The only certainties in life are death and taxes, or so the wisdom goes. However, in the 21st Century, we may need to revise the old saying to be: “Death, taxes and phishing.” Tax scams via phishing email have been growing that quickly.
The Tax scam cometh
As if tax season wasn’t torturous enough, IT admins and businesses must now contend with increasingly common, sophisticated socially engineered attacks. Phishing topped the Internal Revenue Service’s (IRS) “Dirty Dozen” list of tax scams for 2017, which comes as no surprise considering the U.S. government reported a 400 percent increase in phishing and malware incidents in 2016. This cost victim organizations an average of $1.6 million each in response costs.
Like the majority of phishing incidents, the most common attacks during tax season are fraudulent emails appearing to be from a trusted source. These scams pressure or deceive users into revealing sensitive personal, corporate and financial information or request a wire transfer. The latter is more common in spear phishing and business email compromise (aka whaling) attacks.
For the 2017 tax season, the IRS has urgently warned against a W-2 Form phishing scam. Hackers purporting to be a high-level executive or staff member request a list of all employees and their W-2 forms from payroll or human resources departments.
Alternately, they may also ask for an updated employee list with information like their Social Security Numbers (or Social Insurance Numbers), home addresses and salaries. This has spread beyond the corporate world to other sectors including school districts, tribal organizations and nonprofits, and has already affected more than 30,000 people in 2017.
Similar attacks were carried out last year, claiming Snapchat and Seagate Technology as victims. Organizations who took the bait are now facing class-action lawsuits from employees.
In 2017, tax season phishing scams have also been reported in the UK and hackers in the Great White North have been posing as the Canada Revenue Agency (CRA) since 2013.
Protecting against tax season phishing scams
Tax season is like shooting ‘phish’ in a barrel. As with other socially engineered attacks, prevention is about education. To help you protect your organization and users against tax season phishing scams, our cyber security experts at Vircom put together these admin tips.
Encourage double authentication (2-FA or two factor authentication).
Remind your users if they get an email asking for their personal or financial information, or data about other employees or payroll, to pick up the phone and call the government organization or executive asking for it. If the person on the other end of the line seems clueless, it was a hacker.
Dear user, the IRS isn’t emailing you.
As noted on their website, “The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.” If you receive a suspicious email from them, visit their phishing reporting page or immediately notify them at phishing@irs.gov. The page also provides ways to for users to spot fraud including samples.
… the CRA isn’t emailing you either.
According to the CRA’s website, they will never: “send email with a link and ask you to divulge personal or financial information; ask for personal information of any kind by email or text message; request payments by prepaid credit cards; give taxpayer information to another person; unless formal authorization is provided by the taxpayer; leave personal information on an answering machine.” Also be sure to circulate their page of examples of fraudulent online refund forms among your users.
Go dark on digital.
Given the nature of the W-2 phishing email scam, your human resources, IT and payroll personnel should remove their operational titles from social media as well as the company website. (Their privacy settings should also be set to the maximum.) Seems extreme? Consider this: spear phishers will be trawling their profiles to gather information in order to better impersonate them.
Make a stink about links.
Hackers targeting Americans often pressure users into clicking malicious links with scare-emails using subject lines like “The IRS is looking for you”. Remind your users that no matter how spooked they are, they should never click the link of a suspicious email — especially during tax season. As the IT admin, you are the point person; when in doubt, forward it to you.
Spread the news.
Send the above information in an internal memo or catchy newsletter to all users. Not a great writer? Get somebody from marketing to do it. Phishing email tax scams prey on the unaware. Making sure your team is up to date on what to be on the lookout for around tax season is a no-brainer. Feel free to share this post with them!
Oh yes, and good luck with your taxes.
For other tips in protecting against phishing and avoiding human errors in cyber security check out “The Human Factors in Cyber Security and Preventing Errors“.
Leave a Comment