Quick Take

The IRS does not call you, text you, email you, or message you on social media to demand payment or to ask for your bank details. The first contact is paper mail, every time. If a message claims to be from the IRS, TurboTax, or H&R Block and uses urgency, gift cards, "refund pending" links, or attachments named like a 1099, treat it as phishing. The seven variants below cover almost everything currently in rotation between January and April 2026. The ten-second verification routine at the end catches all of them.

The 2024 IRS Dirty Dozen list (released by the Internal Revenue Service in spring 2024) called out tax-themed phishing, smishing, and impersonation as a persistent top-tier threat. The FTC Consumer Sentinel Network Data 2024 (published February 2025) recorded more than 1.1 million identity-theft reports, with tax-related identity theft consistently among the top categories. The FBI Internet Crime Report 2024 (April 2025) logged 859,532 complaints and $16.6 billion in reported losses, a 33 percent year-over-year jump. The Treasury Inspector General for Tax Administration (TIGTA) has tracked the IRS impersonation phone scam for over a decade and continues to log new variants every filing season. The pattern repeats because it works. Here are the seven variants you will see this year.

Fake TurboTax "Account Locked" email

This one peaks the week before the April filing deadline. The email arrives styled to look like TurboTax, complete with the Intuit blue header and a small Intuit footer. Subject line is usually one of three: "Your TurboTax account has been locked," "Suspicious sign-in detected on your TurboTax account," or "Action required to file your return."

The body says someone tried to access your TurboTax account from an unfamiliar device or location. To unlock the account before the deadline, click the "Verify identity" or "Restore access" button. The link goes to a lookalike sign-in page on a domain like turbotax-secure-login.com, intuit-verify.help, or turbotax-account-unlock.co. The page accepts your Intuit username and password, often asks for the last four of your SSN as "additional verification," and may also request your bank account and routing numbers as part of a fake "verify refund destination" step.

Real Intuit account-security email comes from @intuit.com sender addresses and links only to intuit.com or turbotax.intuit.com. There is no turbotax-secure-login.com. The hyphenated lookalike name and a domain that is not intuit.com are the entire tell. If you are unsure, close the email, open a fresh browser tab, type turbotax.intuit.com manually, and sign in directly. Any real lock notice will appear in your actual account dashboard.

Fake H&R Block "Your refund is being held" SMS

This one borrows the customs-fee model from the FedEx and DHL parcel scams. The text reads something like: "H&R Block: Your federal refund of $1,847 is currently on hold. A $1.99 processing fee is required to release the deposit. Pay here: hrblock-refund-release.com/r/8K2J9F." Or a variant: "HRB: Refund deposit failed. Resubmit your bank info: hrblock-deposit-verify.help."

The link leads to a page that asks for the small "processing fee" via card. The real harvest is not the $1.99. It is the full card number, CVV, expiry, ZIP code, and (often in a "verify identity" step) the full SSN. The card data is batched and sold on darknet markets within a few weeks. The SSN goes into separate identity-theft bundles that get used months later to file fraudulent returns under your name.

H&R Block does not text customers to release refunds. The IRS, not H&R Block, deposits federal refunds, and the IRS never charges a "release fee." Real H&R Block messaging comes from @hrblock.com domains and from short codes registered to the company. If you get a text claiming a refund is being held, do not click. Sign in directly at hrblock.com or call the local office where you filed.

IRS refund pending email to a fake irs.gov lookalike

The email arrives styled with the IRS eagle logo and US Treasury imagery. Subject line is often "IRS: Refund Notification 2026" or "Your refund of $2,431.00 is ready to be issued." The body claims the refund is pending final identity verification and provides a link to irs-tax-refund.us, irs-gov-online.com, irs-treasury-portal.help, or similar.

The destination page mimics IRS.gov closely. A fake "Get My Refund" form asks for full name, SSN, date of birth, prior-year AGI, current address, bank account number, and routing number. Some variants also ask for a copy of your driver's license uploaded as an image. The result is a complete identity-theft kit handed to the attacker, plus direct bank credentials for ACH abuse.

The real IRS uses exactly one domain: irs.gov. There is no irs.us, no irs-online.com, no irs-treasury-portal.help. The IRS also does not initiate contact about refunds by email. The agency sends paper mail first. If a refund really has an issue, you will see a letter (CP series notice) in your mailbox and a status update in your IRS online account at irs.gov/account. Anything else is phishing. Forward the email to phishing@irs.gov and delete it.

IRS impersonation phone call demanding gift cards

This is the classic that has run continuously since at least 2013. TIGTA tracks it under "IRS impersonation telephone scams" and reports new spikes every filing season. The call is often robocalled at first, then escalated to a live operator if you press 1. The caller claims to be an IRS agent (sometimes giving a fake badge number) and says you owe back taxes. Payment must be made today by gift card (iTunes, Google Play, Steam, Amazon, Target). If you do not pay immediately, the caller threatens arrest, deportation, license suspension, or wage garnishment within the hour.

Sometimes the call uses spoofed caller ID to display "IRS" or a real IRS phone number. Sometimes the script switches to demanding wire transfer or cryptocurrency. The constant is urgency plus an irreversible payment method (gift cards, wire, crypto) that no legitimate tax collector ever uses.

The IRS does not call to demand immediate payment. The IRS does not threaten arrest by phone. The IRS does not accept gift cards as payment under any circumstance, ever. If the call uses any of these signals, hang up. Report to TIGTA at tigta.gov (use the "IRS Impersonation Scam Reporting" form) and to the FTC at reportfraud.ftc.gov. If you are uncertain about a real tax bill, call the IRS directly at 1-800-829-1040 using a number you look up yourself, not one the caller gave you.

Fake "Your 1099 from [employer or platform]" phishing email with malicious attachment

This one targets gig workers, freelancers, and anyone who received a real 1099-NEC, 1099-K, 1099-MISC, or 1099-INT in the past. The email arrives in late January or February with a subject like "Your 2025 1099 from Uber is ready," "Your DoorDash 1099-NEC is attached," "Important: 1099-K from PayPal," or "Your 1099-MISC from Upwork available for download."

The body is short. It says your tax document is attached. The attachment is usually presented as a PDF or a Microsoft Word document, with a name like 1099-NEC-2025.pdf.html, Uber_1099_Final.doc, or DoorDash_Tax_Form.zip. Depending on the variant, opening it loads a credential-harvesting form (the HTML variant), pulls a remote payload (the doc variant with macros), or unpacks a malware binary (the zip variant). Common payloads in 2024 and 2025 included infostealers like Lumma, RedLine, and Vidar, which scrape browser passwords, crypto wallets, and session cookies within minutes.

Real 1099 distribution from major platforms (Uber, DoorDash, Lyft, PayPal, Venmo, Coinbase, Upwork) happens inside the tax dashboard on the platform itself, accessed through your existing login. The platform may send an email saying the document is ready, but the document is downloaded from inside the platform, not from an email attachment. If you get a 1099 email with an attached file, do not open it. Sign in directly at the platform and download the document from the tax section. Forward suspicious emails to phishing@irs.gov and to the impersonated platform's abuse address.

Stimulus or refund status SMS pointing to gov-lookalike domains

This one resurges every time there is real news about tax credits, refund timing, or stimulus discussions in Congress. The text reads: "IRS: You have an unclaimed $1,400 economic impact payment. Verify eligibility: irs-stimulus-claim.us/v/3K9F" or "US Treasury: Your refund status has been updated. Check at gov-refund-status.com/r/8J2L."

The destination is a lookalike of either IRS.gov or the Treasury site. The form asks for SSN, date of birth, bank routing and account number, and sometimes driver's license image. Some variants chain into a fake "small verification fee" card form. The data feeds identity-theft bundles and ACH-fraud kits sold separately.

The real IRS never texts unsolicited about refunds or stimulus payments. There has been no new federal stimulus program authorized in 2026, and any "unclaimed stimulus" message in 2026 is phishing. Refund status is checked at irs.gov/refunds or in the IRS2Go mobile app, both of which require your own SSN and filing details entered by you, not a link in a text. Forward the text to 7726 (the wireless industry's spam reporting code) and to phishing@irs.gov.

Identity theft via stolen W-2: refund redirected before you file

This one is the quiet and expensive variant. The victim does not get a phishing email at all. The attacker has already obtained the victim's W-2 information (through an employer data breach, an HR phishing attack, a stolen mailbox, or a prior data leak that included SSN and employer details) and uses it to file a fraudulent federal tax return early in the season, usually in late January or early February, before the real taxpayer files.

The fraudulent return claims a large refund and routes it to an account the attacker controls (often a prepaid debit card, a money-mule bank account, or a fintech account opened with a synthetic identity). By the time the real victim sits down with TurboTax or H&R Block in March or April and tries to file, the IRS rejects the return with code IND-510 or similar, saying a return has already been filed under that SSN.

The IRS Identity Theft Affidavit (Form 14039) is the formal recovery path. File it as soon as you suspect tax-related identity theft. Pair it with an Identity Protection PIN (IP PIN), which the IRS now offers to any taxpayer who requests one at irs.gov/ippin. The IP PIN is a six-digit code that must accompany your real return; a fraudulent return without the PIN gets rejected automatically. Also request a free wage and income transcript at irs.gov/transcripts to see what was reported in your name, freeze your credit at the three bureaus (Equifax, Experian, TransUnion), and file at identitytheft.gov for the FTC recovery plan and at ic3.gov for the FBI report.

How real IRS communication actually works

This is the single most useful thing to memorize. Every variant above fails this test.

  • First contact is paper mail. The IRS sends a physical letter (CP, LT, or 5071C series notice) to the address on file before any other contact. No texts. No emails. No social media. No phone calls demanding payment.
  • Secure messages go through your IRS online account. Sign in at irs.gov/account to see real notices, payment history, and any refund issues. The dashboard is the source of truth.
  • The only IRS domain is irs.gov. Not .us, not .com, not .help, not .online. Any other TLD is fake.
  • The IRS does not accept gift cards. Period. Real payment options are direct debit, IRS Direct Pay at irs.gov/payments, EFTPS, card via approved processor, check, or money order. Anything else is the scam.
  • The IRS does not threaten arrest by phone. Real collection escalates through written notices over months and years, not a sixty-second phone call.
  • Refunds are checked at irs.gov/refunds or in IRS2Go. No SMS link is ever the right path.

Real TurboTax and H&R Block sender domains

If a tax-prep email is real, it comes from one of these. Anything else with the brand name in it is a lookalike.

  • TurboTax / Intuit: @intuit.com, @turbotax.intuit.com. Real links go to intuit.com or turbotax.intuit.com. Not turbotax-secure.com, not intuit-verify.help, not turbotax-account-unlock.co.
  • H&R Block: @hrblock.com, @emails.hrblock.com. Real links go to hrblock.com. Not hrblock-refund.com, not hrblock-deposit-verify.help.
  • IRS: irs.gov only. The IRS does not initiate contact by email at all. Any email "from the IRS" is either a real CP-series notice scanned by a tax-prep service you authorized, or it is phishing.
  • Cash App Taxes (formerly Credit Karma Tax): @cash.app. Real links go to cash.app/taxes.
  • TaxSlayer: @taxslayer.com. Real links go to taxslayer.com.
  • TaxAct: @taxact.com. Real links go to taxact.com.

If you cannot remember the right domain, the safer move is always the same. Close the email. Open a fresh browser tab. Type the brand into the address bar yourself. Sign in directly. Any real notice will appear in your dashboard.

Red flags shared across all seven variants

  • Urgency with a deadline measured in hours. "Verify within 24 hours or lose your refund," "Pay within the hour or face arrest," "Action required before midnight."
  • A link or attachment instead of an instruction to sign in directly. Real notices say "sign in at irs.gov/account" or "log in to your TurboTax account." Fake notices push a one-click link.
  • A hyphenated lookalike domain. Real brands rarely use hyphens or extra words. irs-tax-refund.us, turbotax-secure-login.com, hrblock-refund-release.com are all lookalikes.
  • A non-standard TLD. IRS uses only .gov. Intuit and H&R Block use only .com. Any .us, .help, .co, .shop, .online for these brands is phishing.
  • Request for SSN, bank routing, or driver's license image on a single page. Real tax workflows never bundle all of this into one external form. The legitimate process happens inside the prep software you already trust.
  • Gift cards, wire transfer, cryptocurrency, or "processing fee" as the payment method. Federal tax payments use IRS Direct Pay, EFTPS, card processors, or check. Nothing else.
  • Threats of arrest, deportation, or license suspension. Real IRS collection escalates over months in writing. It does not happen on a phone call.
  • Misspellings or odd phrasing. "Your refund is currently been processed," "Verifity your account," "Internal Revneue Service" all show up in real campaigns.

The 10-second verification routine for any tax-related message

Run this on every email, text, or call before you act on it.

  1. Pause for ten seconds. Urgency is the scam's main weapon. Slow down. Nothing tax-related is genuinely a sixty-second decision.
  2. Look at the sender's full address (not just the display name). "IRS" as a display name with irs-notice@verify-portal.com as the actual address is phishing.
  3. Look at the link without clicking. Hover on desktop, long-press on mobile. The real URL appears. If it is not irs.gov, intuit.com, or hrblock.com, treat it as fake.
  4. Close the message and verify directly. Open a fresh browser tab. Type irs.gov/account, turbotax.intuit.com, or hrblock.com yourself. Sign in. If the issue is real, it will be in your dashboard.
  5. If unsure, paste the URL into the free SafeBrowz URL safety check. Get a verdict in two seconds.
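
The sender and link checks in steps 2 and 3, together with the list of real sender domains earlier in this guide, can be written as a short script. This is an added example, not SafeBrowz's detection code: the function names and the brand-word list are assumptions made for illustration, the allowlist holds only the domains this article names as real, and the sample inputs are constructed.

```javascript
// Added example: allowlist check for tax-brand senders and links.
// OFFICIAL holds only the domains this article lists as real.
const OFFICIAL = ["irs.gov", "intuit.com", "hrblock.com", "cash.app", "taxslayer.com", "taxact.com"];

// Brand words that lookalike hostnames borrow (assumed list, taken from the article's examples).
const BRAND_TOKENS = new Set(["irs", "turbotax", "intuit", "hrblock", "taxslayer", "taxact"]);

// A host is official only if it IS an allowlisted domain or a subdomain of one.
// Matching on the dot boundary keeps "evil-intuit.com" and "irs.gov.portal.example" out.
function isOfficial(host) {
  return OFFICIAL.some((d) => host === d || host.endsWith("." + d));
}

// Returns "official", "lookalike" (brand word on a non-official domain),
// "unverified" (no brand word, still not trusted), or "invalid".
function classifyHost(rawHost) {
  const host = rawHost.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  if (!host) return "invalid";
  if (isOfficial(host)) return "official";
  // Split on dots and hyphens so "irs" matches the label in "irs-tax-refund.us"
  // but not the substring inside "firstbank".
  const tokens = host.split(/[.-]/);
  return tokens.some((t) => BRAND_TOKENS.has(t)) ? "lookalike" : "unverified";
}

// Step 3: judge a link by the hostname the browser would actually connect to.
// The URL parser discards a "user@" prefix, so "https://irs.gov@other.example/"
// is judged on "other.example".
function checkLink(link) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(link) ? link : "https://" + link;
  try {
    return classifyHost(new URL(withScheme).hostname);
  } catch {
    return "invalid";
  }
}

// Step 2: judge a sender by the domain of the full address, ignoring the display name.
function checkSender(fromHeader) {
  const angle = fromHeader.match(/<([^>]*)>/);
  const address = (angle ? angle[1] : fromHeader).trim();
  const at = address.lastIndexOf("@");
  if (at < 1 || at === address.length - 1) return "invalid";
  return classifyHost(address.slice(at + 1));
}

// Constructed samples based on the patterns described in this guide.
const SAMPLES = [
  ["link", "https://turbotax.intuit.com/login"],
  ["link", "hrblock-refund-release.com/r/8K2J9F"],
  ["link", "https://irs.gov.refund-portal.example/account"],
  ["link", "https://irs.gov@irs-tax-refund.us/verify"],
  ["link", "https://firstbank.example/login"],
  ["sender", "IRS <irs-notice@verify-portal.com>"],
  ["sender", "no-reply@emails.hrblock.com"],
];

function runSamples() {
  return SAMPLES.map(([kind, value]) => ({
    kind,
    value,
    verdict: kind === "link" ? checkLink(value) : checkSender(value),
  }));
}

for (const row of runSamples()) {
  console.log(row.verdict.padEnd(10), row.kind.padEnd(6), row.value);
}
```

Anything other than "official" goes to step 4. An "official" sender domain is not proof of origin, because the From address can be forged, so the link verdict is the stronger signal.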

What to do if you already entered information on a fake site

If you read this and recognize a recent moment, here is the order of operations.

  • If you entered card details: freeze the card immediately in your bank app. Order a replacement card. File chargebacks on any unfamiliar charges. In the US, Regulation E covers debit cards if reported within 60 days; credit cards are typically protected for longer under the Fair Credit Billing Act.
  • If you entered SSN, date of birth, or bank routing details: file an IRS Identity Theft Affidavit at irs.gov/Form-14039. Request an IP PIN at irs.gov/ippin. Request a free wage and income transcript at irs.gov/transcripts to see what was reported in your name.
  • Freeze your credit at all three bureaus: Equifax (equifax.com/personal/credit-report-services), Experian (experian.com/freeze), and TransUnion (transunion.com/credit-freeze). Each freeze is free and can be lifted in minutes when you need credit.
  • File the FTC recovery plan at identitytheft.gov. It generates personalized recovery steps based on what was exposed and includes pre-filled affidavits.
  • File at ic3.gov (FBI Internet Crime Complaint Center) so the case feeds federal investigations.
  • If your TurboTax, H&R Block, or other prep account was compromised: sign in directly (do not use the link in the phishing email), change the password, enable two-factor authentication, and contact the provider's fraud line. TurboTax: 1-800-944-8596. H&R Block: 1-800-472-5625.
  • If a fraudulent return was filed in your name: file your real return on paper (yes, paper) along with Form 14039. Mail it to the address on the form's instructions. Expect processing delays of months while the IRS works through the case. The IRS has a dedicated Identity Protection Specialized Unit at 1-800-908-4490.

How to report each variant

  • Phishing emails impersonating IRS, TurboTax, or H&R Block: forward (with full headers) to phishing@irs.gov. Then delete.
  • IRS impersonation phone calls: report at the TIGTA "IRS Impersonation Scam Reporting" form on tigta.gov. Also report to the FTC at reportfraud.ftc.gov.
  • Phishing SMS: forward the text to 7726 (spells SPAM on a phone keypad), which routes it to your carrier. Then report at reportfraud.ftc.gov.
  • Identity theft (SSN used to file fraudulent return): Form 14039 to the IRS plus the FTC recovery plan at identitytheft.gov.
  • Generic fraud loss reporting: FBI IC3 at ic3.gov for any case involving financial loss or online activity.
  • BBB Scam Tracker: file at bbb.org/scamtracker to add the case to the public Better Business Bureau database (useful for warning others in your area).

Last updated 2026-05-30

Author note on sourcing. The seven variants in this guide are composite descriptions built from real campaigns documented in 2024 and 2025 by the IRS Dirty Dozen 2024 list, the IRS phishing@irs.gov reporting program, the Treasury Inspector General for Tax Administration (TIGTA), the FTC Consumer Sentinel Network Data 2024 (published February 2025), the FBI Internet Crime Report 2024 (published April 2025), Krebs on Security writeups, and the Better Business Bureau Scam Tracker. Specific sender domains, lookalike URLs, and dollar amounts in the examples are illustrative of the pattern, not a single specific incident. Real recovery channels (phishing@irs.gov, Form 14039, IP PIN, identitytheft.gov, ic3.gov, TIGTA, 7726, BBB Scam Tracker) are official and current as of publication. Users should verify each channel and any phone number independently before acting. TurboTax, H&R Block, Cash App Taxes, TaxSlayer, and TaxAct are mentioned as the brands most commonly impersonated and are not affiliated with or sponsoring SafeBrowz.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1, Local detection: 60+ URL patterns and 550+ brand-specific signatures run directly in your browser. This is the layer that catches turbotax-secure-login.com, hrblock-refund-release.com, irs-tax-refund.us, irs-stimulus-claim.us, and similar hyphen-and-suffix variants at click time, before the credential form ever loads. Intuit, TurboTax, H&R Block, Cash App, the IRS, and hundreds of other brand signatures are baked into the extension.
  • Layer 2, API checks: Google Safe Browsing, PhishTank, and URLhaus cross-references run server-side. Catches known phishing domains the moment they are reported anywhere in the world, including the throwaway tax-season lookalikes that get burned and replaced every few days.
  • Layer 3, AI deep scan (Premium): Content analysis flags brand-new lookalike pages that no blocklist has seen yet, such as the fake TurboTax sign-in page that went live two hours ago or the new IRS refund clone that has not been reported anywhere. Works in over 100 languages, useful for Spanish-language tax phishing aimed at Latino communities.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Block fake TurboTax, H&R Block, and IRS pages before they load

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks fake tax-prep sign-in pages, fake IRS portals, and lookalike refund-status sites before they load. 550+ brands in the database including Intuit, TurboTax, H&R Block, Cash App Taxes, TaxSlayer, TaxAct, and the IRS. AI content analysis catches brand-new tax-season lookalikes in over 100 languages. Free forever, no account needed. Check any tax-related URL first at the free URL safety checker.


FAQ

Does the IRS ever call, text, or email you first?

No. The IRS initiates contact by physical mail, every time. A CP, LT, or 5071C series notice arrives at the address on your last return. Only after written notices are ignored do IRS employees, in some limited collection cases, follow up by phone, and even then they never demand gift cards, threaten arrest, or ask for bank details over the call. If your first contact is a text, email, or phone call demanding payment, it is phishing or a phone scam. Forward emails to phishing@irs.gov. Report calls to TIGTA at tigta.gov.

How do I know if a TurboTax email is real?

Real Intuit emails come from @intuit.com or @turbotax.intuit.com and link only to intuit.com or turbotax.intuit.com. There is no turbotax-secure.com, turbotax-verify.help, or intuit-account-unlock.co. The safest workflow is to ignore the email link entirely, open a fresh browser tab, type turbotax.intuit.com manually, and sign in directly. Any real account notice will be visible in your dashboard. If something is genuinely wrong, the in-app message is the source of truth.

What is IRS Form 14039 and when do I file it?

Form 14039 is the IRS Identity Theft Affidavit. File it when you believe your SSN was used to file a fraudulent tax return, or when the IRS rejects your real return because one was already filed under your SSN. You can submit it electronically through identitytheft.gov (which generates a pre-filled version) or mail it directly to the address on the form's instructions. Pair it with an IP PIN request at irs.gov/ippin so any future fraudulent returns are blocked automatically.

What is an IP PIN and how do I get one?

An Identity Protection PIN (IP PIN) is a six-digit number the IRS assigns you that must accompany your real tax return. A return filed under your SSN without the correct IP PIN is rejected automatically. Any taxpayer can request one (not just identity-theft victims) at irs.gov/ippin. The PIN changes every year and is communicated through your IRS online account. It is the single most effective protection against the W-2 identity-theft variant.

How do I report a fake H&R Block text message?

Forward the text to 7726 (the letters spell SPAM on a phone keypad), which routes it to your wireless carrier's spam reporting system. Also report at reportfraud.ftc.gov and consider forwarding the message details to H&R Block at security@hrblock.com (the standard inbox for brand abuse). Do not click the link first to "see what it is," and do not reply STOP since that confirms the number is active. Just forward, then delete.

I gave my SSN to a fake IRS site. What is the first thing I should do today?

Freeze your credit at all three bureaus first (Equifax, Experian, TransUnion). It is free and takes about ten minutes total. Then request an IRS IP PIN at irs.gov/ippin so any fraudulent tax filing under your SSN gets rejected. File Form 14039 (Identity Theft Affidavit) and complete the FTC recovery plan at identitytheft.gov, which generates personalized next steps based on what was exposed. Also file at ic3.gov. The faster the freezes and IP PIN are in place, the smaller the window for the attacker to use the data.
