PHISHING ALERT: Fake QuickBooks Email

Fake QuickBooks email example

Several of our staff members recently received emails that claimed to be from QuickBooks and wanted us to follow a sign-in link, presumably so that we could enter our credit card information to ‘subscribe’ to QuickBooks. The email was designed to look very genuine and as you can see by enlarging this image, many of the logos and buttons were copied directly from an email actually sent by QuickBooks in order to make the message look credible and induce the viewer to click on the ‘Sign In’ link.

On the Internet, a fake message claiming to be from a company you trust such as Intuit is called a “phishing” email. Phishing is a criminal activity that attempts to fraudulently obtain sensitive information, usually by inducing you to click on a link that leads to a website designed to steal your information. The website will use pictures, buttons and links taken from the website of the company the email claims to be from – in this case, Intuit – and will often be almost indistinguishable from the real website of the spoofed company. The scam encourages you to enter your social security number, driver’s license, credit card information, or bank account information into a form on the website so the phishing thieves can steal your identity, run up your credit card or empty out your bank account.

Here are some steps you can take to protect yourself from phishing attacks:

  • Hover over links before clicking. As you can see in the image above, the Sign In link does not go to the Intuit website – it is a redirection to the phishing website. Hovering over each link in a suspicious email to confirm that it actually goes where you expect it to go – in this case to Intuit.com – is a quick way to check a link before clicking on it.
  • Verify the link’s authenticity with a link checker. There are a number of reputable websites that will check a link for malicious content – Norton’s Safe Web lets you check a link without the need to install their software. This site is especially useful if you have followed a link to a website that just doesn’t ‘feel right’ to you. Better safe than sorry – before entering any information on the website, take a minute and check the link to be sure it is legitimate.
  • Don’t send sensitive information in an email. As a general rule, never send credit card information, account passwords, or extensive personal information in an email unless you verify that the recipient is who they claim to be. Many companies have policies that state they will never solicit such information from customers by email.
  • Report phishing emails. Most large companies have a web page dedicated to helping you identify legitimate communications from them – for example, Intuit has a page outlining its email policies, which include never asking you for your account information or password in an email. You will usually find an email address on this page where you can send the suspicious email so that the company being spoofed can take steps to shut down the fraudulent website. You can also report any phishing email to the FTC or the Anti-Phishing Working Group.
  • Knowledge is Power. Learn more about how to identify phishing websites by taking a short quiz from OpenDNS to see how well you can tell the difference between real and fake websites. Thieves are getting more sophisticated every day and you might be surprised by how hard it can be to tell the difference!

Phishing is extremely widespread because of the ease with which unsuspecting people share personal information. Phishers can only find you if you respond – we hope these tips will help you decide whether or not to click on a link in an email message. If you have any doubts at all about the authenticity of a message, delete it. It is always better to err on the side of safety.

Additional Information

Indiana University’s Phishing Knowledge Base
Phishing Information from the Department of Homeland Security
10 Tips for Spotting a Phishing Email