New Tax scams targeting your phone apps


Threat actors are impersonating personal-finance apps to fool people into giving up their private information

It’s tax season, and just like every year, it’s rife with scams. Usually we see scammers impersonate Intuit and Turbotax but this year, attackers have pivoted to take on the personas of fintech apps like Stash and Public, stealing credentials and personal information, all while giving victims the illusion that their tax returns were safely filed.

What are these Apps?

Stash is a personal finance app with more than 6 million users that allows users to both do traditional banking and to invest. Public has similar capabilities but focuses solely on investing in both traditional stocks and crypto. It also has a social networking aspect so people can see where other users are investing.

Attackers have been successful by spoofing the logo, look and feel of communication that Stash and Public might send to end users to inform them that their tax document is ready. When the user clicks the inclosed link, they are directed not to a legitimate log-in site, but to one that harvests their credentials.

We’ve seen tricks like this before, for all financial service companies that might report user earnings during tax time, such as Etrade, Fidelity, Charles Schwab and Robin Hood.

The Takeaway

According to a study by fintech startup Plaid, 88 percent of people in the United States are using some form of fintech by late 2021 – a rise of 52 percent from the 58 percent of people who reported using fintech in 2020.

Surprisingly, that’s more than the number of people in the United States who use streaming services or social media, making fintech an attractive target for threat actors. You can bet that there is going to be a huge increase in the number of methods scammers and bad actors will use to try to get at your money.

Here are 3 tips to help keep you from becoming a victim:

  1. Check the url before clicking that link On a computer this is pretty straight forward – hover your mouse over the link and it will show up. On a mobile phone or tablet, tap and hold the link to see where it’s trying to take you. There’s a good chance that the malicious link it directing you to a compromised site or malicious url designed to harvest your information or deliver malware.

  2. When in doubt, log in directly It’s pretty unlikely that a financial institution will contact you by text or email with an urgent call to action and a link to log into your account. When in doubt, log into their website or the app to see if there are any notices to your account. Sometimes the bank will even notify users of scams right there on the homepage, warning users not to fall for them!

Scam alert on HawaiiUSA FCU’s website


  1. Check with IT Not sure if an email is legitimate or not? After all, these scammers can be convincing. Forward the message or email to your IT or security department to have a look at it. If you DO fall for a scam, DON’T delete the email and text message to hide your tracks, then tell IT about it later (yes, we see this more often than you think). It makes it difficult to find out your level of compromise and hackers depend on users to do this to cover their tracks! Instead, take everything as-is directly to IT or Security Dept for analysis.

Not sure who to call? We’re here to help.

Stay safe out there

-A