Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Digital tax fraud and identity trust gaps: what teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: As tax filing moves online, phishing, synthetic identities, and AI-written impersonation are making digital tax systems easier to abuse, with Microsoft reporting more than 2,300 organisations hit by tax-themed phishing in February 2025. The real issue is not just email fraud but the weakness of identity, certificate, and verification controls around high-trust financial workflows.

NHIMG editorial — based on content published by GlobalSign: an analysis of tax fraud, digital identity trust, and PKI-based protections

By the numbers:

Questions worth separating out

Q: How should organisations secure online tax filing against phishing and impersonation?

A: They should treat tax filing as a high-trust identity workflow and layer sender authentication, certificate validation, and user verification.

Q: Why do certificate checks matter for tax portals and filings?

A: Certificate checks help distinguish a legitimate tax portal from a convincing fake.

Q: What do teams get wrong about synthetic identity detection?

A: They often assume a single signal will identify the fraud case.

Practitioner guidance

  • Harden tax communication trust checks Require SPF, DKIM, and DMARC alignment for tax-related email flows and block action links when sender authenticity cannot be verified.
  • Validate tax portals beyond encryption Check EV certificate status, domain ownership, and certificate chain validity before allowing staff or customers to submit tax information.
  • Tie document integrity to PKI controls Use digital signatures and protected private keys for tax forms and submissions so tampering and spoofing are detectable.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on checking EV, DV, and PKI trust signals across tax-related websites and messages.
  • Specific examples of how SPF, DKIM, and DMARC help distinguish legitimate tax communications from spoofed ones.
  • Recommended deployment patterns for HSMs, certificate pinning, DNS filtering, and network segmentation in tax-processing environments.
  • The article’s fraud-detection discussion, including ML-based document analysis and multi-source verification.

👉 Read GlobalSign's analysis of tax fraud, certificate trust, and digital identity →

Digital tax fraud and identity trust gaps: what teams need now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Digital tax fraud is an identity assurance problem before it is a fraud problem. The article shows that online filing expands the number of trust decisions made by users, portals, and security tools. If taxpayers cannot reliably distinguish a legitimate authority message, portal, or document from a fake, the control failure begins long before money moves. Practitioners should treat tax workflows as high-assurance identity paths, not routine web transactions.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when fraudulent tax submissions succeed?

A: Accountability usually spans the tax authority, the filing platform, and the organisation processing the data, because the failure can sit in identity proofing, email authentication, portal validation, or user guidance. The practical question is which trust control failed first and which team owns remediation before the next filing cycle.

👉 Read our full editorial: Digital tax fraud exposes the limits of trust in online identity



   
ReplyQuote
Share: