Why tax season is peak scam season

Between January and April every year, roughly 150 million Americans file federal tax returns. Each of those filers is, for several weeks, actively thinking about refunds, payments, identity verification, and IRS notices. The mental backdrop primes the entire population to react to anything that looks government-shaped. Scammers know this, and they piggyback on the attention with high-volume, low-effort phishing campaigns timed precisely to filing season.

The IRS issues a new "Dirty Dozen" advisory every January for exactly this reason. The 2026 list includes refund-themed text and email phishing as one of the top recurring threats. Fox Business, Purdue University consumer education, Greater Iowa Credit Union, and dozens of state attorney general offices have all published parallel warnings in early 2026. The volume of campaigns spikes within days of the IRS opening filing season, peaks around the April deadline, and then tapers off until next January - though stragglers run year-round because some victims never check whether the message was timely.

Filing season also creates a second window of vulnerability after the deadline. People who already filed are waiting on refunds. People who owe are anxious about payment processing. Both groups are predisposed to click any IRS-looking message that promises resolution. The scammers exploit both states with different message variants, which is why the campaigns continue through April and into May.

The 6 message variants in active rotation

The exact wording shifts, but the underlying templates are stable. If your incoming text or email matches one of these patterns, treat it as a scam by default and do not engage.

Variant 1: Your refund has been approved

The most common version. "IRS: Your federal tax refund of $1,847.32 has been approved. Click here to verify identity and confirm direct deposit details: [link]." The dollar amount looks like a plausible real refund. The "verify identity" framing makes the click feel like routine bureaucracy. The fake page collects a full identity profile and bank routing/account numbers under the cover of "direct deposit setup."

Variant 2: Tax payment overdue / pay immediately

"IRS: Our records show outstanding tax liability of $2,341.18. Failure to remit payment within 24 hours will result in an arrest warrant being issued to your local sheriff. Pay now: [link]." Aggressive, fear-driven framing aimed at users who are uncertain whether they actually owe. The real IRS never threatens immediate arrest, never demands payment by gift card or wire, and never gives 24-hour deadlines by text. Any urgency language in an IRS-shaped message is itself the giveaway.

Variant 3: IRS notice CP-Number

"IRS Notice CP53E: Direct deposit refund could not be processed. Review notice details and update banking information at: [link]." Variants cycle through real notice numbers - CP14, CP53E, CP501, CP503, CP504, LT11. Scammers picked these specific codes because they are common enough that some users have actually received them in the past, which makes the fake version feel familiar. Real CP notices are mailed via US Postal Service. They are never sent by text, email, or SMS link.

Variant 4: Stimulus / Economic Impact Payment

"IRS: You qualify for a $1,400 Economic Impact Payment. Confirm eligibility and banking info at: [link]." Recycled COVID-era bait that still works because some recipients remember real stimulus payments and assume a new round is plausible. The IRS does occasionally issue automatic payments under various programs, but never via clickable links in unsolicited messages. Stimulus-themed phishing has persisted continuously since 2020 and shows no sign of stopping.

Variant 5: Suspicious tax filing in your name

"IRS Security Alert: A federal tax return has been filed using your Social Security number. If you did not file this return, verify your identity immediately at: [link]." This is the most psychologically effective variant because it inverts the user's relationship to the threat. The user is told they are already a victim of identity theft, and clicking is framed as the protective action. In reality, clicking is the identity theft - the page harvests the SSN and other identity data, which the scammer then uses to actually file a fraudulent return.

Variant 6: QR code on a fake IRS letter

Increasingly, scammers mail physical letters that look like real IRS correspondence and include a QR code "for faster identity verification." Scanning the QR code on a phone opens a phishing page in the mobile browser, bypassing every desktop-based defense the user has. The IRS does NOT use QR codes in any legitimate communication, in any direction, for any purpose. A QR code on an "IRS letter" is by itself sufficient evidence the letter is fake.

What the destination page actually does

Every variant ends at a landing page styled to look like irs.gov. The branding is exact - the IRS eagle seal, the dark blue header, the white sans-serif title face, the small-print legal footer. Most fake pages even include a working search bar (that does nothing) and a privacy policy link (that loads a fake document). The visual mimicry passes a 5-second eye test for almost everyone, and crucially, it looks even more convincing on a phone screen where the URL bar is small or hidden.

The page asks the user to enter, in sequence:

  1. Full name (for identity profile)
  2. Social Security number (the centerpiece of the harvest - sells for $1-$8 raw, much more in a complete identity package)
  3. Date of birth (paired with SSN unlocks credit applications, tax returns, government IDs)
  4. Street address, city, state, ZIP (for identity completion and credit-bureau matching)
  5. Bank routing number and account number (sold as ACH-debit credentials, sometimes also used for direct theft)
  6. Credit card number, expiration, CVV (in variants that ask for a "small processing fee")
  7. Driver's license photo upload (in higher-value variants - sufficient to bypass many KYC verification systems on financial services)

The harvested package - SSN, DOB, full name, address, bank info, driver's license image - is a complete identity-theft kit. It sells on dark-web markets typically within hours for $30-$150 depending on completeness. But the more lucrative attack path is filing a fraudulent tax return in the victim's name the following filing season, claiming a real refund of several thousand dollars, and redirecting it to a mule bank account before the actual taxpayer files. By the time the victim files and learns the IRS already issued a refund to someone else, the money is gone and recovery takes 6-18 months of paperwork.

Some variants also drop a tracking cookie or fingerprint that marks the user for follow-up phishing. The victim later receives "Bank of America fraud alert" texts, "Social Security suspension" calls, and "credit monitoring service" emails, all targeted using the profile built on the first page.

Why IRS phishing URLs almost look convincing

The destination URLs follow a few predictable patterns. Recognizing them is half the battle.

Pattern 1: IRS keyword on a non-.gov TLD

Real IRS is on irs.gov. Every legitimate IRS web property is a subdomain of irs.gov - no exceptions, no shorter URL, no "IRS portal" on a separate domain. Any URL that contains "irs" but is not on the .gov TLD is a scam. Examples in active rotation:

  • irs-refund[.]com
  • irs-payment[.]xyz
  • irs-verify[.]top
  • irs-tax-portal[.]com
  • irs[.]refund-claim[.]com

The .gov TLD is restricted to verified US government entities. Scammers cannot register a .gov domain, so they default to .com, .xyz, .top, .online, and similar consumer TLDs. The TLD itself is the most reliable single signal.

Pattern 2: IRS in a subdomain on a free hosting provider

Examples:

  • irs-refund[.]vercel[.]app
  • irs-tax[.]netlify[.]app
  • irs-verify[.]pages[.]dev
  • irs[.]github[.]io

Free hosting platforms like Vercel, Netlify, Cloudflare Pages, and GitHub Pages take minutes to set up and provide automatic HTTPS. Attackers spin up a fresh subdomain, push the fake page, and start sending texts within an hour. The hosting providers shut down reported phishing within hours, but the campaign already ran during that window.

Pattern 3: Lookalike government TLDs

Examples:

  • irs[.]gov-portal[.]com
  • irs-treasury[.]gov-us[.]com
  • irs-gov[.]net
  • treasury-irs[.]online

The trick here is putting "gov" somewhere in the URL but not as the actual TLD. irs.gov-portal.com looks like an IRS .gov subdomain at a glance, but the actual TLD is .com and gov-portal.com is a private registration. Mobile browsers truncate long URLs, so the relevant part - the real TLD on the right - is often hidden until you scroll the address bar.

Pattern 4: URL shorteners hiding the destination

Examples:

  • bit.ly/irs-refund-2026
  • tinyurl.com/irs-verify
  • t.ly/IRSpayment
  • rb.gy/irs-tax-refund

Shorteners are appealing to scammers because the user cannot tell from the message text where the link actually leads. Hovering on a phone is hard, and SMS preview does not unwrap shorteners. The destination is hidden until you click - and the click is the entire attack.

How real IRS communication works

The simplest defense is knowing what real IRS contact looks like. Memorize these facts:

  • The IRS's first contact is ALWAYS by US Mail. Physical letter, delivered by US Postal Service to your address on file. If you have not received a physical letter, an "IRS" text or email about that supposed issue is fake.
  • The IRS never initiates contact via text, email, social media, or unsolicited phone call. This is the single most important rule. The IRS itself publishes this guidance on irs.gov. There are no exceptions.
  • The IRS never demands payment via gift cards, wire transfer, cryptocurrency, or prepaid debit cards. Real tax payments go through irs.gov/payments or by check mailed to specific IRS service center addresses. Any other payment method, demanded by phone or text, is a scam.
  • The IRS never threatens immediate arrest, deportation, or license revocation. Real IRS collection processes involve multiple mailed notices, formal appeals rights, and months of due process. Anyone threatening immediate consequences by phone is an impersonator.
  • The IRS does NOT use QR codes in any legitimate communication. A QR code on an "IRS letter" or in an "IRS email" is automatic evidence of fraud.
  • Real CP notices are mailed, never emailed or texted. If you receive a text claiming "IRS Notice CP53E," it is fake by definition - the entire CP notice system runs by physical mail.
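
For a message filter or help-desk queue, the rules above can be applied mechanically. The following is an added example, not code from the IRS or SafeBrowz; the function name, reason labels and regular expressions are assumptions chosen for illustration, and the sample messages are constructed with reserved .example hosts.

```javascript
// Added example: content indicators derived from the rules listed above.
// The patterns are illustrative, not an exhaustive filter.
const IRS_CLAIM = /\b(?:IRS|Internal Revenue Service)\b/i;
const INDICATORS = [
  { id: "link", re: /\bhttps?:\/\/\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\/\S+/i },
  { id: "notice-code", re: /\b(?:CP\d{2,3}[A-Z]?|LT\d{2})\b/ },
  { id: "arrest-threat", re: /\b(?:arrest|warrant|deportation|license (?:revocation|suspension))\b/i },
  { id: "short-deadline", re: /\bwithin \d+ (?:hours?|minutes?)\b|\bimmediately\b/i },
  { id: "untraceable-payment", re: /\b(?:gift cards?|wire transfer|cryptocurrency|prepaid debit cards?)\b/i },
  { id: "qr-code", re: /\bQR code\b/i },
];
// Indicators that mark even a mailed letter as fraudulent.
const FATAL_ON_PAPER = new Set(["qr-code", "arrest-threat", "untraceable-payment"]);

// channel is "sms", "email", "social" or "letter"; text is the message body.
function triageIrsMessage({ channel, text }) {
  if (!IRS_CLAIM.test(text)) return { verdict: "not-irs-themed", reasons: [] };
  const hits = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.id);
  if (channel === "letter") {
    const fatal = hits.filter((id) => FATAL_ON_PAPER.has(id));
    // A clean letter is still confirmed through the online account or by phone.
    return fatal.length
      ? { verdict: "scam", reasons: fatal }
      : { verdict: "verify-via-irs.gov", reasons: [] };
  }
  // Electronic channels: the IRS does not initiate contact there, so the
  // claim alone is disqualifying; the hits record which lure was used.
  return { verdict: "scam", reasons: ["unsolicited-electronic-contact", ...hits] };
}

// Constructed sample messages modelled on Variants 3 and 6.
const SAMPLE_MESSAGES = [
  { channel: "sms", text: "IRS Notice CP53E: Direct deposit refund could not be processed. Update banking information at: https://irs-notice.example/cp" },
  { channel: "letter", text: "Internal Revenue Service. Scan the QR code below for faster identity verification." },
];
const SAMPLE_RESULTS = SAMPLE_MESSAGES.map(triageIrsMessage);
```
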

The 10-second check that catches every variant

You do not need to memorize every URL pattern. Use this short routine instead:

  1. Do not click the link. If a text, email, or social media message claims to be from the IRS, the first action is to not click anything in the message. The link is the entire attack.
  2. Open a fresh browser tab and type irs.gov directly. Do not search for "IRS" - search results can include scam ads at the top that look like sponsored official listings. Type the address into the bar. Bookmark it for future use.
  3. Log into your IRS online account at irs.gov/payments/your-online-account. Real refund status, payment history, and notices are all visible there. If your "approved refund" is real, it will show in the account. If the account shows nothing matching the message, the message is fake.
  4. For specific notice number questions, call the IRS at 800-829-1040. Verify the phone number on irs.gov itself - do not Google the number, because tech-support scammers run fake "IRS support" listings. Real IRS staff can confirm whether any notice was actually issued in your name.
  5. Report the phishing attempt. Forward suspicious IRS-themed emails to phishing@irs.gov. Report scams to the Treasury Inspector General for Tax Administration at tigta.gov. For text-based phishing, also forward to 7726 (the universal SMS spam shortcode).

If you want a second opinion on a specific link, paste it into the SafeBrowz URL checker. The checker unwraps URL shorteners, checks domain age (most IRS phishing destinations are less than 30 days old), runs the URL through community blacklists, and returns a verdict in a few seconds. No login required.

What to do if you already clicked or entered information

If you clicked the link and the page opened, but you did not enter anything, you are probably fine. The page itself usually cannot install malware unless you also downloaded something. Close the tab, clear browser cookies for that domain, and move on. If you were prompted to download a file, do not run it; if you already ran it, treat the device as compromised and run a full antivirus scan.

If you entered a Social Security number:

  • Place a security freeze with all three credit bureaus immediately - Equifax, Experian, TransUnion. Each freeze is free and blocks new credit accounts from being opened in your name. You can lift the freeze temporarily when you legitimately apply for credit.
  • File an identity theft report at identitytheft.gov. The FTC's recovery plan walks you through every step.
  • File IRS Form 14039, the Identity Theft Affidavit, available at irs.gov. This formally notifies the IRS that your SSN has been compromised so they can flag any future return filed under it.
  • Sign up for an IRS Identity Protection PIN (IP PIN) for future tax seasons. The IP PIN is a six-digit code required to file a return under your SSN, blocking fraudulent filings even if the scammer has your SSN.

If you entered bank routing or account numbers:

  • Call your bank's fraud line immediately. The phone number is on the back of your debit card or on your most recent statement - do not search for it online, because fake "bank support" listings are common.
  • The bank will usually freeze or close the compromised account and reopen a new one with fresh numbers. ACH-debit fraud takes longer to dispute than card fraud, so speed matters.
  • Monitor the account daily for at least 90 days for unauthorized debits.

If you entered credit card information:

  • Call your card issuer's 24/7 fraud line (number on the back of the card). Cancel and reissue the card on the same call.
  • Review transaction history for unauthorized charges. Dispute anything suspicious within 60 days under the Fair Credit Billing Act.
  • If the new card has not arrived yet, most issuers can add the replacement card to Apple Pay or Google Pay digitally so you can pay urgent bills while the physical card ships.

Finally, check your IRS account at irs.gov/payments/your-online-account in the weeks ahead for any return that may have been filed in your name. If one appears that you did not file, contact the IRS Identity Protection Specialized Unit at 800-908-4490.

Why IRS phishing keeps working

The scam works because of three specific psychological levers, not because victims are careless.

Lever 1: Fear of government. Americans are conditioned from childhood to respond promptly to anything that looks government-shaped, especially the IRS. The IRS has the authority to levy bank accounts, garnish wages, and impose criminal penalties. That conditioning becomes a liability when scammers wear the IRS mask - victims react before they evaluate, exactly the response the scam needs.

Lever 2: Refund anticipation. The variants that promise a refund have a pre-built positive expectation working in their favor. The user already wants the refund to be real. A message confirming it feels like welcome news rather than a suspicious solicitation. Confirmation bias does most of the scammer's work.

Lever 3: Tax complexity. The US tax code runs thousands of pages. Most filers have no real model of what "real" IRS correspondence looks like, what notice numbers mean, or what verification flows are legitimate. In that information vacuum, any IRS-shaped message is plausible. The complexity of the real system is the cover under which the fake one operates.

How SafeBrowz catches the destination page

SafeBrowz runs as a browser extension on Chrome, Firefox, and Edge. The moment an IRS phishing link is opened in the browser - whether tapped from a text, clicked from an email, or resolved from a QR code scan - the three-layer detection model kicks in.

Layer 1 - Local checks (offline, instant). Bundled rules running inside the extension. They look for known IRS phishing URL patterns (irs as a keyword on a non-irs.gov TLD), suspicious TLDs (.xyz, .top, .online, .click), free-hosting destinations (*.vercel.app, *.netlify.app, *.pages.dev), and government-impersonation lookalikes (irs-gov, treasury-irs, gov-portal, irs.gov-us.com). The check completes in milliseconds without any network call.

Layer 2 - API checks (community + shortener unwrap + domain age). If the URL slips past local checks, SafeBrowz queries Google Safe Browsing, a community-reported scam URL list, and a domain age lookup. URL shorteners (bit.ly, tinyurl.com, t.ly, rb.gy, and any path-pattern-detected shortener) are unwrapped server-side so the verdict runs against the real destination instead of the shortener interstitial. This is particularly important for QR-code-delivered phishing, where the QR scan often resolves through a shortener chain before landing on the final phishing page. Domain age under 30 days, suspicious WHOIS data, or a Google Safe Browsing hit pushes the verdict to danger.

Layer 3 - AI deep scan (content + brand impersonation). The fetched page content is analyzed by a content-aware model that detects government-brand impersonation in 100+ languages. If the page renders the IRS eagle seal, the Department of Treasury wordmark, or text like "Tax refund verification" or "IRS identity check" on a domain that is not irs.gov or treasury.gov, the page is flagged as government impersonation. The same layer catches Social Security Administration, USCIS, state DMV, and court-summons phishing the same way.
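
The four URL patterns described earlier, and the kind of offline hostname rule Layer 1 describes, can be written as a short classifier. This is an added example and not SafeBrowz's code; `classifyIrsUrl`, the verdict names and the reason labels are hypothetical, and the suffix lists contain only the hosts named in this article.

```javascript
// Added example (not SafeBrowz code). Lists hold only hosts named in this article.
const OFFICIAL = ["irs.gov"];
const FREE_HOSTING = ["vercel.app", "netlify.app", "pages.dev", "github.io"];
const SHORTENERS = ["bit.ly", "tinyurl.com", "t.ly", "rb.gy"];

// Label-aligned suffix match: "notirs.gov" must not count as "irs.gov".
function underSuffix(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Split a DNS label into word tokens so "irs-refund" yields "irs",
// while "firstbank" (which merely contains the letters i-r-s) does not.
function tokens(label) {
  return label.split(/[^a-z0-9]+/).filter(Boolean);
}

// Undo the [.] defanging used in reports and parse with the WHATWG URL
// parser, which keeps userinfo such as "irs.gov@" out of the hostname.
function parseHost(raw) {
  let s = String(raw).trim().replace(/\[\.\]/g, ".");
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(s)) s = "https://" + s;
  return new URL(s).hostname.toLowerCase().replace(/\.$/, "");
}

function classifyIrsUrl(raw) {
  let host;
  try {
    host = parseHost(raw);
  } catch (err) {
    return { verdict: "invalid", host: null, reasons: [] };
  }
  if (OFFICIAL.some((d) => underSuffix(host, d))) {
    return { verdict: "official", host, reasons: [] };
  }
  // Pattern 4: the real destination is unknown until the link is unwrapped.
  if (SHORTENERS.some((d) => underSuffix(host, d))) {
    return { verdict: "shortener", host, reasons: ["destination-hidden"] };
  }
  const labels = host.split(".");
  const tld = labels[labels.length - 1];
  const nonTldTokens = labels.slice(0, -1).flatMap(tokens);
  const reasons = [];
  if (tld !== "gov" && nonTldTokens.includes("irs")) {
    reasons.push("irs-keyword-non-gov"); // Pattern 1
    if (FREE_HOSTING.some((d) => underSuffix(host, d))) {
      reasons.push("free-hosting"); // Pattern 2
    }
  }
  if (tld !== "gov" && nonTldTokens.includes("gov")) {
    reasons.push("gov-lookalike"); // Pattern 3: "gov" appears, but not as the TLD
  }
  return { verdict: reasons.length ? "suspicious" : "no-match", host, reasons };
}

// Sample inputs: defanged hosts from this article plus constructed cases.
const SAMPLES = ["irs[.]gov-portal[.]com", "irs-verify[.]pages[.]dev",
  "bit.ly/irs-refund-2026", "https://notirs.gov/", "firstbank.example"];
const VERDICTS = SAMPLES.map((s) => classifyIrsUrl(s).verdict);
```

A "shortener" verdict means only that the hostname rules cannot decide; the link still has to be unwrapped and the final host classified.
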

For users who do not want to install an extension, the same engine is exposed at the free public URL checker. Paste any link from a suspicious IRS-themed message, get a verdict in seconds, no login. For wallet and security apps that want to integrate, the same detection is available as an API at api.safebrowz.com/v1/detect at $0.001 USDC per call.

For tax preparers and accountants

If you operate a tax practice, your clients receive forgeries of IRS messages and many of them route through you for verification. A short checklist for client education:

  • Educate clients on real IRS communication patterns at intake. A one-paragraph reminder in the engagement letter ("The IRS never texts or emails you. We will never ask you to confirm refund details by clicking a link.") saves hours of panicked phone calls.
  • Encourage every client to enroll in the IRS Identity Protection PIN program. The IP PIN blocks fraudulent returns from being filed under their SSN, which is the most damaging downstream attack from this phishing campaign.
  • Recognize the "Dirty Dozen" patterns yourself. Familiarity with the recurring variants helps you answer client questions confidently and avoid clicking forwarded scam emails as you triage them.
  • Forward client-received phishing examples to phishing@irs.gov on the client's behalf if helpful. Reports feed IRS Criminal Investigation and may help shut down active campaigns.

The bigger picture

IRS phishing is one specific case of a broader pattern: government-impersonation phishing rises every year because government authority is the highest-trust mask available in the impersonation toolkit. The same operational template - urgency + official branding + verification link - targets the Social Security Administration ("your SSN has been suspended"), USCIS ("your green card application requires action"), state DMVs ("unpaid toll, license suspension pending"), court systems ("federal subpoena, click to view"), and Medicare ("benefits review required"). The brand changes. The damage shape stays the same.

The defense is one rule: real government agencies do not initiate contact by text, email, social media, or unsolicited phone call. Real contact is by physical mail, on letterhead, with phone numbers you can independently verify at the agency's .gov site. Everything else is impersonation until proven otherwise. Tools like the SafeBrowz extension and URL checker exist because human discipline is not actually consistent enough to defend against a daily, year-round, multi-billion-message phishing volume - especially during tax season when the cognitive load on every taxpayer is already maxed out.

Block IRS phishing destinations automatically

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that detects IRS, Social Security, USCIS, state DMV, and other government-impersonation phishing the moment the page loads. The core protection is free forever. Premium adds unlimited daily AI scans and drainer JavaScript detection for $14.99 per year - or hold 10 million $SAFEBROWZ tokens on Base for unlimited Premium access. No install required to check a single link - the free public URL checker handles one-off cases.
