SCAM ALERT: TurboTax Phishing Scam

It's fair to say that most of us dread doing our taxes every year, but there is another reason to loathe tax season. Every year during tax season, people are barraged with email threats containing everything from phishing scams to CryptoLocker viruses. According to the IRS, there has been approximately a 400% surge in phishing and malware incidents in 2016 so far.

Earlier this month we warned you about a phishing scam that requested W2s to be sent to a fake CEO email account (read the warning here). This week there is a new phishing scam that is specifically targeting TurboTax users.

TurboTax customers receive an email that asks them to log into their account. We have seen at least three different variations of this email, asking the user to either verify their identity, reset their password and username, or opt out of having TurboTax send promotional material to their family and friends. If an unsuspecting victim clicks on the link, it takes them to a TurboTax impostor website. When the user enters basic information such as username and password, the hacker immediately gains access to an enormous amount of personal information, including their name, address, and social security number.

TurboTax has become aware of the phishing scams, and Julie Miller, a spokesperson for Intuit, said, “Intuit takes the security and privacy of our customers’ information very seriously. We’ve seen an increase in phishing and other email scams since the start of the tax season and we continue to alert and educate consumers about this growing problem. We post all known phishes to our online security center and urge consumers who receive a suspicious email not to open it and to report it immediately to [email address protected].”

In addition to reporting the scams, users need to proactively take appropriate measures to protect themselves from these threats.

Understanding how phishing emails gain their information and learning about current threats is your first line of defense. Hilltop Consultants offers free security training to businesses, associations and nonprofits so that they can stay one step ahead of the criminals. Companies should also consider investing in tools such as Reflexion and OpenDNS. Reflexion recognizes current threats and blocks these emails before they reach your inbox. OpenDNS spots malicious websites in real time and will not allow you or your employees to access these sites.

Please contact Hilltop Consultants today to learn more about how you can protect yourself against phishing scams and other similar IT security threats.