Do you file taxes for the government or for the scammers?

Figure [1]: Filing tax forms online

In many parts of the world, tax season has arrived, and millions of people in the United States and Canada are preparing to file their taxes. We are all aware of the importance of filing taxes. I’m sure we can all recall the disappointment on our faces when we received our first paychecks and discovered that a significant portion had gone to taxes. The only way to recover a portion of our hard-earned money is to submit our taxes, either through an accountant or on our own with the help of popular tax filing apps such as TurboTax, TaxAct, etc., and wait for a refund.

1.1 What is TurboTax? What info goes in there?

The world is digital now. No one wants to pay a hefty fee to an accountant to submit their tax files to the Canada Revenue Agency (CRA). Over the years, many online tax filing websites and apps have been built so that filing taxes is self-explanatory and free of any charge. One such software product is TurboTax, owned by the parent company Intuit. According to TurboTax, more than 5 million Canadians use their software to get their maximum tax refund every single year.

Figure [2]: TurboTax Interface

Almost every personal detail that you can think of goes into your tax file. When you file your taxes, you declare everything from your name to confidential information like your SIN and income. At this point, TurboTax might know you better than you know yourself.

You might be wondering: is my data safe with TurboTax? Let’s find out!

1.2 TurboTax phishing scam: Background

Recently, Intuit, the parent company of TurboTax, started warning its customers about a new phishing scam that uses a fake link to the Intuit website. The scammers’ goal behind the phishing fraud is as yet unknown to Intuit. However, the company believes the scammers are attempting to get TurboTax users to give up their Intuit login and password. That is just the tip of the iceberg: Intuit also controls the QuickBooks accounting software and the Mint personal finance app, both of which may be accessed with the Intuit password. If the scammers gain access to consumers’ Intuit accounts, the amount of sensitive data they can access is unimaginable. From identity theft to stealing the tax refund, the options are endless. The phoney Intuit website even tricks you into downloading malware-infected TurboTax software.

Figure [3]: TurboTax phishing email

1.3 The phishing emails

According to two Intuit security notices released online this week, the fraud comes disguised as an email message with subject lines like “Critical: Action Required” or “Critical: Suspension.” The emails appear to be from “Intuit Accountants,” but in reality, they were sent from other email servers that may have been hacked.

The emails warn:

“We have temporarily disabled your account due to inactivity. It is compulsory that you restore your access within next 24 hours.”

Figure [4]: Example phishing email

The messages direct users to certain URLs in order to “restore your access,” and the visible links provided — intuit.com/Pro/Update.asp and proconnect.intuit.com/Pro/Update — are indeed part of the Intuit.com domain. 

Neither address, however, leads anywhere. It’s safe to assume that the fraudsters set up the links to appear to be from Intuit, while they actually go to other websites impersonating Intuit pages.
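The gap described above, between the address a link displays and the address it actually opens, can be checked mechanically. The following Python code is an added example, not code from Intuit or from the original post; the sample message body and its example.net / example.org destinations are constructed placeholders, because the real destinations are not given here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchor text that is itself a URL or host, e.g. "intuit.com/Pro/Update.asp".
URLISH = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$", re.I)

# Constructed sample body; the href hosts are placeholders, not real indicators.
SAMPLE_BODY = """
<p>We have temporarily disabled your account due to inactivity.</p>
<p><a href="http://login.example.net/Pro/Update.asp">intuit.com/Pro/Update.asp</a>
<a href="http://portal.example.org/Pro/Update">proconnect.intuit.com/Pro/Update</a>
<a href="https://www.intuit.com/support">intuit.com/support</a></p>
"""


def host_of(text):
    """Host named by URL-like anchor text, or None for plain wording."""
    match = URLISH.match(text.strip())
    return match.group(1).lower().removeprefix("www.") if match else None


class AnchorCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def mismatched_links(html_body):
    """Return (visible text, real host) where the text names a different site."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        shown = host_of(text)
        # urlsplit().hostname is already lowercased and drops any user@ part.
        actual = (urlsplit(href).hostname or "").removeprefix("www.")
        # Accept only the displayed host itself or one of its subdomains.
        if shown and actual != shown and not actual.endswith("." + shown):
            findings.append((text, actual))
    return findings


if __name__ == "__main__":
    for text, actual in mismatched_links(SAMPLE_BODY):
        print(f"displays {text!r} but opens {actual!r}")
```

Links whose visible text is ordinary wording ("Click here") are not flagged by this check, so it complements rather than replaces inspecting the real destination before clicking.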

1.4 Precautions

Scammers are everywhere. That does not mean you have to live every day in fear of getting scammed. Here are some tips you can follow to stay safe:

  • Learn about phishing techniques: Every day, new phishing techniques are invented. It’s nearly impossible to avoid becoming a victim of a scam if you don’t understand how it works.
  • Rethink what you are clicking: When you’re on a trusted website, it’s fine to click on links. However, clicking on links in random emails and instant messages isn’t such a good idea.
  • Never give out personal information: If you’re unsure, go to the company’s main website, get their phone number, and call them. Most phishing emails will drive you to a page that requires you to enter financial or personal information.
  • Delete suspicious email: This will prevent your system from being infected with malware or being routed to a phishing landing page.
  • Use antivirus software: By blocking attacks, firewall security restricts access to dangerous files. Antivirus software examines all files that arrive on your computer over the Internet and prevents any harm.

“Prevention is better than cure,” but it is also true that “to err is human.” Mistakes happen. Perhaps while you are reading this blog, you realize, “OMG, I fell for this scam.”

According to Intuit, here is what you should do now:

  • Delete any file downloaded to your computer from that link
  • Use anti-malware software to scan the computer thoroughly
  • Change your passwords

Despite the fact that phishing has been around for over two decades, it remains a problem for two reasons: it is simple to carry out – even by one-person operations – and it succeeds because there are still lots of individuals on the internet who are unaware of the threats they face. These scams will continue, but it is our obligation to spread awareness so that no one falls victim.

Published by Shahriar Bin Zaman

I am a second-year computer science student at UCalgary. My academic interests include data science and analytics, and software development.

29 Comments

  1. Hi! This was a very interesting topic to talk about! Scammers are getting smarter every day to trick us into giving their information etc. These disguised emails are also getting harder to determine if they are real or not, so we fall for them a lot! Seeing incidents like this makes it harder for me to trust online apps, as well as making me more precautious. We should always be precautious before entering an unknown website or an email because everything these days can be a scam! Thanks for the information.

  2. Phishing is a very common scamming mechanism now, and I can see how a tax filing software would be a very high reward target! Thanks for bringing this to our attention. One thing I hadn’t thought of before is scammers using hyperlinks that have the text value of a legitimate website, but the link to an illegitimate one. That’s scary to think about. I suppose one could be safe from this by hovering over the link and then inspecting the address (in the bottom right corner of the browser in Chrome).

  3. Interesting topic!
    This really sucks, trying to get your taxes done but instead getting scammed. The first time I was filing my taxes, I wasn’t aware of this scam, but later I understood that scammers will occasionally send emails posing as legitimate tax preparers. TurboTax did come up with a solution, stating that if you receive a suspicious email from TurboTax, please forward it to spoof@intuit.com so that they can investigate. Also, their Online Security Center has the most up-to-date information on any phishing scams we’re aware of. But most people are not aware of this, so they end up getting scammed.

  4. It’s good timing for this article! With tax season around the corner it’s important to be aware of potential scams. I will definitely be double checking before signing into turbotax this year. Your precautionary tips are a helpful reminder as well. I find manually going to websites and looking for what emails are talking about, rather than hitting hot links, has helped me avoid any potential scams like this!

  5. This is an interesting topic to talk about because with the upcoming tax season people must be looking for ways to file taxes and personally last year I went to an accountant and filed taxes and I did pay him some amount of money but I was kind of worried that he had access to all of my information and data and this year I planned to file my taxes through a software but after seeing this I would rather pay an accountant and file my taxes rather than entering my information like my SIN and other important documents in a software but with the necessary precautions we may be able to prevent scams like these and also keep up-to-date information about the phishing scams and double check before clicking on any links.

  6. Nice post! I know that phishing scams have been around for a while, so much so that I am always surprised when I see a new one pop up. It is unfortunate that a lot of people still are unaware of the precautions that can prevent these sorts of scams, especially double-checking the domain name of the email address sent. However, in this case it seems as though the attackers “spoofed” or mimicked the domain address of Intuit, which is interesting. I also always wonder how “popular” these types of scams are, and how many people they end up getting data from.

  7. Thanks for writing about this post. I believe there are many students like me who are new in Canada and are about to file their tax returns for the first time. Personally, before this post I was still trying to figure out how to properly file my tax returns: do it myself or pay an accountant. I did not know there are apps for this kind of stuff, which in my opinion makes life easy. So yes, now I know how to file my tax returns by myself, but the fear of getting scammed is stopping me from using TurboTax. I plan to explore more about these kinds of apps and how safe they are, so if you have any other suggestions please let me know. Great post!!

  8. This reminds me of a new term I just picked up from other blogs, man-in-the-middle attacks. Most phishing sites take advantage of this, placing themselves between the two, by intercepting one party’s communications in order to fake and send emails and messages on behalf of that party. This situation requires sufficient vigilance on the part of the user. There are usually very small differences in domain names. Tax information theft and use is a very serious problem; it will bring a large amount of personal information leakage and even direct financial loss.

  9. This is a very good post, phishing scams are indeed one of the favorite tactics of scammers. The principle of this tactic is not that superb. Most people get scammed because they believe in the authenticity of the links and emails at some point in time. In order to solve this problem, we need to consider two things, one is whether people have a way to verify the authenticity of the information from other places, and the other is whether the information obtained from other places is credible. In fact, both of these things are very difficult to achieve. So the best approach is to be skeptical of all links so as to minimize the damage.

  10. This is a very interesting and important post! As the tax season is approaching, I will be much more careful as this is my first time in life filing my taxes and yeah I feel it is better to go to an accountant and get the work done rather than doing it myself and getting entangled with these scammers. I have got some phishing emails before. And the tips in this post are so good and important and can help in reality. Nice Post!

  11. As if filing taxes wasn’t arduous enough already. Thanks for letting us know that there are phishing attacks centered around tax information, I hadn’t thought about that but it totally makes sense as there is a boatload of information to be taken from those forms! I’ll be sure to follow the given tips to make sure that whatever software I use, even if I’m doing taxes myself, isn’t a scam. I believe last year I used Intuit software, so it is good to know that it is an established target I should be taking care with!

  12. Nowadays, e-mail phishing scams are getting more and more realistic. I often have to do a double take after receiving emails I did not expect because they look so legitimate. This is an important article to read now that tax season is here and many individuals are using Turbo Tax and won’t think twice to open an e-mail from them.

  13. It seems like there needs to be a better way to verify people over the web, as with people falling for this scam they seem to be failing to authenticate that the sender is actually TurboTax. Most online scammers seem to impersonate someone else and entice or threaten users to do as they wish. I remember in another post, Zero-trust: rebuilding the broken kingdom, hackers got people to insert malicious USBs by posing as Amazon or the government. It seems like although it’s reasonably safe when a company authenticates a user, it is very hard for a user to authenticate a company that is trying to contact them and thus fall into a scam like this. I liked how you talked about what the scammer wants from the user and how they achieve it, and it really makes me think of the authentication topic we learned about.

  14. It was a very enlightening post.
    Since the tax filing period is around the corner, you picked the perfect topic to write about. Every individual should know how to file their taxes on their own, but the fear of getting scammed stops an individual from learning, and instead leads to paying an accountant to file taxes. Phishing has become very common nowadays, but it cannot stop us from doing our own work (filing taxes in this case). The precautions you have talked about can be very useful in preventing us from getting scammed.

  15. Very informative post!
    I like how this topic hits really close to home for most people since nowadays, almost everyone has received phishing messages of some sort. Just a couple days ago I received a text message claiming that the government was going to give me some money, and the scammers do a really good job of being convincing. I like how your post brings awareness to this problem since it is so common today, and especially around tax time. It is scary to think just how many people get scammed by fake emails. I’ll be sure to look out for those fake websites using your precaution tips when doing my taxes.

  16. This post is actually really interesting in the case where again the topic comes up regarding the usage of the internet, “Put your information on the web at your own risk!” It is extremely concerning, as those emails could be sent to anyone at random and then disabling the access meaning further loss of credentials, personal information and finally the identity. I still would agree with the fact that paying an accountant and filing the taxes would be the ‘safest’ way to do so, as there would be very minimal chances of getting information spread to other third parties. Hackers are finding endless possibilities of spreading malware and this is one of them. As we are moving forward with a more digitalized world, our privacy and safety would definitely be a matter of concern. And it is completely upon us!
    Thanks for the post! Great read.

  17. With the tax season right around the corner, this post couldn’t have come at a better time.
    Filling out online assessments for taxes requires a great extent of personal information (as you mentioned). And it is challenging enough as it is to fill out complicated tax forms and record business expenses etc. Throw phishing scams like this into the mix and you’ve got a dumpster fire.
    Maybe it would make more sense for the less technologically inclined to go into a financial institution and have their taxes done by a professional that they can trust, eliminating any worry about scams like the ones you’ve mentioned.
    Great read!

  18. Very insightful post! But while this might not be directly related to information security and privacy, TurboTax and other tax filing software are known to use tricks such as hiding links to their free service, to get people to pay for their software. You can find more information in this video: https://www.youtube.com/watch?v=7xQQkzWhMOc

  19. It’s not surprising to me with how prevalent these phishing scams are when it comes to personal taxes. Most people I know get very stressed about taxes, so seeing any sort of email or message that has to do with taxes will likely get them immediately concerned. Additionally, since so much confidential personal information (SIN) is needed for taxes, phishing for tax information could be lucrative for hackers. I’m hoping in the future that the government can create an easier, more secure way for people to do their taxes, so they aren’t reliant on 3rd party programs that are conducive to phishing.

  20. Hey, nice post Shahriar. It is scary to think about when you mentioned TurboTax might know you better than yourself. Yes, it is the truth that we all want to do our daily tasks as easily as possible. One point I did not consider before is that scammers can trick you by creating an illegitimate website that looks exactly like the original website. Also, it is a very nice reminder that you included some cool tips to avoid getting scammed. So, in my opinion the best way to approach this problem would be to always be skeptical of all links to minimize the damage.

  21. Thank you for sharing such an informative blog post. Scammers are getting very good these days at extracting private information with one of these techniques you mentioned being phishing. This shows how important it is to verify that the site you are on is actually legitimate before entering personal information. I like the tips you mentioned to avoid potential scams. The best way to approach scams is to verify websites, or not to click on suspicious links at all.

  22. This was definitely a really interesting post. I personally have never filed taxes before in Canada since I am an international student who recently came to Calgary just a year ago. So, I will definitely keep this post in mind just to be safe in the future. There is no question that scammers try their best to find new and innovative ways to do their work. It is our job to make sure our private information is always safe. I have always steered clear of any suspicious links when I am on the internet.

  23. Very interesting post!
    The way that I protect myself from being scammed by phishing emails is always to check the senders’ e-mail addresses before I read the content in e-mails. If I think senders’ e-mail addresses are very weird, then I will not read the content in these e-mails. At the same time, I will try to contact the corresponding companies or the corresponding departments of the government, to identify if they truly tried to contact me by sending e-mails. This is similar to the points mentioned in your blog.
    Up to now, I still cannot find a good way to identify if a website is a phishing website or not. I like using Google Chrome. Sometimes, even if I’m pretty sure that the website which I’m browsing is secure, Google Chrome still tells me it is insecure, and it will try to stop me from browsing this website. This really annoys me. Do you have any tips about how to identify phishing websites?

  24. With tax season coming up, the urgency implied in the phishing emails, and the lack of technological literacy for a lot of older people, I can see a lot of people falling for this phishing scam. Here’s to hoping they also have some sort of anti-virus suite installed that offers anti-phishing as well.
