By a show of triple thumbs up emojis, who loves tax season? I understand the sense of dread and loathing this time of year brings. The assignment for this annual operation is both basic in direction and primal in its simplicity. Hunt for those elusive documents, forage for forms like W-2s and 1099s, and gather with finance departments and accountants to see how good (hopefully) or how bad (hopefully not) of a year we objectively had.
As if this yearly ritual does not put us enough on edge, it has also become prime time for hacking scams and fraud. October may technically be Cybersecurity Awareness Month, but now is the time when businesses and individuals need to be hyper-vigilant against the innovative and never-before-seen hacks that are being, and will be, deployed against us.
One of the most elementary, and from an effort standpoint highly efficient, ways hackers get us to click on emails or links and divulge personal information is what is called spear phishing. Most of us have heard this term by now. Spear phishing is a targeted email that usually appears to come from a "trusted sender," with the goal of getting the recipient to click on a link. Usually, but not always, the information used to spear phish is gained through social engineering and tracking an individual's online activity. Whatever can be "learned" about the individual is then used to craft the targeted email.
Much like shaping metal, each piece of information is used by a hacker to sharpen the effect and the appearance of authenticity of this email. Add to that the predictability of circumstances, i.e., we are all by law engaged in the same activity of tax preparation, and conditions become optimal for a breach to cut through even the most stringent cybersecurity defenses and measures. Rest assured that through a lot of well thought out probabilities and some old-fashioned trial and error, cybercriminals already have a pretty good idea of what type of email might catch the unsuspecting recipient's attention. When this individual unknowingly, and of course unintentionally, clicks on the carefully considered link or downloads the document in the email, a multitude of steps can occur in a chain reaction that takes place in a matter of mere seconds. The most likely consequence? Malware released into the recipient's system.
Recently, Cybereason said that it identified a new variation on this theme whereby the recipient receives an email with a blurred-out tax document. Naturally, the recipient cannot read it, but the helpful cyberattacker provides a prompt that encourages the recipient to click "enable editing," thereby allowing the hacker to unleash the malware. Sound pretty clever so far? Keep in mind, though, that whether the cyberattacker is using this new trick or any of the old ones from their recycled bag, the action the recipient must take is basic and one and the same: the recipient only needs to click on a link or download a file.
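A check a mail gateway or analyst could run on an attachment of the kind described above, as an added example that is not from the original column and not Cybereason's tooling: the "enable editing"/"enable content" prompts exist to get the recipient to switch on an embedded VBA project, and that project lives in a known part of the Office Open XML container, so its presence can be detected before the document ever reaches a user. The sample attachments are constructed in memory, and the quarantine policy in `triage_attachment` is an assumption for illustration.

```python
import io
import os
import zipfile

# OOXML part names that hold a VBA project (Word, Excel, PowerPoint);
# compared case-insensitively against the archive listing.
VBA_PARTS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")

# Extensions that are not supposed to carry macros at all. A VBA part hiding
# behind one of these is a stronger signal than a plainly macro-enabled .docm.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def build_sample(with_macros: bool) -> bytes:
    """Constructed sample attachment (not a real document): a minimal OOXML
    container, with or without a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder bytes")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are an OOXML container that carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {name.lower() for name in zf.namelist()}
    except zipfile.BadZipFile:
        return False  # not an OOXML container; a different scanner would handle it
    return any(part in names for part in VBA_PARTS)


def triage_attachment(filename: str, data: bytes) -> str:
    """Assumed gateway policy: deliver macro-free documents, quarantine any
    document carrying a VBA project, and call out the mismatch when a
    'macro-free' extension is used to hide one."""
    ext = os.path.splitext(filename.lower())[1]
    if not has_vba_project(data):
        return "deliver"
    if ext in MACRO_FREE_EXTENSIONS:
        return "quarantine: VBA project hidden behind macro-free extension"
    return "quarantine: macro-enabled document"


if __name__ == "__main__":
    for name, data in (("2020_transcript.docm", build_sample(True)),
                       ("2020_transcript.docx", build_sample(True)),
                       ("2020_transcript.docx", build_sample(False))):
        print(name, "->", triage_attachment(name, data))
```

The check only answers "is there a VBA project here"; it says nothing about what the macro does, which is the point: a tax document a client is expected to read has no business carrying executable code, so the presence alone justifies holding it back for review.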
To provide some context, tax fraud is so prevalent that the Internal Revenue Service (IRS) released a list of "Dirty Dozen" tax scams for 2020. The scams range from phishing campaigns to setting up fake charities that scam individuals into "donating" to the fake entity. A classic and effective favorite, and maybe the dirtiest of the dozen, is an urgent and threatening phone call demanding immediate action. The scam breaks down like this. The scammer calls the potential victim, demanding immediate payment and threatening the individual. The threat and sense of urgency alone (i.e., you knowingly did not pay your taxes and owe money) cause immediate anxiety and emotional distraction on the part of the recipient, and that is what makes this such a highly effective technique.
And to be clear, these calls do not come just from the "IRS." A few weeks ago, this author received a call from her "electric company" saying that she had not paid a bill and that they would be shutting off the heat to her home in no less than 45 minutes if she did not pay the bill immediately. The theme of urgency underlies most of these schemes. Now, under full disclosure, even though I knew in my mind this was a scam, I did admittedly have a second of panic thinking: did I really forget to pay the bill? It is therefore not hard to imagine how successful such a scam can be against ordinary, unsuspecting individuals who are not well versed in the intricacies of defensive cybersecurity and offensive data breach tactics.
Phone scams like this are called vishing (for voice phishing) and are a common type of cybersecurity threat. The scammer is usually after personal or credit card information, which the visher can then use to set up fake accounts and even file a false tax return. The cybercriminal attempts to instill fear and urgency in the victim to distract them long enough to make a hasty mistake. Neither the IRS nor a utility company will ever threaten a taxpayer or surprise a customer with a demand for immediate payment. There is a step-by-step notification process that every entity, including the IRS and the electric company, must go through by law in order to demand payment. Calls that surface seemingly out of nowhere, with threats of a service cutoff or worse, do not override the protections of due process.
The bottom line is that the IRS does not call or email taxpayers without warning to demand payment. Period. Expect that if the IRS wants to reach out, it will make its intentions known through a letter, not an email or phone call. Like the census survey, it will come in the mail and be marked with proper instructions for your attention. Keep this classic pattern in mind should you ever be cast into such a situation: urgency, plus threat, plus a seemingly trusted sender, equals a reflexive lowering of defenses that lets a cybercriminal hit their target over and over again.
Aside from the potential gains from individuals, tax professionals and businesses provide a target-rich environment for cybercriminals this time of year given the size of the attack surface. With many employees working from home due to a once-in-a-generation pandemic, being vigilant against business email compromise (BEC) or business email spoofing (BES) is of heightened concern this year, if not an outright challenge. In BEC, the business email account of an executive, or in this case a tax professional, is compromised. These accounts can be compromised through keyloggers or phishing attacks whereby the cybercriminal actually gains access to the individual's email account and takes it over. From there, the cybercriminal can set up all kinds of mischief, including fraudulent transfers or obtaining sensitive information from individuals who believe they are providing the information to their accountant. With BES, the cybercriminal sets up an email account that, on the surface, looks like it belongs to the company and then sends out messages using that address. This scammer can obtain passwords and bank account numbers, or even convince people to send money. Either way, both the business and the unknowing individual end up as victims of the fraud.
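The BES variant described above depends on the spoofed address passing a glance from the client, so a defender's first practical check is on the sender headers themselves. Below is an added example, not from the original column or any vendor product: it parses a raw message and flags the three things a lookalike sender usually gets wrong, namely a domain that is a near-miss or character-swap imitation of the firm's real one, a display name that borrows the firm's name while the address does not, and a Reply-To that quietly routes answers elsewhere. The firm domain `example-cpa.com`, the firm name, and all three sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Assumptions for the example: the accounting firm's real sending domain and
# the name its clients know it by. Neither comes from the original column.
TRUSTED_DOMAIN = "example-cpa.com"
FIRM_NAME = "example cpa"


def normalize(domain: str) -> str:
    """Map common character substitutions back to the letters they imitate,
    so 'exarnp1e-cpa.c0m' compares equal to 'example-cpa.com'."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches near-miss registrations such as a dropped
    letter or a swapped top-level domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Domain part of an address header such as From or Reply-To ('' if absent)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def assess(raw: bytes, trusted: str = TRUSTED_DOMAIN, firm: str = FIRM_NAME) -> list:
    """Return a list of findings about the sender; an empty list means the
    headers showed none of the spoofing signs checked here."""
    msg = email.message_from_bytes(raw)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(msg.get("From", ""))
    findings = []
    if from_dom != trusted:
        if normalize(from_dom) == normalize(trusted):
            findings.append(f"homoglyph lookalike of {trusted}: {from_dom}")
        elif levenshtein(from_dom, trusted) <= 2:
            findings.append(f"near-miss lookalike of {trusted}: {from_dom}")
        if firm in display_name.lower():
            findings.append(f"display name impersonates {firm!r} from {from_dom}")
    reply_dom = sender_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain differs from From: {reply_dom}")
    return findings


# Constructed sample messages (not real mail).
LEGIT = (b"From: Billing <billing@example-cpa.com>\r\n"
         b"Subject: Q1 invoice\r\n\r\nHello\r\n")
LOOKALIKE = (b"From: Example CPA Tax Team <billing@example-cpa.co>\r\n"
             b"Reply-To: refunds@webmail.example\r\n"
             b"Subject: Action required: 2020 return\r\n\r\nPlease send your W-2.\r\n")
HOMOGLYPH = (b"From: Billing <billing@exarnple-cpa.com>\r\n"
             b"Subject: Invoice\r\n\r\nSee attached.\r\n")

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("homoglyph", HOMOGLYPH)):
        print(label, "->", assess(sample) or ["no findings"])
```

These are signals, not verdicts: a mismatched Reply-To is routine for ticketing systems, so the value is in combining the findings and in running the check on the firm's own inbound mail, where "someone claiming to be us" should be rare enough that every hit is worth a look. None of this replaces SPF, DKIM and DMARC on the firm's real domain, which stop the simpler case of mail forged from the genuine address.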
Last year, cybercriminals cleverly tried to obtain large tax refunds by posing as clients of a California-based accounting firm. As part of the scam, the company was notified that its clients' personal information had been compromised and used to file fake returns. Also last year, the IRS reminded tax professionals to be aware of phishing scams and to employ multi-factor authentication on their systems, as well as on all access points, because it was seeing a spike in data breaches affecting tax professionals. Considering the steady increase in cybersecurity incidents, it is important to examine what individuals and businesses can, and frankly should, be doing to protect themselves and the trusted relationships they have with their clients.
What to do (individuals)
First, be aware of phishing and spear phishing. Remember, the IRS will not call or email you and demand information or payment. Individuals should never, ever give personal information to anyone on the phone or through email.
Second, practice safe computing when it comes to storing sensitive data, filing a return, and sharing personal information with others. Do not email sensitive information, and do not share sensitive information on social media. Stop taking quizzes that tell you your magical unicorn name. Those quizzes ask you for personal information that is used to verify your identity.
Third, if you do nothing else, use complicated passwords and put two-factor authentication on every account. I have heard the complaints, but this is the single most important, cheapest, and best thing you can do to protect your personal information.
What to do (businesses)
Three pillars of support can go a long way for businesses of all sizes to achieve, at least in part, functional cyber readiness. First, businesses need to have a better understanding at the organizational level of the type of data they are collecting, who they share it with, how they access it, and where they store it. This step is accomplished by creating a data map that can be used to cross-map regulatory and contractual obligations. Knowing where the sensitive data is collected, processed, and stored allows an organization to fully understand which system houses its most sensitive data. In turn, this allows the organization to accurately identify and efficiently defend those systems.
Second, document compliance using written policies and procedures. In the realm of data privacy and cybersecurity, it is not done if it is not documented. As such, an organization needs to, above all, document its data privacy and cybersecurity practices. This not only serves to empower employees and vendors so those individuals and organizations understand the "how" and "why" data is treated this way, but it also demonstrates the importance of, and commitment to, data privacy and security practices.
Last, and maybe most important, is to train and communicate with employees. Documentation is a key step to establishing compliance. Organizations should keep in mind that one of the biggest issues they face is that their employees are unaware and/or not trained on specific policies and procedures. Strong commitment from the top filters down through the organization. The strongest door in the world does no good if left either unlocked or opened to a cybercriminal from the inside. Training is one of the principal, yet often weakest, links in the organizational cybersecurity and data privacy practices. Many businesses pay lip service to training, but the truth is that it is usually not done well enough, and should really be done by experienced cybersecurity professionals to be considered effective. The proof is in the pudding, where there are headlines from all industries and sectors that cybercriminals are regularly tricking employees into clicking on a disguised link or providing personal data to a deceiving source. Training and communication on the specific policies and procedures of an organization are key to closing the loop and establishing an efficient and effective data privacy and cybersecurity program.
These three basic rules of thumb can go a long way toward protecting the integrity of your business and establishing good cyber practices. All three can brace an organizational cyber defense plan and cut down the probability of a breach, leaving decision makers with more time and resources for productivity and for other areas of concern in the business infrastructure. Tax season may never inspire a triple thumbs up emoji, but approaching it with these three basic pillars of support as a starting point can help you navigate this time of year more securely. Whether the final tax return comes out positive or negative is, of course, another story.