You receive an email from your tax software provider: "There's been some unusual activity on your account," it reads. "Please click on this link to reset your password."
On the website, you log in, unwittingly providing criminals access to a trove of personal data, including your Social Security number, bank account information, address and salary.
That's because that email and website didn't actually belong to your tax software provider but to a so-called "phisher," who used your login information to break into your real account. Such attacks are on the rise; recently, the IRS warned of a "phishing epidemic."
Now a new report by Global Cyber Alliance, a cyber-security research firm based in New York and London, found that some of the most popular tax software providers don't use enough email protections to secure communications with customers.
Those include: FreeTaxUSA, TurboTax, H&R Block and TaxAct.
To be sure, the report judged each provider on a single criterion: whether or not it uses DMARC (Domain-based Message Authentication, Reporting & Conformance), an email standard that lets a domain owner publish, in DNS, how receiving mail servers should treat messages that claim to come from its domain but fail authentication checks. With an enforcing policy in place, a receiver can quarantine or reject spoofed messages before they reach an inbox.
FreeTaxUSA and TurboTax have published DMARC records, but neither uses them to block fake emails (a DMARC policy set to "none" only asks receivers to report authentication failures, not to act on them), and H&R Block and TaxAct are not using the method at all, the report said.
It found that Liberty Tax was the only one of the top tax software providers (based on a PC Magazine ranking of tax software) that uses DMARC to reject phishing emails.
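The report's single test can be reproduced from a domain's published DMARC record. The following Python script is an added example, not code from the report or the article: it parses the TXT record a domain publishes at `_dmarc.<domain>` and decides whether the policy actually instructs receivers to quarantine or reject spoofed mail, or only to report it. The sample records and domain names are constructed placeholders, not lookups of any company named above.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record.

Added example, not code from the report or the article. It applies the
report's single criterion: does the published DMARC policy actually tell
receiving servers to quarantine or reject spoofed mail, or only to report it?
"""
from typing import Dict, Optional

# Constructed sample records. The domains are placeholders, not lookups of
# any company named in the article.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "sampled.example":      "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@sampled.example",
    "strict.example":       "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=s",
    "no-policy.example":    "v=DMARC1; rua=mailto:dmarc@no-policy.example",  # required p= missing
    "wrong-record.example": "v=spf1 -all",                                   # an SPF record, not DMARC
    "unpublished.example":  None,                                            # no _dmarc TXT record
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: Optional[str]) -> Optional[Dict[str, str]]:
    """Split 'tag=value; tag=value' into a dict, lower-casing tag names.

    Returns None when there is no record or it does not begin with the
    mandatory v=DMARC1 tag (RFC 7489 requires that tag to come first).
    """
    if not record:
        return None
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(record: Optional[str], subdomain: bool = False) -> str:
    """Policy a receiver would apply to mail from the domain (or a subdomain).

    Returns 'reject', 'quarantine' or 'none', or 'unprotected' when no usable
    DMARC record exists.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return "unprotected"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # RFC 7489 section 6.6.3: a record with no valid p= but a rua= reporting
        # address is treated as p=none; otherwise DMARC is not applied at all.
        return "none" if "rua" in tags else "unprotected"
    if subdomain and tags.get("sp", "").lower() in VALID_POLICIES:
        return tags["sp"].lower()  # sp= overrides p= for subdomains
    return policy


def sampling_percentage(record: Optional[str]) -> int:
    """Value of pct= (share of failing mail the policy applies to); default 100."""
    tags = parse_dmarc(record) or {}
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return 100  # an unparseable pct= is ignored, so the default applies
    return pct if 0 <= pct <= 100 else 100


def blocks_spoofing(record: Optional[str], subdomain: bool = False) -> bool:
    """The report's test: does the domain instruct receivers to act on
    authentication failures, rather than merely report them?"""
    policy = effective_policy(record, subdomain)
    return policy in ("quarantine", "reject") and sampling_percentage(record) > 0


def assess(domain: str, record: Optional[str]) -> Dict[str, object]:
    """Summarise one domain the way a row in the report's comparison would."""
    return {
        "domain": domain,
        "policy": effective_policy(record),
        "subdomain_policy": effective_policy(record, subdomain=True),
        "pct": sampling_percentage(record),
        "blocks_spoofing": blocks_spoofing(record),
    }


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        r = assess(name, rec)
        print(f"{r['domain']:<22} policy={r['policy']:<12} "
              f"subdomains={r['subdomain_policy']:<12} pct={r['pct']:>3}  "
              f"blocks spoofing: {r['blocks_spoofing']}")
```

To check a real domain, fetch its record with `dig +short TXT _dmarc.example.com` and pass the returned string to `assess()`. Note that a policy of `p=reject` with `pct=0`, or a record that is syntactically not DMARC at all, leaves the domain just as exposed as having no record, which is why the script reports the effective policy rather than merely whether a record exists.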
Almost half of taxpayers who file federal income taxes use tax prep software, according to personal finance website NerdWallet. In 2016, one in 131 emails contained malware, the highest rate in 5 years, according to Symantec, a digital security company.
"One of the best ways to stop phishing is to deploy DMARC," said Philip Reitinger, president and CEO of Global Cyber Alliance.
The tax software companies disagree.
The report's method was narrow and cannot come to a conclusion about a company's security, said Matt Gause, of FreeTaxUSA.
"The Global Cyber Alliance report only tells part of the security story," Gause said, describing the other protective measures it takes.
He said those include DomainKeys Identified Mail, or DKIM, which lets a receiving server verify that a message was signed by the sending domain and not altered in transit, and Sender Policy Framework, or SPF, which lists the mail servers allowed to send on a domain's behalf. DMARC builds on both of those checks; it is the layer that tells receivers what to do with a message that fails them. FreeTaxUSA is also in the process of updating its DMARC policy, Gause said.
A spokeswoman for TurboTax echoed that message.
"TurboTax takes the security of our customers and their data seriously," said Lisa Greene-Lewis, senior communications manager at TurboTax. "We leverage DMARC and an array of security protocols and best practices while engaging with our customers."
Tom Collins, vice president of corporate communications at H&R Block, said it takes the protection of emails very seriously.
"We continue to assess the threat and available tools in the ongoing effort to combat phishing attacks," Collins said.
TaxAct did not respond to a request for comment.
Although DMARC is not the only way to block these attacks, it's a very good one, said Giovanni Di Crescenzo, an adjunct professor at the New York University Tandon School of Engineering who researches phishing.
"The number of attacks is rising and consumers should choose the service that provides the highest level of security," Di Crescenzo said.
A quick glance at the sender's display name might have you believe the email is legitimate, but look at the actual address behind it: phishing messages often come from a domain that only resembles the provider's. The same goes for links. Hovering over a link with your mouse reveals its real destination, which is often completely different from the text shown, and suspicious.
The same applies to any website an email directs you to: double-check the URL in the address bar and look for warning signs, for example a page that looks like TurboTax but whose address is not the provider's real domain.
Another popular phishing method is to get you to click on a link in the email that leads to a page or download which installs malware, potentially giving hackers free rein over your computer.
Try not to click on any links within an email, said Engin Kirda, professor at the College of Computer and Information Science at Northeastern University.
"If you can avoid this, you will be much safer against attacks," Kirda said.
If you have to click: Do it on a smartphone, which is still less targeted by hackers than a traditional desktop, he said.
The Global Cyber Alliance recommends never emailing personal or sensitive information.
Your tax software provider typically should only require you to input such data by logging directly into your account.
Install a "Domain Name System" (DNS) security service, a resolver that refuses to look up domains known to host phishing or malware, so that a malicious link is blocked even if the phishing email makes it to your inbox, says the Global Cyber Alliance.
"DNS is a great way for people to protect themselves," Reitinger said.
Should you suspect you've been attacked, protect yourself from new accounts being opened in your name by placing a credit freeze on your reports at Equifax, TransUnion and Experian.
"This does cost something like $5, but it is totally worth it," Kirda said. "Attackers cannot access it."
You should also change your password immediately.
"Be vigilant," Kirda said. "Always monitor all your bank accounts and credit and contact the authorities as soon as you spot something suspicious."
Phishing is not the only tax scam. People also need to be aware of fraudulent returns filed in a victim's name and other schemes, which are likewise on the rise.