring scams, we tracked 5 of the most significant phishing toolkits being recycled and redeployed over the last2 years.   

Two years of tax scams - insights

Akamai was able to see some attack campaigns that were active all year long, even though one might expect to only see tax scams be an once-a-year occurrence when annual returns are due. A noticeable example can be seen in Figure 1, labeled as Tax Scam UK - 2. There is clear evidence that new domains were being deployed all throughout 2020, with over 650 new domains being used to host tax-based phishing scams over the year.

Figure 1: Reoccuring tax scam domains in the wild - 2019/2020 Figure 1: Reoccuring tax scam domains in the wild - 2019/2020

New toolkits in the block

Tax scams are continuously evolving, and new campaigns with new kit variants are being used. A good example of that is seen in Figure 1, labeled Tax Scam UK - 1. Initially seen in the wild in July 2020, this campaign was deployed to over 140 different domains between July 2020 and April 2021.

When toolkits fade away

The IRS phishing campaign, initially reported by Akamai back in 2019, was rarely used in 2020 (see Tax scam US - 1), indicating phishing scams' evolving nature and how this toolkit became deprecated. This gives us another glimpse into the ecosystem that drives phishing factories and economies. Once a phishing kit has become outdated, or deprecated, it fades away, leaving room for further development and improvements, in exactly the same way that one would expect the normal product lifecycle to function in a non-criminal environment.


In order to preserve the scam's reliability, tax-based phishing uses customized websites to contain references to recent events.Over the past year, Akamai observed COVID-19 related messaging included in almost all of them. The scams made mention of government aid programs and changes to filing schedules.

Moreover, as millions of people around the globe lost their jobs, received unemployment, or started to work from home in 2020, Akamai observed a strong uptick in the number of attacks seen in the wild following the start of the COVID-19 pandemic. According to our research, there was an increase in the volume of tax scams just after the pandemic began in April 2020. The increased usage of tax-based scams represents criminal motivations to exploit the situation and target taxpayers directly.

Scam that lives (almost) forever

Akamai tracked some tax scam toolkits back to April 2019, and you can see these campaigns labeled as Tax scam UK - 2 and Tax scam UK - 3 in Figure 1. As shown, Tax scam UK - 2 leveraged more than 600 domains during the campaign, and Tax Scam UK - 3 used more than 280 domains. This is another example of the forces and scale behind the phishing landscape and the recycling phenomena of phishing toolkits.

Furthermore, because the dataset we used in this report was limited by time, we suspect the scams go back even further into the past, representing scams that continue to live for many years and create a continuous challenge once defending against such scams. 

Figure 3: Tax scams examples Figure 3: Tax scams examples


Tax scams differ from many other phishing scams, as the by-product can lead to identity theft, resulting in significant financial loss for the victims, as well as the required involvement of law enforcement in such incidents.

As a result of the COVID-19 pandemic, millions of people around the globe lost their jobs, and needed government assistance. Criminals exploited the situation, increasing the volume of tax-based scams throughout 2020, targeting victims with fraudulent communications about unemployment benefits.

In order to avoid many unemployment- and tax-based scams, it's important to remember that tax authorities don't initiate contact with taxpayers by email, text messages, or social media channels to request personal, or financial, information. Therefore, if someone is approached on that level, be suspicious and don't give away personal information. When in doubt, reach out to your local tax office for verification.

As we look into the data shown above, we can't avoid noticing a much stronger presence of emerging UK-based tax scams, compared to the emerging US-based tax scams. While we can't say for sure why the emerging scams were at higher rates in the UK, it could be the outcome of different reasons such as different remediation techniques being taken against emerging scams and the resources being invested into awareness and education programs by governments.

We argue that awareness plays a significant role in the ability to mitigate and reduce phishing scams efficiency. As phishing scams are dependent on humans to be engaged, it only makes sense that continuous education on these scams will lead to victims being more vigilant, risk aware, and better protected in the long run.

Or Katz

Written by

Or Katz

May 05, 2021