TLDR
The IRS never initiates contact by email, text, or social media. Every year, scammers exploit tax season by sending millions of phishing emails impersonating the IRS, requesting W-2 information, offering fake refunds, and directing victims to counterfeit portals. In 2025, the IRS identified $5.5 billion in fraudulent tax claims. ScamVerify™ tracks these campaigns as they emerge each filing season. If you received an email claiming to be from the IRS, it is not from the IRS.
IRS Dirty Dozen 2026: Email Threats
The IRS publishes its "Dirty Dozen" list of tax scams annually. For 2026, email-based threats dominate the list:
| Dirty Dozen Category | Email Variant | Risk Level |
|---|---|---|
| Phishing and smishing | Fake refund status emails | Critical |
| Employee Retention Credit fraud | Fake ERC eligibility emails | High |
| Fake charities | Donation confirmation phishing | High |
| Tax preparer fraud | Fake e-file confirmation emails | Medium |
| W-2 theft | CEO/HR impersonation emails | Critical |
| QR code scams | Emails with QR codes to fake IRS portals | High |
The IRS flagged QR code phishing as a new and growing category for 2026. These emails contain QR codes instead of clickable links, directing victims to fake IRS login pages that harvest credentials.
The 7 Most Common IRS Phishing Email Types
1. Fake Refund Status Emails
Subject lines: "Your IRS Tax Refund Status - Updated" or "Refund Approved: Verify Your Bank Information"
These emails claim your refund is ready but requires "bank account verification." The IRS never asks you to verify bank details via email. Your refund information is available only at IRS.gov/refunds (the "Where's My Refund?" tool).
2. W-2 Phishing (CEO Fraud)
Subject lines: "Urgent: All Employee W-2s Needed" or "Year-End Tax Filing Request"
These emails target HR departments and payroll staff, impersonating the CEO or CFO and requesting all employee W-2 data. This is a form of business email compromise that costs companies millions annually. A single successful W-2 theft compromises every employee's tax identity.
3. Fake CP2000 Notices
Subject lines: "IRS Notice CP2000: Income Discrepancy Found" or "Action Required: Unreported Income"
Real CP2000 notices are sent exclusively by postal mail. The IRS sends approximately 4 million CP2000 notices annually, making this a plausible-sounding scam. The email version directs victims to "resolve" the discrepancy by entering SSN and financial details.
4. QR Code IRS Emails
Subject lines: "Scan to Access Your IRS Account" or "IRS Secure Document - QR Verification Required"
A newer variant that embeds QR codes instead of links. When scanned, the code opens a fake IRS.gov login page on the victim's phone. This bypasses many email security filters that scan URLs but cannot analyze QR code destinations.
5. Fake E-File Confirmation
Subject lines: "E-File Confirmation: Your Return Has Been Received" or "Tax Return Processing Error - Resubmit"
Sent during peak filing season (January through April), these emails either confirm a return the victim did not file (prompting panic) or claim an error requiring resubmission with personal details.
6. Fake Tax Transcript Requests
Subject lines: "Your IRS Tax Transcript Is Available" or "Download Your Account Transcript"
Victims who click the link download malware disguised as a PDF transcript. The malware (typically Emotet or TrickBot variants) then harvests credentials from the victim's computer.
7. Economic Impact Payment Fraud
Subject lines: "Additional Stimulus Payment Available" or "Claim Your Recovery Rebate Credit"
Even years after the last stimulus payment, scammers continue referencing "unclaimed" payments. These emails persist because millions of Americans did receive legitimate stimulus checks, making the premise believable.
How to Verify Any IRS Communication
The IRS has strict communication rules. Memorize these five facts:
- The IRS initiates contact by postal mail only. Every legitimate IRS communication begins with a letter.
- IRS.gov is the only real IRS website. Any domain like irs-refund.com, irs-gov.org, or irs-online.us is fake.
- The IRS will never ask for credit card, debit card, or gift card payments.
- The IRS will never threaten arrest or deportation. Only scammers do this.
- The IRS will never demand immediate payment. Legitimate IRS notices include appeals rights and payment timelines.
