Intuit phish says “we have put a temporary hold on your account”

Intuit phish says “we have put a temporary hold on your account”

Intuit released a warning about a phishing emailbeing sent to its customers. The phishing emails tell recipients that their account has been put on hold, and try to trick users into “validating their account” to release it again.

Intuit

Intuit Inc. is an American business software company that specializes in financial software. Intuit’s products include the tax preparation application TurboTax, personal finance app Mint, the small business accounting program QuickBooks, the credit monitoring service Credit Karma, and email marketing platform Mailchimp.

The example email for this campaign claims to come from the QuickBooks Team.

The email

Intuit has recently received reports from customers that they have received emails similar to the one below. The email explains to the receiver that their account is temporarily on hold, and what they need to do to remediate that situation.

sir0077283_spoof-600x308
Image of phishing email courtesy of Intuit

The email reads:

Dear Customer,We’re writing to let you know that, after conducting a review of your business, we have been unable to verify some information on your account. For that reason, we have put a temporary hold on your account.What you can doIf you believe that we’ve made a mistake, we’d like to remedy the situation as quickly as possible. To help us effectively revisit your account, please complete the below verification form:”[large green button that is definitely not going to Intuit]Once verification has been completed, we will re-view your account within 24-48 hours.We’re sorry that we can no longer offer our services to you, and we wish you the best of luck with your business.QuickBooks Support

The “Complete Verification” button in the phishing email will likely redirect recipients to a phishing site designed to harvest personal information, or infect victims with malware.

Needless to say, this email did not come from Intuit.

Intuit wants you to know that “the sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit’s brands authorized by Intuit.”

Clues

Some details of the email are clues that you are not dealing with Intuit.

  • The actual email address of the sender (vcn @ fucaxcapital[.]com) does not belong to Intuit.
  • Hovering over the button would show you that it doesn’t got to an intuit.com URL.

Some details offer softer clues that you should be suspicious:

  • Phishing emails want urgent action—this one wants you to act “as quickly as possible”.
  • It’s unlikely that Intuit would address you “Dear Customer” in a case like this.
  • Intuit normally asks you to sign in to its website rather than sending emails with clickable buttons.

What you really should do

In the security notice, Intuit advises customers who received one of these phishing messages not to click any embedded links or open any attachments. We suggest that you delete the suspicious email from your inbox, if you have it, to avoid falling into the trap at a later point.

QuickBooks users who have already opened attachments or clicked links after receiving one of these phishing emails should:

  1. Change their passwords.
  2. Delete any downloaded files immediately.
  3. Scan their systems using an up-to-date anti-malware solution.

Businesses can find some more tips to deal with phishing attempts in our article Businesses: It’s time to implement an anti-phishing plan.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.