New IRS Notices Seeking Bank Data for Refunds Spark Widespread Confusion and Scam Warnings

WASHINGTON — A recent wave of official notices from the Internal Revenue Service asking taxpayers for their bank account information has triggered widespread confusion and prompted warnings from tax professionals about a parallel rise in sophisticated scams. The letters, which include the CP35E and other notices, are being sent to hundreds of thousands of taxpayers who are owed a refund but for whom the agency lacks direct deposit details. The notices instruct recipients to provide their banking information online within 30 days to receive their refund electronically. Those who do not comply may face delays or eventually receive a paper check. This initiative is part of a broader federal mandate, stemming from a presidential executive order, aimed at phasing out paper checks across all government agencies to improve efficiency and security. However, the rollout has created a ripe environment for fraudsters, who are issuing nearly identical-looking letters to trick taxpayers into revealing sensitive financial data. The similarities between the legitimate IRS communications and the fraudulent ones are so convincing that even seasoned accountants and tax attorneys have reported difficulty telling them apart. Scammers often include QR codes in their fake letters, a feature that security experts universally warn against using. “It’s never worth scanning them because it is the prime way that a scammer is going to try to kind of access your information,” Jess LeDonne, a tax attorney with the Bonadio Group, told Atlanta’s WSB-TV. “The information the agency is trying to get is your banking information. I mean, it is truly a goldmine for scammers.” The IRS is sending these legitimate requests for several reasons. A taxpayer may have failed to include direct deposit information when filing their return, or the banking information provided may have been incorrect, leading the financial institution to reject the transfer. According to the Treasury’s Bureau of the Fiscal Service, financial institutions may post IRS refunds based solely on the account number provided, making accuracy on the tax return essential to prevent misdirected payments. For small and mid-sized businesses, the stakes are particularly high. A delayed or misdirected tax refund can disrupt cash flow and impact working capital needed for payroll, inventory, or operational expenses. The administrative burden of verifying the legitimacy of an IRS notice adds another layer of complexity for busy business owners. One taxpayer who received a suspicious letter noted that the primary red flag was that she wasn't expecting a refund in the first place, a critical detail that prompted her to seek professional advice rather than respond. This highlights a key verification step for any business or individual: confirming whether a refund is actually due by checking their account on the official IRS website. The correct and most secure procedure for responding to a legitimate notice is to bypass any links or QR codes in the letter and go directly to the IRS website. Taxpayers should log into their Individual Online Account at IRS.gov to verify the notice and securely submit their banking information. According to the IRS, its employees will not ask for direct deposit information over the phone or in person for security reasons. The agency has stated that beginning in 2026, taxpayers who receive a CP53E notice will be able to update their bank account information directly through their online account. The current notices are part of the transition toward this more streamlined, digital-first process. However, the IRS also clarifies that if a specific notice like the CP53E has not been issued for a taxpayer's account, they cannot change their banking information after their return has been filed and posted. In our experience, any new communication process from the IRS creates an immediate opportunity for fraudsters. While the agency's goal of moving away from paper checks is a logical step toward efficiency, the execution has unfortunately introduced a new and significant security risk for business owners. The primary danger lies in the convincing nature of the fake notices, especially those using QR codes, which can lead directly to malicious sites designed to steal banking credentials. Our advice to clients is unequivocal: never click a link, scan a code, or call a number from an unexpected notice. The only safe path is to independently verify the communication by logging into your official account at IRS.gov or by consulting a trusted advisor. This is precisely the kind of issue where professional tax preparation and compliance services become critical, not just for filing but for navigating official communications and avoiding costly mistakes. We help our clients verify these notices and manage their IRS correspondence securely. Business owners facing this or similar issues can contact C&S Finance Group LLC at csfinancegroup.com for guidance. As the IRS continues its multi-year transition to fully electronic refunds, business owners and individual taxpayers should anticipate further communications regarding direct deposit. The key takeaway from the current situation is the heightened need for vigilance. Verifying all unsolicited IRS correspondence through official channels is no longer just good practice but an essential defense against financial fraud.