My cousin Mark called me on a Tuesday afternoon in late February. He sounded shaken. He works in IT and knows what a phishing email looks like. He is not the family member I'd expect to fall for a scam.
"Pare, somebody just called me and it sounded exactly like Tito Boy. He said the IRS was holding my refund and he wanted me to verify my Social on a portal he was sending. I almost did it."
It wasn't Tito Boy. It was a 14-second voice sample, probably scraped from a Facebook video, run through an AI cloning tool, then dialed in over a spoofed Detroit number. Mark hung up because the "portal" link came in over text and the URL was irs-refund-2026-verify.com, which his work spam filter had already flagged. Saved him. But he stayed shaken for a week, and so did I. Because the next person to get that call might be my mom, and my mom does not have a spam filter.
Why This Year's Wave Is Hitting Different
The IRS Dirty Dozen list for 2026 leads with IRS impersonation by email and text — phishing and smishing — and singles out artificial intelligence for making those forgeries far more convincing. The Treasury Inspector General for Tax Administration (TIGTA) and the BBB Scam Tracker have both been flagging a sharp multi-year rise in tax-impersonation reports, and the share involving cloned voices or QR codes is climbing fastest. The trend line is the part I keep thinking about. More volume, better forgeries, every year.
What changed is the toolkit, not the goal. Cheap voice cloning. QR codes that bypass the "don't click suspicious links" reflex you've spent ten years building. Texts that look like a bank notification, not a Nigerian prince. Granted, the old fake-agent-threatens-jail call still works on someone every day. But the 2026 wave is layered. A scammer might text you a QR code, then call with what sounds like a real agent's voice. Two channels, one con.
The AI Voice Clone Variant
The call sounds like this, in the version Mark almost fell for.
A real-sounding voice says something close to: "This is Agent Diane Reyes with the IRS Refund Verification Unit. We have your 2025 return on file and there is a discrepancy holding your refund of [some specific dollar amount]. To release it, please verify your information at the secure portal we'll text to this line."
Three details make it work. The dollar amount is plausible, usually $1,400 to $4,800. The badge number sounds official. The voice has pauses, a cough, the cadence of a real person. One reader sent me a recording where the "agent" sighed before reading her name.
Red flags are loud if you know to listen. IRS does not call about refunds. There is no "Refund Verification Unit." No portal gets sent over text. The voice is convincing enough that people stop checking and start cooperating. Deeper dive on the cloning itself: AI voice cloning scams and how to protect your family. The whole kit is 14 seconds of audio, a free trial of an online tool, and a spoofed phone number.
The QR Code Postcard Variant
This one is sneaky and I almost didn't catch it the first time I saw it.
A postcard or letter shows up in the mail. It looks official. IRS-style typography, a return address in Austin or Kansas City, language about "refund verification under the 2026 reporting update." In the corner: a QR code with the instruction "Scan to confirm your identity." Some versions of this come as a text instead, or pop up in an email, but the printed-mail version is the one fooling people, because we've all been trained to trust paper.
My mother got one in March. She brought it to me with her glasses pushed up on her forehead and said, "Anak, do I scan this?" I took the postcard. The return address city was right but the ZIP code was off by one digit. The QR code, when I scanned it on a sandboxed phone, led to irs-refund-portal-2026.net, which is not a real IRS domain. The IRS only uses irs.gov. The page mimicked the IRS login screen down to the eagle.
The lesson my mother took away wasn't "don't scan QR codes." It was "call Anak before you scan anything." Which I'll take, honestly. Mark's almost-mistake and her almost-mistake happened in the same six-week window. Not coincidence. Saturation.
A note on the printed version. The IRS does send real letters, with real notice numbers (CP2000, LT11, CP501) that you can look up on irs.gov. Real notices never include a QR code as the only way to respond. They tell you what they want and give you a phone number and mailing address on the letter. If mail asks you to scan to verify, it isn't the IRS. Bring it to a family member, a tax preparer, or the IRS taxpayer line first.
