Tax Season 2026: How Cyber Criminals Are Preparing Their Attacks Months in Advance — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: MEDIUM
Tax Season 2026 Phishing Scam in India: How Cyber Criminals Are Preparing Attacks Months in Advance
As Tax Season 2026 nears, cybercriminals in India are ramping up phishing schemes to trick taxpayers and businesses, putting your money and personal data at serious risk.
What Is the Tax Season 2026 Phishing Scam?
This phishing scam targets individuals and businesses filing income tax returns and managing GST compliance in India. Cybercriminals are exploiting the busy tax-filing period by sending fake messages that look like official communications from the Income Tax Department, banks, or GST authorities. The scam aims to steal sensitive information such as PAN, Aadhaar numbers, login credentials, and bank details.
What makes this scam especially dangerous in 2026 is the way criminals prepare months in advance. They collect publicly available data from social media like Facebook and LinkedIn, as well as internet searches, to identify high-value targets with complex financial profiles. This targeted approach increases their chance of success, as victims trust messages that seem customized to their tax or financial situation.
According to CERT-In advisories, phishing attacks ramp up significantly during tax season, and RBI has issued warnings about fake tax refund SMSes and emails directing users to fraudulent payment portals. The Indian government’s I4C (Indian Cyber Crime Coordination Centre) also monitors such scams closely, urging taxpayers to stay vigilant.
How This Scam Works — Step by Step
1. Initial Contact: Victims receive a call, SMS, WhatsApp message, or email that appears to come from the Income Tax Department, GST portal, or their bank. The message may claim there is an issue with their tax return, pending refund, or GST payment.
2. Phishing Link or Phone Number: The communication includes a link to a fake website mimicking the official tax portal or a phone number to “resolve the issue.” Victims are urged to act quickly to avoid penalties.
3. Data Request: On the fake website or call, victims are asked to provide sensitive details such as PAN card number, Aadhaar number, OTPs (One-Time Passwords), bank account information, or UPI PIN.
4. Malware Installation: Sometimes, links lead to malware apps that secretly record keystrokes or steal data from the victim’s phone or computer.
5. Money Transfer: Using the stolen data, cybercriminals may initiate fraudulent UPI or net banking transactions, draining accounts or taking out loans in the victim’s name.
6. Cover-Up: Criminals may use SIM swap fraud to intercept OTPs, making recovery difficult for victims.
Real Warning Signs to Watch For
- Messages claiming urgent action on tax refunds or dues with threats of legal action
- Requests for sensitive information like OTPs, Aadhaar number, PAN, or UPI PIN
- Links to websites with unusual URLs (addresses that do not end in .gov.in or another official domain)
- Poor grammar, spelling mistakes, or inconsistent logos in emails or messages
- Calls from numbers that don’t match official Income Tax or GST helpline contacts
- Pressure to download apps or software for tax filing or payment
- Unexpected messages on WhatsApp or SMS about tax dues when you have not initiated any request
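The link and data-request warning signs above can be checked mechanically, as long as the hostname is parsed rather than searched for the text "gov.in". The Python sketch below is an added example, not BharatSecure's code; the allowlist, the function names, and the sample messages and URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: ".gov.in" comes from the warning-sign list; add your bank's
# real domain yourself. Everything else here is illustrative.
OFFICIAL_SUFFIXES = ("gov.in",)
SENSITIVE = re.compile(r"\b(otp|upi pin|password|aadhaar|pan)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def host_is_official(url, suffixes=OFFICIAL_SUFFIXES):
    """True only if the parsed hostname is an official domain or subdomain."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL: treat as untrusted
        return False
    # Compare on a label boundary: "refund-gov.in" must not pass as ".gov.in".
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(message):
    """Return the warning signs from the list above that a message shows."""
    signs = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:!?)")  # drop sentence punctuation
        if not host_is_official(url):
            signs.append("unofficial link: " + url)
    if SENSITIVE.search(message):
        signs.append("asks for sensitive data")
    return signs


# Constructed sample messages (not real indicators).
SAMPLES = [
    "Refund of Rs 15,000 pending. Share OTP at http://refund-gov.in/claim",
    "Verify return: https://incometax.gov.in.refund-status.example/login",
    "Login here https://incometax.gov.in@198.51.100.7/refund",
    "File a complaint at https://cybercrime.gov.in.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg) or ["no URL or data-request sign"], "<-", msg)
```

A clean result only means these two signs are absent; it does not show that a message is genuine.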
What Happens to Victims
Victims can suffer serious financial loss when cybercriminals use stolen credentials to initiate unauthorized UPI payments or net banking transfers. In many cases, they also face the misuse of their Aadhaar number and PAN for fraudulent tax returns or loan applications.
Emotionally, victims often experience stress, anxiety, and loss of trust in online financial services. Recovery can be a long and frustrating process because SIM swap fraud or changed passwords often delay or prevent reversing unauthorized transactions in the RBI-regulated UPI framework.
What RBI and CERT-In Say
The Reserve Bank of India regularly advises users to avoid sharing OTPs, PINs, or passwords with anyone, even if the caller claims to be a bank or tax official. RBI’s helpline for fraud victims is 1800-180-8636. CERT-In has issued advisories warning against phishing attacks during tax season and urges users to verify URLs carefully and avoid clicking suspicious links.
I4C supports centralized cybercrime reporting and offers the 1930 cybercrime helpline for immediate assistance. Both CERT-In and RBI emphasize using official portals directly for tax filing and verifying messages through authorized government websites.
How to Protect Yourself
- Always access the Income Tax Department or GST portal by typing the official URL yourself, never through links in messages.
- Do NOT share OTPs, passwords, UPI PINs, or Aadhaar/PAN details over calls, SMS, or WhatsApp.
- Verify any suspicious calls claiming to be from tax authorities by calling official helpline numbers.
- Use two-factor authentication (2FA) on your online banking, UPI apps, and email accounts.
- Update your mobile device and antivirus software regularly to protect against malware.
- Avoid downloading unknown apps or software linked to tax filing.
- Regularly review your bank and UPI transaction statements for unauthorized activity.
What to Do If You've Been Targeted
- Immediately block or freeze your bank account through your bank’s customer service.
- Contact your UPI app support and disable UPI transactions temporarily.
- Report the fraud to your bank and ask for reversal of unauthorized transactions (keep in mind RBI’s rules on time frames).
- File a complaint on the National Cyber Crime Reporting Portal at cybercrime.gov.in.
- Call the cybercrime helpline 1930 for assistance and guidance.
- Inform the police and provide all evidence such as messages, emails, call records, and transaction details.
- Change all passwords related to your email, tax portals, and banking immediately.
Frequently Asked Questions
Q: How can I be sure a message from the Income Tax Department is genuine?
A: The official tax department communicates through your registered email or via login alerts on their portal, never asking for OTP or password via SMS/WhatsApp. Always verify by logging into the official portal directly.
Q: What if I clicked on a phishing link but didn’t enter any data?
A: You should still run a full antivirus scan on your device, change your passwords on all important accounts, and monitor bank statements closely for suspicious activity.
Q: Can RBI reverse unauthorized UPI transactions done through phishing?
A: RBI allows banks to reverse fraudulent transactions if reported quickly (usually within 3 days), but delays or SIM swap fraud complicate recovery. That’s why timely reporting is critical.
Tax Season scams are getting smarter every year. Always stay cautious and double-check suspicious messages before acting. When in doubt, visit BharatSecure.app to verify any tax-related alerts or messages before sharing your personal or financial information. Your vigilance is your best defense!