HOW TO REPORT TAX SCAM EMAILS: COMPLETE GUIDE TO PROTECTING YOURSELF AND FIGHTING BACK

By Ṣọ Email Security · 15 min read

Learn exactly how to report tax scam emails to the IRS, FTC, and FBI. Step-by-step guide with official reporting channels, detection checklist, and prevention strategies backed by 2024 federal data.

What is the fastest way to report a tax scam email?

Report tax scam emails by forwarding them to phishing@irs.gov as an attachment with the subject line "IRS" or "Treasury" depending on the impersonated agency. Additionally, file a report at ReportFraud.ftc.gov to contribute to federal fraud databases and receive customized recovery guidance. If you lost money or shared sensitive information, also submit a complaint to the FBI's Internet Crime Complaint Center at IC3.gov. These three reporting channels work together to help federal agencies track patterns, shut down fraudulent operations, and potentially recover stolen funds.


What is a tax scam email?

A tax scam email is a fraudulent electronic message designed to impersonate the Internal Revenue Service, state tax agencies, the U.S. Treasury Department, or legitimate tax software companies with the intent to steal personal information, financial data, or money from recipients.

The IRS officially defines phishing as "an email sent by fraudsters claiming to come from the IRS that lures victims into the scam with a variety of ruses such as enticing victims with a phony tax refund or frightening them with false legal or criminal charges for tax fraud."

Tax scam emails fall under the broader category of government impersonation fraud and represent one of the most prevalent forms of cyber-enabled crime reported to federal agencies. These attacks exploit the authority and urgency associated with tax obligations to override recipients' normal skepticism.

Key characteristics of tax scam emails include:

  • Unsolicited contact claiming to be from the IRS or Treasury Department
  • Requests for personal information such as Social Security numbers, bank account details, or login credentials
  • Threats of arrest, deportation, license revocation, or legal action
  • Promises of unexpected refunds or stimulus payments
  • Demands for immediate payment via unusual methods like gift cards, wire transfers, or cryptocurrency
  • Links to spoofed websites designed to harvest credentials or install malware

Tax scam emails differ from legitimate IRS communications in one fundamental way: the IRS does not initiate contact with taxpayers via email, text message, or social media to request personal or financial information. Any unsolicited electronic message claiming to be from the IRS and demanding immediate action or sensitive data is fraudulent by definition.


Why does reporting tax scam emails matter?

Reporting tax scam emails serves purposes far beyond individual protection. Each report submitted to federal agencies contributes to pattern recognition, criminal investigations, domain takedowns, and public awareness campaigns that protect millions of Americans.

The scale of the problem

The financial impact of tax-related and phishing fraud has reached unprecedented levels. According to official federal data:

FBI Internet Crime Complaint Center (IC3) 2024 Annual Report:

  • Total reported cybercrime losses reached $16.6 billion in 2024, representing a 33% increase from 2023
  • Phishing and spoofing was the most reported crime type with over 193,000 complaints
  • The average loss per cybercrime incident increased from $14,197 to $19,372
  • The IC3 received 859,532 total complaints in 2024
  • Cyber-enabled fraud accounted for 83% of all reported losses ($13.7 billion)

Federal Trade Commission (FTC) 2024 Data:

  • Consumer fraud losses totaled $12.5 billion in 2024
  • The FTC received nearly 850,000 imposter scam reports
  • Government impersonation scams resulted in $2.95 billion in losses
  • Email was identified as the top method scammers used to contact victims

IRS-Specific Threats:

  • The IRS placed phishing and smishing scams as the number one threat on its 2025 Dirty Dozen list
  • Tax professionals face targeted "new client" spear phishing campaigns that compromise client databases
  • W-2 phishing scams targeting businesses continue to expose thousands of employee records annually

Why your report makes a difference

Every report submitted to federal agencies creates actionable intelligence. The IRS uses phishing reports to identify and shut down fraudulent domains, often within hours of receiving complaints. The FTC aggregates reports to identify emerging scam patterns and issue public warnings. The FBI's IC3 data enables law enforcement to prioritize investigations and coordinate international takedown operations.

In 2024, the FBI's Recovery Asset Team successfully froze over $561.6 million in stolen funds through timely victim reports. This recovery was only possible because victims reported quickly and provided detailed information about the fraudulent transactions.

The IRS states that reports sent to phishing@irs.gov directly enable their cybersecurity teams to "alert service providers to help shut down the fraudulent sites, email addresses, etc." Without citizen reports, many fraudulent operations would continue undetected for months.


How does a tax scam email attack work?

Tax scam email attacks follow predictable patterns that exploit human psychology, technical limitations, and the inherent trust people place in government communications. Understanding the attack sequence helps recipients recognize threats before falling victim.

Step 1: Target selection and intelligence gathering

Attackers identify potential victims through multiple channels:

  • Data breaches: Stolen databases containing names, email addresses, and partial tax information
  • Social media reconnaissance: LinkedIn profiles revealing employment status, job titles, and company affiliations
  • Public records: Property ownership, business registrations, and court filings
  • Previous phishing campaigns: Email addresses that responded to earlier scams

Tax professionals, small business owners, and individuals who have recently experienced life changes (marriage, home purchase, job change) face elevated targeting risk.

Step 2: Campaign preparation

Attackers construct convincing materials:

  • Domain registration: Creating lookalike domains such as "irs-refund.com" or "irs.gov.taxrefund.net"
  • Email template design: Copying IRS letterhead, logos, and formatting conventions
  • Landing page creation: Building fake IRS login portals or form submission pages
  • Malware payload preparation: Embedding malicious attachments or links

Sophisticated campaigns may register domains weeks in advance to establish apparent legitimacy and avoid newly-registered domain filters.

Step 3: Message deployment

The attack email is sent with carefully crafted elements:

  • Sender spoofing: Making the "From" address appear to be from irs.gov or a legitimate organization
  • Subject line urgency: "Immediate Action Required" or "Your Tax Refund Has Been Approved"
  • Body content: Official-looking text with specific dollar amounts, deadlines, or case numbers
  • Call to action: Links to fake portals or instructions to call fraudulent phone numbers

Messages typically create urgency through threats (legal action, arrest, deportation) or incentives (unexpected refunds, stimulus payments).

Step 4: Victim engagement

When recipients interact with the scam:

  • Credential harvesting: Fake login pages capture usernames, passwords, and security questions
  • Personal information collection: Forms request Social Security numbers, bank account details, and dates of birth
  • Malware installation: Attachments or downloads install keyloggers, ransomware, or remote access tools
  • Payment extraction: Victims are directed to send money via gift cards, wire transfers, or cryptocurrency

Step 5: Exploitation and monetization

Stolen information is weaponized:

  • Fraudulent tax returns: Filed before the legitimate taxpayer, diverting refunds to attacker-controlled accounts
  • Identity theft: Opening credit accounts, obtaining loans, or committing other fraud using victim identities
  • Account takeover: Accessing bank accounts, email accounts, or other financial services
  • Secondary attacks: Using compromised email accounts to target the victim's contacts
  • Dark web sales: Selling complete identity packages to other criminals

Step 6: Discovery

Victims typically discover the fraud through:

  • IRS rejection of legitimate tax returns due to duplicate filings
  • Unexpected IRS correspondence about returns they didn't file
  • Bank notifications about unauthorized transactions
  • Credit monitoring alerts about new accounts
  • Contact from the real IRS about discrepancies

The delay between attack and discovery—often weeks or months—significantly complicates recovery and reduces the likelihood of fund recovery.


What does a real tax scam attack look like?

Case study: the "new client" tax professional attack (2024)

The IRS documented a sophisticated spear phishing campaign in Tax Tip 2024-06 that specifically targeted tax preparation professionals across the United States.

The attack setup:

Tax professionals received emails from individuals claiming to be prospective new clients seeking tax preparation services. The emails appeared legitimate, expressing interest in engaging the professional's services and referencing specific tax situations that would require professional assistance.

The payload:

The supposed new client indicated they had tax documents ready to share and included either:

  • A link to "view their tax information" hosted on a third-party file sharing service
  • An attachment claimed to contain prior year returns or W-2 forms

The compromise:

When tax professionals clicked the links or opened the attachments:

  • Malware was installed on their systems, often without visible indication
  • Attackers gained access to the professional's email account credentials
  • Some variants installed keyloggers capturing all subsequent input
  • Remote access tools provided persistent access to the compromised systems

The cascade effect:

With access to the tax professional's systems, attackers:

  • Downloaded client databases containing Social Security numbers, addresses, and financial information for hundreds or thousands of taxpayers
  • Used the professional's legitimate email account to send secondary phishing attacks to existing clients
  • Filed fraudulent tax returns using stolen client information before legitimate returns were submitted
  • In some cases, sent fraudulent invoices to clients from the legitimate business email address

The impact:

This single attack vector compromised not just individual tax professionals but potentially thousands of their clients. The legitimate professional's email account with its established trust relationship and valid authentication records became the perfect vehicle for secondary attacks that bypassed traditional security measures.

IRS response:

The IRS urged tax professionals to:

  • Report such attempts to phishing@irs.gov with "Spearphishing" in the subject line
  • Contact their IRS Stakeholder Liaison if they experienced a security breach
  • Immediately notify affected clients if data was compromised
  • Report data loss incidents to dataloss@irs.gov

This case illustrates how modern tax scams target intermediaries to maximize their reach and exploit established trust relationships.


How can you identify a tax scam email?

Use this comprehensive checklist to evaluate any tax-related email. The presence of even one red flag warrants extreme caution; multiple indicators confirm the message is fraudulent.

Sender verification checklist

  • Non-government domain: Email originates from a domain other than .gov (e.g., irs-refund.com, irs.org, irs-gov.net)
  • Misspelled domain: Sender address contains typos or character substitutions (e.g., lRS.gov using lowercase L)
  • Mismatched reply address: The reply-to address differs from the displayed sender address
  • Generic sender name: Display name shows "IRS" or "Internal Revenue Service" without specific department identification
  • Free email provider: Message comes from Gmail, Yahoo, Outlook, or other consumer email services

Content red flags checklist

  • Immediate action demands: Message requires response within hours or days with threats of consequences
  • Arrest or legal threats: Claims you will be arrested, prosecuted, or face criminal charges
  • Deportation threats: Warnings about immigration consequences for non-compliance
  • License revocation: Threats to suspend driver's license, business license, or professional credentials
  • Unexpected refund claims: Promises of refunds you didn't request or weren't expecting
  • Stimulus payment offers: Unsolicited offers related to economic impact payments or tax credits
  • Requests for sensitive data: Asks for Social Security numbers, bank account information, or passwords via email
  • Unusual payment demands: Requests payment via gift cards, wire transfers, cryptocurrency, or prepaid debit cards
  • Grammatical errors: Obvious spelling mistakes, awkward phrasing, or inconsistent formatting
  • Generic greetings: "Dear Taxpayer" or "Dear Customer" instead of your actual name

Technical indicator checklist

  • Suspicious links: Embedded URLs point to non-.gov websites when you hover over them (don't click)
  • Shortened URLs: Links use URL shorteners like bit.ly, tinyurl, or similar services
  • Unusual attachments: Files with extensions like .exe, .zip, .scr, .js, or password-protected archives
  • Embedded forms: Email contains fillable forms requesting sensitive information
  • Mismatched certificates: Links claim to be secure but don't show valid HTTPS indicators
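The sender and technical checklists above can be applied mechanically to a saved message. The following is an added example, not code from the original article: the function names, the provider list, and the sample message are assumptions constructed for illustration, and the lookalike domains are the ones this guide quotes.

```python
"""Added example: triage a saved message against the sender and technical
checklists. Provider/shortener lists are short illustrative assumptions."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

FREE_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com"}   # assumed sample list
SHORTENERS = {"bit.ly", "tinyurl.com"}                        # from the checklist
RISKY_EXT = (".exe", ".zip", ".scr", ".js")                   # from the checklist
TAX_CLAIM = re.compile(r"(?<![a-z])irs(?![a-z])|internal revenue|treasury")


def is_gov(host: str) -> bool:
    """True only if the name ends in .gov; 'irs.gov.taxrefund.net' does not."""
    return host.lower().rstrip(".").endswith(".gov")


class LinkCollector(HTMLParser):
    """Collects href targets so links are read from markup, never followed."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def triage(raw_eml: str) -> list:
    """Return (code, detail) tuples for each checklist item the message trips."""
    msg = message_from_string(raw_eml, policy=policy.default)
    flags = []
    display, sender = parseaddr(str(msg.get("From", "")))
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    # Does the display name or domain claim to be a tax authority?
    claims_tax = bool(TAX_CLAIM.search(f"{display} {domain}".lower()))

    if claims_tax and not is_gov(domain):
        flags.append(("non_gov_sender", domain))
    if domain in FREE_PROVIDERS:
        flags.append(("free_provider", domain))
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != sender:
        flags.append(("reply_to_mismatch", reply_to))

    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html" and not part.is_attachment():
            collector.feed(part.get_content())
    for href in collector.hrefs:
        host = (urlsplit(href).hostname or "").lower()
        if host in SHORTENERS:
            flags.append(("shortened_url", host))
        elif host and claims_tax and not is_gov(host):
            flags.append(("non_gov_link", host))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append(("risky_attachment", name))
    return flags


def sample_message() -> str:
    """Constructed sample using the lookalike domains quoted in this guide."""
    m = EmailMessage()
    m["From"] = "IRS Refund Dept <refunds@irs-refund.com>"
    m["Reply-To"] = "refund-desk@example.net"
    m["Subject"] = "Your Tax Refund Has Been Approved"
    m.set_content("Dear Taxpayer, your refund is ready.")
    m.add_alternative(
        '<a href="https://irs.gov.taxrefund.net/login">IRS.gov portal</a> '
        '<a href="https://bit.ly/constructed">verify</a>', subtype="html")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="refund_form.zip")
    return m.as_string()


if __name__ == "__main__":
    for code, detail in triage(sample_message()):
        print(f"{code:18} {detail}")
```

The script does not cover misspelled .gov lookalikes or the content and contextual checklists, which still need a human read.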

Contextual warning signs checklist

  • Unsolicited contact: You didn't initiate communication with the IRS or request information
  • No prior correspondence: First contact about an issue without previous written notice via postal mail
  • Pressure tactics: Emphasis on immediate action with dire consequences for delay
  • Secrecy requests: Instructions not to discuss the matter with family, accountants, or attorneys
  • Callback numbers: Provided phone numbers that don't match official IRS contact information (800-829-1040)

The cardinal rule

The IRS will never:

  • Initiate contact via email, text, or social media to request personal or financial information
  • Demand immediate payment without opportunity to question or appeal
  • Require a specific payment method such as gift cards, wire transfers, or cryptocurrency
  • Threaten arrest, deportation, or license revocation for non-payment
  • Send unsolicited emails about refunds, stimulus payments, or tax credits

Any communication violating these principles is fraudulent regardless of how authentic it appears.


How do you report a tax scam email step by step?

Follow this comprehensive protocol to maximize the investigative value of your report and protect yourself from further harm.

Step 1: Do not engage

Before doing anything else:

  • Do not click any links in the suspicious email
  • Do not open any attachments
  • Do not reply to the message
  • Do not call any phone numbers provided in the email
  • Do not forward the email to colleagues or friends (except for reporting purposes)

Engagement of any kind, even to tell scammers you know it's fake, confirms your email address is active and monitored, likely resulting in increased targeting.

Step 2: Preserve the evidence

The email contains technical data crucial for investigation:

  • Take screenshots of the email including full headers if visible
  • Note the exact sender email address (not just the display name)
  • Record any URLs by hovering over links (without clicking)
  • Save the email in its original format if possible

Step 3: Report to the IRS

Primary reporting address: phishing@irs.gov

Best practices for IRS reporting:

  1. Save as attachment (preferred method):

    • Save the suspicious email as a file (.eml or .msg format)
    • Create a new email to phishing@irs.gov
    • Attach the saved email file
    • This preserves header data critical for investigation
  2. Forward as attachment (alternative method):

    • Use your email client's "Forward as Attachment" option if available
    • This maintains more technical data than simple forwarding
  3. Standard forward (minimum acceptable):

    • Forward the email directly to phishing@irs.gov
    • Note: This strips important header information but still provides value

Subject line guidance:

  • Use "IRS" for IRS impersonation scams
  • Use "Treasury" for Treasury Department impersonation
  • Use "W-2 scam" for W-2 data theft attempts
  • Use "Spearphishing" for targeted attacks on tax professionals
  • Use "W8-BEN" for fake tax exemption document scams
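Why the attachment methods in Step 3 matter, shown as an added example that is not part of the original article: the saved message is wrapped as a message/rfc822 attachment, and its routing headers are read back out of the serialized report. The function names, the short keys in SUBJECTS, the reporter address, and the sample message are assumptions constructed for illustration; nothing is sent.

```python
"""Added example: wrap a saved .eml in a report so its headers survive."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines from the guidance above, keyed by short labels assumed here.
SUBJECTS = {
    "irs": "IRS",
    "treasury": "Treasury",
    "w2": "W-2 scam",
    "spearphishing": "Spearphishing",
    "w8ben": "W8-BEN",
}

# Constructed sample of a saved message; hosts and addresses are placeholders.
SAMPLE_EML = (
    b"Return-Path: <bounce@irs-refund.com>\r\n"
    b"Received: from mta.example.net by mx.example.org; 3 Feb 2025 10:00:00 -0500\r\n"
    b"From: IRS Refund Dept <refunds@irs-refund.com>\r\n"
    b"Reply-To: refund-desk@example.net\r\n"
    b"Subject: Your Tax Refund Has Been Approved\r\n"
    b"\r\n"
    b"Dear Taxpayer, claim your refund today.\r\n"
)


def build_report(original_eml: bytes, kind: str, reporter: str) -> EmailMessage:
    """Build (but do not send) a report with the original attached intact."""
    if kind not in SUBJECTS:
        raise ValueError(f"unknown report kind: {kind!r}")
    original = message_from_bytes(original_eml, policy=policy.default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = "phishing@irs.gov"
    report["Subject"] = SUBJECTS[kind]
    report.set_content("Suspicious message attached as received. "
                       "No links or attachments were opened.")
    # Passing a message object produces a message/rfc822 part, which carries
    # the original's full header block instead of only its visible text.
    report.add_attachment(original)
    return report


def evidence_headers(report_bytes: bytes) -> dict:
    """Re-parse a serialized report and read routing headers from the attachment."""
    report = message_from_bytes(report_bytes, policy=policy.default)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()
            return {h: inner.get_all(h, [])
                    for h in ("Return-Path", "Received", "Reply-To")}
    return {}


if __name__ == "__main__":
    rpt = build_report(SAMPLE_EML, "irs", "reporter@example.org")
    for name, values in evidence_headers(rpt.as_bytes()).items():
        print(name, [str(v) for v in values])
```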

Step 4: Report to the Federal Trade Commission

Reporting portal: ReportFraud.ftc.gov

The FTC report serves multiple purposes:

  • Contributes to national fraud tracking databases
  • Enables pattern recognition across millions of complaints
  • Triggers customized recovery guidance based on your specific situation
  • Supports law enforcement investigations and prosecutions

Information to include:

  • Type of scam encountered
  • How you were contacted
  • What information or money (if any) you provided
  • Any identifying information about the scammer

Step 5: Report to the Anti-Phishing Working Group

Reporting address: reportphishing@apwg.org

The APWG is an international coalition of industry, government, and law enforcement that:

  • Maintains global phishing databases
  • Coordinates takedown efforts across jurisdictions
  • Shares threat intelligence with security vendors
  • Helps browsers and email providers block known threats

Forward the phishing email as an attachment to this address.

Step 6: Report to FBI IC3 (if financial loss occurred)

Reporting portal: IC3.gov

File an IC3 complaint if:

  • You sent money to scammers
  • You provided banking information that was subsequently misused
  • You experienced identity theft as a result of the scam
  • You shared Social Security numbers or other sensitive data

Include in your IC3 report:

  • Detailed timeline of events
  • All communication records with scammers
  • Transaction receipts, wire transfer confirmations, or gift card information
  • Any cryptocurrency wallet addresses used
  • Screenshots and documentation

The IC3 report enables:

  • FBI investigation prioritization
  • Potential fund recovery through the Recovery Asset Team
  • Connection to related cases across jurisdictions
  • Statistical tracking for resource allocation

Step 7: Report to Treasury Inspector General for Tax Administration

Reporting portal: TIGTA.gov
Phone: 1-800-366-4484

TIGTA specifically investigates IRS impersonation and tax administration fraud. Report to TIGTA if:

  • Someone impersonated an IRS employee
  • You received threats related to tax obligations
  • You were pressured to make payments to avoid IRS action

Step 8: Notify your email provider

Report the message as phishing through your email client:

  • Gmail: Click the three dots menu → "Report phishing"
  • Outlook: Select the message → "Report" → "Report phishing"
  • Yahoo: Click "Spam" → "Report a phishing scam"
  • Apple Mail: Forward to reportphishing@apple.com

This helps email providers improve their filtering systems.

Step 9: Protect your identity (if information was shared)

If you clicked links, opened attachments, or provided any information:

Immediate actions:

  1. Visit IdentityTheft.gov to create a personalized recovery plan
  2. Place a fraud alert with one of the three credit bureaus (they notify the others):
    • Equifax: 1-800-525-6285
    • Experian: 1-888-397-3742
    • TransUnion: 1-800-680-7289
  3. Consider a credit freeze for stronger protection
  4. Change passwords for any accounts that may be compromised
  5. Enable two-factor authentication where available
  6. Monitor bank and credit card statements for unauthorized activity

If you shared your Social Security number:

  • Request an IRS Identity Protection PIN at IRS.gov
  • Review your Social Security statement at ssa.gov for accuracy
  • Consider IRS Form 14039, Identity Theft Affidavit, if you suspect tax-related identity theft

What should you do if you fell for a tax scam?

Immediate, systematic action can minimize damage and improve recovery prospects. Time is critical—especially for financial fraud.

Immediate response (first 24 hours)

For financial losses:

  1. Contact your bank immediately

    • Report the fraudulent transaction
    • Request a hold or reversal if possible
    • Ask about fraud protection policies
    • Change online banking credentials
  2. For wire transfers:

    • Contact your bank's wire transfer department immediately
    • Request a SWIFT recall if international
    • File an IC3 complaint noting the wire transfer details
    • The FBI's Financial Fraud Kill Chain can sometimes freeze funds in transit
  3. For gift card payments:

    • Contact the gift card issuer immediately with card numbers
    • Report to the retailer where cards were purchased
    • Provide transaction details to IC3
    • Note: Recovery is rare but possible if reported quickly
  4. For cryptocurrency:

    • Document all wallet addresses involved
    • Report to the cryptocurrency exchange if applicable
    • File detailed IC3 report with blockchain transaction IDs
    • Contact local FBI field office for significant losses

Identity protection response

If you shared personal information:

  1. Credit bureau actions:

    • Place initial fraud alerts (free, lasts one year)
    • Consider credit freeze (prevents new account opening)
    • Request free credit reports from all three bureaus
    • Review reports carefully for unauthorized accounts
  2. IRS-specific protections:

    • Request IP PIN at IRS.gov/ippin
    • File Form 14039 if you suspect tax identity theft
    • Respond promptly to any IRS letters
    • Consider filing taxes early in future years
  3. Account security:

    • Change passwords on all sensitive accounts
    • Enable two-factor authentication everywhere possible
    • Review connected apps and revoke suspicious access
    • Update security questions with new answers

Documentation for recovery

Create a comprehensive incident file:

  • Timeline of all events with dates and times
  • Copies of all scam communications
  • Records of all reports filed (confirmation numbers, case IDs)
  • Receipts for any money sent
  • Screenshots of any fraudulent websites visited
  • List of all information potentially compromised
  • Contact log for all recovery communications

This documentation supports:

  • Law enforcement investigations
  • Insurance claims
  • Disputes with financial institutions
  • IRS identity theft resolution
  • Potential civil litigation

Emotional and practical support

Fraud victimization causes real psychological harm. Consider:

  • AARP Fraud Watch Network Helpline: 877-908-3360 (free for anyone, not just AARP members)
  • Identity Theft Resource Center: 888-400-5530
  • Local victim assistance programs through your district attorney's office

You are not alone, and falling for a scam does not reflect personal failure—these attacks are designed by professionals to manipulate human psychology.


Frequently Asked Questions about tax scam email reporting

Does the IRS ever contact taxpayers by email?

The IRS does not initiate contact with taxpayers via email, text message, or social media to request personal or financial information. The only exception is if you have explicitly opted in to receive certain notifications through an IRS online account that you created. Any unsolicited email claiming to be from the IRS that requests sensitive information or payment is fraudulent. The IRS initiates most contacts through postal mail and will never demand immediate payment or threaten arrest via electronic communication.

What happens after I report a phishing email to the IRS?

When you report a phishing email to phishing@irs.gov, the IRS cybersecurity team analyzes the message to identify the fraudulent infrastructure involved. The IRS uses this information to contact service providers and request takedowns of fraudulent websites, email addresses, and domains. While you typically won't receive individual feedback on your report, each submission contributes to pattern recognition and helps protect other taxpayers. For reports involving data breaches or ongoing threats, the IRS may coordinate with law enforcement for investigation.

Can I get my money back if I paid a tax scammer?

Recovery depends on the payment method and how quickly you act. Wire transfers may be recoverable if reported within 24-72 hours through the FBI's Financial Fraud Kill Chain program. Credit card payments often have fraud protection that enables chargebacks. Gift card payments are rarely recoverable but should still be reported to the issuer. Cryptocurrency transactions are generally not reversible but should be documented for law enforcement. The FBI's Recovery Asset Team froze over $561 million in 2024, but only a fraction of total losses are recoverable. Report immediately regardless of payment method.

How do I know if my tax identity was stolen?

Signs of tax identity theft include: IRS rejection of your e-filed return due to a duplicate Social Security number, receiving a tax transcript or IRS letter about a return you didn't file, IRS records showing wages from an employer you never worked for, receiving a refund you didn't request, or being notified that an online account was created in your name. If you suspect tax identity theft, immediately file IRS Form 14039 (Identity Theft Affidavit), request an Identity Protection PIN, and monitor your IRS account and credit reports. The IRS has a dedicated Identity Protection Specialized Unit at 800-908-4490.

Should I report tax scam emails even if I didn't fall for them?

Yes, absolutely. Reporting tax scam emails you recognized as fraudulent provides valuable intelligence to federal agencies even when no harm occurred. Your report helps identify active phishing campaigns, enables faster domain takedowns, contributes to pattern recognition for emerging threats, and improves spam filtering for others. The IRS specifically requests that people forward suspicious emails to phishing@irs.gov regardless of whether they engaged with the scam. Each report makes the next attack less likely to succeed against someone else.


Executive summary: how to report tax scam emails

The Threat: Tax scam emails impersonate the IRS, Treasury Department, and tax software companies to steal personal information, financial data, and money. In 2024, phishing was the most reported cybercrime type with over 193,000 complaints, and total cybercrime losses reached $16.6 billion according to the FBI IC3.

The Critical Rule: The IRS never initiates contact via email, text, or social media to request personal or financial information. Any unsolicited electronic message demanding immediate action, threatening consequences, or requesting sensitive data is fraudulent.

How to Report:

  1. Forward the email to phishing@irs.gov (save as attachment for best results)
  2. File a report at ReportFraud.ftc.gov
  3. If money was lost, file a complaint at IC3.gov
  4. Report IRS impersonation to TIGTA.gov or 1-800-366-4484

Key Detection Signs:

  • Non-.gov sender domains
  • Urgent deadlines with threats
  • Requests for SSN, bank details, or passwords
  • Payment demands via gift cards, wire, or crypto
  • Unexpected refund or stimulus claims

If You Fell Victim:

  • Contact your bank immediately for financial losses
  • Visit IdentityTheft.gov for a recovery plan
  • Place fraud alerts with credit bureaus
  • Request an IRS Identity Protection PIN
  • Document everything for law enforcement

Why reporting matters: Every report helps federal agencies shut down fraudulent operations, freeze stolen funds, and protect other taxpayers. The FBI recovered over $561 million in 2024 through timely victim reports.


Official reporting contacts quick reference

Agency               Contact                        Purpose
IRS Phishing         phishing@irs.gov               Report fake IRS/Treasury emails
FTC                  ReportFraud.ftc.gov            Report fraud, get recovery guidance
FBI IC3              IC3.gov                        Report cybercrime with financial loss
TIGTA                TIGTA.gov / 1-800-366-4484     Report IRS impersonation
APWG                 reportphishing@apwg.org        Report phishing for global tracking
Identity Theft       IdentityTheft.gov              Create personalized recovery plan
IRS Direct           1-800-829-1040                 Verify IRS communications
IRS Identity Theft   1-800-908-4490                 Tax identity theft assistance

This article is provided for educational purposes by Ṣọ Email Security and does not constitute legal, tax, or financial advice. Statistics cited are from official federal agency reports as of the publication date. Always consult qualified professionals for your specific situation.

Last updated: February 4, 2026