A recent phishing campaign attempted to lure Intuit users into providing their account credentials to scammers with a claim that their QuickBooks account was suspended.
The email featured Intuit branding and a prominent button asking users to “Complete Verification” to have their account status reviewed. Impersonating Intuit, the scammers said in the email they were “unable to verify some information” on the user’s account.
So far this year, Intuit has released
Phishing remains by far the most common type of internet crime, according to
Technical remedies to some aspects of phishing exist, including email authentication standards known as
However, these technical remedies have their own weaknesses and do not address the use of legitimate-looking email addresses. For example, two phishing campaigns in April came from a domain name that includes the word Intuit — intuit-solution.com, which is now listed on many anti-spam lists. Although Intuit has implemented anti-spoofing standards, these efforts do not affect domains it does not control.
Indeed, Intuit does not own or control intuit-solution.com, according to a company spokeswoman.
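The gap described above can be narrowed on the receiving side by checking the sender's domain against the brand name itself. The following is an added example, not code from the article or from Intuit; the `OWNED` allow-list, the function names and every sample address other than the intuit-solution.com domain are assumptions constructed for illustration.

```python
# Added example: flag sender domains that borrow a brand name without
# belonging to the brand. Anti-spoofing checks cannot catch these, because
# the sender legitimately controls the lookalike domain.
OWNED = {"intuit.com"}   # assumption: defender-maintained list of real brand domains
BRAND = "intuit"

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_owned(domain, owned=OWNED):
    """True for an owned domain or any subdomain of one."""
    return any(domain == o or domain.endswith("." + o) for o in owned)

def classify_sender(address, brand=BRAND, owned=OWNED):
    """Return 'owned', 'lookalike' or 'unrelated' for a From address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if is_owned(domain, owned):
        return "owned"
    # Inspect every label except the TLD, split on hyphens, so the brand is
    # matched as a whole token (avoids flagging words that merely contain it).
    for label in domain.split(".")[:-1]:
        for token in label.split("-"):
            if token == brand or edit_distance(token, brand) == 1:
                return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    samples = [                              # constructed sample addresses
        "support@intuit-solution.com",       # domain named in the article
        "notify@e.intuit.com",               # subdomain of an owned domain
        "billing@intuit.com.example.net",    # brand used as a subdomain label
        "news@example.org",
    ]
    for s in samples:
        print(f"{s:35} {classify_sender(s)}")
```

A "lookalike" result is a signal for quarantine or a warning banner rather than proof of fraud, since resellers and partners sometimes register brand-bearing domains.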
Intuit, like many other companies, lets customers verify that an email or other message is legitimate by signing into their Intuit account and
Erich Kron, security awareness advocate at the security training company KnowBe4, said customers ought to use this method to verify the legitimacy of emails that ask for personal information or credentials or evoke a sense of urgency.
“Whenever a person receives a phone call, text message or email that has such an urgent message, people should log into the associated website directly rather than following the provided link,” Kron said. “If there is a problem with the account or application, it will be noted in the user’s dashboard.”
For consumers and businesses looking to fight back against phishing attacks, multiple lines of defense exist. In cases where a person has divulged credentials to a phisher, multifactor authentication can provide a safety net. In cases where a person has downloaded an attachment from a phishing email, antivirus software can help. Intuit
Companies also provide email defense services that are designed to prevent phishing and other scam emails from reaching potential victims' inboxes in the first place. These companies include SpamTitan, Proofpoint, Avanan, and larger firms including Microsoft and Cisco.
While email providers such as Google and Yahoo provide spam filtering and phishing reporting as part of their standard services, email defense companies differentiate themselves with an advanced focus on phishing using different techniques.
One email defense company, Cloudflare Area 1 Security, crawls billions of web pages each month, which the company says helps it detect email campaigns impersonating legitimate branding and login pages.
Even as computers learn to read, write, see and even draw, teaching a computer to read and detect phishing emails remains difficult. According to John Graham-Cumming, chief technology officer at Cloudflare, this is because of a limitation of machine learning.
“The difference here is you have an active adversary who is changing the landscape,” Graham-Cumming said. “That is what makes this much more complicated. You have an adversary who is actively changing what they do, and quite often testing against your system to see how they can break it.”