IRS & Tax-Season Phishing Scams

Fake refund notices, balance-due threats, and tax-preparer impersonation surging around the April filing deadline

Published April 13, 2026 | By the OpenEFA Security Team

Phishing | Smishing | High Severity | ✓ Actively Blocked by OpenEFA

Overview

Every April, phishing campaigns impersonating the Internal Revenue Service (IRS) surge around the tax-filing deadline. Attackers exploit the pressure of tax season to trick victims into surrendering bank details, Social Security numbers, driver's license numbers, and tax-preparer login credentials. Campaigns arrive via email, SMS, and phone, and often combine multiple channels for credibility.

OpenEFA is actively detecting and quarantining the email variants of these campaigns.

Known Campaign Variants

Variant A: "Unclaimed Refund" Email

Victims receive an email claiming the IRS has identified an unclaimed refund and asking them to "verify" their direct-deposit information. The landing page collects bank routing number, account number, SSN, and date of birth.

Typical subjects: Your IRS refund notice, Action required — tax refund pending, Unclaimed Federal Tax Refund

Variant B: Fake CP-Series Notice

Emails impersonating real IRS letter formats (CP14, CP2000, CP501, CP504) claiming an unpaid balance with a short deadline and threats of wage garnishment, asset seizure, or legal action. Real IRS notices are sent via USPS mail, never initiated by email.

Typical subjects: IRS Notice CP2000 — Response Required, Final Balance Due Notice, Tax Lien Warning

Variant C: Tax-Preparer Impersonation

Emails pretending to be TurboTax, H&R Block, Jackson Hewitt, or a recipient's real tax preparer, attempting to steal login credentials or get the victim to "upload" their W-2, 1099, or completed 1040 to an attacker-controlled portal. Filed returns can be hijacked to redirect refunds.

Typical subjects: Your tax return is ready for review, Action needed to complete your filing, Verify your TurboTax account

Variant D: "IRS Agent" SMS/Call-Back Scam

The SMS variant directs recipients to call a provided number, where a fake "IRS agent" demands immediate payment via gift card, prepaid debit card, wire transfer, or cryptocurrency. Threats include arrest, deportation, or license suspension. This is a pure social-engineering variant designed to bypass email filters entirely.

Typical messages: IRS: Your tax refund is pending. Call 1-XXX..., IRS Final Warning — legal action pending

Common Characteristics

All variants share the same attack pattern:

  • Urgency — "Respond within 24 hours", "Final notice", "Immediate action required"
  • Threats — arrest warrants, asset seizure, deportation, wage garnishment, license suspension (none of which are how the real IRS operates)
  • Lookalike domains — irs-refund[.]com, irs.gov.xyz, treasury-refund[.]net, or typo-squats of legitimate tax-prep brands
  • Unusual payment demands — gift cards, prepaid debit cards, wire transfer, cryptocurrency (the real IRS accepts only Direct Pay, EFTPS, checks, or cards processed through authorized payment processors on irs.gov)
  • PII requests — SSN, DOB, DL number, bank routing details (the real IRS already has your SSN and DOB on file)

Red Flags to Watch For

  1. Any email or SMS from "the IRS" — The IRS initiates contact via USPS mail. They do not email or text taxpayers first, ever.
  2. Gift card or crypto payment demands — The IRS never accepts payment in iTunes cards, Google Play cards, Amazon gift cards, Bitcoin, or wire transfers to personal accounts.
  3. Non-.gov domains — Legitimate IRS links are at irs.gov. Watch for lookalikes using .com, .xyz, .net, or extra words (irs-portal.com, tax-refund-irs.net).
  4. Threats of arrest or deportation — The IRS follows due process with written notices, appeals windows, and court proceedings. Phone and email threats of immediate arrest are scams.
  5. Requests to "verify" SSN, DL, or bank details — The IRS already has this information. Any email asking you to confirm it is a credential-harvesting attempt.
  6. Unexpected refund offers — An unsolicited "you have an unclaimed refund" message is a classic lure; real refunds follow your filed return.
  7. Bad grammar and formatting — Genuine IRS correspondence is professionally edited. Awkward phrasing, unusual capitalization, or broken formatting are giveaways.
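
As an added illustration (not OpenEFA's detection logic and not code from this advisory), the Python sketch below turns several of the indicators above into a triage function a mail administrator could run over a raw message. The flag names, the brand-word list, and the sample message are assumptions constructed for the example; it expects plain-text bodies and does not cover typo-squats of tax-prep brands.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL = "irs.gov"               # the advisory: legitimate IRS links are at irs.gov
BRAND_WORDS = {"irs", "treasury"}  # assumption: words from the advisory's lookalike examples
PHRASES = {                        # wording taken from the advisory's lists
    "urgency-language": ("respond within 24 hours", "final notice", "immediate action required"),
    "unusual-payment-demand": ("gift card", "prepaid debit card", "wire transfer", "cryptocurrency"),
}

def is_official(host):
    host = host.lower().rstrip(".")
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

def is_lookalike(host):
    # Brand word as a whole label or hyphenated word outside irs.gov; "firstbank.com" does not match.
    return not is_official(host) and bool(BRAND_WORDS & set(re.split(r"[.-]", host.lower())))

def red_flags(raw):
    msg = message_from_string(raw.replace("[.]", "."))  # re-fang defanged indicators
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    body = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    text = (msg.get("Subject", "") + " " + body).lower()
    flags = []
    if re.search(r"\b(irs|internal revenue)\b", name, re.I) and not is_official(domain):
        flags.append("irs-display-name-on-non-irs.gov-sender")
    # Trust Authentication-Results only when your own receiving MTA stamped it.
    dmarc = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if is_official(domain) and (dmarc is None or dmarc.group(1) != "pass"):
        flags.append("irs.gov-sender-without-dmarc-pass")
    hosts = [urlsplit(u).hostname or "" for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    flags += ["lookalike-url:" + h for h in hosts if is_lookalike(h)]
    return flags + [label for label, words in PHRASES.items() if any(w in text for w in words)]

# Constructed sample message (not real campaign mail), written defanged.
REFUND_LURE = """\
From: "IRS Refund Dept" <notice@irs-refund[.]com>
Subject: Unclaimed Federal Tax Refund
Authentication-Results: mx.example.net; dmarc=pass header.from=irs-refund[.]com

Final notice. Verify your direct-deposit details: https://irs[.]gov[.]xyz/refund
"""

if __name__ == "__main__":
    print(red_flags(REFUND_LURE))
```

A message whose From domain is irs.gov but whose Authentication-Results header lacks `dmarc=pass` is flagged as `irs.gov-sender-without-dmarc-pass`, which is the spoofed-sender case that domain authentication is meant to catch.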

What You Should Do

  • Do not click any links in the message, and do not open attached tax forms or "IRS letter" PDFs
  • Do not reply or call any phone number in the message
  • Do not provide PII or bank details via email or SMS, ever
  • Verify independently — Log in at irs.gov/account directly, or call the official IRS line at 1-800-829-1040
  • Forward phishing emails to phishing@irs.gov, then delete
  • Report SMS scams by forwarding to 7726 (SPAM) and reporting to the FTC at reportfraud.ftc.gov
  • Report impersonation to the Treasury Inspector General (TIGTA) at tigta.gov

How OpenEFA Protects You

OpenEFA's email security platform detects and quarantines IRS and tax-season phishing emails using multiple layers of analysis:

  • URL Reputation — Identifies lookalike IRS, Treasury, and tax-prep domains
  • NLP Content Analysis — Detects urgency language, balance-due threats, and refund-lure patterns
  • Domain Authentication — Verifies SPF, DKIM, and DMARC to catch spoofed @irs.gov senders
  • Brand Impersonation Detection — Flags emails impersonating the IRS, Treasury, and major tax-prep providers
  • Seasonal Campaign Signals — Recognizes the tax-season phishing surge across our protected network

OpenEFA catches the email side of these attacks. SMS and phone variants bypass email filters entirely — awareness and independent verification are your best defense against those channels.


OpenEFA publishes security advisories when we identify significant phishing campaigns affecting our customers and the broader community. Bookmark this page or follow us for updates.

OpenEFA® is an AI-powered email security platform by Quantum Logic Systems, LLC. Learn more at openefa.com.
