IRS Phishing Used to Enable SIM-Swap Identity Theft
IRS-branded phishing pages harvest the personal details fraudsters need — name, SSN fragment, date of birth, and mobile number — to perform a SIM-swap attack that intercepts two-factor codes for banking and irs.gov accounts.
Part of: SIM Swap Scams
Last reviewed: 8 June 2026
IRS phishing campaigns have traditionally focused on stealing payment-card details or direct bank-transfer information. A more sophisticated variant harvests identity-level data — SSN, date of birth, current address, and mobile carrier — under the pretext of verifying eligibility for a tax refund or resolving an account hold.
This data is then used to execute a SIM-swap: the attacker calls the victim's mobile carrier, impersonates the account holder, and transfers the phone number to an attacker-controlled SIM. Once the number is ported, the attacker uses it to receive SMS two-factor codes and reset passwords on banking apps, email accounts, and the victim's actual irs.gov account.
Because tax season generates high anxiety about IRS correspondence, victims may provide more personal data to an apparently legitimate IRS verification page than they would to any other phishing campaign.
How this scam works on the IRS brand
A convincing phishing email, styled with IRS header graphics and correct footer text, claims the recipient's refund is pending but requires identity verification before disbursement. The verification form requests full name, date of birth, partial SSN (the last four digits), current address, and mobile number including carrier.
Days later, the attacker uses these details to port the mobile number. The victim's phone goes silent. Within hours, the attacker logs into banking apps, resets passwords using SMS codes, and drains accessible accounts. They may also access the irs.gov account to change the direct-deposit details for any pending tax refund.
The timing is often calculated for tax season, when the volume of legitimate IRS activity makes a refund-verification request plausible to more recipients.
Common red flags
- IRS refund page asks for your mobile carrier name — the IRS does not collect this
- Verification form requests full date of birth and mobile number alongside partial SSN
- Your phone loses signal unexpectedly after completing an IRS identity-verification form
- Banking apps send login or password-reset notifications you did not initiate
- IRS account at irs.gov shows a direct-deposit change you did not make
- Tax refund expected in your bank account does not arrive on the projected date
- Verification page URL is not irs.gov
How to protect yourself
- Access IRS services only at irs.gov — never via email or SMS links
- Set a SIM-lock PIN with your mobile carrier requiring verbal confirmation before any number transfer
- Use an authenticator app rather than SMS for two-factor authentication on banking and email accounts
- If your phone loses signal after engaging with an IRS link, call your carrier from another device immediately
- Check your IRS account at irs.gov for direct-deposit changes if you suspect a breach
- Place a credit freeze with Equifax, Experian, and TransUnion if SSN details were submitted
- File Form 14039 (IRS Identity Theft Affidavit) if your tax account is compromised
How to report it
- Report IRS identity theft at identitytheft.gov
- Forward phishing emails to [email protected]
- Report to TIGTA at 800-366-4484 or tigta.gov
- Contact your mobile carrier fraud team immediately if a SIM-swap is suspected
- Report to the FTC at reportfraud.ftc.gov
Frequently asked questions
Why does an IRS phishing page need to know my mobile carrier?
It does not — the real IRS has no reason to ask for your carrier. A phishing page that collects this information is harvesting what an attacker needs to impersonate you to the carrier and perform a SIM-swap. This is a clear red flag.
Can a SIM-swap affect my actual irs.gov account?
Yes. If your irs.gov account uses SMS-based two-factor authentication, a SIM-swap allows the attacker to receive your login verification codes. They can then access the account, view your tax records, and change direct-deposit details for any pending refund.
How long does it take to reverse a SIM-swap?
Carriers can typically reverse a SIM-swap within a few hours once fraud is confirmed, but damage to linked financial accounts may have already occurred. Report to the carrier, banks, and IRS simultaneously as soon as you suspect the swap.