Fraudulent Tax Emails Are Again Making the Rounds Trying to Steal Your Money and Information
Image:

Fraudulent Tax Emails Are Again Making the Rounds Trying to Steal Your Money and Information

Don't fall for fraudulent emails with malware that claim to be coming from the IRS or other state and federal government agencies

August 7, 2025

Tax-related phishing never really stops; it simply shifts tactics as cybercriminals chase fresh victims. During the 2025 filing season the IRS logged more than eighty thousand email, text and social-media fraud reports, a twenty-eight percent jump over 2024. The rise traces to three trends. First, large language models now let scammers draft nearly perfect English, eliminating the telltale broken grammar that once flagged obvious fraud. Second, leaked government forms circulating on dark-web forums provide authentic visual templates that make fake attachments and landing pages look official. Third, millions of taxpayers who created online IRS accounts in 2023 and 2024 are now attractive targets because criminals can attempt credential-stuffing attacks against those portals. Below is an updated, plain-language guide to recognizing and refusing these scams, keeping personal data locked down and reporting incidents to the proper channels.

The IRS will not email sensitive documents

The Internal Revenue Service still communicates initial contact by U.S. Mail, not by email, text or social media direct message. Follow-up calls happen only after a letter and always include a case or badge number that matches the written notice. The agency never sends Word documents, spreadsheets or PDF attachments unless you specifically request transcripts through your secure account and retrieve them yourself. If a message arrives bearing a file labeled “tax_statement_2024.docm,” “W2_update.zip” or “Account_Suspension.pdf,” delete it immediately. Do not preview it in a webmail panel; modern malware can execute through embedded macros as soon as the preview renders.

New red flags to spot in 2025

  1. Improved spelling paired with outdated references.

    2. Chatbot writing tools produce clean sentences, but scammers often recycle old deadlines or cite defunct IRS programs. Any email referencing the Economic Impact Payments of 2020 or urging you to apply for a 2021 advanced child tax credit in 2025 is suspect.

  2. QR code lure.

    3. Several complaints this summer involved letters mailed in plain white envelopes that display a QR code and direct recipients to “verify your IRS profile to avoid seizure.” Scanning takes users to a spoofed login page that captures credentials. The real IRS uses only secure.gov domains and will never hide a website behind a QR code.

  3. Fake multi-factor authentication prompts.

    4. If you have an IRS online account, you receive a one-time passcode by text, voice call or authenticator app. Phishers now send emails that mimic this flow: “Someone attempted to log in; enter the 6-digit code below to cancel the request.” If you comply, you are in fact confirming an attacker’s login attempt. Remember that legitimate multi-factor prompts come only after you initiate a login.

  4. Voice phishing follow-ups.

    5. After sending mass email blasts, crooks often robocall the same list within hours. The recording warns of “outstanding tax liens filed with your county clerk” and asks you to press one. Any tax debt notice would first appear by certified mail, not by anonymous robocall.

  5. Attachment types that your tax software never uses.

    6. Most consumer tax products export documents as PDF, not as Microsoft Word files or ISO disk images. Malware analysts at the Cybersecurity and Infrastructure Security Agency report a spike in phishing kits that distribute malicious ISO files because many filters still overlook them.

Practical steps to keep your identity and devices safe

  • Use an Identity Protection PIN. The IRS allows any taxpayer to request a six-digit IP PIN that must be entered on electronic and paper returns. A criminal cannot successfully file under your Social Security number without that code.
  • Enable two-step verification on tax software accounts. H&R Block, TurboTax and most online preparers now support app-based authentication. This single setting blocks ninety percent of credential-stuffing attacks.
  • Patch Microsoft Office and remove unused macros. The “Follina” vulnerability exploited in 2023 is still a favorite entry point. Disable Office macros entirely unless your work duties require them.
  • Configure mail rules to flag external sender domains. Enterprise email suites such as Microsoft 365 and Google Workspace offer banners that mark messages originating outside your organization. Activate the feature on personal domains when possible.
  • Verify domain spellings. Fraudsters swap similar characters like “r” and “n” to spoof “irs.gov” as “irn.gov.” Hover your mouse over every hyperlink before clicking.
  • Keep endpoint protection software active. Current commercial antivirus products detect most known malware but only if real-time protection is on. Schedule daily definition updates and weekly full scans.
  • Back up data offline. Ransomware campaigns often launch after an initial tax-themed phish. Store backups on an external drive disconnected from the network except during the backup process.

North Carolina residents: what to do if you are targeted

If you live in North Carolina and receive a suspicious federal or state tax message, forward the email in its entirety to phishing@irs.gov and then delete it. For state-specific schemes, the NC Department of Revenue asks that you redirect the message to fraudreport@ncdor.gov. If malware may have executed, contact the NC Department of Justice Consumer Protection Division at 1-877-5-NO-SCAM to freeze your credit and obtain free identity-theft resources. While these phone lines are North Carolina focused, the advice on freezing credit files and monitoring accounts applies nationwide.

How to report and assist investigations

Reporting takes only a minute and increases the odds that filters will block the same email for others. Attach the phishing email as a file, do not forward it inline, so headers remain intact. Besides the IRS and state channels, you may also submit complaints to the Treasury Inspector General for Tax Administration through the TIGTA website and to the Federal Trade Commission at ReportFraud.ftc.gov. Investigators correlate the