Intuit released two warnings this week about different types of phishing emails being sent to its customers.
In two separate security notices on Tuesday and Wednesday, the company said it had received reports from customers about two kinds of phishing emails.
Intuit urged recipients not to click on any of the links or attachments, not to reply to the email, and to delete the email. If you have already clicked on a link in the email or downloaded a file from the email, the company said you should delete the download, scan your system with an “up-to-date anti-virus program,” and change your passwords.
“Intuit has recently received reports from customers that they have received emails similar to the one below. This email did not come from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit’s brands authorized by Intuit,” Intuit explained.
The earlier warning shared a copy of another type of phishing email customers received.
Erich Kron, security awareness advocate at KnowBe4, said these attacks tend to ramp up during tax season. The attacks generally attempt to trick people into logging into their accounts on a fake website, allowing crooks to steal the user’s credentials.
Kron suggested that anyone who has received these types of emails should go directly to the official website and log into their account, where any notifications or issues with the account would be made obvious, as opposed to clicking on links straight from emails.
“In addition, on any website where you were entering a username and password, you should check the URL bar to ensure you are at the legitimate organization’s website,” Kron said.
Tripwire’s Tim Erlin added that phishing continues to be a popular means of attack because it continues to work. It takes only one user clicking for a phishing campaign to be effective for the attacker, Erlin said. He noted that it’s very difficult for an organization to prevent phishing attempts because they don’t require any compromise of infrastructure that the organization controls.
“While we try to address phishing with technological solutions, the problem remains a primarily human one,” he explained.
The IRS released a similar warning last week, reminding taxpayers “to be aware that criminals continue to make aggressive calls posing as IRS agents in hopes of stealing taxpayer money or personal information.”