A dastardly new phishing scam is targeting tax software users

QuickBooks users are being attacked by an unknown threat actor phishing for sensitive personal information, the software’s maker has warned. 

According to a BleepingComputer report, a number of users reached out to Intuit, the maker of the tax software, and alerted the company to a phishing email campaign that tries to scare people into giving away sensitive information. Subsequently, Intuit issued a warning to all users, detailing the campaign.

Apparently, victims will receive an email pretending to be from Intuit, which warns that the company has conducted an account review and has not been able to verify some important information.

For that reason, the email claims, the account has been put on hold until the information can be verified. As you might expect, the email comes with a “Complete Verification” button, which appears to serve up a data verification form.

Defending against phishing

In reality, the button likely redirects the victim to a phishing landing page, where any and all data submitted is transferred directly to the attackers.

As usual, QuickBooks users are advised not to open any links or run any email attachments coming from unverified sources. Any such emails that they receive should be deleted immediately, while those who have already opened the emails should delete any files they might have downloaded, scan their systems with antivirus software and change their QuickBooks passwords.

Phishing attacks are a common occurrence, but can usually be spotted relatively easily. The domain from which the email is sent is usually not the same domain the legitimate company uses, and sometimes, the company’s name is misspelled or features a substitute character (a zero instead of the letter o, for example). 
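Both checks described above (the sender's domain against the one the company really uses, and misspellings or substitute characters in the name) can be automated in a mail filter. The Python below is an added example, not code from Intuit or BleepingComputer; the trusted-domain list, the brand names and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumptions for this example: confirm real sender domains with the vendor.
TRUSTED_DOMAINS = {"intuit.com"}
BRANDS = {"intuit", "quickbooks"}
# Substitute characters folded back to the letter they imitate.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'brand-mismatch' or 'other'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "other"
    # Exact match, or a subdomain of a trusted domain.
    if any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # Fold substitute characters, then compare each label with each brand.
    labels = domain.translate(CONFUSABLES).replace("-", ".").split(".")
    for label in labels:
        if any(label == b or edit_distance(label, b) == 1 for b in BRANDS):
            return "lookalike"
    # Display name claims the brand but the domain has nothing to do with it.
    if any(b in display.lower() for b in BRANDS):
        return "brand-mismatch"
    return "other"


# Constructed sample headers; .example domains are reserved and not real.
SAMPLES = [
    "Intuit <no-reply@intuit.com>",
    "QuickBooks <alerts@quickb00ks-verify.example>",
    "Intuit <review@lntuit.example>",
    "Intuit Account Review <notice@mail-relay.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):15} {header}")
```

The From: header is set by the sender, so "trusted" here only means the domain string matches the allowlist; whether the message is genuine is decided by its SPF, DKIM and DMARC results.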

Given that people are often reckless, overworked or hasty, phishing campaigns are regularly quite successful.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.