The tax software companies disagree.
The report’s method was narrow and cannot come to a conclusion about a company’s security, said Matt Gause, of FreeTaxUSA.
“The Global Cyber Alliance report only tells part of the security story,” Gause said, describing the other protective measures it takes.
He said those include DomainKeys Identified Mail or “DKIM,” which verifies email senders and Sender Policy Framework or “SPF,” which prevents sender address forgery. It’s also in the process of updating its DMARC protocol, Gause said.
A spokeswoman for TurboTax echoed that message.
“TurboTax takes the security of our customers and their data seriously,” said Lisa Greene-Lewis, senior communications manager at TurboTax. “We leverage DMARC and an array of security protocols and best practices while engaging with our customers.”
Tom Collins, vice president of corporate communications at H&R Block, said it takes the protection of emails very seriously.
“We continue to assess the threat and available tools in the ongoing effort to combat phishing attacks,” Collins said.
TaxAct did not respond to a request for comment.
Although DMARC is not the only way to block these attacks, it’s a very good one, said Giovanni Di Crescenzo, an adjunct professor at the New York University Tandon School of Engineering who researches phishing.
“The number of attacks are rising and consumers should chose the service that provides the highest level of security,” Di Crescenzo said.