Four years of DNSFilter threat data reveals how cybercriminals are evolving their tactics — and why the government's annual scam list only tells part of the story.
Every March, the IRS publishes its Dirty Dozen — a list of the top tax scams threatening taxpayers, businesses, and tax professionals. The 2026 edition, released on National Slam the Scam Day (March 5), includes the usual suspects: phishing, fake charities, ghost preparers, and misleading social media advice.
But one change stood out. The IRS dropped fuel tax credit scams from the list, replacing them with a new entry: abusive undistributed long-term capital gains claims tied to Form 2439. That's a scheme that plays out in fraudulent filings rather than malicious domains — a paperwork scam, not a web scam.
At DNSFilter, we've been tracking tax-related threat domains on our network for four years. And our data tells a more complicated — and in some ways more concerning — story than the Dirty Dozen alone.
The most striking finding in this year's data isn't any single spike. It's the shift in strategy.
Threat domains containing the generic keyword "tax" in the domain name actually declined in Q1 2026 — down 46% from Q1 2025. But that decline is misleading. The scammers didn't disappear. They diversified.
Domains containing "filing" surged 275% year over year. Fuel-related threat domains grew 116%. And charity scam domains — which had been declining for two straight years — came roaring back. In other words, attackers are moving away from generic "tax" domain names and toward more targeted, believable keywords that are harder to spot at a glance.
Fuel-related threat domains have been one of the most consistent growth stories in our tax season data. On the DNSFilter network, threat domains containing "fuel" in the domain name have climbed every year:
The spike patterns are intensifying too. A concentrated cluster from January 20–22, 2026 pushed fuel threat traffic to nearly 500% above the quarterly average. A second major spike followed on February 3.
Despite being removed from the 2026 Dirty Dozen, fuel-related threat domains haven't slowed down. These scams typically involve domains promoting fraudulent fuel tax credits or refunds, targeting both individuals and small businesses with sites that promise tax savings tied to fuel purchases.
The IRS kept fake charities on the 2026 Dirty Dozen. Our data shows they were right to.
Charity-related threat domain traffic on the DNSFilter network had been declining — and then stagnating — during tax season for two years running, dropping 64% from 2023 to 2024 before flatlining in 2025.
Then 2026 reversed the trend — dramatically. Charity threat domain traffic surged 793% over the prior year, more than tripling the 2023 level. The activity came in two distinct spike clusters:
The January timing is notable. That spike predates the start of tax filing season (the IRS began accepting returns January 27). It may be tied to disaster relief or end-of-year giving campaigns that carry into the new year — attackers setting up fake charity infrastructure early, before pivoting to tax-season exploitation in March.
One of the quieter but most dramatic trends in our data is the growth of threat domains containing "filing" in the domain name. Q1 daily averages have grown roughly 17x from 2023 to 2026, with a 275% jump in the last year alone. And unlike some categories where a single spike day inflates the numbers, 2026 "filing" activity is distributed across multiple spike clusters throughout Q1.
A real-world example: One domain DNSFilter flagged this season includes the phrase "state filings" and mimics a legitimate state tax filing portal. It uses a .com domain instead of .gov — a subtle but critical difference. DNSFilter threat analyst Gregg Jones notes the site uses this false trust signal to either charge inflated processing fees or harvest bank account information for resale. It's professional enough to pass a quick glance, which is exactly what makes it dangerous.
This category is growing precisely because it works. A domain containing "state filings" is more plausible than "turb0tax-refund[.]com" — and that shift toward legitimacy-mimicking domains is a core theme of what we're seeing across all our tax season data.
Not every trend line goes up. Threat domains impersonating TurboTax have dropped 95% over three years — from a concentrated February spike cluster in 2023 to barely any activity in 2026, with only 8 active days in the entire quarter.
This doesn't mean tax scams are slowing down. It means attackers are shifting away from brand impersonation — which is easier for security tools and savvy users to catch — and toward generic, official-sounding domains that don't trigger the same suspicion. The move from "fake TurboTax" to "fake state filing portal" is an evolution in sophistication, not a retreat.
The IRS Dirty Dozen is a valuable awareness tool, but it's a snapshot — curated once a year to highlight broad categories. DNS threat data gives us a real-time, continuous view of what attackers are actually doing on the internet, domain by domain, day by day.
Here's what four years of tracking tells us:
Scammers follow the calendar. Tax-related threat domains spike predictably in the weeks before April 15. In 2024, we saw a 693% increase in traffic to malicious "tax" domains in the 30 days before the filing deadline compared to the rest of tax season. Activity is ramping again in 2026 — but in more fragmented, harder-to-detect ways across multiple domain categories.
Scammers shift tactics every year. Brand impersonation (TurboTax) is down 95%. Generic filing scams are up 17x. Fuel credit fraud keeps growing at triple-digit rates. Charity scams reversed a two-year decline. The specific mix of threats changes annually, which is exactly why static blocklists and traditional threat feeds that catalog known domains aren't enough — by the time a threat domain lands on a list, it may have already done its damage.
The threat doesn't end on April 15. Our 2024 data showed that malicious traffic continued well past Tax Day, targeting taxpayers who filed extensions or were still searching for tax software. If you're an IT admin, don't relax your DNS filtering posture after the deadline passes.