7 Tax Season Security Tips
Security pros need to be on high alert from now until Tax Day on April 15. Here are seven ways to help keep your company safe.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt7d2f47a70b29b001/64f0d365a5678049590c401c/Tax1Cover.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Tax time has arrived – and that means companies and individuals are vulnerable to IRS phone scams and business email compromises (BECs).
Security pros need to impress upon the staff that high-profile hacks can and do happen during tax season. The most famous one – the Office of Personnel Management (OPM) hack – happened during the 2014 and 2015 tax seasons. Some 21.5 million people had their social security numbers and employment, health, and financial histories exposed.
In preparation for tax season, the IRS has posted its Identity Theft Central page, which serves as an excellent resource for individuals, tax professionals and businesses. The site offers step-by-step instructions on what to do if you receive a suspicious IRS-related email or phone call.
Read on for ways to help keep your company and staff secure during tax season.
Monique Becenti, product and channel marketing specialist at SiteLock, says companies should schedule a security awareness session just before the start of tax season - right after the holidays in early January. Most tax scams happen during the first part of tax season in late January and around the April 15 deadline day.
Eva Velasquez, CEO of the Identity Theft Resource Center, advises that at those training sessions companies also need to celebrate the people who question an email that appeared suspicious but actually was legitimate. "We celebrate the people who catch a phishing attempt," she says. "But we also need to create a culture where people feel they can report suspicious activity without fear of retribution."
SiteLock's Becenti says one of the more common business email compromise (BEC) attacks during tax season is one where a lower-level person in the accounting department receives an email message posing as the CFO or CEO asking for all the W2s for the staff. In another scam, fraudsters send links to employees claiming that they need to update their tax information. Clicking on the link could lead to identity theft or worse - a company-wide ransomware attack. Coveware reports that the median ransomware payment in Q4 2019 was $41,179.
Employees should know that the IRS only contacts people in writing for tax information, not via email. The IRS outlines on its website that it will never:
- Initiate contact with taxpayers by email, text, or social media to request personal or financial information.
- Call taxpayers with threats of lawsuits or arrests.
- Call, email, or text to request taxpayer Identity Protection PIN numbers.
Lila Kee, Americas general manager and chief product officer at GlobalSign, recommends that companies that send W2s and 1099s electronically should digitally sign the email as well as encrypt the session where the employee downloads the information. The digital signature demonstrates that the email comes from a trusted sender, and the lock on the address bar of the website confirms that the session is encrypted.
The Identity Theft Resource Center's Velasquez adds that companies should employ encrypted portals to disseminate W2s and 1099s electronically. "They should also require that employees use two-factor authentication to access the portal and retrieve the forms," she says.
Employees should be informed about what the company will NOT be doing when it comes to disseminating tax forms. The Identity Theft Resource Center's Velasquez says to make it clear that HR will not call the staff on the phone about their tax information. In addition, because of all the problems and vulnerabilities with email, the company also should emphasize that it will not send employees emails requesting them to update their tax information.
Companies should have incident response procedures set up all year round, and especially during tax season. SiteLock's Becenti says in the event of a breach, the company should notify the IRS, call the FBI and local law enforcement, and alert all the parties involved. Major hacks where tax information has been stolen have happened several times during tax season, so the four months of tax season require extra attention.
Owners of small companies often think that they are immune to hacks in general and don't think hackers will bother with them during tax time, either. This is just plain wrong, says Erich Kron, security awareness advocate at KnowBe4. If a company has a Facebook account or an Internet presence, they are vulnerable to attack, he says. While on the Dark Web recently, Kron says he found that for $65, a fraudster can send out 50,000 emails. The economics are simple: with just one or two hits a criminal can make his or her money back. So with cybercrime's barrier to entry being so low, all companies are targets today, he notes.
Cofense recently issued an advisory for businesses to be on the lookout for an Emotet scam where fraudsters email fraudulent requests for W9s and then file taxes on behalf of unsuspecting victims. Cofense says it has seen both attachments and simple links to download the document. The security company warns that this threat will evolve and get trickier as the tax season gears up.
Erich Kron, security awareness advocate at KnowBe4, says the first quarter of every year is fraught with tax-related scams like the one pointed out by Cofense. He says these scams are "a rather sneaky way" to take advantage of the fact that people expect their tax forms to be delivered during this time of year.
"From W-2 forms for employees to 1099 and W-9 forms for independent contractors such as in this case, these types of attacks are very effective," Kron says. "Not only do you have the element of expectation of the form's arrival, in many cases, people are in a hurry to file taxes in order to get a refund, so they are motivated to move quickly. It's important to warn employees and contractors about these types of attacks, train them how to spot phishing emails, and teach them the reasons not to enable active content in documents like this."