Beware the Tax Scam Tsunami: Unmasking QR Code schemes, Bogus Refunds and AI imposters

It’s tax season, that wonderful time of year when a refund check might be showing up in your mailbox—or going out to be sent to the government.

Around the world, many countries are gearing up for tax time. 

This becomes a common time for hackers to step in. Typically, hackers take advantage by distributing malicious files that masquerade as official files. It’s so pervasive, in fact, that the IRS releases an annual “Dirty Dozen” list, which outlines the most popular tax scams. 

Last year, we also saw a twist, with Check Point uncovering how ChatGPT can create convincing tax-related phishing emails. 

This year is no different. For example, in the UK, HM Revenue and Customs (HMRC) reported over 130,000 tax scam cases in the year leading to September 2023, including 58,000 fake tax rebate offers. The Government department even sent out an advisory ahead of their January deadline for 12 million individuals filing Self Assessment tax returns, warning that scammers are increasingly impersonating HMRC with scams varying from promising rebates, demanding tax detail updates, or even threatening arrest for tax evasion.

Check Point Research has found multiple instances of tax-related phishing and malware.

The goal is simple: to induce the end-user to either give over sensitive information or money.

The Tax QR Code Attack

In this attack, the threat actors are impersonating the IRS. Attached to an email is a malicious PDF, using a subject pattern of {NAME} TaxYearlyReturn3x{Company name}.pdf

The PDF file seemingly impersonates an official IRS correspondence, which informs the victim that there are documents awaiting them.

At the bottom of the document, there’s a QR code, which leads to several different malicious websites.

These sites are all verification websites, some with the pattern 1w7g1[.]unisa0[.]com/6d19/{USEREMAIL} which now lead to inactive malicious websites.

The QR code undergoes what we call conditional routing. In these attacks, the initial ask is similar, but where the redirection chain goes is quite different. The link looks for where the user is interacting with it and adjusts accordingly. If the user is using a Mac, for example, one link appears; if the user is on an Android phone, another appears.  The end-goal is the same—installing malware on the end-user endpoint, while also stealing credentials. By adjusting the destination based on how the end-user is accessing it, the rate of success is much higher.

The ‘We Owe You Money’ Tax Scam

In Australia, we saw a phishing scam that was allegedly sent from the “ATO Taxation Office”. In fact, it was sent from an iCloud address. In this email, the subject line is “We owe you money—register your bank details today.” The email guides the user to this link, hxxp://gnvatmyssll[.]online, where they are asked to enter their credentials:

We saw similar campaigns in other countries. This is from a phishing website impersonating the UK government, utilizing the malicious domain ukrefund[.]tax:

We also saw similar campaigns utilizing a number of domains, including:






Refunds for Sale

When people file their taxes, they expect them to go straight to the government.

They don’t expect it their private information to get in the hands of hackers.

But on the dark web, Check Point Researchers have found a flourishing market for sensitive tax documents. 

We’ve seen hackers selling legitimate W2 and 1040 forms. These are real W2 and 1040 forms, from real people, who are none the wiser.

These documents are being sold for as high as $75 a pop, although some are offering bulk discounts as low as $10. One hacker even offered a giveaway of 50 1040 and W2 forms. 

A screenshot of a computer program

Description automatically generated

Another tactic that hackers are using is by offering bank accounts for refund deposits. The threat actor offers a bank account number for the refund to be deposited in; in turn, the hacker then sends out the money to other hackers, taking a small percentage. 

A screenshot of a social media post

Description automatically generated

The final tactic is more troubling. Hackers are buying and giving away remote desktop privilege access to popular tax services. This includes a tax services company with 8,000 clients, with full information of their refund and bank routing numbers. This goes for $15,000.

For a relatively low dollar amount, hackers are able to file refunds on behalf of regular people—and reap the benefits. 

The ChatGPT Tax Assistant

Last year, Check Point researchers prompted ChatGPT to produce the text of an email that contained tax scam language. This resulted in a convincing email about the Employee Retention Credit. Another prompt created an email that comes from the IRS about a refund:

And another prompt provides a call script between a fake IRS agent and an elderly person:

How to Stay Safe in Tax Season

Remember, most tax agencies communicate directly through snail mail and will never email or call you first. 

However, with the proliferation of AI-generated phishing and malware campaigns, it can become nearly impossible to identify legitimate from illegitimate.

Despite this, there are still tricks to be able to identify phishing emails:

  • Unusual Attachments: Be wary of emails with suspicious attachments, such as ZIP files or documents that require enabling macros.
  • Incorrect Grammar or Tone: Though AI has improved the quality of phishing emails, inconsistencies in language or tone can still be red flags.
  • Suspicious Requests: Any email that asks for sensitive information or makes unusual demands should be treated with skepticism.

Staying Safe

  • Don’t Reply, Click Links, or Open Attachments: Engaging with a suspicious email only increases the risk.
  • Report and Delete: Reporting suspicious emails before deleting them can help protect others from falling victim to similar scams.
  • Invest in Anti-Phishing Solutions: Tools like Check Point Harmony Email & Collaboration Suite Security offer comprehensive protection against phishing attempts, safeguarding your digital communications.


During tax season, you have enough on your plate. Don’t add phishing to the equation. 

Awareness of these tax-related campaigns plays a large role in guarding your information and data. In addition, anti-phishing solutions can block attempted phishing campaigns from entering inboxes. Check Point Harmony Email & Collaboration Suite Security delivers complete protection for Microsoft 365, Google Workspace and all collaboration and file-sharing apps. 

“We’re already starting to see a tax scam tsunami forming. Hackers are leveraging AI, advanced phishing schemes and even QR codes to trick people out of their hard-earned tax refunds. We’re also seeing tax and financial documents for sale on the dark web, as hackers look to file taxes on behalf of regular people – in order to steal their refunds. At Check Point Research, we urge people to stay vigilant, file your taxes early and remember that most tax agencies will communicate directly through snail mail – not email, phone or text.” said Sergey Shykevich, Threat Intelligence Group Manager, Check Point Research.

Share on