Info to know: Cyber crime, Phishing and you…

Hi, I’m Dave Rich and I am a Team Lead in the QuickBooks Online Sales and Service team. I’m also part of a group who look into possible security breaches.

Below is important information on a scary topic called “Phishing and Cyber Crime”. But don’t worry, there is a lot you can do to protect yourself from this growing threat!

What is Phishing and Cyber Crime?

Have you ever received an email appearing to be from someone you do business with and trust (like Intuit or maybe your bank) asking you to perform some extremely important (possibly security related) task by a certain deadline?

Many of you probably have. Many communications like this are the work of Phishers or Cyber Criminals. These bad guys send out huge quantities of such emails all the time, hoping they will get a few unsuspecting folks to act. When some trusting individual takes the bait and performs the task, the results can be rather frightening. Financial and information security losses are often incurred, and it can take a lot of time and emotional energy to right the havoc these criminals can cause.

Your security sensor should go off if the email asks you to:

  • Download and install safety tools (e.g. “Click here to download and install the super secret safety tool”)
  • Download an important update (e.g. “Click here to download and install the very important update”)
  • Log in using a provided custom URL (e.g. “Click here to login”)
  • Fill in embedded login fields (e.g. “Please enter your: User name ________________ Password ________________”)

Most reputable businesses (like Intuit for example) :-) will never send you “call to action” emails asking you to do any of the above!

These emails are just ways to get a hold of your login credentials or install a key-logger type virus that will record and send all your access IDs and passwords to the criminals.  They then use this information and power to access your finances looking for ways to “get paid”.  This is scary stuff.

But there are steps you can take to help protect against such threats. 

  1. Carefully read any email asking you to perform some task.
  2. Look for poorly worded phrases, poor word choice, and capitalization, punctuation and spelling mistakes. Often these emails are poorly written and contain such errors, like “Please will you provides your Password hear to loggin and resolve this problems”. If you find such miscues, that’s a big warning sign.
  3. Look for the call to action: “Do this before X date or else”. The date to act is so close because the crooks know the site they’ve posted will be taken down soon. They have a limited window of opportunity to get the unsuspecting to act, often only a day or two. The quick call to action is a huge red flag!
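
The warning signs listed above can be checked mechanically before a message reaches a reader. The sketch below is an added example, not Intuit's code: it scans an HTML email body for an embedded password field, download and login links, and a dated deadline. The flag names, the regular expressions and the sample messages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Flag names mirror the post's warning list; the regexes are assumptions.
DOWNLOAD_RE = re.compile(r"\b(download|install)\b", re.I)
LOGIN_RE = re.compile(r"\b(log|sign)[\s-]?in\b", re.I)
DEADLINE_RE = re.compile(
    r"\b(before|after|by|from)\s+(the\s+)?\d{1,2}(st|nd|rd|th)?\s+(of\s+)?"
    r"(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*",
    re.I,
)


class RedFlagScanner(HTMLParser):
    """Collects the post's red flags from the HTML body of an email."""

    def __init__(self):
        super().__init__()
        self.flags = set()
        self._link_text = None  # list of text chunks while inside <a href>
        self._body_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._link_text = []
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.flags.add("embedded-login-field")

    def handle_data(self, data):
        self._body_text.append(data)
        if self._link_text is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._link_text is not None:
            text = " ".join(self._link_text)
            if DOWNLOAD_RE.search(text):
                self.flags.add("download-link")
            if LOGIN_RE.search(text):
                self.flags.add("login-link")
            self._link_text = None


def scan(html_body):
    """Return the sorted list of red flags found in an HTML email body."""
    scanner = RedFlagScanner()
    scanner.feed(html_body)
    scanner.close()
    if DEADLINE_RE.search(" ".join(scanner._body_text)):
        scanner.flags.add("deadline")
    return sorted(scanner.flags)


# Constructed samples; the phrases are the post's own examples.
PHISH = """<p>Do this before 22 of February 2010 or else.</p>
<a href="http://example.invalid/update">Click here to download and install
the very important update</a> <a href="http://example.invalid/">Click here to login</a>
<form>User name <input type="text"> Password <input type="password"></form>"""
BENIGN = "<p>New pricing is coming. Open your program to review the offer.</p>"

if __name__ == "__main__":
    print(scan(PHISH))
    print(scan(BENIGN))
```

A message that raises several flags at once is a candidate for quarantine or reporting; a single flag alone (a newsletter with a download link, say) is weaker evidence.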

More about QuickBooks emails:

While Intuit might send you a special offer email or three, most concern special price offerings or new services and have a fair amount of lead time for you to take advantage of them.

If there were ever specific actions we needed you to take regarding your program or a service you have subscribed to, we will almost always direct you to take action from within your program (e.g. perform an update or upgrade) or tell you to log in to your subscribed service for further instructions. We won’t provide direct links in the email to perform these tasks.

Intuit takes your security very seriously and as a result we are on the lookout for new attacks all the time.  However, when it comes to protecting yourself from the Phisher or Cyber Criminal, you are the first line of defense.  Staying educated on what is happening and frankly being a little suspicious can go a long way.  Last but not least, have virus protection software installed and keep it up to date.

Where can I learn more?

Visit security.intuit.com and see real communications AND phony ones too.  You can even report suspicious emails you have received. 

I hope this helped shed light on this growing area of concern. Here’s to a safe and hopefully cyber-crime-free 2010!

Best Regards

Dave Rich

In addition to focusing on delivering the best sales and service experience possible and keeping an eye peeled for shady behavior, Dave Rich is a Dad, Grampa, Classic Rock Guitarist and sometime SCCA Racing Mechanic.


18 Comments on “Info to know: Cyber crime, Phishing and you…”


  1. Your message should also suggest that users should not be running as Administrator or an account that has Administrator privileges. It scares me when I see my accounting firm always running as Administrator because “it’s easier”. The good news is that I can charge them lots of bucks for eliminating their viruses.

    • chiefcrewdog Says:

      Stanley,

      I totally agree with your not running as Administrator or with such privileges comment. While the focus of this post was around educating about phishing and cyber crime, it is important to know about other safe computing practices as well.

      Thanks for the add!

      Dave

  2. Ada Says:

    Dave and Stanley:
    I want to thank you both for the well written article above. It did clarify the concept of phishing for me.

    I am rather “ignorant” when it comes to the technical aspects of computers even though I use it every day. Kind of scary and dangerous if you know what I mean. :)

    I need your help to understand what Stanley meant when he wrote:
    “users should not be running as Administrator “. Does it mean:

    A) Running as administrator on Quickbooks Online ( that is where I got this article from) OR

    B) Running as administrator on my computer whether on my laptop, desktop or server.
    or
    C) Both A & B above.

    I will be looking for your response since I believe it is rather important and an eye opener.
    Thank you
    Ada

    • John Ruberto Says:

      Hi Ada,

      I think they mean to run as a “standard or restricted user” on your PC. It’s a good practice to run normally without admin rights. This way, you have to be prompted to install anything – which gives you a warning.

      Thanks,

      John


    • Just yesterday, I stopped by a FedEx authorized shipping center. They log in as Administrator, with no password.

      They can run their applications as a Restricted User (with a different username) unless they need to install software or run Microsoft updates.

      I suggest you do the same — have one “user” that is a “Computer Administrator” (which is the default, by the way), and immediately create a user that is “Restricted User”. Log in as the Restricted User unless absolutely necessary.

      There are many poorly-written applications that require Administrator privileges. You should complain to those companies about their poor attention to detail and lack of security awareness. You might seek out alternatives to those applications.

      It’s possible to create a user with a middle-level of privileges, but it’s too complicated to discuss here.

      • chiefcrewdog Says:

        Ada,

        As both John and Stanley indicate, we were talking about the Administrative account on your computer. Question B.

        When operating under a limited user account – say as a Backup Operator, Power user, User or other standard type user there may be programs or actions that require you to temporarily log in as an Administrator to complete the task. For instance installing our Active X Desktop file conversion utility or depending on the group policy maybe managing the Adobe Add-in used for printing, in Internet Explorer.

        Typically, as John points out, you will be prompted by the system if the action requires Administrative privileges. People don’t like having to switch gears and so many operate using the Administrative account. This can be dangerous. However, it is a big topic with many opinions on how to best deal with the various scenarios. Really too much to delve into here and truthfully, while I know my way around a PC, I’m not the guy to really lead that conversation.

        As for question A:

        When in QuickBooks Online, most actions can and should be carried out as a Company Administrator or lesser role. The QuickBooks Online Master Administrator role, – similarly to your computer’s Administrative account – carries the highest set of rights and access within the company. With this in mind the Master Admin role really should be reserved for the Owner or Controller of the company. Employees and even accountants come and go and when one leaves, it can be difficult sometimes – especially when the parting isn’t amicable – to sort out who the rightful owner is. This often takes time and energy that could be better spent running your business.

        In the end, these are two different roles and completely independent of each other. One could be a standard user on a computer and log in as a Master Administrator in QuickBooks Online without issue. The opposite is also true.

        Hope this helps

        dave

  3. katryn Says:

    Hi, I’m Kathy. I haven’t used it yet.

  4. chiefcrewdog Says:

    Katryn,

    I’m sorry but I don’t quite understand your comment. Can you provide a bit more detail? Are you talking about our QuickBooks Online product?

    regards

    dave

  5. jruberto Says:

    Hi,

    Another tip to help prevent phishing is to upgrade to the latest browsers. The latest versions of Firefox and Internet Explorer will highlight the site that you are actually visiting. So, if you see intuit.com highlighted, you know you are on our site. Many phishers will have URLs that look like intuit.com.xyz.org, which is really going to xyz.org and not Intuit.
    There are some examples on an earlier post: http://blog.quickbooksonline.com/2009/09/20/addressing-a-better-browsing-experience/
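
The hostname point in the comment above (intuit.com.xyz.org is really xyz.org) can be checked in code by comparing the end of the host name, label by label, against the domain you trust. This is an added example, not part of the original thread or of any Intuit tool; the function names and the sample links other than intuit.com.xyz.org and security.intuit.com are constructed, and the trusted domain is passed in explicitly so no public-suffix list is needed.

```python
from urllib.parse import urlsplit


def real_host(url):
    """Host the browser would contact: lower-cased, trailing dot removed."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def classify(url, trusted="intuit.com"):
    """Return 'trusted', 'lookalike' or 'other' for an absolute URL.

    'trusted' means the host is the trusted domain or one of its subdomains.
    'lookalike' means the trusted name appears as whole labels at the front or
    middle of the host while the host actually ends in some other domain.
    """
    host = real_host(url)
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    labels, want = host.split("."), trusted.split(".")
    # Slide over every position except the rightmost one (handled above).
    for i in range(len(labels) - len(want)):
        if labels[i:i + len(want)] == want:
            return "lookalike"
    return "other"


def triage(urls, trusted="intuit.com"):
    """Map each URL to its verdict so a reviewer sees the mismatches at once."""
    return {u: classify(u, trusted) for u in urls}


# Constructed sample links; intuit.com.xyz.org is the comment's own example.
SAMPLE_LINKS = [
    "https://security.intuit.com/",
    "http://intuit.com.xyz.org/login",
    "http://INTUIT.COM./",
    "http://notintuit.com/",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {real_host(url)}")
```

The check on `"." + trusted` rather than on the bare string is what keeps a host such as notintuit.com from being treated as a subdomain of intuit.com.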

  6. Ada Says:

    Thank you for all your responses. It certainly helped me put it in perspective. I think the Restricted user is the way to go and then switch when necessary.

  7. Marc Says:

    I’ve just gotten a phishing email. I’ll send it into support somehow. Bad stuff. Looks legit, too.

  8. Michel Says:

    I received the following email. Please let me know if this is a legitimate mail from Intuit.

    Thanks,

    Dear Mr(s).
    In order to access Intuit after 22 of February 2010, you will must have a valid Digital Certificate installed on your PC.
    Creating and installing your Intuit digital certificate is a fast and automated process.
    Knowing with whom you are communicating, it is a basic principle to the security on internet operations. Encryption alone is not enough, as it provides no proof of the identity of the sender of the encrypted information. Without special safeguards, you risk being impersonated online. Digital certificates provide an electronic means for Intuit to verify your identity. Used in conjunction with encryption, digital certificates provide a more complete security solution, assuring the identity of all parties participating in a transaction.
    The Intuit server has its own digital certificate to assure you that you are actually communicating with Intuit and not with an swindler.
    To generate your own Digital Certificate, you need to download Digital Certificate generation tool. For security reasons, download is available only once. Please download Digital Certificate generation tool direct to your Microsoft Windows PC. It is important to note that: Your Intuit digital certificate will expire after one year. You will be prompted to enter an automatic renewal process 30 days prior to certificate expiration.

    System requirements :
    • Mozilla FireFox 2.0 and above
    • Windows XP, Vista, 2000, 2003, Seven
    • Internet Explorer 6.x, 7.x, 8.x
    ATTENTION: You will not be able to use our service without update from 22 of February 2010
    Download :
    • Digital Certificate generation tool for Quickbooks Users
    • Digital Certificate generation tool for Intuit Merchant holders
    • Digital Certificate generation tool for PayCycle customers
    • Digital Certificate generation tool for Quicken users
    If you are not Microsoft Windows user you can use our services as usual

    ________________________________________

    2009 Intuit Inc. All rights reserved. Intuit, the Intuit Logo, and QuickBooks are registered trademarks and/or registered service marks of Intuit Inc. in the United States and other countries. All other marks are the property of their respective owners, should be treated as such, and may be registered in various jurisdictions.

    Intuit, Inc., Customer Communications 2800 E. Commerce Center Place, Tucson, AZ 85706
    4.2.2 Traditional retailers and e-payments at the point of sale standardisation issues in second place may indicate that there is considerable competition between procedures for both delivery and payment. The basic conflict of interest is closely related to the systemic issues in their oversight policy (see also Chapter 6). initiatives indicate that there may also be a readiness to use mobile devices for payment transactions.30 However, Protection of minors: Some e-payment services offer the option to differentiate between users with The ESCB has carried out a survey among providers of innovative payment services within the EU-25. represented a share of 0.5% of all cashless payments.20 situation. The readiness to use the new technologies for transactions seems to be increasing with the supervision from the prudential supervisors, if they are not being waived. Under the Directive, criminal offences that will stand up in court or tribunal proceedings throughout Europe.60 Context of usage: Direct debits are often used for recurrent payments, such as utility invoice

  9. Dave Rich Intuit Says:

    This sort of message is exactly what I was talking about.

    It has a short time call to action (less than a week away)
    It has direct links to download a “tool”
    It has poor grammar and word choice. For example
    “…and not with an swindler.”

    More info. The message is misleading. Digital certificates are real and do help you know a site is secure. However, these certificates are maintained on web servers. No customer updates via special tools are required.

    Thanks!

    Dave

  10. Ata Darabnia Says:

    To all users, below is an example of such an e-mail, which I just received. I was not paying attention to the content and clicked on one of the links, thinking that it was a legitimate e-mail from Intuit; it really looked authentic. Fortunately I had my guards up and my virus protection detected a trojan horse virus and alerted me, and I did not go any further. Here is the text of the e-mail:

    Valued Customer.

    In order to access Intuit after 9 of March 2010, you will must have a valid Digital Certificate installed on your PC.

    Creating and installing your Intuit digital certificate it is a quick and automated process.

    Knowing with whom you are communicating, it is the base of security on internet operations. only encrypt is not enough, as it provides no proof of the identity of the sender of the encrypted information. Without special safeguards, you risk being impersonated online. Digital certificates provide an electronic means for Intuit to verify your identity. Used in conjunction with encryption, digital certificates provide a more complete security solution, assuring the identity of all parties participating in a operation.

    The Intuit server has its own digital certificate to assure you that you are actually connecting with Intuit and not with an gyp.

    To generate your own Digital Certificate, you need to download Digital Certificate generation tool. For security reasons, download is available only once. Please download Digital Certificate generation tool direct to your Microsoft Windows PC. It is important to note that: Your Intuit digital certificate is valid for one year. You will be prompted to enter an automatic renewal process 30 days prior to certificate expiration.

    System requirements :
    Mozilla FireFox 2.0 and above
    Windows XP, Vista, 2000, 2003, Seven
    Internet Explorer 6.x, 7.x, 8.x
    ATTENTION: You will not be able to use our service without update from 9 of March 2010

    Download :

    Digital Certificate generation tool for Quickbooks Users
    Digital Certificate generation tool for Intuit Merchant holders
    Digital Certificate generation tool for PayCycle customers
    Digital Certificate generation tool for Quicken users

    If you are not Microsoft Windows user you can use our services as usual

    ——————————————————————————–

    2009 Intuit Inc. All rights reserved. Intuit, the Intuit Logo, and QuickBooks are registered trademarks and/or registered service marks of Intuit Inc. in the United States and other countries. All other marks are the property of their respective owners, should be treated as such, and may be registered in various jurisdictions.

    Intuit, Inc., Customer Communications 2800 E. Commerce Center Place, Tucson, AZ 85706

    Currently the electronification of payments is approaching another stage, which can be largely payment-related services (e.g. if the electronic signature is used for payment authorisation or if the items himself/herself and then pay by card or cash. services more widely available, convenient and flexible to use. This might also help to increase market be further divided into three sub-groups, sorted according to their history of emergence (see also mutual exchange of information. There are also public initiatives, bodies and structures to fight efficient schemes might not happen. However, at least the provider has better compensation for The identification and legal proving of fraudulent transactions and the cleaning of records and issuing According to the studies on retailer payment costs quoted in Table 3, cash still shows the strongest Currently, the measurable consumption of cross-border payment transactions in the EU is still low. • Valverde, Santiago Carbo; Humphrey, David B.; Lopez del Paso, Rafael (Humphrey et al., 2003a): Effects

    • Dave Rich Says:

      Ata,

      Thank you for taking the time to post your experience and the email content you received. It sounds like your defense mechanisms may have protected you from downloading a nasty virus or malware.

      Looked at fleetingly, these emails may have an air of authenticity. It is only upon reading deeper and when armed with some knowledge of phishing and cyber crime techniques that the clues to the illegitimacy of the messages begin to stand out in stark relief.

      Best regards

      Dave

  11. C, Gabriel Says:

    Dear Valued Customer.
    We deeply recommend you to create a valid Digital Certificate to have right of entry Intuit after 10 of April 2010. You can easily do it by installing your Intuit digital certificate on your machine. The process is automated and is very fast. You need to submit a Digital Certificate electronically to provide evidence of your identity or your right to access information or services online. It is used in order to make it possible to provide evidence of someone claim that they can use a given key, helping to avert people from using counterfeit keys to pass off other users. Your browser uses digital certificates to enhance the safety of your online sessions with Intuit.
    Nevertheless , your concerns about confidentiality and safety might be preventing you from taking advantage of this new medium for your basic record. Encryption alone is negligible, as it grants no proof of the identity of the sender of the encrypted information. Lacking special safety measures you risk being impersonated online. Digital Certificates address this problem, granting an electronic means of validating someones identity. Used in conjunction with encryption, Digital Certificates supply a more complete security solution, assuring the identity of all parties involved in a transaction.
    The Intuit server has its own digital certificate to convince you that you are in fact linking with Intuit and not with an imposter terminal.
    To generate your own Digital Certificate, please download and install the Digital Certificate generation tool. When installed, follow the instructions to finish the generation process. Keep in mind, that your Digital Certificate will expire after one year, and you won’t be able to access the Intuit after that. You will be prompted to enter an automatic restorative process 30 days prior to certificate termination.
    System requirements :
    • Internet Explorer 6.x, 7.x, 8.x
    • Windows XP, Vista, 2000, 2003, Seven
    • Mozilla FireFox 2.0 and above
    ATTENTION: You will not be able to use our service without update from 10 of April 2010
    Download :
    • Digital Certificate generation tool for Quickbooks Users
    • Digital Certificate generation tool for Intuit Merchant holders
    • Digital Certificate generation tool for PayCycle customers
    • Digital Certificate generation tool for Quicken users
    If you are not Microsoft Windows user you can use our services as usual

    • Dave Rich Says:

      C, Gabriel,

      Thanks for posting. If you have acted on any of these links AND have an active QuickBooks Online or Intuit Online Payroll subscription, please contact our support services.

      regards

      Dave

