Skip to Content
Security & privacy

Popular tax software programs leave you at risk of ID theft and scams

Have you filed your taxes yet? The clock is ticking.

Typically, Tax Day is April 15. However, this year, special circumstances are giving you a couple extra days to file. Tax Day falls on Tuesday, April 17.

We need to be extra careful this tax season. That’s because popular tax software providers could be putting you at risk of identity theft and other scams.

Is your tax preparation company putting you at risk?

We’re always warning you of the latest phishing scams making the rounds. It’s when scammers send fraudulent emails that include malicious links trying to trick victims into clicking on them.

According to, there are over 100 billion spam emails sent every day. Yikes! More than 85 percent of all organizations have been targeted by phishing attacks and damages exceed $1 billion.

Now, security researchers at Global Cyber Alliance (GCA) are claiming that certain popular tax software providers don’t have enough email protections to secure communications with customers.

They include:

  • H&R Block
  • TurboTax
  • FreeTaxUSA
  • TaxAct

What’s happening is, these companies are not using the Domain-based Message Authentication, Reporting and Conformance (DMARC) email-validation system. It’s designed to detect and prevent email spoofing, or phishing scams. This could open the door for phishing emails to make their way into your inbox.

To be fair, TurboTax and FreeTaxUSA have DMARC in place but are not using it to block fraudulent emails. TaxAct and H&R Block don’t use the protocol at all according to GCA. It turns out that Liberty Tax is the only top tax software provider that uses DMARC to block phishing emails.

The companies in question have disputed the report. Their spokespeople told CNBC that they have other security protocols in place and GCA’s report only tells part of the story.

No matter which tax software provider you choose, it’s a good idea to be cautious. Especially with email communications.

How to report tax phishing scams

Since tax phishing scams are so rampant, the IRS is giving suggestions on how to handle them. First, you should know that the IRS does not initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN codes, passwords or similar access information for credit cards, banks or other financial accounts.

If you do happen to receive a tax phishing email, follow these steps:

  • Report all unsolicited email claiming to be from the IRS or an IRS-related function to
  • If you’ve experienced any monetary losses due to an IRS-related incident, report it to the Treasury Inspector General Administration (TIGTA) by clicking here and file a complaint with the Federal Trade Commission (FTC) through their Complaint Assistant by clicking here to make the info available to investigators.

Battling the dreaded phishing attack

In the event that a phishing email makes it into your inbox, here are some suggestions on how to avoid falling victim.

Be cautious with links

Do not follow web links in unsolicited email messages, it could be a phishing attack. Since it’s tax time, cybercriminals will be targeting Americans with phishing scams related to taxes and the IRS to try and rip them off.

That’s why you need to be able to recognize a phishing scam. One thing to watch for with phishing attacks are typos, criminals are typically careless with spelling and grammar. If you receive an email or notification from a reputable company, it should not contain typos. Take our phishing IQ test to see if you can spot a fake email.

Set up two-factor authentication 

Two-factor authentication, also known as two-step verification, means that to log in to your account, you need two ways to prove you are who you say you are. This adds an extra layer of security and should be used whenever a site makes it available. Click here to learn how to set up two-factor authentication.

Use unique passwords

Many people use the same password for multiple websites. Terrible mistake!

If your credentials are stolen from one site and you use the same username and/or password on others, it’s easy for the cybercriminal to get into each account. That’s why it’s important to have unique, strong passwords for every site. Click here to find out how to create hack-proof passwords.

Safeguard sensitive data

Unsuspecting people are mistakenly handing over sensitive information to scammers all too often. If you receive an unsolicited email, do not reply with personal information. You don’t want it to fall into the hands of criminals.

If a company that you do business with on a regular basis emails you and asks for personal information, type the company’s official web address into your browser and go there directly to be safe. If you receive an email from the tax professional you filed taxes through, take the time to call them at their verified number.

Have a question about tax scams or anything tech-related? Kim has your answer! Click here to send Kim a question, she may use it and answer it on her radio show.

Have a question about self-driving cars? Ask Kim! She’ll have your answer. Just click here. The Kim Komando Show is broadcast on over 450 stations. Click here to find the show time in your area.


According to the Free File Alliance, around 100 million Americans qualify to use the free filing software. But not all is rosy when it comes to filing your taxes. Tax-time scams and fraud are on the rise so if you’re planning to file your taxes online be wary of potential security and privacy issues.

Click here to learn the steps to take to protect yourself when you file this tax season.

cryptocurrency e-book hero

New eBook: ‘Cryptocurrency 101’

Don't want to lose your dough to crypto? Check out my new eBook, "Cryptocurrency 101." I walk you through buying, selling, mining and more!

Check it out