Tax Season Phishing: The Security Training Blind Spot


Proofpoint researchers identified more than 100 malicious tax-themed phishing campaigns in early 2026, and Canadian organizations are among the primary targets. With April representing the peak filing period for most Canadians, attackers are exploiting the urgency, distraction, and financial stress that tax season reliably produces. Most organizations have not updated their security awareness training to address tax season phishing specifically, and that gap is exactly what this year’s campaigns are designed to exploit.

What the Campaigns Look Like This Year

The attacks arrive through multiple channels and use several distinct lures. One approach involves emails impersonating the Canada Revenue Agency, threatening penalties for missing documents or offering refunds that require immediate verification. Another involves threat actors posing as investment companies requesting that recipients update their W-8BEN tax forms, a lure that carries credibility because Canadians with US investment accounts regularly receive legitimate requests of this kind.

Proofpoint’s March 30 advisory identified a specific threat group, designated TA2730, that is primarily targeting organizations in Canada, Australia, Singapore, Switzerland, and Japan. The group directs victims to counterfeit authentication pages that closely mimic the login portals of financial institutions and tax authorities. Victims who enter credentials hand attackers persistent access to the accounts they rely on for payroll, banking, and tax filing.

A separate category of attack targets finance teams directly through executive impersonation. Emails purporting to come from company leadership request copies of T4 forms or employee tax data under the guise of an urgent internal deadline. Business email compromise campaigns of this type are particularly effective in April because the request fits exactly what a finance team expects to be handling.
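The three lures described above can be turned into a first-pass mail triage rule set. The following is an added example, not code from Proofpoint or from this article; the organization domain, the executive names, the CRA domain allowlist and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions, not from the article: replace with your own values.
ORG_DOMAINS = {"example.com"}                  # your own mail domains
EXECUTIVES = {"dana reyes", "sam okafor"}      # hypothetical leadership names
CRA_DOMAINS = {"canada.ca", "cra-arc.gc.ca"}   # locally maintained allowlist

CRA_NAME = re.compile(r"\b(CRA|Canada Revenue Agency)\b", re.I)
T4_DATA = re.compile(r"\bT4s?\b|employee tax (data|records|information)", re.I)
W8BEN = re.compile(r"\bW-?8\s?BEN\b", re.I)

def _within(domain, allowed):
    """True if domain equals, or is a subdomain of, an allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def triage(raw):
    """Return the list of lure flags for one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    external = not _within(domain, ORG_DOMAINS)
    flags = []
    # Lure 1: display name claims the CRA, sending domain is not on the allowlist.
    if CRA_NAME.search(name) and not _within(domain, CRA_DOMAINS):
        flags.append("cra-impersonation")
    # Lure 2: W-8BEN request from outside; legitimate ones exist, so verify by callback.
    if external and W8BEN.search(text):
        flags.append("w8ben-verify-by-callback")
    # Lure 3: leadership display name on an outside address asking for T4 / tax data.
    if external and name.strip().lower() in EXECUTIVES and T4_DATA.search(text):
        flags.append("exec-impersonation-tax-data")
    return flags

# Constructed sample messages (not real campaign mail).
SAMPLES = {
    "cra": 'From: "Canada Revenue Agency" <notice@cra-refunds.example>\n'
           "Subject: Refund pending\n\nVerify within 24 hours to receive your refund.",
    "w8ben": 'From: "Northfield Investments" <forms@northfield-invest.example>\n'
             "Subject: Action required: update your W-8BEN form\n\nSign in to update.",
    "exec": 'From: "Dana Reyes" <dana.reyes@exec-mail.example>\n'
            "Subject: Urgent: T4 copies needed today\n\nSend all employee T4 forms.",
    "internal": 'From: "Dana Reyes" <dana.reyes@example.com>\n'
                "Subject: T4 distribution schedule\n\nSchedule attached for review.",
}

if __name__ == "__main__":
    for key, raw in SAMPLES.items():
        print(key, triage(raw))
```

The From header can itself be forged, so rules like these belong after the gateway's SPF, DKIM and DMARC evaluation, and a flag should route the message to the callback verification step rather than decide on its own.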

Why This Type of Lure Keeps Working

Tax season creates a set of psychological conditions that attackers have studied and learned to exploit. Employees are managing personal financial stress while simultaneously handling year-end payroll tasks, vendor tax forms, and CRA correspondence. The mental state an attacker wants (preoccupied, time-pressured, and operating slightly outside normal routine) is broadly available throughout April.

A growing share of the phishing emails hitting inboxes this season are generated with AI tools, which means the detection signals that trained employees once relied on are disappearing. Clean grammar, accurate branding, and a tone that matches what the CRA or a financial institution would actually send are now table stakes for any reasonably resourced threat actor. The old approach of scanning for typos and awkward phrasing is no longer sufficient on its own.

The Ontario Provincial Police issued a public warning in early March noting that the Canadian Anti-Fraud Centre is receiving a high volume of tax-related fraud reports. The CRA has confirmed it will never send refunds by e-transfer or text message, request personal or financial information by voicemail, or pressure recipients to click links to avoid penalties. These reminders are accurate but do not close the gap. Employees under deadline pressure do not always pause to recall what the CRA will or will not do.

Three Steps to Take Before the Filing Deadline

The April filing deadline creates a narrow window of elevated risk that organizations can address with targeted action right now.

Brief your team this week. A short, direct communication covering the specific lures in circulation takes less than an hour to write and distribute. Cover the main attack types: fake CRA refund and penalty emails, W-8BEN form requests from impersonated investment companies, and internal T4 requests that appear to come from leadership. Name the tactics explicitly. Employees who can picture the attack are far more likely to recognize it when it arrives.

Add tax-themed scenarios to your testing. If your organization runs simulated phishing exercises, this is the right moment to deploy a CRA-branded or investment-firm-branded test. Employees who encounter a convincing fake in a safe environment are substantially more likely to handle the real version correctly. Seasonal scenarios improve training relevance and retention far more than generic annual modules.

Reinforce the verification habit. Any request involving financial data, a tax form, or account credentials should trigger a pause and a direct callback to a verified number. This applies whether the request arrives by email, text, or phone call. Finance staff and managers in particular need to hear this before the deadline, not after an incident. Organizations that address these risks year-round through a structured human risk management program consistently enter high-risk periods with better-prepared staff than those that rely on reactive reminders.

The Pattern That Repeats Every Spring

Tax season phishing is not new, but it is reliably effective because most security programs are designed around threats in the abstract rather than threats tied to the calendar. The 2026 campaigns documented by Proofpoint are more sophisticated than those of prior years, with broader geographic targeting and more convincing lures. The tactics being used this April will be refined and redeployed next year. What changes between now and then depends entirely on what your team learns before this filing season closes.