The Text Message Variant
The SMS version is the highest-volume scam right now. A handful of phrasings keep showing up in BBB Scam Tracker submissions:
- "Updated 2026 IRS rules require verification of your refund. Click here within 24 hours: [link]"
- "IRS Notice: Your $2,847 refund is pending. Confirm identity: [link]"
- "Final notice from IRS: 2026 deposit requires re-verification. [link]"
Lookalike domains do the heavy lifting. gov-refund.com. irs-gov-refund.com. irsrefund2026.us. The IRS uses one domain, irs.gov, and they do not text. Full checklist: how to tell if a text message is a scam.
Is "gov-refund.com" (or Any "Gov-Refund" Site) a Real Government Page?
Short answer: no. I get asked this one by name, because the texts and postcards keep funneling people to domains like gov-refund.com, irs-gov-refund.com, or gov-refund-2026.net. None of them are the IRS, and none of them are an official government site. There is exactly one official IRS web address: irs.gov. The only government tool for checking a refund lives at irs.gov/refunds — the "Where's My Refund?" page. Any address that bolts "gov-refund," "irs-refund," or a year like "2026" onto a .com, .net, or .us is a lookalike built to harvest your Social Security number and bank login. Real federal sites end in .gov, never .com.
If you landed here because a text or a scanned QR code sent you to a "gov-refund" page and something felt off — trust that feeling. Don't type anything in. Close the tab. The real refund tracker is irs.gov/refunds, and the IRS will never text you or mail you a QR code to "verify" a refund. Then run the two-minute checklist at the end of this article.
The One Rule That Catches Every Version
If you remember nothing else from this article, remember this.
The IRS does not initiate contact by email, text message, social media, or phone. They mail you. Always. First contact about anything (refund, audit, balance due, identity verification) comes as a letter through the United States Postal Service, with a notice number you can look up on irs.gov.
That is the IRS's own published rule. It's at irs.gov/help/tax-scams/recognize-tax-scams-and-fraud. I have it bookmarked because every time a relative gets one of these calls, I send them the link instead of trying to explain it from scratch over the phone.
The rule cuts through every variant. AI voice clone? IRS doesn't call. QR code postcard with the eagle seal? IRS doesn't ask you to scan anything to verify your identity. Text about updated 2026 rules? IRS doesn't text. Email saying your refund is pending? Not from the IRS. The agency is bureaucratic in exactly the way that protects you here. They send a letter, you get the letter, you respond by mail or by calling the official number on the letter. The protection is the slowness. You can't be tricked into a five-minute decision by an agency that takes six weeks to write back.
There are tiny edge cases. An IRS revenue officer making an in-person visit will sometimes call to schedule, but only after you've already received written notice. A tax court appearance might involve scheduling calls. A debt collector working on the IRS's behalf can call, but only for tax debt that's already been escalated through the mail repeatedly. None of these situations apply to the "your refund is on hold, scan this code" scenario any of these scams use.
The other thing the rule does is take the pressure off you in real time. You don't have to figure out whether the voice on the phone sounds real, or whether the QR code looks legit, or whether the text URL is one digit off from irs.gov. You just have to remember the rule. If they're contacting me first by phone, text, email, or social media, it's not the IRS. Period.
In any case, if you're not 100% sure, hang up and call the IRS yourself at the number on your last paper notice. Or at the official taxpayer line, which I'll get to next.
The Numbers to Actually Call
Write these down. Tape them to the fridge if you have to. My mom has them in her phone under "IRS REAL" and "IRS FRAUD," all caps so she can find them in a panic.
