{"id":8488,"date":"2026-04-02T07:15:00","date_gmt":"2026-04-02T12:15:00","guid":{"rendered":"https:\/\/www.dnsfilter.com\/blog\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing"},"modified":"2026-04-02T07:15:00","modified_gmt":"2026-04-02T12:15:00","slug":"the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/04\/02\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing\/","title":{"rendered":"The Tax Scams the IRS Stopped Warning You About Are Still Growing"},"content":{"rendered":"<p><em><span><br \/>Four years of DNSFilter threat data reveals how cybercriminals are evolving their tactics \u2014 and why the government&#8217;s annual scam list only tells part of the story.<\/span><\/em><\/p>\n<p><!--more--><\/p>\n<p><span>Every March, the IRS publishes its<\/span><a href=\"https:\/\/www.irs.gov\/newsroom\/dirty-dozen-tax-scams-for-2026-irs-reminds-taxpayers-to-watch-out-for-dangerous-threats\" rel=\"noopener\" target=\"_blank\"><span> <\/span><u><span>Dirty Dozen<\/span><\/u><\/a><span> \u2014 a list of the top tax scams threatening taxpayers, businesses, and tax professionals. The 2026 edition, released on National Slam the Scam Day (March 5), includes the usual suspects: phishing, fake charities, ghost preparers, and misleading social media advice.<\/span><\/p>\n<p><span>But one change stood out. The IRS dropped fuel tax credit scams from the list, replacing them with a new entry: abusive undistributed long-term capital gains claims tied to Form 2439. That&#8217;s a scheme that plays out in fraudulent filings rather than malicious domains \u2014 a paperwork scam, not a web scam.<\/span><\/p>\n<p><span>At DNSFilter, we&#8217;ve been tracking tax-related threat domains on our network for four years. And our data tells a more complicated \u2014 and in some ways more concerning \u2014 story than the Dirty Dozen alone.<\/span><\/p>\n<h2><strong><span>The big picture: Scammers are getting more specific<\/span><\/strong><\/h2>\n<p><span>The most striking finding in this year&#8217;s data isn&#8217;t any single spike. It&#8217;s the shift in strategy.<\/span><\/p>\n<p><span>Threat domains containing the generic keyword &#8220;tax&#8221; in the domain name actually declined in Q1 2026 \u2014 down 46% from Q1 2025. But that decline is misleading. The scammers didn&#8217;t disappear. They diversified.<\/span><\/p>\n<p><span>Domains containing &#8220;filing&#8221; surged 275% year over year. Fuel-related threat domains grew 116%. And charity scam domains \u2014 which had been declining for two straight years \u2014 came roaring back. In other words, attackers are moving away from generic &#8220;tax&#8221; domain names and toward more targeted, believable keywords that are harder to spot at a glance.<\/span><\/p>\n<h2><strong><span>Fuel scam domains are still surging \u2014 even without the spotlight<\/span><\/strong><\/h2>\n<p><span>Fuel-related threat domains have been one of the most consistent growth stories in our tax season data. On the DNSFilter network, threat domains containing &#8220;fuel&#8221; in the domain name have climbed every year:<\/span><\/p>\n<ul>\n<li><strong><span>2023 \u2192 2024:<\/span><\/strong><span> 43% increase in fuel-related threat domain traffic during tax season.<\/span><\/li>\n<li><strong><span>2024 \u2192 2025:<\/span><\/strong><span> That growth accelerated to 121% year over year.<\/span><\/li>\n<li><strong><span>2025 \u2192 2026:<\/span><\/strong><span> Another 116% increase \u2014 more than double the prior year.<\/span><\/li>\n<\/ul>\n<p><span>The spike patterns are intensifying too. A concentrated cluster from January 20\u201322, 2026 pushed fuel threat traffic to nearly 500% above the quarterly average. A second major spike followed on February 3.<\/span><\/p>\n<p><span><span><img data-recalc-dims=\"1\" fetchpriority=\"high\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing.png?resize=640%2C396&#038;ssl=1\" width=\"640\" height=\"396\" alt=\"Fuel scam domains are still surging \u2014 even without the spotlight\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-4.png 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing.png 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing.png 1800w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing.png 2400w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing.png 3000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing.png 3600w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><\/span><\/span><\/p>\n<p><span>Despite being removed from the 2026 Dirty Dozen, fuel-related threat domains haven&#8217;t slowed down. These scams typically involve domains promoting fraudulent fuel tax credits or refunds, targeting both individuals and small businesses with sites that promise tax savings tied to fuel purchases.