TurboTax phishing scam with Excel attachment makes the rounds

Register now

A new TurboTax phishing scam is going around, and cybersecurity experts are warning taxpayers to be vigilant this tax season to protect themselves against cybercrime.

The scam was discovered by cybersecurity managed services provider Trustwave, when the phishing email hit one of the company’s spam “honeypots” — dummy email addresses and domains designed to attract cybercriminals.

The email has the subject line, “Your TurboTax case is open,” and the body of the message says that the taxpayer’s tax return is in danger of being rejected unless they take further action. The email asks the recipient to open an attachment, which is in the form of an Excel file. When the recipient opens the malicious Excel sheet, a security warning is presented to the unsuspecting end-user, and then a plain text lure instructs the user to enable macros. A macro is an action or a set of actions that Excel uses to automate tasks. According to Trustwave, presenting users with a plain text instruction is a common social engineering tactic used by hackers to trick people into taking an action that usually leads to data theft or device compromise.

Once the user follows this instruction, malicious code is released onto their computer, grabbing sensitive banking and other details and sending it back to the cybercriminal’s control server.

While phishing scams are common and occur throughout the year, tax season is one of the peak times when these types of scams proliferate, said Karl Sigler, senior security research manager at Trustwave. But in general, scammers will take advantage of any societal trend — election time and the current coronavirus concern are other examples. But because tax season involves money, it’s a particularly dangerous time, as through information or identity theft, cybercriminals can grab either actual tax return money or individuals’ banking details.

Despite increasing public education around phishing and other email scams, vulnerable people still do fall prey to common tricks.

“We are surprised at what people will open and click on,” Sigler said. “People can get caught up in this quickly. If you’re dependent on that tax return coming in, that’s a really good hook to get people to open an attachment.”

Sigler noted that phishing scams are getting harder to spot. Criminals are getting better at disguising domain names and writing convincing emails. He advised individuals do the following to make sure they don't fall victim to a phishing scam:

  • Hover your mouse over any link within an email. Often, on the bottom right hand corner, a link will appear that shows the actual link to which you will be directed, which may be different than what shows in the email.
  • When you receive a suspicious email, go directly to the company’s website to see whether it has made an announcement there about what the email says.
  • Better yet — call the company in question, and directly ask whether they sent out an email like the one you received.

And organizations, Sigler said, should at the very least have a spam protection filter in place to prevent phishing emails from reaching individual inboxes in the first place.

“I liken phishing scams to getting a taxi,” Sigler said. “When you approach a taxi line, you might see many drivers trying to get your attention. Don’t let the taxi pick you — you pick your taxi by organizing one in advance.”

Preparedness is key.

For reprint and licensing requests for this article, click here.
Cyber attacks Cyber security Tax returns Tax preparation Phishing