- IRS taxpayer line: 800-829-1040. Monday through Friday, 7 AM to 7 PM local time. The main number for refund and account questions. Hold times are not great. Budget 30 to 60 minutes
- IRS Identity Theft Unit: 800-908-4490. If you think your Social Security number has been used to file a return, this is the line. Also where you request an Identity Protection PIN if your identity has already been compromised
- TIGTA fraud reporting: 800-366-4484. TIGTA is the Treasury Inspector General for Tax Administration. If you got a scam call, this is who investigates it. They also take reports at tigta.gov
- FTC fraud reporting: ReportFraud.ftc.gov. Online complaint form, takes about ten minutes. Worth filing even if you didn't lose money, because it feeds the FTC's pattern data
If you actually paid a scammer with a gift card, wire transfer, or crypto, the money is almost certainly gone. The window to claw it back is hours, not days. Call your bank first, then file at IC3.gov (the FBI's internet crime center) and ReportFraud.ftc.gov. Move fast.
One thing about that taxpayer line. The agents have heard the AI voice scenario hundreds of times. Say "I think I just got a fake IRS call" and they will pull up your account and tell you what's actually going on. The scam works by isolating you. The real number breaks the isolation.
Get an IP PIN Before Tax Season Next Year
The thing I wish more seniors knew about. The IRS runs a free program called the Identity Protection PIN, or IP PIN. A six-digit number that has to be on your tax return for it to be accepted. If a scammer files a fake return in your name, it gets rejected automatically without your IP PIN.
Sign up at irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin (or search "IRS Get an IP PIN"). You'll verify your identity through ID.me, which takes about 15 minutes and a phone with a working camera. The IP PIN refreshes every January.
I set this up for myself two years ago and for both parents last year. My dad's enrollment took 25 minutes because the ID.me selfie kept failing the lighting check. We ended up doing it on the back porch in afternoon sun. My mom's took eight. Tax-related identity theft is a slog to unwind, and the IP PIN cuts the risk close to zero. Pair it with two-step verification on your important accounts for email, banking, anything tax-related, and most of the attack surface closes. If you're using public Wi-Fi for any of this, a VPN is worth the few dollars a month.
What to Do If You Already Engaged
Maybe you're reading this because you already clicked. Already gave information. Already scanned the code.
It's not your fault. These scams are designed by professionals to defeat smart people. Mark almost fell for it. My mom almost fell for it.
Then, in order:
- If you gave a Social Security number or bank info: Call the IRS Identity Theft Unit at 800-908-4490. File an Identity Theft Affidavit (Form 14039); the IRS links it from irs.gov/identity-theft-central. Place a fraud alert with one of the three credit bureaus (Equifax, Experian, or TransUnion; calling one triggers all three). Consider a credit freeze, which is free and locks down new credit applications
- If you sent money: Call your bank or the payment service immediately. If it was a gift card, call the card's issuer (Apple, Target, Google). Sometimes they can void the card if it hasn't been redeemed yet. File at IC3.gov
- If you only clicked a link: Run a malware scan. I use Malwarebytes (free version is fine). Change the passwords on any account you might have logged into recently. If you used the same password elsewhere, change those too. A password manager makes this less painful
- In every case: Report the scam at TIGTA's site, tigta.gov, and at ReportFraud.ftc.gov. Even if you didn't lose anything. Your report helps build the pattern data that protects the next person
The medical scams and tax scams travel in the same circles, by the way. If you got hit with one, you're more likely to get the other. I wrote about how to spot the 2026 Medicare scam wave. Same playbook, different agency. Worth reading.
What Worked at My Mom's Kitchen Table
After the postcard incident, my mom and I made one rule. Anything that asks her to verify, click, scan, or pay something to a government agency, she takes a photo and sends it to me before she does anything. We have a WhatsApp thread for it. She calls it her "check-with-Anak" thread.
Three weeks ago she sent me a screenshot of a text claiming her Medicare card had been deactivated. Scam. She deleted it. Five minutes total versus the hours of credit-bureau calls if she'd clicked.
If you have an aging parent, set up the same channel. Whatever app they already use. The rule doesn't have to be sophisticated. It just has to be one they actually use.
No Anak to text? The IRS taxpayer line at 800-829-1040 is staffed by humans who would rather take a five-minute "is this real?" call than help you unwind identity theft six months from now. They've heard every version. They will not judge you.
Not the year to figure it out alone.
