Key Takeaways
- Internal Revenue Service (IRS) QR codes in tax notices improve access to digital services but increase phishing and identity theft risks when taxpayers share sensitive data online.
- Taxpayers should verify notices through their IRS Online Account, confirm IRS.gov web addresses and use multi-factor authentication (MFA) before providing information.
- Identity Protection PIN (IP PIN) enrollment, credit freezes and rapid reporting through the Federal Trade Commission (FTC) and IRS help reduce tax fraud exposure.
The IRS continues to modernize and adapt to the digital world, but modernization also brings new digital data risks. As part of the transition from paper checks to electronic payments and refunds outlined in Executive Order 14247, the IRS began issuing the CP53E notice to more than a million taxpayers. The notice requested that taxpayers update direct deposit information, regardless of whether they were due a refund for the current filing year.
This caused confusion, in part because the notices contained QR codes linking to the IRS website for updating direct deposit information – even as the IRS continues to warn taxpayers about scammers seeking tax data. The National Taxpayer Advocate addressed the confusion and the IRS issued FAQs regarding the CP53E. But this situation highlights a broader ongoing issue with the use of QR codes in IRS notices: they may offer convenience, but they also create new concerns for taxpayers.
IRS Use of QR Codes
With modernization efforts come risks for taxpayers. Beginning in 2020, the IRS started including QR codes on its various notices. The intention was to give taxpayers ease of access to IRS online resources via their mobile devices. Over time, the use of QR codes has expanded across a broader range of notices.
Here are some examples of notices where you’ll find the IRS QR Codes, including those that link to the IRS Document Upload Tool (DUT):
IRS Notice | Purpose of Notice | What the QR Code is Used For |
CP14 Series | Balance due notice | To submit payment or set up a payment plan |
CP59 | Notice of unfiled tax return | To respond regarding the missing tax return or upload the return |
Letter 5071C | Notice of suspected identity theft | To verify taxpayer identity so the return processing can continue |
CP53E | Direct deposit of refund information request | To update banking information or verify accuracy of existing information |
CP501/CP503/CP504 | Balance due reminder notices | To review account balance or set up payment plan |
CP05A Notice | Notice of income tax return review | To access the DUT to securely upload information |
CP75/CP75A Notices | Exam-related notices | To access the DUT to securely upload requested information |
The Risks of QR Codes in Tax Notices
The IRS regularly warns taxpayers to be aware of potential phishing attacks via email, text or phone calls that appear to come from the IRS, especially those requesting login credentials, payment or verification through links or QR codes. Here is the rule that matters most: The IRS does not start contact by email, text or social media to ask for personal or financial information. It reaches out first by mail. If a message comes any other way and asks for your login, your bank details or a payment, treat it as fraud.
While QR codes can be extremely helpful, they give opportunity to bad actors to create fictitious notices to retrieve personal information. When providing personal or financial data or making any payments online, it’s preferable to enter the IRS website on your own and review your account prior to submitting any information or payments. The safest move is to skip the QR code. But, if you are limited to a mobile device and use a QR code, follow IRS guidance in validating: (1) that the address begins in “https” and/or a lock icon to ensure the connection is encrypted and (2) the domain just before the first slash is “irs.gov”. Scammers register lookalikes, such as “irs-gov.com” and “irs.gov.account-verify.com”.
Additionally, it’s best practice to have identity protection in place. Below are several steps you can take to protect your identity:
- Check that a notice is real before you act. Fake paper letters and fake QR codes are both circulating. Sign in to your IRS Online Account on your own to see if the balance or request actually exists. If you need to call, use the number on IRS.gov, not the one printed on the notice.
- Use strong passwords and multi-factor authentication (MFA) for your IRS online account or ID.me login.
- Never provide personal information in response to an IRS notice without first verifying the legitimacy of the source.
- Only share sensitive or personal data through a verified secure IRS portal accessed directly through IRS.gov.
- Be aware that no one can update your bank information for you with the IRS. For a CP53E, the IRS says plainly that its own employees cannot change your bank account details. The only way to do it is to sign in to your own IRS Online Account. It cannot be done by phone, email or text. So, anyone who calls, emails or texts offering to “verify” or “fix” your direct deposit is claiming a power no real IRS employee has. That is a scam.
If you have encountered a security issue and are navigating identity verification or identity theft procedures with the IRS, consider the following as well:
- Get an IRS Identity Protection PIN (IP PIN). It is a six-digit number known only to you and the IRS, and it stops anyone else from filing a return under your Social Security number. Any taxpayer who can verify their identity can now get one and the IRS is pushing everyone to do it. Sign up through your IRS Online Account. You get a new PIN each January.
- Put a security freeze on your credit with all three bureaus: Equifax, Experian and TransUnion. A freeze blocks anyone who already has your data from opening new credit in your name. It is free to set and free to lift.
While these steps can help to mitigate risk, it’s equally important to understand the potential consequences of compromising your personal information. A data breach may result in IRS identity verification delays, refund holds, significant documentation requirements and a time-consuming resolution process which can be avoided by taking a more cautious approach. If your information is exposed, move fast. Report it at IdentityTheft.gov to get a Federal Trade Commission recovery plan. File Form 14039, the Identity Theft Affidavit, with the IRS. Then request an IP PIN to protect future IRS filings.
Contact Us
If you have questions about how IRS QR codes may affect you or if you have been a victim of identity theft, our team can help. If you have any questions, please contact your PKF O’Connor Davies client service team or:
Kelly Morrison-Lee
Managing Director
kmorrisonlee@pkfod.com | 240.937.3952
Shira Sussman
Manager
sbaum@pkfod.com | 201.639.5765