Hackers love tax season. With so many emails flying around between consumers, businesses, and their CPAs, the risk for accidental exposure of Personally Identifiable Information (PII) and financial information is great – especially when security measures are lax and email recipients aren’t paying close attention.
In prior years, hackers have been successful in gaining access to Social Security Numbers and Business Employer Identification Numbers (EINs) by targeting tax professional systems to gain access to their client data. And once systems are compromised, the damage can multiply tenfold, leading to data breaches and identity theft. Recently, the IRS warned taxpayers to watch out for erroneous refunds coupled with fake calls to return the money to a collection agency—or a fake recorded message from the IRS claiming a warrant for the taxpayer’s arrest unless they called to discuss the refund.[1]
It all starts with a phishing attack, delivered by a carefully crafted email intended to dupe the recipient into taking some action that initiates a malicious attack chain. According to InfoSecurity Magazine, 76% of organizations experienced a phishing attack in 2017.[2] Phishing continues to plague businesses and consumers – and the damage continues to grow. In a recent Ponemon Institute study[3], 64% of surveyed organizations reported an increase in the number of phishing attacks, and 65% reported the severity of the attacks had increased.
So, how can you keep your business AND personal data safe? Here are some quick tips to help thwart tax season cyber threats:
- Be alert and skeptical when reviewing emails. If you can’t completely verify the sender, approach the email with caution — don’t click embedded links or open attachments, as they may be conduits for delivering ransomware or initiating other malicious actions. Hackers are clever at mimicking trusted businesses, friends and family by spoofing their email address with a slight change in text that the unobservant eye might miss (e.g., changing an “m” to an “r” and “n” in the email address name can trick people).
- Report the suspicious stuff. Report emails or calls from individuals who claim to be from the IRS. The IRS doesn’t initiate spontaneous contact with taxpayers by email to request personal or financial information, and they don’t call with threats of lawsuits or arrests. If you’re certain you’re dealing with something suspicious, report fraudulent phishing or malicious emails to email@example.com. If you are the victim of identity theft, report the scam to the IRS[4] and read the IRS Taxpayer Guide to Identity Theft to learn more.[5]
- Implement a multi-layered security strategy. Use security software to protect against malware and identify suspicious websites used by cybercriminals. Businesses should deploy email security at the gateway to catch spam and malware — these solutions are useful in stopping the bulk of spam-based phishing email campaigns. Deploy a secure web gateway to analyze and block malicious domains because nearly 1.5 million new phishing sites are created each month.[6] Lastly, ensure every PC/laptop has endpoint security installed.
- Passwords are precious. Use strong passwords of 8-12 characters (including letters, numbers, and special characters) to protect online accounts, but don’t reuse them for multiple accounts. If hackers obtain access to one account, they will also check to see if that password unlocks other accounts. Use multi-factor authentication if available. Common to many online financial institutions, email providers and social media sites, this technology offers additional protection — in addition to entering your username and password, you must identify a personal photo you pre-selected or enter a security code generally sent as a text to your mobile phone. Even if the hacker steals your username and password, it’s unlikely they would be able to guess the photo or have your phone to get the final piece of information needed to access the account.
- Go back to school and learn to fight phishing. Give your employees training on how to identify phishing emails and give them tools to be able to report suspicious emails based on what they’ve learned. EdgeWave offers ThreatTest as an added layer of security for employees to report suspicious emails directly to EdgeWave for instant review and remediation – saving your in-house IT time and resources from managing the incident investigation, and ensuring the fastest resolution possible.
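The look-alike sender addresses described in the first tip (an “m” swapped for “rn”) can also be flagged automatically before a person has to spot them. The Python below is an added example, not part of the original article or any EdgeWave product; the trusted domains, the confusable map and the function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list of domains the business really corresponds with.
TRUSTED = {"summit-tax.example", "payroll.example"}

# Constructed confusable map: sequences that read like another letter at a
# glance (the article's example is "rn" standing in for "m").
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def skeleton(domain: str) -> str:
    """Collapse look-alike sequences so visually similar domains compare equal."""
    s = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single-row dynamic programme."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify_sender(from_header: str, trusted: set) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a From header."""
    # Judge the real address, not the display name, which the sender controls.
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        # Same visual skeleton, or a one-character typo of a trusted domain.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) == 1:
            return f"lookalike of {good}"
    return "unknown"

if __name__ == "__main__":
    for header in ("Jane CPA <jane@summit-tax.example>",
                   "Jane CPA <jane@surnmit-tax.example>",
                   "HR <hr@payrol.example>",
                   "News <news@unrelated.example>"):
        print(f"{header:40} -> {classify_sender(header, TRUSTED)}")
```

A “lookalike” verdict is a reason to quarantine or banner the message for review; an “unknown” verdict only means the domain is not on the allow-list.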
With an understanding of the current threat landscape, the right tools in place, and a watchful eye, businesses and consumers can be a last line of defense in the war on cyber threats.