Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Tax-fraud phishing and digital filing trust: what breaks now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Digital tax filing is expanding the attack surface for phishing, identity fraud, and document tampering, with Microsoft reporting tax-themed phishing sent to more than 2,300 organisations between 12 and 28 February 2025. The real security gap is not convenience, but whether identity, certificate, and email trust controls can still distinguish legitimate filing workflows from convincing fraud.

NHIMG editorial — based on content published by GlobalSign: tax fraud and online filing scams

By the numbers:

  • According to Microsoft security intelligence, tax-themed phishing emails were sent to more than 2,300 organisations between 12 and 28 February 2025.
  • In the UK, Making Tax Digital obligations for recording income and expenses become mandatory from April 2026.
  • According to Microsoft security intelligence, tax-themed phishing was delivered to more than 2,300 organisations across multiple sectors.

Questions worth separating out

Q: What breaks when tax fraud controls rely on email or certificate checks alone?

A: Standalone email or certificate checks can confirm that a message or site looks authenticated, but they do not prove the request is legitimate.

Q: Why do tax and filing workflows create identity verification risk?

A: They concentrate financial urgency, personal data, and trusted communications in one place, which makes them attractive to impersonators.

Q: What do security teams get wrong about synthetic identity fraud?

A: They often treat it as an onboarding problem, when it is really a lifecycle problem.

Practitioner guidance

  • Implement end-to-end filing verification Require the filing portal, sender domain, document origin, and transaction context to be verified together before any tax-related request is accepted.
  • Harden email trust checks Enforce SPF, DKIM, and DMARC for all tax communications, and quarantine messages that fail alignment or originate from lookalike domains.
  • Use certificate-aware fraud controls Validate EV certificate chains, domain ownership, and certificate pinning for high-risk filing workflows where spoofed sites are likely to appear.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • Practical examples of how EV certificates, SPF, DKIM, and DMARC are used together in tax-related trust verification.
  • Implementation guidance for HSM-backed key protection and certificate-based MFA in high-risk filing environments.
  • Operational controls such as certificate pinning, DNS filtering, and network segmentation for tax processing systems.
  • Response planning for tax fraud, including 24/7 incident handling and red team validation exercises.

👉 Read GlobalSign's analysis of tax fraud, phishing, and digital identity trust →

Tax-fraud phishing and digital filing trust: what breaks now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Tax fraud is now an identity assurance problem, not just a phishing problem. The article shows that digital tax filing widens the trust boundary across email, portals, certificates, and documents. When that trust boundary is weak, attackers do not need to break encryption or compromise infrastructure, they only need to persuade a person or system to accept a fraudulent identity claim. For IAM and IDV teams, the lesson is that assurance must extend beyond login to the entire filing workflow.

A question worth separating out:

Q: Who is accountable when fraud gets through digital tax controls?

A: Accountability usually spans fraud operations, identity governance, application owners, and the teams managing authentication and email trust. If a workflow accepts claims without validating the sender, document integrity, and transaction context, the failure is organisational, not just user error. Frameworks such as NIST CSF and NIST SP 800-53 can help assign control ownership.

👉 Read our full editorial: Tax-fraud phishing is exploiting digital filing trust at scale



   
ReplyQuote
Share: