TLDR
The IRS added QR code phishing to its 2026 Dirty Dozen tax scam list for the first time, recognizing quishing as a significant and growing threat to taxpayers. Fake IRS emails containing QR codes direct victims to credential harvesting sites that steal Social Security numbers, bank information, and tax filing details. Microsoft Security reported 15,000 malicious QR code emails per day targeting educational institutions alone, and the technique has expanded aggressively into tax-related fraud. ScamVerify™ FTC data includes 684,045 impersonation complaints, many from government impersonation campaigns that now incorporate QR codes. Check any suspicious QR code at the ScamVerify QR scanner.
What the IRS Dirty Dozen Is
The IRS publishes an annual "Dirty Dozen" list identifying the twelve most dangerous tax scams of the year. The list serves as a public warning system, highlighting scam tactics that the IRS, Treasury Department, and tax professionals are seeing at elevated levels. Making the Dirty Dozen means a scam has reached sufficient scale and impact to warrant national attention.
Previous Dirty Dozen entries have included phishing emails, phone impersonation, fake tax preparers, and identity theft. The 2026 addition of QR code phishing reflects how rapidly this attack vector has grown. For more on IRS phone scams that also made the list, see our IRS Dirty Dozen phone scam analysis.
How IRS QR Code Phishing Works
The Email Bait
The attack begins with an email that appears to come from the IRS, a tax preparation service (TurboTax, H&R Block, Jackson Hewitt), or a state tax authority. The email contains a QR code instead of a traditional clickable link. Common pretexts include:
- "Scan to verify your tax return status"
- "Your refund requires identity verification. Scan the code below."
- "Action required: Scan to update your IRS account"
- "Your tax transcript is ready. Scan to download."
- "Important notice about your 2025 filing. Scan for details."
The email body uses official IRS language, formatting, and sometimes spoofed IRS email addresses to appear legitimate.
The Credential Harvest
When the victim scans the QR code, their phone browser opens a site designed to mimic an IRS login page or tax filing portal. The fake site requests:
| Data Requested | How Scammers Use It |
|---|---|
| Social Security Number | File fraudulent tax returns, identity theft |
| Date of birth | Identity verification bypass |
| Bank account and routing numbers | Redirect legitimate tax refunds, direct theft |
| Prior year AGI (Adjusted Gross Income) | File fraudulent returns (AGI is used for IRS identity verification) |
| Filing status and dependents | Complete fraudulent tax returns |
| Username and password | Access IRS.gov accounts, tax preparer accounts |
| Driver's license number | Identity theft, account verification fraud |
The combination of SSN, bank details, and prior year AGI gives criminals everything needed to file a fraudulent tax return and redirect the refund to their own account.
Why QR Codes Bypass IRS Email Filters
The IRS, tax preparation companies, and email providers have invested heavily in detecting phishing links in email text. When a scammer includes an irs.gov.fake-domain.com link in an email, pattern-matching filters catch it. When the same URL is embedded in a QR code image, it passes through most email filters undetected because the filters analyze text, not pixel patterns.
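The check a mail filter can run once the QR image has been decoded, added here as an example (not code from the IRS, Microsoft, or ScamVerify). It assumes an image-decoding step has already produced the payload strings; `classify_url`, `scan_message`, and the token list are hypothetical names, and homoglyph (IDN) hosts are out of scope.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = "irs.gov"               # only this domain and its subdomains count as genuine
BRAND_TOKENS = {"irs", "irsgov"}   # constructed list of labels that imitate the brand
URL_IN_TEXT = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def classify_url(raw):
    """Return 'official', 'lookalike', 'other' or 'non-web' for one URL string."""
    s = raw.strip()
    if ":" not in s.split("/")[0]:         # scheme-less payload such as "host/path"
        s = "https://" + s
    try:
        parts = urlsplit(s)
    except ValueError:                     # malformed authority, e.g. unbalanced "["
        return "non-web"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "non-web"                   # mailto:, WIFI:, tel: and similar payloads
    host = parts.hostname.rstrip(".")      # lowercased, without userinfo or port
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    # The brand as a host label or as userinfo before "@" on someone else's host.
    tokens = set(re.split(r"[^a-z0-9]+", parts.netloc.lower()))
    return "lookalike" if tokens & BRAND_TOKENS else "other"

def scan_message(body_text, qr_payloads):
    """Compare what a text-only filter sees with what the decoded QR codes hold."""
    text_hits = [u for u in URL_IN_TEXT.findall(body_text)
                 if classify_url(u) == "lookalike"]
    qr_hits = [p for p in qr_payloads if classify_url(p) == "lookalike"]
    return {"text_only": text_hits, "with_qr_decoding": qr_hits}

if __name__ == "__main__":
    # Constructed sample: body text from the pretext list, payload on the page's example host.
    body = "Your refund requires identity verification. Scan the code below."
    print(scan_message(body, ["https://irs.gov.fake-domain.com/verify"]))
```

With the constructed sample, the text-only pass finds nothing to flag while the decoded payload is classified as a lookalike, which is the gap the paragraph above describes.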
Microsoft Security documented 15,000 malicious QR code emails per day targeting educational institutions alone. The volume targeting taxpayers during filing season (January through April) is estimated to be significantly higher.
The Scale of IRS Impersonation
ScamVerify FTC data provides context for how massive government impersonation fraud has become:
| Metric | Value | Source |
|---|---|---|
| Total impersonation complaints (FTC) | 684,045 | FTC Consumer Sentinel |
| Government impersonation subset | Top category within impersonation | FTC data |
| IRS-specific phone scam complaints | Tens of thousands annually | IRS reports |
| Malicious QR emails per day (education alone) | 15,000 | Microsoft Security |
| QR phishing growth rate | 5x (2024 to 2025) | Keepnet Labs |
| Tax-related identity theft cases (2025) | Millions reported | IRS Identity Protection Unit |
| ScamVerify total threat records | 8 million+ | ScamVerify database |
The 684,045 impersonation complaints represent a massive, sustained campaign of government impersonation. QR code phishing is the latest technique being layered onto this existing infrastructure.
What Real IRS Communications Look Like
The IRS has clear, published rules about how it contacts taxpayers:
The IRS will NEVER:
- Send an email with a QR code
- Send an email asking you to click a link to verify your identity
- Request sensitive financial information via email
- Threaten arrest or deportation for unpaid taxes
- Demand immediate payment via gift cards, wire transfer, or cryptocurrency
The IRS DOES:
- Send physical mail (paper letters) as the primary communication method
- Provide case numbers and specific details in letters
- Allow taxpayers to verify through irs.gov directly (typed into the browser, not clicked from an email)
- Offer phone assistance through published numbers (not numbers provided in unsolicited contact)
If you receive an email from the IRS containing a QR code, it is a scam. Full stop. The IRS does not send QR codes.
Tax Season Timing: When Quishing Peaks
IRS QR code phishing follows a predictable seasonal pattern:
| Period | Activity Level | Scammer Focus |
|---|---|---|
| January | Ramping up | "Your W-2 is ready," "Download tax documents" |
| February - March | Peak volume | "Refund status check," "Filing verification required" |
| April 1-15 | Highest intensity | "Deadline approaching," "Last chance to file" |
| April 16 - May | Post-deadline | "Your extension requires verification," "Audit notice" |
| June - December | Lower but persistent | "Tax transcript available," "Account update required" |
The window from February through April 15 represents the highest risk period. Scammers know that taxpayers are actively engaged with the tax system during this window and are more likely to respond to IRS-themed communications.
How to Protect Yourself
During Tax Season
- Delete any email from the IRS containing a QR code. The IRS does not use QR codes in email communications.
- Access IRS services directly. Type irs.gov into your browser. Never follow links or scan codes from emails.
- Verify tax preparer communications through their official app or website. If TurboTax or H&R Block emails you, open their app directly rather than scanning any QR code.
- Scan suspicious QR codes through ScamVerify QR scanner before visiting any URL. This checks against 74,032 malicious domains and 60,758 threat indicators.
Year-Round Protection
- File your taxes early. Filing before a scammer does prevents fraudulent return filing.
- Get an IRS Identity Protection PIN. This six-digit number is required on your tax return and prevents others from filing in your name. Request one at irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin.
- Monitor your IRS account. Create an account at irs.gov to track your filing status, transcripts, and any activity on your tax record.
- Report IRS impersonation. Forward suspicious IRS emails to phishing@irs.gov. Report QR-based scams to the FTC at reportfraud.ftc.gov.
What the Dirty Dozen Addition Means
The IRS adding QR code phishing to the Dirty Dozen is significant for several reasons:
Validation of the threat. The Dirty Dozen list requires sustained, documented evidence of widespread impact. QR code phishing has reached a scale that the IRS considers a top-twelve threat nationally.
Public awareness. The Dirty Dozen receives extensive media coverage during tax season. Millions of taxpayers learn about listed threats through news coverage, tax preparer advisories, and IRS publications.
Enforcement attention. Dirty Dozen items receive prioritized attention from the IRS Criminal Investigation division, the FBI, and the Treasury Inspector General for Tax Administration (TIGTA).
Industry response. Email providers and tax preparation companies often enhance their filtering and detection capabilities in response to Dirty Dozen additions.
For a broader look at how IRS phishing campaigns operate through email, see our IRS tax refund phishing email analysis.
FAQ
Does the IRS ever send QR codes?
No. The IRS does not include QR codes in email, text, or social media communications. The primary IRS contact method is physical mail sent to your address on file. Any email containing a QR code and claiming to be from the IRS is fraudulent. Report it to phishing@irs.gov.
What should I do if I scanned an IRS QR code and entered information?
Act immediately. If you entered your Social Security number, file an Identity Theft Affidavit (IRS Form 14039) and get an IRS Identity Protection PIN. If you entered bank information, contact your bank to secure your accounts. If you entered a username and password, change that password immediately and enable two-factor authentication. File a report with the FTC at identitytheft.gov.
Why is QR code phishing harder to detect than regular phishing?
Traditional phishing includes clickable text links that email filters can scan and block. QR codes embed the malicious URL as an image, which most email filters do not decode and analyze. The URL is invisible until the QR code is scanned. Additionally, scanning with a phone bypasses any desktop-based security tools and corporate web filters.
Is this only a problem during tax season?
Tax season (January through April) is the highest-risk period because taxpayers are actively expecting IRS communications. However, IRS QR code phishing operates year-round using pretexts like "audit notice," "tax transcript available," and "account verification required." The threat does not disappear on April 16.
How many people fall for IRS QR code scams?
Exact victim counts are not publicly available, but the 684,045 FTC impersonation complaints indicate the massive scale of government impersonation fraud. With 73% of Americans scanning QR codes without verifying the destination (NordVPN), the pool of potential victims is enormous. The IRS Identity Protection Unit processes millions of identity theft cases annually, and QR code phishing is an increasingly common entry point.