
2026 Tax-Season Phishing: Fake Microsoft 365 Invoices & BEC Traps
Tax time brings out the usual nonsense: fake Microsoft 365 invoices, QR-code “view bill” traps, and business email compromise that reroutes vendor payments. Here’s what not to do, what to lock down in Microsoft 365 and Google Workspace, and how to stop mailbox-rule hijacks before they drain your account.
Tax-season phishing 2026 is doing what it always does: showing up when people are busy, stressed, and clicking too fast. I see this exact problem three times a week. Somebody gets a scary “invoice” for Microsoft 365, or a “vendor bank change” email, and suddenly money is gone, accounts are hijacked, and everyone’s pointing fingers like it’s a courtroom drama.
Look, I’m not going to sugarcoat this. The crooks are not hacking your computer like in the movies. They’re hacking your habits. They send believable emails, use real brand names, and count on you to do the one thing you should not do: rush.
This post covers the current playbook I’m seeing in 2026: the fake Microsoft 365 invoice scam, QR-code invoice lures, and the classic business email compromise (BEC) payment reroute. Then we’ll circle back to boring-but-works fixes: MFA, Conditional Access, blocking auto-forwarding, auditing mailbox rules, and tightening SPF/DKIM/DMARC.
Tax-season phishing 2026: why “invoice” scams spike when you’re busy
Back in my day, tax season meant a shoebox of receipts, a squeaky calculator, and maybe a dot-matrix printout if you were feeling fancy. Now it’s email inboxes full of “renewal notices,” “payment failed” alerts, and “final reminder” threats.
Attackers love tax season because:
- Invoices are normal right now. So fake ones blend in.
- People approve payments faster to “clear the queue.”
- Finance and ops teams are overloaded, which is exactly when mistakes happen.
And no, buying a more expensive laptop won’t fix this. That’s like putting racing tires on a car because you keep running red lights.
Fake Microsoft 365 invoice scam: what it looks like and what it’s really doing
The most common bait I’m seeing is the fake Microsoft 365 invoice scam. The email claims your subscription is renewing, your license count changed, or your card failed. Sometimes it includes a PDF. Sometimes it’s a “View invoice” button. Sometimes it’s a QR code because apparently we all decided QR codes are magical and harmless (they’re not).
Red flags I keep seeing (and you keep ignoring)
- Sender domain is “close enough”: extra letters, weird hyphens, or a random .info/.top domain.
- Urgency language: “final notice,” “service interruption,” “collections,” “legal.”
- Odd line items: huge license counts, unfamiliar add-ons, or a “support fee.”
- Phone number to call: the goal is to get you talking to a scammer who walks you into a payment or remote access.
What not to do
- Don’t call the number in the email. That’s like calling the number on a “free VCR cleaning” flyer taped to a gas pump.
- Don’t open random attachments on a work machine “just to check.”
- Don’t log in through the email link. Go to the real site by typing it yourself or using a known bookmark.
What to do instead (boring, reliable, effective)
- Verify billing inside the real admin portal (Microsoft 365 admin center for Microsoft tenants, Google Admin for Workspace).
- Confirm with your internal purchasing records or whoever actually owns the subscription.
- Report and quarantine the message in your email system so others don’t get tagged.
If you want Microsoft’s official security guidance, start here: Microsoft Support security guidance.
Business email compromise and BEC invoice fraud: the “vendor bank change” trap
Now for the one that really hurts: business email compromise. This is where attackers either spoof a vendor or break into a real mailbox and then send a perfectly timed email: “Hi, our bank account changed, please send future payments to this new routing number.”
This is BEC invoice fraud and it’s not clever. It’s just persistent, patient, and targeted. It’s the email equivalent of swapping the labels on two VHS tapes and hoping you don’t notice until it’s too late.
How it actually plays out behind the scenes
- The attacker gets into someone’s mailbox (weak password, reused password, MFA fatigue, or a stolen session token).
- They read old threads and learn your vendors, payment schedules, and who approves what.
- They reply inside an existing email chain, or spoof it convincingly.
- They request a payment reroute or send a “corrected invoice.”
- Money goes to the wrong place. Then everybody discovers “email is not a payment system.”
The one rule that stops most vendor payment change email scams
Any request to change bank details must be verified out-of-band. That means a phone call to a known number from your records, not the number in the email. Or a verification step in your vendor portal. Boring. Effective. Do it every time.
QR code invoice phishing: the “camera makes it safe” illusion
QR codes are just links wearing a trench coat. That’s it. A QR code invoice phishing email typically says “Scan to view invoice” or “Scan to pay.” You scan it, and it drops you on a fake Microsoft sign-in page or a fake payment page.
What makes QR lures nasty
- They dodge some link scanning because the link is embedded in an image.
- They move the action to your phone, which might not have the same protections as your work PC.
- They’re fast: scan, login, done, compromised.
Simple defenses that work
- Train staff to treat QR codes like unknown links.
- Require MFA (and not the “approve push no matter what” habit).
- If your team needs help cleaning up after a click, that’s when professional virus removal and malware cleanup matters.
Mailbox rule hijacking: the persistence trick most people miss
Here’s what actually happens when you ignore this: you change the password, you feel proud, and the attacker keeps winning anyway.
Why? Because they set mailbox rules and/or auto-forwarding to hide evidence and keep access. I’ve seen rules like:
- Move messages containing “invoice,” “wire,” “ACH,” or “payment” to Archive.
- Auto-delete replies from the real vendor.
- Forward all mail to an external address.
What to check in Microsoft 365 and Google Workspace
- Inbox rules for the compromised user (and executives, finance, and AP staff).
- Forwarding settings at the mailbox level and tenant level.
- Delegated access or suspicious app permissions (OAuth grants you didn’t approve).
- Sign-in logs for impossible travel and unusual IPs.
If you’re already in the weeds and need a steady hand, that’s where remote IT support can get eyes on the tenant quickly without waiting for someone to drive across town.
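Here is what that check looks like when you actually run it. This is an added example, not code from the original post and not a Microsoft script: Exchange Online PowerShell that flags inbox rules forwarding mail outside the company, rules that bury or delete anything mentioning money, and mailbox-level forwarding. The domain names and mailbox addresses are placeholders, and the finance keyword list is a starting point, not gospel.

```powershell
# Added example (not from the original post): hunt for hijacked inbox rules and
# mailbox-level forwarding in Exchange Online. Requires the ExchangeOnlineManagement
# module; run Connect-ExchangeOnline first. Domain names and UPNs below are placeholders.

# Finance words an attacker's rule typically hides; extend for your business.
$FinanceWords = @('invoice', 'wire', 'ach', 'payment', 'remit', 'bank', 'routing')

function Get-RecipientDomain {
    # Rule recipients render as  "Name" [SMTP:user@domain]  ; pull the domain after the '@'.
    param([string] $Recipient)
    if ($Recipient -match '@([A-Za-z0-9.-]+)') { return $Matches[1].ToLower() }
    return $null
}

function Get-SuspiciousInboxRules {
    param(
        [Parameter(Mandatory)] [string[]] $Mailboxes,        # UPNs to audit
        [Parameter(Mandatory)] [string[]] $InternalDomains   # domains you own, lower-case
    )
    foreach ($mbx in $Mailboxes) {
        foreach ($rule in @(Get-InboxRule -Mailbox $mbx)) {
            $reasons = @()

            # 1. The rule sends mail somewhere outside the company.
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ } | ForEach-Object { "$_" }
            foreach ($t in $targets) {
                $domain = Get-RecipientDomain $t
                if ($domain -and $InternalDomains -notcontains $domain) {
                    $reasons += "forwards externally to $t"
                }
            }

            # 2. The rule buries or deletes mail that mentions money.
            $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) +
                     @($rule.SubjectOrBodyContainsWords) | Where-Object { $_ }
            $hits = @($words | Where-Object {
                $w = "$_".ToLower()
                @($FinanceWords | Where-Object { $w -like "*$_*" }).Count -gt 0
            })
            if ($hits.Count -gt 0 -and ($rule.DeleteMessage -or $rule.MoveToFolder -or $rule.MarkAsRead)) {
                $reasons += "hides finance mail matching: $($hits -join ', ')"
            }

            # 3. The rule deletes mail with no narrowing condition at all.
            if ($rule.DeleteMessage -and @($words).Count -eq 0 -and -not $rule.From) {
                $reasons += 'deletes mail with no condition'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox = $mbx
                    Rule    = $rule.Name
                    Enabled = $rule.Enabled
                    Reasons = $reasons -join '; '
                }
            }
        }
    }
}

function Get-MailboxForwarding {
    param([Parameter(Mandatory)] [string[]] $InternalDomains)
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        ForEach-Object {
            # ForwardingSmtpAddress is a raw "smtp:user@domain"; ForwardingAddress is a
            # directory object (resolve it with Get-Recipient to see its real SMTP target).
            $target = if ($_.ForwardingSmtpAddress) { "$($_.ForwardingSmtpAddress)" } else { "$($_.ForwardingAddress)" }
            $domain = Get-RecipientDomain $target
            [pscustomobject]@{
                Mailbox    = $_.UserPrincipalName
                ForwardsTo = $target
                KeepsCopy  = $_.DeliverToMailboxAndForward   # $false means the victim never sees the mail
                External   = [bool]($domain -and $InternalDomains -notcontains $domain)
            }
        }
}

# Usage (placeholders): finance, AP and executive mailboxes first, then every mailbox's forwarding.
# Get-SuspiciousInboxRules -Mailboxes 'ap@contoso.com','cfo@contoso.com' -InternalDomains 'contoso.com' | Format-Table -AutoSize
# Get-MailboxForwarding -InternalDomains 'contoso.com' | Format-Table -AutoSize
```

Run the rule audit against the people who touch money first, then the forwarding sweep across the whole tenant. A rule named something innocent like “.” or “Archive old” that moves anything containing “invoice” to RSS Feeds and marks it read is exactly what the second check is built to surface.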
Microsoft 365 tenant security: the boring checklist that saves your budget
You don’t need a “next-gen AI cyber platform” (yes, I rolled my eyes while typing that). You need the basics done correctly. Like changing your oil before the engine seizes.
MFA, but done like you mean it
- Require MFA for all users, especially admins.
- Use strong methods where possible (authenticator app or security keys).
- Reduce “MFA fatigue” by limiting endless prompts and training users to deny unexpected approvals.
Conditional Access: stop risky logins before they become incidents
Conditional Access (available in Microsoft Entra ID plans that include it) lets you require MFA, block legacy authentication, and restrict access based on risk signals, device compliance, or location. Set it up carefully, test, and don’t lock out your whole company at 4:55 PM on a Friday. I’ve seen that movie.
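“Test first” is easy to say and easy to skip, so here is an added example (not from the original post, and not an official Microsoft template) of creating the two basic policies in report-only mode with Microsoft Graph PowerShell. Report-only logs what each policy would have done without enforcing it, which is how you find the ancient copier that still uses SMTP AUTH before it finds you. The break-glass account ID is a placeholder.

```powershell
# Added example (not from the original post): create Conditional Access policies in
# report-only mode, then flip to enforced once the sign-in report shows no surprises.
# Requires the Microsoft.Graph PowerShell module and an Entra ID plan that includes
# Conditional Access. Connect first with:
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $ClientAppTypes,     # 'all', or 'exchangeActiveSync','other' for legacy auth
        [Parameter(Mandatory)] [string]   $Control,            # 'mfa' or 'block'
        [Parameter(Mandatory)] [string[]] $BreakGlassUserIds,  # object IDs of emergency-access accounts (placeholders)
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string] $State = 'enabledForReportingButNotEnforced'   # report-only by default
    )
    $policy = @{
        displayName   = $DisplayName
        state         = $State
        conditions    = @{
            applications   = @{ includeApplications = @('All') }
            users          = @{
                includeUsers = @('All')
                excludeUsers = $BreakGlassUserIds   # never lock out the accounts that fix lockouts
            }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @($Control)
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

# Usage (placeholder break-glass ID). Both policies start in report-only.
$breakGlass = @('00000000-0000-0000-0000-000000000000')

# 1. Require MFA for everyone, every app.
New-ReportOnlyCaPolicy -DisplayName 'Require MFA for all users (added example)' `
    -ClientAppTypes 'all' -Control 'mfa' -BreakGlassUserIds $breakGlass

# 2. Block legacy authentication: Exchange ActiveSync and "other clients"
#    (POP, IMAP, SMTP AUTH, old Office) cannot do MFA at all, so they get blocked outright.
New-ReportOnlyCaPolicy -DisplayName 'Block legacy authentication (added example)' `
    -ClientAppTypes 'exchangeActiveSync', 'other' -Control 'block' -BreakGlassUserIds $breakGlass

# After a week of clean report-only results, re-run with -State enabled.
```

Review the report-only results in the sign-in logs before enforcing. If the legacy-auth policy shows a scanner, a line-of-business app, or the CEO’s old mail client, fix those first; the policy did its job by telling you, not by cutting them off at 4:55 PM on a Friday.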
Block auto-forwarding to external addresses
This one is huge for BEC. Many organizations allow auto-forwarding by default or forget to disable it. Don’t make it easy for attackers to siphon mail out quietly.
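The tenant-wide switch lives in two places in Exchange Online, and you want both checked. This is an added example (not from the original post): one function reports the current posture, the other turns external auto-forwarding off everywhere.

```powershell
# Added example (not from the original post): check and disable tenant-wide automatic
# forwarding to external recipients in Exchange Online. Requires ExchangeOnlineManagement
# and Connect-ExchangeOnline with an Exchange admin role.

function Get-AutoForwardPosture {
    # The outbound spam filter policy governs user-driven forwarding (inbox rules and
    # mailbox forwarding). Values: Automatic, On, Off. Automatic is Microsoft's default and
    # currently behaves like Off, but set Off explicitly so your posture is not a default.
    $policies = Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
    # Remote domains govern server-side auto-forward per destination; 'Default' covers all others.
    $remote   = Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled
    [pscustomobject]@{
        OutboundSpamPolicies = $policies
        RemoteDomains        = $remote
        # Weak if any policy is not explicitly Off, or any remote domain still allows auto-forward.
        Weak = (@($policies | Where-Object { $_.AutoForwardingMode -ne 'Off' }).Count -gt 0) -or
               (@($remote   | Where-Object { $_.AutoForwardEnabled }).Count -gt 0)
    }
}

function Set-AutoForwardBlocked {
    # Turn external auto-forwarding off everywhere. Anyone with a real business need gets
    # a separate outbound spam policy scoped to them, never a tenant-wide On.
    Get-HostedOutboundSpamFilterPolicy | ForEach-Object {
        Set-HostedOutboundSpamFilterPolicy -Identity $_.Identity -AutoForwardingMode Off
    }
    Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } | ForEach-Object {
        Set-RemoteDomain -Identity $_.Identity -AutoForwardEnabled $false
    }
}

# Usage:
# Get-AutoForwardPosture
# Set-AutoForwardBlocked
# Get-AutoForwardPosture   # Weak should now be False
```

Blocking the tenant setting stops new leaks; it does not remove forwarding that attackers already configured on individual mailboxes, which is why the per-mailbox audit still has to run.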
Audit admin accounts and reduce standing privilege
- Limit the number of global admins.
- Use separate admin accounts (no daily-email admin accounts).
- Review who has access to billing changes and payment methods.
Google Workspace invoice scam: yes, it hits Gmail too
If you’re on Google Workspace, don’t get smug. I’ve cleaned up plenty of Google Workspace invoice scam messes where the email looked like a renewal notice, an “account storage overage,” or a fake support ticket.
The same rules apply:
- Verify billing inside the real admin console.
- Don’t trust “reply-to” addresses just because the display name looks right.
- Lock down forwarding, app access, and recovery options.
SPF, DKIM, DMARC: not glamorous, but it cuts down spoofing
SPF, DKIM, and DMARC won’t stop every BEC attack (because some attacks come from real compromised accounts). But they do reduce domain spoofing and make it harder for criminals to impersonate your company and vendors.
What each one does (plain English)
- SPF: says which mail servers are allowed to send mail for your domain.
- DKIM: cryptographically signs outgoing mail so recipients can verify that the signing domain vouched for the message and that the signed headers and body were not altered in transit.
- DMARC: tells recipients what to do if SPF/DKIM checks fail, and provides reporting.
What not to do
- Don’t publish DMARC with a strict policy without testing, unless you enjoy broken email and angry calls.
- Don’t ignore DMARC reports forever. They are telling you who is trying to impersonate you.
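Most broken email-authentication setups are visible in the TXT records themselves. Here is an added example (not from the original post) that parses an SPF and a DMARC record and calls out the usual mistakes: p=none with no reporting address, +all, too many lookups. It runs offline against the constructed sample records at the bottom; to check a live domain, feed it the strings returned by Resolve-DnsName -Name _dmarc.example.com -Type TXT instead.

```powershell
# Added example (not from the original post): parse and grade SPF and DMARC TXT records.
# Works offline on the constructed sample records below. For a live check, pass the
# Strings from  Resolve-DnsName -Name _dmarc.yourdomain.example -Type TXT  (Windows DnsClient).

function Get-DmarcAssessment {
    param([Parameter(Mandatory)] [string] $Record)
    # DMARC is "tag=value" pairs separated by semicolons, e.g.  v=DMARC1; p=quarantine; rua=mailto:...
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*([a-z]+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    $findings = @()
    if ($tags['v'] -ne 'DMARC1') { $findings += 'not a DMARC record (missing v=DMARC1)' }
    $p = if ($tags.ContainsKey('p')) { $tags['p'] } else { '' }
    switch ($p) {
        'none'       { $findings += 'p=none only monitors; spoofed mail is still delivered' }
        'quarantine' { }
        'reject'     { }
        default      { $findings += 'missing or invalid p= tag' }
    }
    if (-not $tags.ContainsKey('rua')) { $findings += 'no rua= address: you will never see the aggregate reports' }
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
        $findings += "pct=$($tags['pct']) applies the policy to only part of the mail"
    }
    [pscustomobject]@{ Policy = $p; Reports = $tags['rua']; Findings = $findings }
}

function Get-SpfAssessment {
    param([Parameter(Mandatory)] [string] $Record)
    $terms = @($Record -split '\s+' | Where-Object { $_ })
    $findings = @()
    if ($terms[0] -ne 'v=spf1') { $findings += 'not an SPF record (missing v=spf1)' }
    # Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
    $lookups = @($terms | Where-Object {
        $_ -match '^[+\-~?]?(include|a|mx|ptr|exists)(:|$|/)' -or $_ -match '^redirect='
    })
    if ($lookups.Count -gt 10) { $findings += "$($lookups.Count) lookup mechanisms exceed the limit of 10 (permerror)" }
    if (@($terms | Where-Object { $_ -match '^[+\-~?]?ptr(:|$)' }).Count -gt 0) { $findings += 'ptr is deprecated and slow' }
    $all = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    if (-not $all) {
        $findings += 'no all mechanism: unlisted senders are neutral'
    } else {
        switch -Regex ($all) {
            '^\+?all$' { $findings += '+all authorizes every server on the internet' }
            '^\?all$'  { $findings += '?all is neutral: effectively no protection' }
            '^~all$'   { }   # softfail: acceptable, DMARC alignment still does the work
            '^-all$'   { }   # hardfail: strongest
        }
    }
    [pscustomobject]@{ AllMechanism = $all; LookupMechanisms = $lookups.Count; Findings = $findings }
}

# Constructed sample records (not any real domain's records):
$WeakDmarc   = 'v=DMARC1; p=none'
$StrongDmarc = 'v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100'
$WeakSpf     = 'v=spf1 include:spf.protection.outlook.com include:_spf.google.com +all'
$StrongSpf   = 'v=spf1 include:spf.protection.outlook.com -all'

Get-DmarcAssessment $WeakDmarc
Get-DmarcAssessment $StrongDmarc
Get-SpfAssessment   $WeakSpf
Get-SpfAssessment   $StrongSpf
```

The weak DMARC record gets flagged twice (monitoring only, no reports), and the weak SPF record gets flagged for +all, which says every mail server on the planet may send as you. Move from p=none to p=quarantine to p=reject only after the rua reports stop showing legitimate senders you forgot about.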
Email security training: teach people the two questions that matter
I’m not asking you to turn your staff into digital detectives. I’m asking for two simple habits:
- Does this payment request make sense? (Timing, amount, vendor, tone.)
- How do I verify it outside email? (Known phone number, vendor portal, second approver.)
Back in my day, we rewound cassette tapes with a pencil because it was cheaper than buying new ones. Same energy here: simple habits save money.
If a machine is acting weird after someone “just opened a PDF,” start with computer repair and troubleshooting and escalate to malware cleanup as needed. And if the worst happens and files get encrypted or wiped, you’re in data recovery territory.
What to do if you already clicked or paid
This is where people waste the most time doing the wrong things first. So here it is, in order.
If credentials were entered
- Reset the password immediately.
- Revoke active sessions and review sign-in activity.
- Check MFA methods and remove anything unfamiliar.
- Audit mailbox rules and forwarding.
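The order matters, and so does speed. Here is an added example (not from the original post) of the containment steps in Microsoft Graph PowerShell: revoke every session and refresh token, list the registered MFA methods so an attacker-added one stands out, pull recent sign-ins, and list the OAuth grants the user consented to. The password reset stays a manual step in the admin center, and the scopes and mailbox address below are assumptions.

```powershell
# Added example (not from the original post): first-hour containment for a user who typed
# credentials into a phishing page. Requires the Microsoft.Graph PowerShell module.
# Connect first (scopes are the ones these cmdlets need):
#   Connect-MgGraph -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.Read.All','AuditLog.Read.All','Directory.Read.All'

function Invoke-CredentialPhishContainment {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $SignInHours = 72
    )
    # 1. Kill every active session and refresh token. A password reset alone leaves a stolen
    #    session token working until it expires; this cmdlet writes an error if it fails.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName -ErrorAction Stop | Out-Null

    # 2. Registered MFA methods. A phone number or authenticator the user does not recognize
    #    is the attacker's way back in after the reset.
    $methods = Get-MgUserAuthenticationMethod -UserId $UserPrincipalName | ForEach-Object {
        [pscustomobject]@{
            Id   = $_.Id
            Type = ($_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
        }
    }

    # 3. Recent sign-ins: IP, country, app, client. Unfamiliar countries, or two countries
    #    minutes apart ("impossible travel"), are what you are reading for.
    $since   = (Get-Date).AddHours(-$SignInHours).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter  = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since"
    $signIns = Get-MgAuditLogSignIn -Filter $filter -All | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.CreatedDateTime
            IP      = $_.IPAddress
            Country = $_.Location.CountryOrRegion
            App     = $_.AppDisplayName
            Client  = $_.ClientAppUsed
            Result  = if ($_.Status.ErrorCode -eq 0) { 'success' } else { "error $($_.Status.ErrorCode)" }
        }
    }

    # 4. OAuth grants this user consented to. A "mail reader" app nobody recognizes is
    #    persistence that survives both the password reset and the session revoke.
    $userId = (Get-MgUser -UserId $UserPrincipalName -Property Id).Id
    $grants = Get-MgOauth2PermissionGrant -Filter "principalId eq '$userId'" -All |
        Select-Object ClientId, Scope, ConsentType

    [pscustomobject]@{
        SessionsRevoked = $true
        MfaMethods      = $methods
        RecentSignIns   = $signIns
        OAuthGrants     = $grants
    }
}

# Usage (placeholder address):
# $r = Invoke-CredentialPhishContainment -UserPrincipalName 'ap@contoso.com'
# $r.MfaMethods | Format-Table
# $r.RecentSignIns | Sort-Object Time | Format-Table -AutoSize
# $r.OAuthGrants | Format-Table
```

Then reset the password, remove any MFA method in the list you did not register, revoke any OAuth grant you cannot explain, and run the inbox-rule and forwarding audit on that mailbox. Doing the reset first and the revoke later is the order that lets a stolen token keep working while you feel finished.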
If money was sent
- Call your bank immediately and request a recall or fraud process.
- Notify the real vendor using known contact info.
- Preserve the email and headers for investigation.
If you need a sanity check from people who do this all day
We can help clean up compromised mailboxes, lock down Microsoft 365 tenants, and set up the protections that should have been there in the first place. Locally, we cover West Palm Beach and the rest of Palm Beach County (yes, including the “my office is five minutes away” emergencies). If you’re not local, we also provide remote IT support nationwide that gets you back to boring and functional.
For general scam trends and how they evolve, I also point folks to Malwarebytes threat research and scam write-ups. It’s good reading if you like learning how criminals think (I don’t, but it’s useful).