Intuit releases security notice warning of phishing emails ahead of tax season

Intuit released two warnings this week about different types of phishing emails they have discovered being sent to their customers. 

In two separate security notices on Tuesday and Wednesday, the company said it has received reports from customers about two kinds of phishing emails they were getting. 

They urged recipients not to click on any of the links or attachments, not to reply to the email and to delete the email. If you have already clicked on a link in the email or downloaded a file from the email, they said you should delete the download, scan your system with an “up-to-date anti-virus program” and change your passwords. 

“Intuit has recently received reports from customers that they have received emails similar to the one below. This email did not come from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit’s brands authorized by Intuit,” Intuit explained. 

The earlier warning shared a copy of another type of phishing email customers were seeing. 

Erich Kron, security awareness advocate at KnowBe4, said these attacks typically tend to ramp up during tax season and generally attempt to trick people into logging into their accounts on a fake website, allowing them to steal the user’s credentials.  

Kron suggested anyone who has received these emails should go directly to the website and log into the account, where any notifications or issues with the account would be made obvious, as opposed to clicking on links in emails. 

“In addition, on any website where you were entering a username and password, you should check the URL bar to ensure you are at the legitimate organization’s website,” Kron said. 

Tripwire’s Tim Erlin added that phishing continues to be a popular means of attack because it continues to work. It only takes one user to click in order for the phishing campaign to be effective for the attacker, Erlin said, noting that it’s very difficult for an organization to prevent phishing attempts because they don’t require any compromise of infrastructure that organization controls. 

“While we try to addressing phishing with technological solutions, the problem remains a primarily human one,” he explained.

The IRS sent out a similar warning last week, reminding taxpayers “to be aware that criminals continue to make aggressive calls posing as IRS agents in hopes of stealing taxpayer money or personal information.”