Skip to main content
ThreatScams & fraud

Fake TurboTax / H&R Block / TaxAct / FreeTaxUSA / Credit Karma Tax breach lure — "your tax-software account was accessed in a recent security incident, verify within 24 hours or filing access suspended" targeting 60M+ TurboTax + 10M+ H&R Block users during Jan-April filing season; prior-year return exfil is the highest-value ID-theft document ($500-2000/bundle dark market) — SSN + DOB + spouse SSN + all W-2 employers + dependents + banking

fake-turbotax-hrblock-breach-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Fake "your TurboTax / H&R Block / TaxAct / FreeTaxUSA / Credit Karma Tax account was accessed in a recent security incident — verify your identity within 24 hours or your tax return filing access will be suspended" email targeting US taxpayers during the Jan-April filing season. With 60M+ TurboTax users, 10M+ H&R Block, 3M+ TaxAct, and 2M+ Credit Karma Tax users, this is a massive demographic. Distinct from `fake-irs-refund-hold-lure` (IRS-branded) — this targets tax-software vendors where the victim's filed return data + SSN + spouse SSN + dependents + AGI history + all prior-year W-2 employers + banking lives. Tax-software breaches ARE real (TurboTax had credential-stuffing incidents 2015+; HR Block 2024 data breach). Post-compromise: full tax-return history exfil (prior-year returns are the single highest-value identity-theft document in existence), attacker files a fraudulent return for the current year claiming the victim's refund BEFORE the victim files, sells complete tax-identity bundle at $500-2,000 per victim on 2024-2025 dark markets (highest per-record identity-fraud price per Flashpoint + HIBP data). Fires when body references TurboTax / H&R Block / TaxAct / FreeTaxUSA / Credit Karma Tax / TaxSlayer / Jackson Hewitt / Liberty Tax / tax software / tax return filing AND contains security-incident / breach / verify-identity / filing-access-suspended / protect-your-return urgency. Excludes intuit.com, turbotax.intuit.com, hrblock.com, blockadvisors.com, taxact.com, freetaxusa.com, creditkarma.com, taxslayer.com, jacksonhewitt.com, libertytax.com. Auto-classified as danger via the `-lure` suffix.

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Browse all signalsSafety guaranteesJSON

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.

Get started