Post-deadline US tax-return phishing — IRS or major e-file / tax-prep brand (TurboTax / H&R Block / TaxAct / FreeTaxUSA / TaxSlayer / Cash App Taxes / Jackson Hewitt / Liberty Tax) impersonation with a POST-processing narrative: "e-file rejected," "amended return (1040-X) required," "return under additional review," "additional documentation required," "extension denied," "correct and resubmit." Credential + SSN + prior-year-AGI + bank-account harvest for downstream tax-refund fraud. Shipped into the 2-6 week post-April-15 peak window. Distinct from iter-944 `fake-irs-refund-hold-lure` (pre-processing refund-hold shape). Evidence: IRS Dirty Dozen 2026; IRS CID tax-scam advisories; Proofpoint + Abnormal Security + TIGTA + FTC tax-phishing coverage

Post-deadline US tax-return phishing that hits peak volume in the 2-6 week window after the April filing deadline. While the pre-deadline wave is about refund-hold urgency ("your refund is on hold pending identity verification" — covered by iter-944 `fake-irs-refund-hold-lure`), the post-deadline wave uses POST-processing narrative shapes: "Your e-file was rejected — correct and resubmit within 48 hours." "Amended return (Form 1040-X) required." "Your return is under additional review." "Additional documentation required to process your return." "Extension request denied." "Your refund has been delayed pending verification — upload documents now." The brand mask is drawn from both the IRS itself and the major e-file / tax-prep platforms that legitimately handle e-file acceptance / rejection (TurboTax, H&R Block, TaxAct, FreeTaxUSA, TaxSlayer, Cash App Taxes, Jackson Hewitt, Liberty Tax) because any of them are plausible senders of a "your return needs attention" email in this window. The credential-harvesting link points at a typosquat host (irs-efile-resubmit.example, turbotax-amend-1040x.example, irs-review-upload.example) that captures SSN, prior-year AGI, full name + DOB, bank account details, or uploaded tax documents — all of which feed downstream refund-fraud schemes where the attacker files a fraudulent amended return redirecting the refund to their own bank account. Evidence: IRS Dirty Dozen 2026 list (the IRS publishes this annually in April with post-deadline threats highlighted); IRS Criminal Investigation Division tax-season-scam advisories; Proofpoint "Tax Season Scams" April 2026 report; Abnormal Security post-deadline phishing telemetry; TIGTA (Treasury Inspector General for Tax Administration) 2026 tax-fraud report; FTC Consumer Sentinel tax-scam statistics. Distinct from the existing refund-hold-lure because the vocabulary is disjoint — "rejected / amended / additional review / resubmit" is this signal; "on hold / pending / held" is the other signal. Legitimate IRS communications come exclusively from `irs.gov`; legitimate TurboTax from `turbotax.intuit.com`; H&R Block from `hrblock.com`. Any post-deadline "your return needs attention" email whose link target is a non-IRS / non-tax-prep host is, by construction, a phish. Go directly to irs.gov/refunds or your tax-prep provider's real account portal via a bookmarked URL — never click the link in the email. The real IRS never sends emails demanding SSN, banking information, or immediate payment.