<\/span><\/p>\n<h2><strong><span>Fake charity domains came back \u2014 hard<\/span><\/strong><\/h2>\n<p><span>The IRS kept fake charities on the 2026 Dirty Dozen. Our data shows they were right to.<\/span><\/p>\n<p><span>Charity-related threat domain traffic on the DNSFilter network had been declining \u2014 and then stagnating \u2014 during tax season for two years running, dropping 64% from 2023 to 2024 before flatlining in 2025.<\/span><\/p>\n<p><span>Then 2026 reversed the trend \u2014 dramatically. Charity threat domain traffic surged 793% over the prior year, more than tripling the 2023 level. The activity came in two distinct spike clusters:<\/span><\/p>\n<ul>\n<li><strong><span>Early January (Jan 7\u201315):<\/span><\/strong><span> A massive spike on January 8 \u2014 more than 1,000% above the quarterly average \u2014 followed by sustained elevated days through January 15.<\/span><\/li>\n<li><strong><span>Mid-to-late March (Mar 16\u201326):<\/span><\/strong><span> A sustained cluster with multiple days well above the quarterly norm, peaking on March 18.<\/span><\/li>\n<\/ul>\n<p><span><span><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-1.png?resize=640%2C396&#038;ssl=1\" width=\"640\" height=\"396\" alt=\"In 2026, Charity threat domain traffic surged 793% over the prior year\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-5.png 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-1.png 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-6.png 1800w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-7.png 2400w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-8.png 3000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-9.png 3600w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><\/span><\/span><\/p>\n<p><span>The January timing is notable. That spike predates the start of tax filing season (the IRS began accepting returns January 27). It may be tied to disaster relief or end-of-year giving campaigns that carry into the new year \u2014 attackers setting up fake charity infrastructure early, before pivoting to tax-season exploitation in March.<\/span><\/p>\n<h2><strong><span>&#8220;Filing&#8221; scam domains have exploded \u2014 17x growth in four years<\/span><\/strong><\/h2>\n<p><span>One of the quieter but most dramatic trends in our data is the growth of threat domains containing &#8220;filing&#8221; in the domain name. Q1 daily averages have grown roughly 17x from 2023 to 2026, with a 275% jump in the last year alone. And unlike some categories where a single spike day inflates the numbers, 2026 &#8220;filing&#8221; activity is distributed across multiple spike clusters throughout Q1.<\/span><\/p>\n<p><span><span><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-2.png?resize=640%2C396&#038;ssl=1\" width=\"640\" height=\"396\" alt=\"&quot;Filing&quot; scam domains have exploded \u2014 17x growth in four years\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-10.png 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-2.png 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-11.png 1800w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-12.png 2400w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-13.png 3000w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/04\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing-14.png 3600w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><\/span><\/span><\/p>\n<p><strong><span>A real-world example:<\/span><\/strong><span> One domain DNSFilter flagged this season includes the phrase &#8220;state filings&#8221; and mimics a legitimate state tax filing portal. It uses a .com domain instead of .gov \u2014 a subtle but critical difference. DNSFilter threat analyst Gregg Jones notes the site uses this false trust signal to either charge inflated processing fees or harvest bank account information for resale. It&#8217;s professional enough to pass a quick glance, which is exactly what makes it dangerous.<\/span><\/p>\n<p><span>This category is growing precisely because it works. A domain containing &#8220;state filings&#8221; is more plausible than &#8220;turb0tax-refund[.]com&#8221; \u2014 and that shift toward legitimacy-mimicking domains is a core theme of what we&#8217;re seeing across all our tax season data.<\/span><\/p>\n<h2><strong><span>TurboTax impersonation is fading \u2014 and that tells us something<\/span><\/strong><\/h2>\n<p><span>Not every trend line goes up. Threat domains impersonating TurboTax have dropped 95% over three years \u2014 from a concentrated February spike cluster in 2023 to barely any activity in 2026, with only 8 active days in the entire quarter.