Threat Intelligence Briefing

The Tax Season Attack Calendar

By Mohammed Khan, Founder & Principal Consultant, 313SEC
CPTS · arcX CTI Practitioner & Advanced · MAD20

Cybercriminals do not attack randomly. They study your deadlines, peak periods, and seasonal stress points. Then they strike when your team is least likely to question an email. Here is their calendar.

01 The Pattern

They Know When You Are Busiest

HMRC reported over 135,500 scam reports in ten months, with clear spikes around Self Assessment deadlines, year-end filings, and MTD submission windows. This is not coincidence. Attackers study the accountancy calendar the way a burglar studies when you leave for work.

The logic is simple: urgency overrides caution. When your team is processing 200 returns in the week before a deadline, an email that says "HMRC: Urgent action required for client UTR 12345678" gets clicked. The same email in August gets scrutinised. Attackers know this.

02 The Calendar

[Interactive figure: 2026 Attack Surface Calendar. Legend: Critical, Elevated, Baseline.]

03 Attack Types

What Lands in Your Inbox

Not all phishing is created equal. Modern attacks against accountancy practices use four distinct approaches, each designed to exploit a different trust relationship.

HMRC Impersonation (69% of breaches start here)
Fake HMRC emails referencing real deadlines, penalties, or refunds. Uses official branding and urgent language to trigger immediate action.

Client Impersonation (Hardest to detect)
Emails appearing to come from existing clients requesting fund transfers, document sharing, or credential changes. Exploits established trust.

New Client Lure (Most targeted vector)
Fake prospective client with a plausible story sends malicious documents disguised as tax correspondence. Targets the onboarding process.

Software Supply Chain (Fastest growing)
Compromised updates to accounting software, cloud platforms, or practice management tools. The attack comes from a trusted vendor, not a stranger.

04 Real Lures

What These Emails Actually Look Like

The examples are based on real attack patterns documented by HMRC, ICAEW, and incident response teams working with accountancy practices.

05 Seasonal Defence

How to Defend Against Calendar-Aware Attacks

01 Run phishing simulations timed to your deadlines, not random dates

Most phishing training sends test emails at random times. That misses the point entirely. Send your simulated phishing during the week before the SA deadline, during year-end processing, during MTD submission windows. Test your team when they are under the same pressure that real attackers exploit. The results will be dramatically different from a simulation sent on a quiet Tuesday in August.

02 Implement a "slow down" protocol for peak filing periods

During high-risk months, add a mandatory verification step for any email requesting credential entry, document downloads, or payment actions. This could be as simple as a Slack message to a colleague: "Can you verify this looks legitimate?" The goal is to interrupt the urgency loop that attackers depend on. Five seconds of pause prevents five-figure losses.
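
One way to apply this protocol at mail triage, shown as an added example that is not 313SEC's code: a message is held for a colleague's second look only when it arrives in the run-up to a deadline and asks for one of the three actions named above. The deadline dates, keyword patterns and sample messages are assumptions constructed for illustration.

```python
import re
from datetime import date, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# ASSUMPTION: illustrative deadlines; substitute your practice's own filing calendar.
DEADLINES = {"Self Assessment": date(2026, 1, 31), "Tax year end": date(2026, 4, 5)}
WINDOW = timedelta(days=7)  # the week leading up to each deadline

# The three request types the protocol names. Keyword patterns are hypothetical
# starting points for tuning, not a vetted detection rule set.
RISKY_REQUESTS = {
    "credential entry": re.compile(r"\b(log ?in|sign ?in|password|credentials)\b", re.I),
    "document download": re.compile(r"\b(download|attached|attachment)\b", re.I),
    "payment action": re.compile(r"\b(payment|transfer|bank details|refund)\b", re.I),
}

def active_window(day):
    """Return the name of the deadline whose run-up contains `day`, else None."""
    for name, deadline in DEADLINES.items():
        if deadline - WINDOW <= day <= deadline:
            return name
    return None

def triage(raw_email):
    """Decide whether a message must be held for a colleague's second look."""
    msg = message_from_string(raw_email)
    # The Date header is sender-supplied; a deployment would use gateway receipt time.
    received = parsedate_to_datetime(msg["Date"]).date()
    text = f"{msg['Subject']}\n{msg.get_payload()}"
    requests = sorted(k for k, rx in RISKY_REQUESTS.items() if rx.search(text))
    window = active_window(received)
    return {"window": window, "requests": requests, "hold": bool(window and requests)}

# Constructed sample messages (not real traffic); only the Date header differs.
TEMPLATE = (
    "From: HMRC <notice@hmrc-example.invalid>\n"
    "Date: {when}\n"
    "Subject: HMRC: Urgent action required for client UTR 12345678\n"
    "\n"
    "Sign in to review the penalty notice and download the attached statement.\n"
)
PEAK = TEMPLATE.format(when="Tue, 27 Jan 2026 09:14:00 +0000")
QUIET = TEMPLATE.format(when="Tue, 11 Aug 2026 09:14:00 +0000")

if __name__ == "__main__":
    for label, raw in (("peak", PEAK), ("quiet", QUIET)):
        print(label, triage(raw))
```

The identical message is held in late January and passes in August, which is the calendar-dependent behaviour the protocol asks for.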

03 Pre-brief your team before every peak period

In the week before each major deadline, send a 2-minute briefing to all staff: "We are entering a high-risk window. Attackers will send HMRC-themed phishing this week. Do not click links in unexpected HMRC emails. Verify via the HMRC app or by calling 0300 200 3310 directly." Repetition is not annoying. It is effective.

04 Block known phishing infrastructure at the network level

HMRC publishes indicators of known scam domains and phone numbers. Feed these into your email security and DNS filtering. HMRC closed down 25,000 fake websites and phone numbers in 10 months. Your email security should be blocking these domains before they reach your team's inbox, not relying on human judgment alone.

05 Verify every new client enquiry independently before opening documents

The most targeted attack against accountancy practices starts with a fake new client. Before opening any documents from an unknown contact: check Companies House for the business, find a phone number independently, call and verify the person exists and made the enquiry. This adds two minutes and eliminates the most dangerous attack vector in the sector.

06 Assessment

The Bottom Line

Attackers are not more sophisticated than your team. They are more patient. They study your calendar, wait for the moment of maximum pressure, and strike when caution is at its lowest. The defence is not better technology alone. It is calendar-aware security: different protocols for different risk windows, timed training, and a culture that says slowing down during busy periods is not a weakness but a discipline.

They know your deadlines. Make sure your defences know them too.

Protect Your Practice Year-Round

313SEC provides calendar-aware security assessments for accountancy practices, including seasonal phishing simulations, HMRC agent account hardening, and incident response planning aligned to your filing cycles.
