News Stay informed about the latest enterprise technology news and product updates.

Online tax firm seeks exemption from hackers

As the tax season kicks into gear, cybercriminals are targeting online tax filing. is fighting back and sharing its security strategy.

Security has been a priority at since it launched 10 years ago, but with phishers targeting online tax filing, the company went on the offensive.

The Oxnard, Calif.-based company is making it a priority to educate its customers about how not to be victimized by phishing through a variety of methods, including emails and during its filing process, as well as with technology. puts an emphasis on educating customers about the importance of securing their tax returns. For example, it recommends that users not store tax documents in PDF files on their computers. Other messages warn users not to open email attachments, and remind them that the company will never send attachments via email. The company also launched an email-validation service that sends customers a validation code so that company's emails arrive legitimately in their inboxes instead of a spam file.

Email scams

The IRS warns, beware of these email scams around tax time:
In one scheme, phishers try to trick people into divulging their personal and financial information on a phony tax rebate claim form.

In another phishing scam, bogus emails notify recipients, often with a personal salutation, that their tax return will be audited, and directs them to a link with a form to fill out.

A third email attack targets businesses and accountants by instructing them to download information on tax law changes; the IRS believes clicking on the links will download malware.  

Last year, the IRS warned of websites pretending to be members of the Free File Alliance, a partnership between 19 online tax preparation companies and the IRS.

"Proactively educating consumers about why they should be careful and how they should conduct themselves online is something the whole Internet industry should be doing," said Timur Taluy, CEO at

The educational efforts complement the company's back-end security, which he declined to describe but said in general it includes a combination of automated and human-supervised monitoring systems. The company's network and servers are designed to promote security, as are internal controls and procedures for employees and data access.

On the technology side, the company deployed Extended Validation (EV) SSL certificates from VeriSign Inc. The offering turns Internet Explorer 7 users' address bar green, signaling to customers that they are dealing with a legitimate site, not a phony one used by criminals to steal data.

"We're being vigilant on the technology side," Taluy said, "but also more importantly, in educating consumers and EV SSL is part of that process."

It's a bit early to gauge customer response to the EV SSL certificates, Taluy said, but the green address bar appears to be grabbing their attention and letting them know they're dealing with a trusted site. He added that the EV SSL also helps to differentiate from the 18 other online tax preparation companies listed in the Free File Alliance on the IRS's website.

"When it comes to taxes," Taluy said, "people want it easy, they want it inexpensive, and they want to make sure their information is secure." He added, EV SSL helps build trust with users, which is essential to its business and in the financial services industry in general.

Right now only IE7 users can see the visual assurances that EV SSL provides. Mozilla Foundation has said Firefox 3 will support EV SSL by the time it reaches general availability, said Tim Callan, VeriSign vice president of SSL marketing. Studies by other VeriSign EV SSL certificate customers have shown that customers "really do respond in a measured way to the presence of the green bars," he said.

In addition to a green address bar, browsers with support for EV SSL also display the name of the organization that owns the site and the name of the certificate issuer to the right of the URL. uses its filing process to advise customers to look for the green address bar.

The combination of education and technology is key, since there are plenty of opportunities for attackers to exploit confusion in the tax-filing process. For example, after a taxpayer files a return, the IRS will sometimes respond with a request for additional information. The company tells users if they receive an email from the IRS asking for more information, they should make sure when they log on to the site to look for the green address bar and other security information provided by the EV SSL certificate, to ensure they are accessing a valid site. (See sidebar for IRS and other tax-related scams.)

Taluy said is considering adding ScanAlert's Hacker Safe website security-certification service. ScanAlert, which was bought by McAfee Inc. last fall, provides a vulnerability-assessment service and certifies websites with its Hacker Safe trust mark. The company already participates in the Better Business Bureau's BBBOnLine Privacy Seal Program.

Dig Deeper on Spam, phishing and social engineering attacks

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.