Hackers spoof fintech apps as tax season approaches

The annual tax season is inevitably the cue for a spate of attacks impersonating official sites or popular accounting software.

In a new twist for this year researchers at email security firm Avanan have uncovered attacks spoofing fintech apps such as Stash and Public to steal credentials and give users a false sense of security that they've compiled the right tax documents.

The phishing emails use convincing-looking templates to claim that tax documents are ready and you need to log into your account to view them.

As Jeremy Fuchs, cybersecurity researcher/analyst at Avanan writes on the company’s blog, "It's a clever strategy, as fintech apps represent a huge amount of users to scam. According to one study, 88 percent of Americans use some form of fintech, up from 58 percent in 2020. Think about this: More Americans use Fintech than streaming services (78 percent) and social media (72 percent)."

The apps are most popular with millennials but baby boomer adoption of fintech is growing fast. Also since most of these services are geared towards mobile users they may catch users off-guard and cause them to forget about normal precautions.

To guard against the attacks users are advised to check URLs before clicking on tax-related emails, and log in directly to the financial institution rather than clicking an email link. Business users are encouraged to reach out to IT if unsure if an email is legitimate or not.

You can read more and see examples of the attacks on the Avanan blog.

Photo Credit: Vitalii Vodolazskyi / Shutterstock