By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: GlobalSignPublished November 5, 2025

TL;DR: As tax filing moves online, phishing, synthetic identities, and AI-written impersonation are making digital tax systems easier to abuse, with Microsoft reporting more than 2,300 organisations hit by tax-themed phishing in February 2025. The real issue is not just email fraud but the weakness of identity, certificate, and verification controls around high-trust financial workflows.


At a glance

What this is: This is an analysis of how digital tax filing expands the attack surface for phishing, synthetic identities, and certificate-based impersonation, with validation and PKI controls emerging as the main defensive line.

Why it matters: It matters because IAM, PKI, and fraud teams must secure online tax workflows where identity proofing, message authenticity, and transaction trust now intersect with citizen and workforce access.

By the numbers:

👉 Read GlobalSign's analysis of tax fraud, certificate trust, and digital identity


Context

Digital tax filing creates a trust problem as much as a convenience gain. Once tax services move from paper and branch-based interactions to online portals, the attack surface expands across email, browser identity, certificate validation, and payment workflows. The primary issue is not just fraud volume, but the way routine taxpayer interactions become high-value identity events that criminals can impersonate.

This pattern affects both human identity and adjacent non-human controls. Certificate validation, message authentication, and PKI now sit alongside MFA, domain trust, and transaction verification as part of the control plane for tax administration. When those signals are weak or inconsistent, attackers can make fraudulent requests look legitimate enough to bypass manual review.

The article’s starting point is typical of the current environment: tax digitisation is accelerating faster than user awareness and verification discipline. That makes tax fraud a governance problem, not only a user-awareness problem.


Key questions

Q: How should organisations secure online tax filing against phishing and impersonation?

A: They should treat tax filing as a high-trust identity workflow and layer sender authentication, certificate validation, and user verification. SPF, DKIM, and DMARC help establish email authenticity, while EV certificates and PKI help confirm portal and document legitimacy. No single control is enough when attackers can imitate authorities and exploit urgency.

Q: Why do certificate checks matter for tax portals and filings?

A: Certificate checks help distinguish a legitimate tax portal from a convincing fake. Encryption alone only protects the connection, while EV certificates and validated chains add evidence of organisational identity. That matters because tax fraud often succeeds when users trust a site that looks secure but is not actually authoritative.

Q: What do teams get wrong about synthetic identity detection?

A: They often assume a single signal will identify the fraud case. Synthetic identities are usually revealed by combinations of weak clues across metadata, behaviour, and device context, which is why agentic systems are attractive. The risk is over-trusting the workflow and under-reviewing how the system reached the conclusion.

Q: Who is accountable when fraudulent tax submissions succeed?

A: Accountability usually spans the tax authority, the filing platform, and the organisation processing the data, because the failure can sit in identity proofing, email authentication, portal validation, or user guidance. The practical question is which trust control failed first and which team owns remediation before the next filing cycle.


Technical breakdown

How tax phishing exploits identity trust, not just email delivery

Tax-themed phishing works because the message is framed as a legitimate administrative task, not because email itself is broken. Attackers mimic tax authorities, use urgency, and push the recipient toward actions that feel routine, such as refund checks or compliance responses. The security failure is often the absence of strong message authentication and user-side trust validation. SPF, DKIM, and DMARC help establish whether mail originated from an authorised sender, while certificate checks help distinguish genuine tax portals from lookalikes. Where those signals are missing or ignored, social engineering becomes much easier to execute.

Practical implication: security teams should treat tax communications as a high-risk identity channel and enforce sender authentication before users can act on them.

Why certificate validation matters for tax portals and digital filings

Extended Validation SSL/TLS certificates and correct domain naming provide stronger evidence that a tax site belongs to the organisation it claims to represent. A DV certificate can encrypt traffic without proving organisational identity, which is why encryption alone is not enough for tax workflows. The article also points to digital signatures and valid PKI as integrity controls for tax documents. Those signatures support non-repudiation and help detect tampering, but only if private keys are protected and certificate chains are validated correctly. In practice, trust in a tax portal depends on identity proofing, not only secure transport.

Practical implication: validate certificate type, domain, and signing chain before accepting a portal or document as genuine.

How synthetic identities complicate fraud detection in regulated workflows

Synthetic identity fraud blends real and fabricated data so the resulting profile can pass basic checks and continue operating after the first control layer is cleared. That makes it harder than classic account takeover because there may be no single stolen credential to revoke. Detection therefore needs cross-source correlation, anomaly analysis, and document intelligence that can flag inconsistencies across records, behaviour, and submission patterns. For tax environments, the control challenge is to separate a legitimate but unfamiliar filer from a fabricated persona that only appears credible at the point of onboarding or filing.

Practical implication: fraud teams should combine identity proofing, behavioural analysis, and document verification instead of relying on a single onboarding check.


Threat narrative

Attacker objective: The attacker aims to harvest sensitive tax and identity data or divert refunds through fraudulent submissions that appear legitimate to the victim and the tax system.

