The Internal Revenue Service has warned taxpayers for years to be wary of online phishing, where people impersonate the agency using fake emails, text messages, or websites in order to steal your personal information. Last month, phishing topped the agency’s “dirty dozen” list of most prevalent scams.

But online scammers do more than masquerade as the IRS. Some have created fake versions of online accounting tools like QuickBooks, while others pretend to be tech support agents. The cybersecurity firm Lookout discovered more than 100 websites registered in recent months that appear designed to dupe people trying to file their taxes. The domains target a large pool of potential victims: More than 135 million Americans filed their taxes electronically last year, according to the IRS.

Lookout discovered that tax scammers start early: Dozens of these websites were created in December, right around the time people begin receiving their W-2 forms. (Some of the sites also targeted victims in the United Kingdom.) Many of the domains appear designed to steal login credentials or personal information like passport numbers. Other varieties coax people to download malicious software.

One of the most basic scams Lookout uncovered are sites that impersonate accounting tools from the company Intuit, which makes popular software like Quickbooks and TurboTax. These sites often use domain names that are very similar to the real ones, like “quickbooksltd.com” or “accounts-quickbooks.com.” The domains are often engineered to steal users’ login credentials for the legitimate sites.

Lookout also found a breed of sites that appear to retrofit a classic online scam for tax season: pretending to be tech support. Tax software isn’t something most people use on a regular basis, so it makes sense that many users look for help navigating it. Unfortunately, scam websites like “quickebooksupport.com” and “quickbooks-helpline.com” are waiting for them. “The mode of attack is an SEO optimization thing,” says Jeremy Richards, a security intelligence researcher at Lookout, meaning the scams try to snag people who are searching sites like Google or Bing for help.

At the 1-800 numbers listed on these sites, people posing as “support” technicians often ask for remote access to victims’ computers in order to steal sensitive personal information. Other schemes use the numbers to sell bogus, unnecessary software. Similar sites have been built to impersonate Apple support technicians, and the podcast Reply All did a deep dive on comparable tech support fraud in 2017.

Richards also discovered over 50 tax-related domains that appeared to be part of the same malicious advertising network. It’s not clear exactly how the scam works, but once on the site, users would be directed to download malware disguised as things like software updates. The group of sites may represent a clever way for phishing scammers to dupe you, even if they can’t obtain your login credentials or personal information.

In general, Richards says, phishing websites redirect you to Google if you don’t land on the right phishing trap, or they present a 404 error. “But now they’re redirecting to some way that they can monetize,” he explains. Didn’t hand over your login credentials? Here, have a malicious Flash update instead.

To find these tax scams, Lookout used an AI tool built in 2017 that monitors internet infrastructure organizations—like companies that offer free web hosting—for suspicious-looking domains. Lookout finds thousands of potential new phishing sites each day, and regularly alerts companies whose websites scammers are trying to mimic.

But because the tool only watches for websites, it can’t provide a full picture of how every tax scam works. For example, if a scammer sends an email asking you to click on a bogus IRS link, Lookout can detect the domain, but not the email itself. It’s like “we see blood on the floor but we don’t know where the knife is,” Richards says.

Lookout’s research only represents a small slice of the total number of tax scams out there this year. Other recently reported scams involve using social media to target users with misinformation about phony tax breaks to obtain their personal information. But the websites show scammers are evolving, and indicate that phishing is still a serious threat. There’s still more to be learned about how many of these scams operate, but in the meantime there are simple ways to stay safe.

The IRS says it typically contacts citizens first by mail, not via email. If you haven’t received a paper letter, it’s unlikely that any electronic communication claiming to be from the agency is real. Legitimate tech support agents also don’t need to see your screen or obtain your login information in order to help you. And it’s always a good idea to use a password manager instead of reusing the same password across multiple accounts.

More Great WIRED Stories