With the start of the 2026 Income Tax return filing period, Kaspersky is warning of an increase in online scams exploiting the topic. In March alone, the company identified 61 malicious domains dedicated to fraud using the theme as bait. Cybercriminals are intensifying phishing attacks targeting both the theft of gov.br credentials and direct financial fraud, such as a new malicious campaign that simulates pending issues with the Federal Revenue Service to extort urgent payments via PIX or bank slip.
Cybercriminals exploit various hooks, creating numerous fraudulent domains with variations of keywords such as "IRPF" (Brazilian Income Tax Return), "online," "regularization," "accountant," "tax return template," and "access key." Scammers also use the terms "Receita Federal" (Brazilian Federal Revenue Service) or "gov" (government) in different ways and incorporate elements of "checkout" and "receita digital" (digital tax return). This strategy aims to confuse taxpayers, increase the number of accesses to malicious websites, and ultimately steal gov.br credentials and personal data.
Kaspersky has also identified a new ongoing scam campaign based on an alleged "income tax issue" communicated via email, simulating a notification from the Brazilian Federal Revenue Service. The message seeks to deceive taxpayers by claiming that a single issue related to their income tax return has been found and offering a discount of 100% on interest and penalties. The victim is then pressured to pay via PIX (Brazilian instant payment system) or bank slip, under the promise that regularization will bypass the tax audit process and prevent the inclusion of their CPF/CNPJ (Brazilian taxpayer ID) in the Federal Government's Active Debt list, with a tight deadline of only two business days for payment. The goal is to induce the transfer of funds to "mule" accounts, individuals who lend their accounts to criminals, while the sense of urgency and the false offer of benefit pressure the victim to act.
