Fake TurboTax / H&R Block / TaxAct tax filing software account locked, suspended, or tax return access on hold phishing — fraudulent email impersonating TurboTax, H&R Block, TaxAct, or FreeTaxUSA claiming the recipient's tax software account has been locked for suspicious activity, their in-progress tax return is no longer accessible, their prior-year tax documents are at risk, or their filing fee payment has failed — directing them to sign in, verify identity, pay an outstanding fee, or secure their account through a credential-harvesting portal; TurboTax 40M+ users ($39-89/filing); H&R Block 23M+ online users; TaxAct 7M+; FreeTaxUSA 7M+; during tax season (Jan-April) users have in-progress tax returns containing SSN, W-2 data, 1099 information, bank routing numbers, and prior-year adjusted gross income — "your in-progress tax return may be lost" creates extreme urgency to protect irreplaceable uploaded documents and avoid missing the April 15 deadline; TurboTax is consistently in the top-10 most impersonated tax brands during Q1

Phishing emails impersonating TurboTax, H&R Block, TaxAct, or FreeTaxUSA claiming the recipient's tax filing software account has been locked for suspicious activity, their in-progress tax return is no longer accessible, their prior-year tax documents are at risk of being lost, or their filing fee payment has failed — directing them to sign in, verify identity, pay an outstanding fee, or secure their account through a credential-harvesting portal. Key facts: (1) Tax software phishing is distinctly seasonal with peak attack volume between January 15 and April 15 — the IRS filing window — when users have actively in-progress tax returns; during this window, a 'your TurboTax account has been locked and your in-progress tax return is inaccessible' notification creates maximum urgency because users fear losing: (a) hours of data entry work, (b) uploaded W-2 and 1099 documents, (c) saved prior-year AGI needed for this year's filing, and (d) access to the return during the April 15 deadline rush; the deadline-adjacent urgency ('you must file by April 15') is uniquely powerful because procrastination means recipients often receive this attack days before the deadline when they are under maximum time pressure; (2) TurboTax has 40M+ users ($39-89 per filing) and is the #1 most widely used tax software in the US; H&R Block has 23M+ online users; TaxAct 7M+; FreeTaxUSA 7M+; these platforms process tens of millions of returns containing the most sensitive financial data: SSN, adjusted gross income, W-2 employer income, 1099 investment income, bank routing numbers for direct deposit of refunds, and detailed itemized deductions that reveal every major expense category; (3) This signal is specifically distinct from the `fake-tax-preparer-refund-advance-ssn-harvest-scam` which targets people with a 'you can get a refund advance' lure; this signal instead targets an account-lock and credential-harvest attack — attackers want TurboTax credentials to: (a) steal financial data from the account, (b) change the direct deposit bank account to steal the actual tax refund, (c) file a fraudulent return in the victim's name before they do; IRS IP PIN theft and fraudulent return filing is a growing attack vector; (4) The 'filing fee payment failed' lure is highly effective: TurboTax charges fees for federal and state filing that are deducted from the refund OR paid by card — a 'your TurboTax filing fee payment was declined and your return cannot be submitted' email mirrors legitimate billing failure notifications users receive from other services; (5) The 'unauthorized access to your tax return' lure is emotionally resonant because tax returns contain extraordinarily sensitive information that victims know is permanently sensitive — unlike passwords that can be changed, disclosed SSN and AGI cannot be 'un-disclosed.' Warning signs: sender domain not turbotax.com, hrblock.com, taxact.com, freetaxusa.com, or intuit.com; TurboTax and H&R Block always include your specific account email address and partial SSN confirmation in legitimate security notifications; any account issue should be resolved only via direct navigation to the official website.