IRS Direct File impersonation — email spoofs IRS Direct File / Free File Fillable Forms claiming e-file rejected or refund held, harvesting SSN + bank account for tax-refund fraud. IRS Dirty Dozen 2026; TIGTA 2026; 24M Direct File user pool.

Email impersonating the IRS Direct File program — the IRS's free direct federal tax-filing service launched nationwide on January 27, 2026 — with identity-verification or return-review panic language pointing at a non-irs.gov domain. Attackers registered 40+ lookalike domains within days of the program's launch according to Cofense's February 2026 report; SANS Internet Stormcast documented the domain-registration surge; BleepingComputer reported active campaigns targeting early filers. The IRS's actual Direct File service is hosted exclusively at directfile.irs.gov — the IRS never initiates contact by email and communicates about filing issues exclusively by physical mail. Any email claiming "your Direct File return has been flagged," "verify your identity to release your refund," or "re-submit your return" with a link to a non-irs.gov domain is phishing by definition. Distinct from fake-irs-refund-hold-lure (refund-hold narrative without Direct File branding) and irs-post-deadline-efile-amended-return-phishing (amended-return narrative).