Fake US state-tax-authority refund-verification lure — impersonates CA Franchise Tax Board (FTB) / NY Department of Taxation (DTF) / IL / TX / FL / NJ / OR / PA / MA / MI / OH / GA / NC / VA revenue departments with "your state tax refund is on hold pending identity verification, verify within 48 hours or refund forfeited" targeting US state-tax filers in the mid-April-through-July window when state refunds (which arrive weeks later than federal) are actively awaited; SSN + DL number + bank routing + AGI harvest feeds downstream refund fraud (attacker files amended state return redirecting refund). Distinct from `fake-irs-refund-hold-lure` (federal IRS). Evidence: CA FTB phishing advisories, NY DTF 2024 impersonation alerts, IRS State Tax Security Summit 2024-2025
fake-state-tax-refund-verification-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Refund-verification phishing that impersonates US state tax authorities. Attackers pose as state-level revenue departments (California Franchise Tax Board (FTB), New York Department of Taxation and Finance (DTF / NY DTF), Illinois Department of Revenue (IL DOR), Texas Comptroller, Florida Department of Revenue, New Jersey Division of Taxation, Oregon Department of Revenue, Pennsylvania Department of Revenue, Massachusetts Department of Revenue, Michigan Department of Treasury, Ohio Department of Taxation, Georgia Department of Revenue, North Carolina Department of Revenue, Virginia Department of Taxation) with a "your state tax refund is on hold pending identity verification" narrative. The typical message asks the victim to confirm SSN, date of birth, driver's license number (many state returns now use DL as an ID-verification proof), and bank routing / account numbers via a credential-harvesting link on a typosquat host (ftb-ca-refund-verify.example, ny-dtf-verify.example, il-revenue-verify.example). The harvested data feeds downstream refund fraud, where the attacker files a fraudulent amended state return redirecting the legitimate taxpayer's refund to an attacker-controlled bank account.
Seasonal fit is the key leverage: federal IRS refunds (covered by iter-944 `fake-irs-refund-hold-lure`) typically arrive 1-3 weeks after filing, but state refunds arrive substantially later. California, New York, and New Jersey routinely take 4-12 weeks to process and deposit. From mid-April through July, state-tax filers are therefore actively waiting for a refund they know is coming, and a "verify your identity to release your refund" email that arrives during that window fits the filer's expectations perfectly. The 2026 cycle is especially risky because California's new online-only ID-verification platform launched in February 2026 and millions of legitimate "verify your identity" emails have gone out, conditioning California filers to expect exactly this kind of request.
Distinct from `fake-irs-refund-hold-lure` (federal IRS only, different authority allowlist, earlier season peak), from `fake-fafsa-deadline-lure` (federal student aid, not tax refund), and from generic tax-refund phishing: this signal specifically names state-level revenue departments with their recognizable acronyms (FTB, DTF, IL DOR), which catches the population-targeted variant.
Real precedents: California FTB "phony refund emails" advisory on ftb.ca.gov; New York DTF 2024 phishing advisories tracking "DTF impersonation"; IRS State Tax Security Summit 2024-2025 reports highlighting state-tax phish as a growing vector; Krebs on Security state-tax-refund coverage.
Legitimate state-tax communications come exclusively from the authority's own official domain (most, but not all, are .gov): `ftb.ca.gov`, `tax.ny.gov`, `revenue.state.il.us`, `tax.illinois.gov`, `comptroller.texas.gov`, `floridarevenue.com`, `state.nj.us`, `oregon.gov`, `revenue.pa.gov`, `mass.gov`, `michigan.gov`, `tax.ohio.gov`, `dor.georgia.gov`, `ncdor.gov`, `tax.virginia.gov`. Any state-tax "verify identity to release your refund" email whose sign-in link is hosted elsewhere is, by construction, a phish. Go directly to your state revenue department's refund-status page via a bookmarked URL; never click the link in the urgency email. The real state tax authorities never send emails demanding SSN, DL numbers, or banking information; they send postal letters.
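The rule described above (state-authority name, refund-hold narrative, identity-verification ask, and a link hosted off the official-domain list) can be sketched as follows. This is an added example, not Gorganizer's code: the function names, regexes and sample messages are assumptions, and only the domain list and the typosquat host come from this page.

```python
import re
from urllib.parse import urlsplit

# Official domains exactly as listed on this page.
OFFICIAL = {
    "ftb.ca.gov", "tax.ny.gov", "revenue.state.il.us", "tax.illinois.gov",
    "comptroller.texas.gov", "floridarevenue.com", "state.nj.us", "oregon.gov",
    "revenue.pa.gov", "mass.gov", "michigan.gov", "tax.ohio.gov",
    "dor.georgia.gov", "ncdor.gov", "tax.virginia.gov",
}
# Assumed patterns (not the product's): authority names, refund-hold wording, verify ask.
AUTHORITY = re.compile(r"franchise tax board|\b(FTB|DTF)\b|department of (taxation|revenue|"
                       r"treasury)|division of taxation|comptroller", re.I)
REFUND_HOLD = re.compile(r"refund\b.{0,80}?(on hold|pending|forfeit|release)|"
                         r"(release|hold)\b.{0,40}?refund", re.I | re.S)
VERIFY = re.compile(r"verif(y|ication)|confirm your", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def is_official(host):
    # Exact match or a true subdomain; "ftb.ca.gov.evil.example" does not qualify.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def off_list_hosts(text):
    hosts = set()
    for url in URL.findall(text):
        # .hostname drops userinfo and port, so "https://tax.ny.gov@x.example/" yields x.example.
        host = (urlsplit(url).hostname or "").rstrip(".,;")
        if host and not is_official(host):
            hosts.add(host)
    return sorted(hosts)

def evaluate(subject, body):
    text = f"{subject}\n{body}"
    hits = {"authority": bool(AUTHORITY.search(text)),
            "refund_hold": bool(REFUND_HOLD.search(text)),
            "verify": bool(VERIFY.search(text))}
    hosts = off_list_hosts(text)
    # Narrative alone is not enough: the signal needs a link hosted off the official list.
    return {"match": all(hits.values()) and bool(hosts), "off_list_hosts": hosts, **hits}

# Constructed samples. The lure host is one of the page's own typosquat examples.
LURE = ("Action required: state tax refund on hold",
        "The Franchise Tax Board (FTB) placed your refund on hold pending identity "
        "verification. Verify within 48 hours: https://ftb-ca-refund-verify.example/login")
OFFICIAL_LINK = ("Refund status update",
        "The Franchise Tax Board shows your refund pending identity verification. "
        "Sign in at https://www.ftb.ca.gov/refund/")

if __name__ == "__main__":
    for name, (subj, body) in (("lure", LURE), ("official link", OFFICIAL_LINK)):
        print(name, evaluate(subj, body))
```

Both samples carry the same narrative; only the link host separates them, which is why the host comparison uses the parsed hostname rather than a substring search for the authority's domain.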
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.