With the April 15 U.S. tax deadline looming, millions of users are logging in to manage their finances online—unfortunately, cybercriminals are watching too. Leveraging this surge in digital activity, attackers are exploiting trusted platforms like Google to deceive users of Intuit’s QuickBooks.

By purchasing top Google Ads placements, hackers are directing users to authentic-looking but fraudulent login pages. These fake portals are designed to steal crucial information including usernames, passwords, and even one-time passcodes (OTPs)—granting criminals access to victims’ financial data needed for filing taxes.

Understanding how this scam works is the first step toward staying safe. Phishing scams targeting accounting software are nothing new. Fraudulent support calls and infected software downloads—often traced to large-scale operations in India and nearby regions—have long been tactics in the scammer playbook.

Late last year, security experts uncovered a malicious QuickBooks installer that prompted users to call a fake support number through a deceptive pop-up.

This new scam is even more concerning. Instead of malware, attackers are now going straight for login credentials. The scam begins with a simple Google search. An ad mimicking Intuit’s branding for “QuickBooks Online” leads users to a convincing fake website.

The phishing site mirrors the actual QuickBooks login portal. Once users enter their credentials, the information is harvested in real-time and sent to cybercriminals.

"Passwords alone offer a limited level of security because they can be easily guessed, stolen through phishing, or compromised in data breaches. It is highly recommended to enhance account protection by enabling a second form of authentication like one-time passcodes sent to your device or utilizing a 2FA app for an extra layer of verification."

However, even two-factor authentication (2FA) and OTPs are being targeted. Modern phishing kits use advanced tactics like “man-in-the-middle” or “adversary-in-the-middle” (AiTM) attacks to intercept this second layer of protection.

As users unknowingly submit both their password and OTP to a fake login page, the information is relayed instantly to the attacker—who uses it before the code expires.

Cybercriminals ramp up efforts during tax season, banking on urgency and the volume of financial activity to catch users off guard. Their tools? Deceptive Google ads that closely resemble legitimate QuickBooks links. These reroute users to cloned websites that can collect sensitive data—or even install malware.

While 2FA and OTPs still offer critical protection against many threats, they must be used on verified platforms to be effective. If you land on a malicious site, even the best security tools can be bypassed.