Rise in IRS and Tax-Themed Cyber Attacks Linked to Newly Registered Domains

The period from January through April, recognized as tax season in the United States, has seen a significant surge in cyber threats exploiting IRS and tax-related themes.

According to Broadcom’s Symantec Security Center, cybercriminals are leveraging the season to launch phishing campaigns and register deceptive domains that mimic legitimate IRS websites.

These malicious activities aim to deceive individuals into divulging sensitive financial information.

Spike in Malicious Activity During Tax Season

A phishing text containing the fraudulent URL “hxxps://www.irs.gov.tax-initial[.]com” was identified.

A deeper analysis of WebPulse telemetry revealed numerous similar domains, including “irs.gov.reporting-tax[.]com” and “irs.gov.tax-winnings[.]com.”

These domains were actively promoted via smishing (SMS phishing) and social media campaigns.

Victims who clicked on these links were redirected to fake IRS websites designed to steal personal data.

Figure: fake IRS content

Proliferation of Fraudulent Domains

A review of passive DNS (pDNS) data for January 2025 uncovered 158 unique subdomains following the pattern “irs.gov.*”.

The telemetry highlighted a broader trend, with nearly 3,500 unique IRS or tax-themed domains flagged as phishing or malicious during the same month.

Examples of these domains include “2024-tax-refund[.]info,” “claim[.]tax[.]refund[.]drtf5pe[.]us,” and “irs-claim-government[.]com.”

Many of these domains were crafted to exploit public trust in IRS-related content while disguising their malicious intent.

Additionally, new domain registrations with IRS or federal tax-related themes surged during January 2025, with nearly 150 suspicious domains identified.

Examples include “gov-irs[.]net,” “taxhelp-securelink[.]com,” and “federaltaxrebate-programs[.]click.”

These domains were likely created to target unsuspecting taxpayers during the peak tax-filing period.
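The naming patterns above can be triaged mechanically. The following is an added example, not code from Symantec or from the original article: it refangs an indicator, then separates hostnames that carry "irs.gov" as labels under another registrable domain from those that only use tax keywords. The category names, the keyword rule, and the "last two labels" shortcut for the registrable domain are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

# A standalone "irs" label or hyphen-separated token (avoids "first", "stairs").
IRS_TOKEN = re.compile(r"(?:^|[.-])irs(?:[.-]|$)")

def refang(indicator: str) -> str:
    """Undo hxxp / [.] defanging and return the lower-cased hostname."""
    s = indicator.strip().replace("[.]", ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").rstrip(".").lower()

def classify(indicator: str) -> str:
    labels = refang(indicator).split(".")
    # Assumption: the registrable domain is the last two labels. That holds for
    # the TLDs quoted in the article; real tooling should use the Public Suffix List.
    if labels[-2:] == ["irs", "gov"]:
        return "official"
    prefix = labels[:-2]
    # "irs" directly followed by "gov" to the LEFT of someone else's domain.
    if any(pair == ("irs", "gov") for pair in zip(prefix, prefix[1:])):
        return "irs.gov-as-subdomain"
    name = ".".join(labels[:-1])  # everything except the TLD
    if IRS_TOKEN.search(name) or "tax" in name:
        return "tax-themed"  # a lead for review, not a verdict
    return "unrelated"

# Hostnames quoted in the article, plus two constructed benign controls.
SAMPLES = [
    "hxxps://www.irs.gov.tax-initial[.]com",
    "irs.gov.reporting-tax[.]com",
    "claim[.]tax[.]refund[.]drtf5pe[.]us",
    "gov-irs[.]net",
    "federaltaxrebate-programs[.]click",
    "https://www.irs.gov/refunds",   # constructed control
    "first.example.org",             # constructed control
]

def triage(indicators):
    """Map each indicator to its category."""
    return {i: classify(i) for i in indicators}

if __name__ == "__main__":
    for indicator, verdict in triage(SAMPLES).items():
        print(f"{verdict:22} {indicator}")
```
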

The volume of lookups for these malicious domains spiked significantly throughout January 2025, reflecting the scale of these campaigns.

Symantec has categorized these domains under security threat categories within its WebPulse-enabled products, ensuring robust protection for its users.

The company continues to monitor and block such threats through its cloud-based Web Security Engine.

Taxpayers are urged to remain vigilant during this period by verifying URLs before clicking on links and avoiding sharing sensitive information through unsolicited emails or messages.

Cybersecurity solutions like those offered by Symantec play a critical role in safeguarding users from these evolving threats.
