Skip to main content

TurboTax phishing scam may be out to steal your refund — what to do

Turbox hack
(Image credit: Shutterstock)

It's tax-preparation season in much of the world, and in the U.S. and Canada, millions of people are firing up their TurboTax tax-preparation software to get started on their returns. 

However, TurboTax maker Intuit is warning customers of a new phishing scam that uses Intuit's name and a fake link to the Inuit website. 

Intuit didn't know the motive for the scam, but said that phishing scams in general aim to "lure individuals into revealing personal information or expose them to downloads of malware that will infect their computer." 

It's possible that the criminals behind this want your Intuit username and password to hijack your account and steal any tax refunds you may be owed. Malware pretending to be Intuit software might have the same goal.

Intuit also owns the QuickBooks accounting software and the Mint personal-finance app, and a purloined password would also open up those accounts.

What the Intuit phishing emails say

The scam comes in the form of an email message with subject lines like "Critical: Action Required" or "Critical: Suspension," according to two Intuit security notices posted online this week. The emails say they come from "Intuit Accountants," but were in fact sent from other email servers that may have been hacked.

"We have temporarily disabled your account due to inactivity," the messages warn. "It is compulsory that you restore your access within next 24 hours. This is a result of a recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season."

As usual, there are small grammatical and spelling mistakes that hint this might be a phishing email. There shouldn't be a comma in the last sentence and "vulnerability" should be plural — mistakes that a huge corporation with professional copywriters would be unlikely to make. 

One version of the message uses the British, but not North American, spelling "apologise," while another version drops the "a" before "recent security upgrade," as a Russian speaker would.

The messages urge recipients to visit a specific webpages "to restore your access," and the visible links given — intuit.com/Pro/Update.asp and proconnect.intuit.com/Pro/Update — are indeed part of the Intuit.com domain.

But in fact, neither address leads anywhere. It's pretty certain that the crooks set up the links to show one address, but actually go to other websites pretending to be Intuit pages.

How you can avoid this phishing scam, and what to do if you fall for it

"This email did not come from Intuit," the company security notices say. "The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's brands authorized by Intuit. Please don't click on any links or attachments, or reply to the email."

If you do click on the link or download something from it, Intuit warns that you need to take immediate action.

"Delete the download immediately," the company says. "Scan your system using an up-to-date anti-virus program [and] change your passwords."

We at Tom's Guide always recommend that all computer users, whether on a PC or Mac, use one of the best antivirus programs and one of the best password managers. But if you're savvy enough not to click on the links in the Intuit phishing emails, then your password is probably safe.

This story was earlier reported by Bleeping Computer

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.