The Internal Revenue Service has warned taxpayers for years to be wary of online phishing, where criminals impersonate the agency using fake emails, text messages, or websites in order to steal your personal information. Last month, phishing topped the agency’s “dirty dozen” list of most prevalent scams.

But online scammers do more than masquerade as the IRS. Some have created fake versions of online accounting tools like QuickBooks, while others pretend to be tech support agents. The cybersecurity firm Lookout discovered more than 100 websites registered in recent months that appear designed to dupe people trying to file their taxes. The domains target a large pool of potential victims: More than 135 million Americans filed their taxes electronically last year, according to the IRS.

Louise Matsakis covers cybersecurity, law, and internet culture for WIRED.

Lookout discovered that tax scammers start early: Dozens of these websites were created in December, right around the time people begin receiving their W-2 forms. (Some of the sites also targeted victims in the United Kingdom.) Many of the domains appear designed to steal login credentials or personal information like passport numbers. Other varieties coax people to download malicious software.

Some of the most basic scams Lookout uncovered are sites that impersonate accounting tools from the company Intuit, which makes popular software like Quickbooks and TurboTax. These sites often use domain names that are very similar to the real ones, like “quickbooksltd.com” or “accounts-quickbooks.com.” The domains are often engineered to steal users’ login credentials for the legitimate sites.

Some tax phishing schemes mimic popular filing software like Intuit's QuickBooks. Lookout

Lookout also found a breed of sites that appear to retrofit a classic online scam for tax season: pretending to be tech support. Tax software isn’t something most people use on a regular basis, so it makes sense that many users look for help navigating it. Unfortunately, scam websites like “quickebooksupport.com” and “quickbooks-helpline.com” are waiting for them. “The mode of attack is an SEO optimization thing,” says Jeremy Richards, a security intelligence researcher at Lookout, meaning the scams try to snag people who are searching sites like Google or Bing for help.

Some scams pose as tech support sites, hoping to nab people searching the web for help filing taxes. Lookout

At the 1-800 numbers listed on these sites, people posing as “support” technicians often ask for remote access to victims’ computers in order to steal sensitive personal information. Other schemes use the numbers to sell bogus, unnecessary software. Similar sites have been built to impersonate Apple support technicians, and the podcast Reply All did a deep dive on comparable tech support fraud in 2017.

Richards also discovered over 50 tax-related domains that appeared to be part of the same malicious advertising network. It’s not clear exactly how the scam works, but once on the site, users would be directed to download malware disguised as things like software updates. The group of sites may represent a clever way for phishing scammers to dupe you, even if they can’t obtain your login credentials or personal information.

Didn’t fall for the tax scam? Here, have a malicious Flash update instead. Lookout

In general, Richards says, phishing websites redirect you to Google if you don’t land on the right phishing trap, or they present a 404 error. “But now they’re redirecting to some way that they can monetize,” he explains. Didn’t hand over your login credentials? Here, have a malicious Flash update instead.

To find these tax scams, Lookout used an AI tool built in 2017 that monitors internet infrastructure organizations—like companies that offer free web hosting—for suspicious-looking domains. Lookout finds thousands of potential new phishing sites each day and regularly alerts companies whose websites scammers are trying to mimic.

But because the tool only watches for websites, it can’t provide a full picture of how every tax scam works. For example, if a scammer sends an email asking you to click on a bogus IRS link, Lookout can detect the domain, but not the email itself. It’s like “we see blood on the floor, but we don’t know where the knife is,” Richards says.