For verifying whether an email domain has been flagged in phishing campaigns, our guide on how to read email headers explains how to trace the actual sending server behind a spoofed address.
Common IRS Phishing Email Subject Lines
These subject lines appeared in phishing campaigns tracked during the 2025 and 2026 tax seasons:
| Subject Line | Scam Type |
|---|---|
| "IRS Tax Refund Notification" | Credential harvest |
| "You Have a New Message from the IRS" | Malware download |
| "Tax Account Transcript Available" | Malware download |
| "Notice of Tax Refund - Case #[random]" | Credential harvest |
| "Your E-File Has Been Rejected" | Credential harvest |
| "IRS Alert: Unusual Activity on Your Tax Account" | Credential harvest |
| "Important Tax Return Document" | Malware attachment |
| "Form 1099 Discrepancy Detected" | Credential harvest |
| "Update Your IRS Online Account" | Credential harvest |
| "Recovery Rebate Credit Eligibility" | Financial theft |
Real IRS Communication Channels
| Channel | Used by IRS? | Details |
|---|---|---|
| Postal mail | Yes | Primary and initial contact method |
| IRS.gov | Yes | Online account, refund status, transcripts |
| Phone (initiated by IRS) | Rare | Only after multiple postal notices |
| Never | The IRS does not send unsolicited emails | |
| Text message | Never | The IRS does not text taxpayers |
| Social media DM | Never | The IRS posts publicly but never DMs |
| In-person visit | Very rare | Revenue officers carry two forms of ID |
How to Report IRS Phishing Emails
The IRS has a dedicated reporting process:
- Forward the email to phishing@irs.gov. Do not alter the subject line.
- Do not click any links or open any attachments.
- Delete the email from your inbox after forwarding.
- If you are a tax professional who received W-2 phishing, also report to the IRS at dataloss@irs.gov.
- File a complaint with the Treasury Inspector General at tigta.gov.
- Report to the FTC at reportfraud.ftc.gov.
If you already responded to an IRS phishing email and provided personal information, file Form 14039 (Identity Theft Affidavit) with the IRS and visit IdentityTheft.gov to create a recovery plan.
Tax Season Phishing by the Numbers
- $5.5 billion in fraudulent tax claims identified by IRS Criminal Investigation in 2025
- 2,676 investigations initiated by IRS CI in fiscal year 2025
- 80.6% conviction rate for IRS CI prosecutions
- 75% of identity theft tax fraud involves stolen SSNs from data breaches
- 4 million CP2000 notices sent annually (all by postal mail)
- January through April is peak phishing season, with volume doubling compared to off-season
FAQ
The IRS emailed me about my refund. Is it real?
No. The IRS never sends unsolicited emails about refunds, account status, or tax issues. Check your refund status directly at IRS.gov/refunds using the "Where's My Refund?" tool.
I received an email with a QR code claiming to be from the IRS. What should I do?
Do not scan the QR code. Forward the entire email to phishing@irs.gov and delete it. QR code phishing is a growing tactic because QR codes can bypass email security filters that would normally catch malicious URLs.
How do I know if someone filed a tax return using my identity?
Signs include: receiving a letter from the IRS about a return you did not file, being unable to e-file because a return has already been filed with your SSN, or receiving an IRS notice about income from an employer you do not work for. If any of these occur, file Form 14039 immediately.
Can I get in trouble for not responding to a real IRS notice?
Legitimate IRS notices sent by postal mail do have response deadlines, typically 30 to 60 days. Ignoring real notices can result in penalties. However, the IRS always sends at least one follow-up letter before taking action. If you are unsure, call the IRS directly at 1-800-829-1040. Never use a phone number from an email.
Are tax preparation software emails (TurboTax, H&R Block) also scams?
Not necessarily, but verify carefully. Real tax software companies may email you about your account. Check the sender domain closely, and our guide on how to spot phishing emails covers the 10 elements to verify. When in doubt, log in to your account directly by typing the URL instead of clicking any link.
Received a suspicious IRS email? Run it through ScamVerify's email checker to verify sender domains and detect phishing patterns.
