Phishing scam pits Intuit against St. Paul's Cadenza Music

The collection letter sent to Cadenza Music in St. Paul resembled what shows up in your mailbox when you forget to pay a phone or electric bill. Except for the amount.

"Dear Nancy Vernon. This is final notice and demand for payment of your $40,091.92 debt to Intuit."

Vernon owns Cadenza Music with her husband, Eugene Monnig. The store supplies school bands and retail customers, repairs instruments and offers lessons at its 149 N. Snelling Av. storefront location.

"$40,000 is a lot of money," Vernon said. "That's a lot of piano lessons."

Cadenza Music's tussle with Intuit holds many lessons of its own — mostly about the perils of phishing scams and the hard question of who pays when fraudsters steal.

Phishing is the effort to trick individuals and businesses into giving up personal and financial information. Phishing e-mails arrive in inboxes by the millions, often with alarming subject lines saying your bank account has been hacked. Most estimates put the annual losses from phishing scams in the billions.

Cadenza Music was hit by an especially insidious attack called "spear phishing," in which these scammers gather some information about their targets to make their deceptions more convincing.

She followed those directions, but a short time after she entered the last four digits of her Social Security number, she realized she had made a mistake. Too late.

Within an hour, she was talking to Intuit about freezing the account. "While I was on the phone with Intuit, I received a phone call from a man in New York," she said. He wanted to know: "Who are you and why did you charge my credit card for $19,000?"

A woman, also on the East Coast, called with the same question.

These were big charges for a store whose typical charges are about a hundred bucks. Intuit secured the account, but not before those fraudulent charges directed the $40,000 into the thief's temporary bank account, Vernon said.

Vernon said she was told for weeks not to worry about the charges, though she never received anything in writing from Intuit saying that. Instead, in January, the bills began to arrive.

"If Intuit had enforced the contractual limits, these fraudulent transactions would have been prevented, and you would not be demanding $40,000 from me and my company," she wrote in a Feb. 2 letter to Intuit.

Intuit described a somewhat different sequence of events, but did not address Vernon's specific complaints.

"In October 2015, Intuit proactively reached out to the impacted customer after identifying potentially suspicious account activity," Steve Sharpe, Senior Public Relations Manager at Intuit, said in a statement. "Intuit continues to work with the customer to resolve this issue."

"At Intuit, safeguarding the privacy and security of our customers' data is job one."

With 2015 revenue of more than $4 billion, Intuit is best known for its QuickBooks and TurboTax software. Based in Mountain View, Calif., the software behemoth is a constant target of these kinds of attacks. It issues multiple security alerts about phishing e-mails every day.

"I still dream of not having to write that check," Monnig said.

Contact James Eli Shiffer at james.shiffer@startribune.com or 612-673-4116.