New IRS and Tax-Themed Cyber Attacks Fueled With New Domain Registrations


As the 2025 U.S. tax season reaches its peak, cybersecurity analysts report a dramatic escalation in phishing campaigns exploiting IRS and federal tax themes.

Between January 1 and February 18, threat actors registered 158 unique domains mimicking official IRS subdomains like “irs.gov.*”, deploying advanced social engineering tactics through SMS phishing (smishing) and social media platforms.

The attacks coincide with heightened public engagement with tax filing systems, creating ideal conditions for credential harvesting and financial fraud.

New telemetry from Broadcom’s WebPulse reveals 3,500 unique malicious domains categorized as phishing or malicious in January alone, with attack infrastructure evolving daily to bypass traditional detection methods.

Attack chains begin with messages containing URLs like hxxps://www.irs.gov.tax-initial[.]com, redirecting victims to spoofed IRS portals requesting sensitive data under the guise of Economic Impact Payments or refund processing.

Phishing SMS prompting Economic Impact Payment claim (Source – Broadcom)

Domain Spoofing Techniques Reach Unprecedented Sophistication

Analysis of passive DNS records shows attackers employing multi-layered subdomain spoofing, creating nested structures like “irs.gov.tax-private[.]com” that visually mimic legitimate IRS pathways. The registrable domain in such a name is tax-private[.]com; “irs.gov” appears only as subdomain labels under the attacker’s control, so the trusted-looking prefix has no bearing on who owns the site.
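The nested-subdomain trick described above (and the hxxps://www.irs.gov.tax-initial[.]com example earlier) can be caught by looking at where the trusted name sits inside the hostname. The following is an added detection example, not code from the article or from Broadcom: it refangs defanged URLs, splits off the registrable domain with a simplified two-label rule (a real deployment would use the Public Suffix List), and labels a URL as a nested spoof when “irs.gov” appears only in the subdomain part, or as a keyword lookalike when the registrable label merely contains “irs” or “tax”. The SMS text is constructed for the demo.

```python
import re
from urllib.parse import urlsplit

PROTECTED = {"irs.gov"}    # brand domains this check defends
KEYWORDS = ("irs", "tax")  # lookalike hints in the registrable label
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>]+")  # matches live and defanged URLs

def refang(text):
    """Turn defanged indicators (hxxps, [.]) back into parseable URLs."""
    return text.replace("hxxp", "http").replace("[.]", ".")

def host_of(url):
    return (urlsplit(refang(url)).hostname or "").lower().rstrip(".")

def registrable(host):
    # Simplified: last two labels. Assumption for the demo; use the PSL in production.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def classify(url):
    host = host_of(url)
    if not host:
        return "no_host"
    reg = registrable(host)
    if reg in PROTECTED:
        return "legit"                      # truly under irs.gov
    sub = host[: -len(reg)].rstrip(".")     # everything left of the registrable domain
    for brand in PROTECTED:
        # brand labels appearing contiguously inside the attacker's subdomain
        if "." + brand + "." in "." + sub + ".":
            return "nested_spoof"
    label = reg.split(".")[0]
    if any(k in label for k in KEYWORDS):
        return "keyword_lookalike"
    return "unrelated"

def scan_message(text):
    """Return (url, verdict) for every URL found in an SMS or e-mail body."""
    urls = [u.rstrip(".,);") for u in URL_RE.findall(text)]
    return [(u, classify(u)) for u in urls]

# Constructed smishing text modelled on the campaign described in the article.
SAMPLE_SMS = ("IRS: Your Economic Impact Payment is ready. Claim now at "
              "hxxps://www.irs.gov.tax-initial[.]com/eip or check status at "
              "https://www.irs.gov/payments.")

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_SMS):
        print(f"{verdict:18} {url}")
```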

The fraudulent portals replicate official IRS layout elements including:

  • Interactive tax tools section with options like “Get My Payment” and “Check withholding”
  • Multi-language support panels in Spanish, Chinese, and Korean
  • Footer navigation mirroring genuine IRS site architecture

Economic Impact Payment (Source – Broadcom)

Threat actors combine these spoofed domains with dynamic content generation, creating unique phishing pages for each victim using parameters like “drtf5pe[.]us” and “eljungle[.]me”.

The infrastructure employs rotating domain registrations across 150+ newly observed domains daily, including “federaltaxrebate-programs[.]click” and “taxirs-gov[.]com”.

Symantec’s Web Security Engine (WebPulse) data shows these domains generating over 50,000 daily lookup requests at peak periods, indicating massive campaign reach.

Symantec’s protective measures now automatically block access to confirmed malicious domains and flag suspicious certificate patterns in real time.

Security teams urge taxpayers to verify URLs through official IRS communication channels and enable multi-factor authentication on all tax preparation accounts.

With domain registration patterns showing no signs of abating, the 2025 tax season appears poised to break records for both legitimate filings and associated cybercrime activity.



