Intuit on Tuesday warned its customers to be on alert for identity theft scams after a breach at a major marketing firm put millions of email addresses in hackers' hands.
Although the maker of the popular TurboTax tax preparation program and the Quicken personal financial software was not among the more than 50 companies whose customer data was stolen, it cautioned users nonetheless.
"Intuit is not an Epsilon customer so the information you have entrusted with Intuit is not affected," the company said in an alert published Tuesday on its site. "However, Epsilon serves many large organizations including banks, insurance companies and retailers [and] you may have received one or more notices from companies you do business with who are clients of Epsilon."
Irving, Texas-based Epsilon Interactive acknowledged last week that attackers made off with customer email addresses and names, but the company has not shared much more information than that. Other sources, including the IDG News Service, however, have confirmed that dozens of companies have notified their customers that their information may have been filched.
The popularity of tax-related cons may have prompted Intuit's move, said Ed Cohen, vice president of corporate development at SonicWall, a San Jose-based network security company.
It's certainly the right time of the year for tax scams.
"There's actually little correlation between the volume [of tax-oriented schemes] and April 15," said Cohen, talking about the traditional tax-filing deadline in the U.S. "We actually see more of an uptick after the 15th, in the May or June time frame, with fake refund notifications."
In years past, criminals have pumped out messages about tax refunds to dupe people into divulging personal information, like their online bank account usernames and passwords, or their credit card numbers. Cohen expects the same this year.
The Internal Revenue Service regularly warns U.S. taxpayers about those and other scams.
"We'll find out more in the days and weeks ahead, but this does appear scary," said Cohen about the Epsilon breach. "[Criminals] not only have email addresses, but also names, which puts the advantage in the hands of scammers."
With both, scammers can craft more convincing emails that not only appear to come from the customer's bank or favorite retailer, but also identify the recipient by name.
"The economics are such that they need only a very, very small percentage of people to fall for a phishing attack to make money," Cohen said.
And that's not hard: According to data from SonicWall's online phishing quiz, people incorrectly identify fake and legitimate emails 22% of the time.