<\/span><\/p>\n<p><span>This doesn&#8217;t mean tax scams are slowing down. It means attackers are shifting away from brand impersonation \u2014 which is easier for security tools and savvy users to catch \u2014 and toward generic, official-sounding domains that don&#8217;t trigger the same suspicion. The move from &#8220;fake TurboTax&#8221; to &#8220;fake state filing portal&#8221; is an evolution in sophistication, not a retreat.<\/span><\/p>\n<h2><strong><span>What the Dirty Dozen misses \u2014 and what DNS data catches<\/span><\/strong><\/h2>\n<p><span>The IRS Dirty Dozen is a valuable awareness tool, but it&#8217;s a snapshot \u2014 curated once a year to highlight broad categories. DNS threat data gives us a real-time, continuous view of what attackers are actually doing on the internet, domain by domain, day by day.<\/span><\/p>\n<p><span>Here&#8217;s what four years of tracking tells us:<\/span><\/p>\n<p><strong><span>Scammers follow the calendar.<\/span><\/strong><span> Tax-related threat domains spike predictably in the weeks before April 15. In 2024, we saw a 693% increase in traffic to malicious &#8220;tax&#8221; domains in the 30 days before the filing deadline compared to the rest of tax season. Activity is ramping again in 2026 \u2014 but in more fragmented, harder-to-detect ways across multiple domain categories.<\/span><\/p>\n<p><strong><span>Scammers shift tactics every year.<\/span><\/strong><span> Brand impersonation (TurboTax) is down 95%. Generic filing scams are up 17x. Fuel credit fraud keeps growing at triple-digit rates. Charity scams reversed a two-year decline. The specific mix of threats changes annually, which is exactly why static blocklists and traditional threat feeds that catalog known domains aren&#8217;t enough \u2014 by the time a threat domain lands on a list, it may have already done its damage.<\/span><\/p>\n<p><strong><span>The threat doesn&#8217;t end on April 15.<\/span><\/strong><span> Our 2024 data showed that malicious traffic continued well past Tax Day, targeting taxpayers who filed extensions or were still searching for tax software. If you&#8217;re an IT admin, don&#8217;t relax your DNS filtering posture after the deadline passes.<\/span><\/p>\n<h2><strong><span>How to protect yourself and your organization<\/span><\/strong><\/h2>\n<ul>\n<li><strong><span>Verify every tax-related domain.<\/span><\/strong><span> If you&#8217;re filing online, navigate directly to your tax software provider or IRS.gov. Don&#8217;t click links from emails, texts, or search ads. Look for .gov domains when interacting with government services \u2014 a .com claiming to handle state filings is a red flag.<\/span><\/li>\n<li><strong><span>Be skeptical of fuel tax credit offers.<\/span><\/strong><span> If someone is promising you a refund or credit tied to fuel purchases, verify through the IRS directly \u2014 not through the site making the offer.<\/span><\/li>\n<li><strong><span>Check charity legitimacy.<\/span><\/strong><span> Before donating for a tax deduction, confirm the organization&#8217;s tax-exempt status using the IRS&#8217;s<\/span><a href=\"https:\/\/www.irs.gov\/charities-non-profits\/tax-exempt-organization-search\"><span> <\/span><u><span>Tax Exempt Organization Search<\/span><\/u><\/a><span> tool.<\/span><\/li>\n<li><strong><span>Use DNS-layer protection.<\/span><\/strong><span> DNSFilter blocks malicious domains at the DNS layer using AI-powered threat detection, catching new threat domains an average of 10 days before traditional threat feeds. That speed matters most during events like tax season, when attackers spin up new domains daily.<\/span><a href=\"https:\/\/www.dnsfilter.com\/use-case\/threat-defense\" rel=\"noopener\"><span> <\/span><u><span>Learn more about how DNSFilter protects against phishing and malicious domains.<\/span><\/u><\/a><\/li>\n<\/ul>\n<p><a href=\"https:\/\/app.dnsfilter.com\/signup\" rel=\"noopener\" target=\"_blank\"><u><span>Start your free trial of DNSFilter today<\/span><\/u><\/a><span>.<\/span><\/p>\n<p><a href=\"https:\/\/www.dnsfilter.com\/blog\/the-tax-scams-the-irs-stopped-warning-you-about-are-still-growing\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Four years of DNSFilter threat data reveals how cybercriminals are<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[79],"tags":[87],"class_list":["post-8488","post","type-post","status-publish","format-standard","hentry","category-cyber-threats","tag-cyber-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"DNSFilter","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/dnsfilter\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cyber-threats\/\" rel=\"category tag\">Cyber Threats<\/a>","tag_info":"Cyber Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8488"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8488\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}