  1. Entry occurs through tax-themed phishing emails that impersonate authorities such as the IRS or HMRC and use urgency to drive action.
  2. Escalation follows when the victim discloses credentials, personal data, or payment information, or is redirected to a fraudulent tax site that accepts the submission as legitimate.
  3. Impact is achieved through refund diversion, personal data theft, or fraudulent filing activity that exploits trusted digital tax channels.
  • Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Digital tax fraud is an identity assurance problem before it is a fraud problem. The article shows that online filing expands the number of trust decisions made by users, portals, and security tools. If taxpayers cannot reliably distinguish a legitimate authority message, portal, or document from a fake, the control failure begins long before money moves. Practitioners should treat tax workflows as high-assurance identity paths, not routine web transactions.

Certificate-based trust is useful only when it is part of a broader identity model. EV certificates, PKI, and digital signatures strengthen authenticity and integrity, but they do not solve the full verification problem on their own. The gap is not transport security, it is whether the organisation can prove who is sending, signing, and receiving the transaction. Practitioners should align certificate checks with sender validation, domain control, and user verification steps.

Synthetic identity fraud shows why static checks fail under real-world abuse. A fabricated persona can clear initial controls if those controls only ask whether the data looks plausible. The named concept here is trust signal fragmentation: when identity, email, portal, and document signals are evaluated separately, attackers can exploit the gaps between them. Practitioners should consolidate those signals into a single fraud and identity review flow.

AI increases the quality of impersonation faster than most filing processes can adapt. The article’s warning about AI-written phishing is credible because language quality is no longer a reliable defense signal. That weakens user training alone as a control and pushes the programme toward stronger sender authentication, portal validation, and transaction monitoring. Practitioners should assume the human eye will lose more often in tax-related impersonation scenarios.

From our research:

What this signals

Trust signal fragmentation: tax and finance programmes increasingly fail when email, portal, certificate, and document checks are run as separate controls. The operational risk is not just fraud volume, but inconsistent trust decisions that attackers can chain together.

As digital filing grows, identity teams should expect higher demand for proof of sender authenticity, certificate validation, and transaction-level verification. The governance shift is toward combining fraud signals with IAM and PKI signals so that one weak control does not decide the outcome alone.


For practitioners

  • Harden tax communication trust checks Require SPF, DKIM, and DMARC alignment for tax-related email flows and block action links when sender authenticity cannot be verified.
  • Validate tax portals beyond encryption Check EV certificate status, domain ownership, and certificate chain validity before allowing staff or customers to submit tax information.
  • Tie document integrity to PKI controls Use digital signatures and protected private keys for tax forms and submissions so tampering and spoofing are detectable.
  • Correlate identity signals across fraud checks Combine onboarding data, filing behaviour, device signals, and document analysis so synthetic identities do not pass as isolated normal events.

Key takeaways

  • Digital tax fraud is exploiting identity trust gaps across email, portals, and document verification, not just user gullibility.
  • Certificate validation, sender authentication, and PKI are necessary controls, but they only work when they are used together.
  • Organisations need correlated identity and fraud signals so synthetic identities and impersonation attempts are detected before submission is accepted.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Identity proofing and access validation are central to tax portal trust.
NIST SP 800-53 Rev 5IA-2Strong identification and authentication directly support secure filing workflows.
NIST Zero Trust (SP 800-207)The article's continuous validation theme aligns with Zero Trust principles.
NIST SP 800-63SP 800-63CFederated identity and assertions matter where portals rely on external trust signals.

Map tax filing trust controls to PR.AC-1 and validate identities before transactions are accepted.


Key terms

  • Synthetic Identity: A synthetic identity is a software-based actor that can authenticate, request access, and execute actions without being a human user. In practice, this includes AI agents, bots, service accounts, tokens, and other machine identities that need clear ownership, scope, and revocation.
  • Domain Validated Certificate: A domain validated certificate confirms control of a domain name but does not prove the legal identity of the organisation behind it. It provides encryption for the connection, yet it is a weak trust signal for high-assurance transactions such as tax filing or regulated financial workflows.
  • Extended Validation Certificate: An Extended Validation certificate is a public certificate that links a website or service to a verified legal entity. In practice, it is meant to strengthen trust by connecting technical encryption with organizational identity, but its value depends on how well issuance, naming, and dispute controls are enforced.
  • Trust Signal Fragmentation: Trust signal fragmentation happens when email, portal, certificate, and document signals are assessed separately instead of as one identity assurance picture. Attackers exploit the gaps between those controls by making each layer look acceptable even when the overall transaction is fraudulent.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on checking EV, DV, and PKI trust signals across tax-related websites and messages.
  • Specific examples of how SPF, DKIM, and DMARC help distinguish legitimate tax communications from spoofed ones.
  • Recommended deployment patterns for HSMs, certificate pinning, DNS filtering, and network segmentation in tax-processing environments.
  • The article’s fraud-detection discussion, including ML-based document analysis and multi-source verification.

👉 GlobalSign's full article covers PKI controls, fraud signals, and hardening steps for digital tax workflows.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org