Tax related phishing scams

WARNING: Phishing attacks likely for Tax-Related Service Providers!

DMARC, phishing

According to a study by the Global Cyber Alliance, some of the top tax-related service providers don’t secure their domains with DMARC, leaving them open to phishing attacks. Fraudmarc examines the email security scores of many top tax-related service providers.

Email Authentication and Tax-Related Companies

DMARC has been around for almost a decade, and although it is the most effective way to block phishing attacks, it’s not widely used. This is particularly alarming in the case of tax-related service companies, since people frequently provide personal and sensitive information to these companies. Attackers can easily impersonate companies that don’t use DMARC. If an attacker sends an email “from” one of these companies, it could be indistinguishable from the company’s legitimate emails.

The Global Cyber Alliance study looked at 8 tax filing software providers: H&R Block, TaxAct, Turbo Tax, Free Tax USA, Credit Karma, Jackson Hewitt, Tax Slayer, and Liberty Tax. The results were shocking, so Fraudmarc examined several more companies based on the ads from a simple Google search: E-File, My Free Taxes, eTax, eSmart Tax, and the IRS. The infographic shows our findings.

Some of these companies dispute the claim that they are not secure and suggest that they use other forms of security. However, we would like to know what security is better at blocking phishing than DMARC.

To be fair, DMARC can be difficult to implement, since getting the settings wrong can interrupt the domain’s email flow. However, companies like Fraudmarc give away many free tools to make implementation easier, which leaves no excuse not to use it.

How to protect yourself from phishing attacks

We hope more companies’ security policies will soon improve, but consumers can also take steps to protect themselves.

1. Use Caution When Opening and Responding to Emails:

  • You should always hover over the “from” address to make sure the email is actually from the person it claims to be. The same check works for links in emails, since malicious links are common in phishing emails.
  • It is better to avoid clicking links in emails due to the threat of malware.
  • Don’t send personal or sensitive information in emails. Log in to the appropriate account and enter it directly.
  • Phone numbers are as bad as links. Don’t call numbers in emails. Look up the number yourself.

2. Get a Security Program:

You can use a free DNS application to help block malicious sites. For more information about DNS, check out our What is DNS info page. The Global Cyber Alliance recommends OpenDNS or Quad9.net.

3. Beware of Cousin Domains:

Cousin domains are look-alike domains. Attackers purchase cousin domains to send email, and customers don’t usually notice the difference or think it relates to the actual domain. Example.com looks very similar to examp1e.com and example.info. Watch out for these types of tricks—DMARC won’t stop them!

4. Respond Quickly If You Think You Were Phished:

  • Freeze your accounts with the credit bureaus.
  • Change your passwords immediately.
  • Monitor your bank accounts and credit cards and call immediately if you notice suspicious activity.

What is an Email Security Score?

Before examining how most tax-related service providers implement DMARC, it’s helpful to understand a little bit about how DMARC and SPF work. This will help in understanding what’s wrong with the way the companies mentioned in the study are implementing it. Fraudmarc assigns email security scores based on the configuration of the domain’s SPF and DMARC policies. Find out more about Fraudmarc’s Email Security Scores and how to interpret them in our post, Understanding Fraudmarc’s Email Security Scores. Using information about DMARC and SPF configuration, each domain’s security can be evaluated to determine its effectiveness.
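As an added example (not Fraudmarc’s tool or its scoring scheme), the Python below parses a domain’s SPF and DMARC TXT records and grades them on the points this section describes: the DMARC policy (p=), whether aggregate reports (rua) are requested, and the qualifier on SPF’s “all” term. The domain names, records and point values are constructed for the example and stand in for live DNS lookups.

```python
# Constructed sample TXT records standing in for live DNS lookups.
SAMPLE_DNS = {
    "example-tax.test": {"_dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-tax.test",
                         "@": "v=spf1 include:_spf.example-tax.test -all"},
    "weak-tax.test": {"_dmarc": "v=DMARC1; p=none; rua=mailto:reports@weak-tax.test",
                      "@": "v=spf1 ip4:203.0.113.0/24 ~all"},
    "no-dmarc.test": {"@": "v=spf1 +all"},
}

def parse_dmarc(record):
    """Return the DMARC tag/value pairs, or None if this is not a DMARC record."""
    if record is None or not record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Return the qualifier on SPF's 'all' term ('-', '~', '?', '+'), or None if absent."""
    if record is None or not record.strip().lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        if term.lower() in ("all", "-all", "~all", "?all", "+all"):
            return term[0] if term[0] in "-~?+" else "+"   # a bare 'all' means '+all'
    return None

def score_domain(domain, dns=SAMPLE_DNS):
    """Simplified 0-100 score (this example's scheme, not Fraudmarc's) plus weaknesses found."""
    records = dns.get(domain, {})
    dmarc = parse_dmarc(records.get("_dmarc"))
    spf = spf_all_qualifier(records.get("@"))
    score, findings = 0, []
    if dmarc is None:
        findings.append("no DMARC record: exact-domain spoofing is not policed")
    else:
        policy = dmarc.get("p", "").lower()
        score += {"reject": 60, "quarantine": 40, "none": 10}.get(policy, 0)
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        score += 10 if "rua" in dmarc else 0   # aggregate reports let the owner see abuse
    if spf is None:
        findings.append("no SPF record or no 'all' term: unknown senders get no verdict")
    else:
        score += {"-": 30, "~": 20, "?": 5, "+": 0}[spf]
        if spf == "+":
            findings.append("SPF +all: any host may send mail as this domain")
    return score, findings
```

Running score_domain on the three constructed domains gives 100 for the reject/-all setup, 40 for the p=none/~all setup, and 0 for the domain with no DMARC and +all.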
