Fraudulent QR Code Mailings Hit Taxpayers

A surge in fraudulent QR code mailings—known as “quishing”—is drawing scrutiny from federal investigators as millions of taxpayers receive official-looking letters during filing season. Authorities say scammers are using these mail-based schemes to impersonate the IRS and trick recipients into scanning malicious codes that can lead to identity theft and financial loss.

Federal Authorities Investigate Surge in QR Code Scam Letters

Investigators with the U.S. Postal Inspection Service and federal partners are tracking a steady rise in mail-based fraud involving QR codes, often referred to as "quishing." The scheme marks a shift from traditional phishing emails to physical mail, allowing scammers to bypass digital filters and reach households directly.

Officials say these operations are becoming more sophisticated, with fraudulent IRS notices that appear authentic at first glance. The use of printed materials adds credibility, making recipients more likely to trust the message and follow instructions without verifying the source.

Fake IRS Letters Use QR Codes to Lure Victims

Many of the fraudulent mailings closely resemble official IRS correspondence, featuring logos, formatting, and references to tax forms or refund status updates. Some letters instruct taxpayers to scan a QR code to resolve a balance due, verify identity information, or claim a pending refund.

In documented cases, the letters included fabricated notice numbers and references to nonexistent IRS departments. Once scanned, the QR codes redirect users to phishing portals designed to collect Social Security numbers, banking information, and login credentials.

IRS QR Code Scam Emerges as Tax Season Threat

The IRS has identified QR code scams as a major concern during the current filing season, warning taxpayers to remain cautious when receiving unsolicited mail. While the agency has introduced QR codes in limited official notices, those codes link only to verified IRS.gov pages and not to third-party sites.

Authorities stress that scammers are exploiting confusion around these legitimate uses to make fake IRS letters appear more credible. The timing during tax season increases the likelihood that recipients will act quickly without verifying the authenticity of the communication.

How Quishing Scams Steal Personal and Financial Data

QR codes hide their destination, making it difficult for users to confirm where they lead before scanning. This lack of transparency allows scammers to direct victims to spoofed websites that closely mimic IRS or financial institution portals.

Victims may unknowingly enter sensitive information on these sites, which scammers can use for identity theft or fraudulent tax filings. In some cases, scanning the code may also expose devices to malware designed to capture stored data or login credentials.

Taxpayers Face Higher Risk During Filing Season

Security experts say the timing of fraudulent QR code mailings is intentional, as millions of taxpayers expect correspondence related to their tax return or refund status between January and April. This expectation lowers skepticism and makes individuals more likely to trust official-looking letters.

The pressure to resolve tax issues quickly can also drive recipients to scan QR codes without verifying the source. Scammers rely on this urgency, often including language that suggests immediate action is required to avoid penalties or delays.

Older Adults and Small Businesses Among Key Targets

Older adults are among the most vulnerable groups, particularly those less familiar with QR code technology. Many rely on physical mail for official communication, making them more susceptible to convincing mail-based fraud schemes.

Small business owners also face increased risk due to the volume of tax-related correspondence they receive. Fraudulent notices referencing payroll taxes, estimated payments, or compliance issues can blend into routine business communications, making them harder to detect.

Officials Explain How to Spot a Fake IRS Notice

Federal agencies emphasize that understanding how the IRS communicates can help taxpayers avoid falling victim to scams. The IRS typically initiates contact through official letters, but those notices follow strict formatting and identification standards that can be verified.

Taxpayers are encouraged to review any unexpected communication carefully and avoid taking immediate action based on instructions in the letter. Verifying details through official IRS channels is a critical step before responding.

Real IRS Letters Follow Strict Notice Number Formats

Authentic IRS notices include a letter or notice number, often labeled with a “CP” or “LTR” designation. These identifiers can be cross-checked through official IRS resources to confirm whether the document is legitimate.

Fraudulent letters often include incorrect or nonexistent notice numbers, which can be a clear warning sign. Officials also note that the IRS does not direct taxpayers to external payment portals through QR codes or request sensitive data in that manner.

Fraudulent QR Code Mailings Lead to Identity Theft Risks

The consequences of interacting with a fraudulent QR code mailing can be severe, particularly when sensitive information is involved. Victims may unknowingly provide data that allows scammers to access financial accounts or file fraudulent tax returns.

Identity theft resulting from these scams can take months or even years to resolve, especially if multiple accounts are compromised. The financial and administrative burden can be significant for affected individuals.

A Single Scan Can Trigger Long-Term Financial Damage

Experts warn that even a brief interaction, such as scanning a QR code, can expose users to risk if it leads to a malicious site. Once hackers enter personal or financial data, they can use it immediately or sell it to other criminal networks.

In some cases, malware installed through these links can access stored information on mobile devices, expanding the scope of the damage. This makes prevention and early detection critical in limiting exposure.

Agencies Urge Public to Verify Before Taking Action

Federal authorities advise taxpayers to verify any unexpected IRS communication before responding, especially if it involves QR codes or requests for sensitive information. Logging into an official IRS account or contacting the agency directly can help confirm whether a notice is legitimate.

Reporting suspected scams also plays an important role in preventing further fraud. Agencies encourage individuals to forward suspicious letters and phishing attempts to appropriate authorities to support ongoing investigations.

Officials Encourage Vigilance as Scams Evolve

As scammers continue to refine their tactics, officials stress the importance of staying informed about emerging threats, such as quishing. Public awareness remains one of the most effective defenses against mail-based fraud schemes.

Taxpayers are urged to approach unexpected communications with caution and rely on verified sources when dealing with tax-related matters. Taking a moment to confirm authenticity can prevent significant financial and personal harm.

Sources

• U.S. Postal Inspection Service – Quishing Scam Alert
• IRS Dirty Dozen Tax Scams 2026
• IRS – Ways to Tell If the IRS Is Reaching Out

‍By William Mc Lee, Editor-in-Chief & Tax Expert—Get Tax Relief Now