Tax Refund QR Code Scam: How to Spot It and What to Do

The IRS never asks you to claim a refund by QR code

When the IRS owes you a refund, it sends the money automatically — either as a check mailed to your address or as a direct deposit to the bank account you provided on your return. You do not need to verify your identity, click a link, or scan a QR code to receive it. The IRS does not send texts or emails about pending refunds, and it does not initiate phone calls about them either.

This makes the tax refund QR code scam especially deceptive: it uses the promise of money you may genuinely be expecting, which lowers your guard. The "refund" creates urgency — you want to act before you lose it — and the QR code makes the process feel official. Neither of those feelings should override this fact: a QR code claiming to release your refund was not put there by the IRS.

The two main variants of this scam

Attackers run this scam through two channels, and both spike between January and April — tax season — when refund anticipation is at its peak.

The mailed-letter variant is the more convincing of the two. It arrives as a printed letter on what appears to be IRS letterhead, often mimicking the look of a real IRS notice with a case number, a seal, and official-sounding language. The letter states that a refund has been held pending identity verification and instructs you to scan the enclosed QR code to confirm your information through a "secure IRS portal." That portal is a phishing page. It asks for your Social Security number, date of birth, and bank account details — exactly what an attacker needs to file a fraudulent return in your name and intercept your real refund.

State tax agencies are also impersonated this way. If you live in a state with an income tax, you may receive a letter mimicking your state's revenue department with a QR code for a "state refund portal." The mechanics are identical — the page harvests credentials and financial details.

The text and email variant is blunter but still effective. A text message arrives claiming the IRS has processed a refund of a specific dollar amount — often a realistic figure like $847 or $1,203 — and that you must scan the attached QR code to verify your direct deposit account before the funds expire. Emails follow the same pattern, sometimes impersonating the IRS e-Services portal or a tax preparation partner like H&R Block or TurboTax. Scammers use QR codes instead of plain links in these messages because QR codes bypass the URL-scanning filters that would flag a plain phishing link.

What to do if you scanned it

Your next steps depend on how far you went.

If you only scanned and did not enter any information: Close the page and do not return to it. Your risk is low, but you should still report the scam to the IRS so others are protected.

If you entered your Social Security number, date of birth, banking details, or IRS login credentials:

1. Report to the IRS immediately. Forward phishing emails to phishing@irs.gov. For a fake letter or text, report it at irs.gov/identity-theft-fraud-scams. This flags your account with the IRS.
2. File IRS Form 14039 (Identity Theft Affidavit). This document notifies the IRS that your information may have been compromised and causes the agency to apply additional screening to returns filed under your SSN. Download it at irs.gov/form14039.
3. Place a fraud alert with the credit bureaus. Call Equifax, Experian, or TransUnion — a single call triggers an alert at all three — to make it harder for an attacker to open new credit accounts in your name.
4. Contact your bank. If you entered account or routing numbers, call your bank and ask them to monitor for unauthorized transactions. Ask about freezing the account if you believe direct access is at risk.
5. Report to the FTC. File a report at reportfraud.ftc.gov. The FTC aggregates these reports to track fraud networks and warn other consumers.

How to check on your real refund

If you are expecting a federal refund and want to verify its status, go directly to irs.gov and use the "Where's My Refund?" tool — type that URL yourself rather than following any link or QR code. For state refunds, search for your state revenue department directly and navigate to their official refund tracker.

Neither the IRS nor any state tax agency will ask you to scan a QR code, click an emailed link, or call a number from a text to check on your refund status. Any step in a process that deviates from a direct visit to an official .gov website is a red flag worth stopping for.

For a complete guide on what the IRS does and does not do with QR codes, see the IRS QR code scam overview. If your Social Security number was exposed, the steps in the Social Security QR code scam guide cover additional protective measures worth taking.

Frequently asked questions