IRS QR Code Scam: What It Is and What to Do
You received a letter, text, or email that appears to be from the IRS — and it contains a QR code. Before you scan anything else: the real IRS never initiates contact this way. Here's how the scam works and what to do if you already scanned it.
The IRS does not send QR codes
This is the most important thing to understand: the IRS does not initiate contact with taxpayers via QR codes — ever. It does not send QR codes in letters requesting identity verification, in texts about unpaid balances, or in emails linking to your account. If you received any of those, it is a scam regardless of how official it looks.
The IRS contacts taxpayers by mail through the U.S. Postal Service for official notices. When it does send a letter, that letter will contain a phone number and a direct URL to irs.gov — not a QR code. Any QR code in a message that claims to be the IRS was put there by an attacker.
The three variants of the IRS QR code scam
Attackers run this scam through three channels, each convincing in its own way.
The letter variant is the most sophisticated. It arrives as a printed letter on what looks like official IRS letterhead, often mimicking a real notice type — CP2000 (underreported income), CP3219A (statutory notice of deficiency), or a generic "Account Review Required" letter. The letter includes a fake case number, a fake IRS employee name, and a QR code to "access your account and respond." The code leads to a cloned irs.gov login page that captures your credentials.
The text variant typically claims the IRS has flagged an unpaid balance or that a refund is waiting for you. The message is brief and urgent, and the QR code takes you to a fake payment portal or identity verification form requesting your Social Security number.
The email variant often impersonates IRS e-Services, IRS Free File, or a tax preparation partner. The QR code in the email bypasses spam filters that would catch a plain link — which is exactly why quishing attacks have become so common. All three variants ultimately collect Social Security numbers, tax credentials, or payment card details.
What to do if you scanned it
Your response depends on what you did after scanning.
If you only scanned and didn't enter anything: Your risk is low. Close the page, do not return to it, and report the scam to the IRS.
If you entered your Social Security number, tax account credentials, or payment information, act immediately:
- Report to the IRS. Forward phishing emails to phishing@irs.gov. For a fake letter or text, report it at irs.gov/identity-theft-fraud-scams.
- File IRS Form 14039. This Identity Theft Affidavit flags your account with the IRS so that fraudulent returns filed in your name are caught. Download it at irs.gov/form14039.
- Place a fraud alert with the credit bureaus. Contact Equifax, Experian, or TransUnion — one call triggers an alert at all three. This makes it harder for an attacker to open new accounts in your name.
- Report to the FTC. File a report at reportfraud.ftc.gov. The FTC uses these reports to build cases against fraud networks.
- Contact your bank or card issuer if you entered payment information. Ask them to monitor for unauthorized transactions and dispute any charges that appear.
For a broader checklist of recovery steps after any suspicious scan, see what to do if you scanned a suspicious QR code.
How to avoid the scam next time
The simplest rule: if a message claims to be from the IRS and contains a QR code, it is not from the IRS. But here is how to protect yourself more broadly:
- Check QR codes with QRsafer before opening them. QRsafer checks the destination URL against threat intelligence databases and shows you a Safe, Risky, or Dangerous verdict before your browser loads anything. A cloned IRS login page will not pass a threat check.
- Look up your IRS account directly. If you receive any message claiming there is an issue with your taxes, go to irs.gov/account yourself — do not follow any link or scan any code from the message.
- Call the IRS to verify. The IRS general assistance line is 1-800-829-1040. If a letter is real, an IRS representative can confirm it. If it is fake, you just avoided the scam.
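As an added illustration (not code from QRsafer or the IRS), the sketch below checks the hostname of a URL decoded from a QR code against the real irs.gov domain and shows how the look-alike forms used by a cloned login page fail that check. The sample URLs are constructed, and the function name and verdict labels are assumptions. It inspects the hostname only; an "official-domain" result says nothing about whether the message that carried the code is genuine.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "irs.gov"  # the only domain the article treats as genuine


def classify_qr_url(payload: str) -> tuple[str, str]:
    """Return (verdict, reason) for a URL decoded from a QR code (hypothetical helper)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "dangerous", "malformed URL"
    if parts.scheme.lower() != "https":
        return "dangerous", "not an https URL"
    if not host:
        return "dangerous", "no hostname"
    # "https://www.irs.gov@evil.example/" displays irs.gov but connects to evil.example
    if parts.username is not None or parts.password is not None:
        return "dangerous", "userinfo before '@' hides the real host"
    # Non-ASCII or punycode labels can render as visually identical letters
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "dangerous", "internationalized (possible homoglyph) hostname"
    # Genuine only if the registrable domain itself is irs.gov
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official-domain", host
    # "irs" as a label, or "irs.gov" embedded anywhere else, is impersonation
    if "irs" in host.replace("-", ".").split(".") or OFFICIAL_DOMAIN in host:
        return "dangerous", "IRS look-alike host: " + host
    return "unrelated", host


# Constructed sample payloads, as a QR decoder would return them
SAMPLES = [
    "https://www.irs.gov/account",
    "https://irs.gov.account-review.example/login",
    "https://www.irs.gov@login.example/verify",
    "https://irs-gov.example/refund",
    "https://\u0456rs.gov/account",  # first letter is Cyrillic, not Latin "i"
    "http://www.irs.gov/account",
]

if __name__ == "__main__":
    for url in SAMPLES:
        verdict, reason = classify_qr_url(url)
        print(f"{verdict:16} {reason:45} {url!r}")
```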
This same tactic — a message with a QR code impersonating a trusted institution — is also used by bank QR code scammers. The defense is the same in both cases: never follow a QR code to log in to a sensitive account.
Frequently asked questions
Does the IRS ever send QR codes?
The IRS does not initiate contact with taxpayers via QR codes. It will never send a text, email, or unsolicited letter containing a QR code asking you to verify your identity, make a payment, or log in to your account. Any QR code claiming to be from the IRS is a scam.
What does an IRS QR code scam look like?
It arrives as a letter mimicking an IRS notice (like CP2000), a text about an unpaid balance or refund, or an email impersonating IRS e-Services or Free File. All three variants include a QR code that leads to a phishing page collecting your Social Security number, tax credentials, or payment card details.
What should I do if I scanned a QR code claiming to be from the IRS?
If you didn't enter anything, report the scam to phishing@irs.gov and move on. If you entered personal or financial information, report to the IRS, file IRS Form 14039 (Identity Theft Affidavit), place a fraud alert with the credit bureaus, and report to the FTC at reportfraud.ftc.gov. Contact your bank immediately if you entered payment details.
