Tax prep tools lag in DMARC implementation, advocacy group says

With tax season underway, a cybersecurity advocacy group is warning that vendors of popular tax preparation tools may be unprepared to protect users from phishing scams.

Four out of the eight most popular tax preparation software products don’t employ basic protections against email spoofing, according to testing by the cybersecurity nonprofit Global Cyber Alliance.

GCA tested the domains of the popular programs to check what settings they employ under the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol. DMARC is an industry standard designed to detect and prevent email spoofing.

GCA’s findings, released last week, are as follows:

  • Reject: Liberty Tax
  • Quarantine: Credit Karma, Jackson Hewitt and Tax Slayer
  • None: Free Tax USA and Turbo Tax
  • No policy: H&R Block and TaxAct

DMARC has three levels of protection against emails that try to hijack a particular domain. If an organization employs the “reject” policy — the highest setting — a spoofed email will never be delivered to a victim. “Quarantine” means that emails that fail to meet authentication standards end up in a target’s spam folder. DMARC can also be set to “none,” and spoofed emails will be delivered normally, but the domain owner can monitor and detect such activity.

An organization may have DMARC set to “none” in order to simply monitor how its domain is being used, but that offers potential targets no protection from phishing.

“It’s not doing anything in terms of benefiting the organization or even the consumers that are using that particular product,” Shehzad Mirza, GCA’s director of operations, told CyberScoop.

DMARC is a two-way street; a consumer’s inbox has to also be configured in order to benefit from its protection. Mirza says that’s largely already in place for consumer inboxes.

“The problem is that the organization has to implement DMARC policies at a high level in order to allow consumers to have that benefit,” he said.

Tax season is prime time for scammers looking to fool people into handing over personal and financial information. The Internal Revenue Service earlier this month added phishing schemes to its “Dirty Dozen” list of the most threatening tax scams. In 2017, the IRS launched an educational campaign to prevent tax professionals from being duped.

GCA says that their findings are concerning because taxpayers are used to plugging sensitive information into tax software. That makes the vendors’ domain a prime vessel for a phishing attempt.

“This is when people expect to get those types of emails,” Mirza said. “[Scammers] are just going to be looking for that one or two people that are going to … reply back and supply them with whatever tax information, social security numbers, maybe bank routing numbers and credit card information.

“The very nature of a consumer’s relationship with a tax provider makes it seem legitimate to receive emails that may ask for additional personal information, putting consumers at great risk from phishing scams that appear to involve tax providers,” GCA CEO and President Philip Reitinger said in a press release. “Companies need to provide the maximum protections. There appears to be a hole in the protections provided by some of the leading tax software providers – a hole that could be fixed by deployment of DMARC at its strongest level.”