7 Tips to Secure the Enterprise Against Tax Scams
Tax season is yet another opportunity for fraudsters to target your company. Here's how to keep everyone in the organization on their toes.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltddd3b1ea0c403463/64f0d2e7f11104bc3e1bf325/1.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Tax season is in full swing at enterprises. Security teams know that cybercriminals are up to their tax-scam tricks, too, often in search of a company's weakest link: its employees.
"These scams are so widespread because they work and it's easy money for cybercriminals," says Joseph Carson, chief security scientist at Thycotic. "If you have a large target list at a company and many of the victims are unable to tell the difference between a scam and authentic notices, then even if a small number of people fall for such a scam, it's still extremely profitable for the cybercriminals."
Indeed, tax scams are a significant enterprise risk, not only for dollars lost but in terms of stolen credentials that provide criminals with initial access into a company's network environment, says Rick Holland, chief information security officer and vice president of strategy at Digital Shadows.
"[Just] when you thought the pandemic didn't provide fraudsters with enough phishing lure options, US tax season now comes along," Holland says. "This year's tax fraud season even gets an extension, as 29 million Texas residents and business owners have had their filing deadlines extended to June because of February's winter storm."
The best offense, as any security pro worth their salt knows, is a good defense. The following tips can keep enterprises and their employees on their security toes as April 15 nears.
As a first step, enterprise security teams must educate employees about tax-related scams, such as phishing and business email compromise (BEC), says Hank Schless, senior manager, security solutions at Lookout. Attackers also like to pose as members of the IRS or even the organization's internal accounting department to socially engineer employees into sharing sensitive tax-related information, such as Social Security numbers or bank account information, so they must be on guard.
"Posing as part of the IT team puts attackers into a role with greater authority and credibility than traditional phishing," Schless says.
In addition, attackers often leverage a number of tactics, including sending malicious message attachments that deploy malware; sending fake authentication messages through SMS that convince an employee to enter their login credentials on a malicious site; or calling employees by phone to direct them to visit a phishing page to access allegedly compromised tax documents.
Digital Shadows' Holland also suggests building awareness training around specific, current threats: for example, base a training module on the fraud alerts the IRS itself issues. Tailor the training to the team taking it, too. A finance team member falling for a scam could have far more serious consequences than an employee in another department, so that team warrants deeper, scenario-specific training.
Many security awareness training companies will want to create phishing lures purporting to be from the IRS or Treasury Department. However, these vendors must be authorized by the government to use official logos in a simulation, says Jonathan Matkowsky, vice president of digital risk at RiskIQ. Before signing on with a vendor, a business should ensure the vendor has a valid written license for logo usage. Without authorization, the business itself could face significant damages and liability, even though a logo was used in connection with a legitimate security training program. (The government doesn't consider training in the same light as it does ethical hacking under a bug-bounty program.) If possible, it may be best to avoid using the IRS or Treasury in a phishing example altogether.
While many organizations still send tax forms to employees through physical mail, more are doing so digitally, says Lookout's Schless. So it's all the more critical that security teams protect employees across all endpoints to ensure they don't fall victim to a phishing attack or download a malicious attachment that compromises the organization's entire security posture. Communication is also key: Companies should tell their employees exactly how, when, and from which sender or system they will receive their tax documents, Schless adds, so that anything arriving by another route stands out as suspect.
The IRS doesn't initiate contact with taxpayers via email or other social channels -- companies should see such correspondence as a red flag, says Andrew Barratt, managing principal, solutions and investigations at Coalfire.
Cybercriminals use tax-season-specific scare tactics to reel in companies and employees, who fear breaking the law and/or having to pay steep financial penalties if they don't respond to demands.
Once again, training is key -- in particular, educating employees on how to detect email scams, Thycotic's Carson says. Tips include checking the actual sender address (not the display name) to ensure the sender is legitimate, checking the email for spelling mistakes, checking hyperlinks by hovering over (but not clicking) them to see where they really go, and checking any personal details in the message for accuracy.
Companies may also want to use an email spam filter to help prevent fake email from landing in corporate inboxes. But no solution is foolproof. Employees must know not to call a number provided within the email; most likely, it's fake. Rather, they should go to the agency's official website (irs.gov, for the IRS) and use the number listed there. These simple tips can help avoid a potential cybersecurity nightmare, says Carson.
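The manual checks Carson lists (real sender address rather than display name, where a hyperlink actually points, and a callback number embedded in the message) can be automated. The following is an added example written for this page, not code from the article or from any vendor quoted in it. The trusted-domain list, the sample lure and the clean payroll message are constructed for the example; a real deployment would run the same logic inside a mail gateway or a triage script fed by the SOC's mailbox.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Added example (not the page's or any vendor's code). Assumption: the agencies a
# tax lure would impersonate are the ones listed here.
TRUSTED_DOMAINS = {"irs.gov", "treasury.gov"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, plus the body's plain text."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self.text: list[str] = []
        self._href: Optional[str] = None
        self._anchor: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _host(value: str) -> str:
    """Hostname of a URL or bare domain, lower-cased, with a leading 'www.' dropped."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def _claims_agency(display_name: str) -> Optional[str]:
    """Return the trusted domain whose name appears in the display name, if any."""
    for domain in TRUSTED_DOMAINS:
        label = domain.split(".")[0]          # "irs", "treasury"
        if re.search(r"\b" + re.escape(label) + r"\b", display_name.lower()):
            return domain
    return None


def analyze_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs; an empty list means nothing suspicious was found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []

    # 1. The address in angle brackets is what matters, not the display name.
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = _claims_agency(display)
    if claimed and not _under(sender_host, claimed):
        findings.append(("sender-domain-mismatch",
                         f"display name '{display}' but address domain '{sender_host}'"))

    # 2. A Reply-To that steers answers elsewhere is a classic BEC tell.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(("reply-to-mismatch", f"Reply-To {reply_addr} differs from From {addr}"))

    # 3. "Hover over the link": compare the visible text with the real target.
    part = msg.get_body(preferencelist=("html", "plain")) if msg.is_multipart() else msg
    collector = _LinkCollector()
    collector.feed(part.get_content() if part is not None else "")
    for href, text in collector.links:
        href_host = _host(href)
        text_host = _host(text) if ("." in text and " " not in text) else ""
        if text_host and not _under(href_host, text_host):
            findings.append(("link-text-mismatch", f"shows {text_host} but goes to {href_host}"))
        elif claimed and not _under(href_host, claimed):
            findings.append(("link-off-domain", f"{href} is not under {claimed}"))

    # 4. A toll-free callback number in the body: call the number on the agency site instead.
    for number in re.findall(r"\b1-8\d\d-\d{3}-\d{4}\b", "".join(collector.text)):
        findings.append(("callback-number", f"message asks you to call {number}"))
    return findings


# Constructed sample lure (fictional domains; 555-01xx numbers are reserved for fiction).
SAMPLE_RAW = (
    b'From: "IRS Refund Department" <refunds@irs-gov-notice.com>\r\n'
    b'Reply-To: claims@mail-irs-refund.net\r\n'
    b'To: employee@example.com\r\n'
    b'Subject: Action required: verify your pending tax refund\r\n'
    b'MIME-Version: 1.0\r\n'
    b'Content-Type: text/html; charset="utf-8"\r\n'
    b'\r\n'
    b'<html><body><p>Your refund of $1,284.00 is on hold. Verify your identity at\r\n'
    b'<a href="http://irs-gov-notice.com/verify">https://www.irs.gov/refunds</a>\r\n'
    b'within 48 hours, or call 1-800-555-0199.</p></body></html>\r\n'
)

# Constructed benign message from internal payroll, for comparison.
CLEAN_RAW = (
    b'From: "Payroll" <payroll@example.com>\r\n'
    b'To: employee@example.com\r\n'
    b'Subject: Your W-2 is available\r\n'
    b'MIME-Version: 1.0\r\n'
    b'Content-Type: text/plain; charset="utf-8"\r\n'
    b'\r\n'
    b'Your W-2 is available in the HR portal you use for pay stubs.\r\n'
)

if __name__ == "__main__":
    for code, detail in analyze_message(SAMPLE_RAW):
        print(f"{code:24} {detail}")
    print("clean message findings:", analyze_message(CLEAN_RAW))
```

The link check deliberately compares hosts, not full URLs: a lure that displays `https://www.irs.gov/refunds` while linking to another host is flagged, but a legitimate link whose visible text is a page on the same domain is not. The heuristics are lossy by design; they give the reader or a triage script a concrete reason to distrust a message rather than a verdict.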
When employees understand how their tax data is handled, they'll know when to alert their company's finance department about any unusual requests, says RiskIQ's Matkowsky. Companies also have certain reporting obligations in the event of personal data theft, so looping in the legal department is likely necessary, too.
Companies should also limit the number of employees who are authorized to handle W2 requests, he says. Additional verification procedures are advisable to confirm that a request genuinely came from the person it claims to before emailing any sensitive data; W2 data is a frequent target of spear-phishing and BEC fraud.
If companies let employees access W2s from a corporate portal, keep the policies consistent with the security measures already in place for other sensitive documents, NuData Security's Capps adds. Larger companies typically issue a hardware or software token that generates a fresh one-time code each time the employee signs in to the site. Companies of all stripes can also deploy options such as Google Authenticator or Symantec's VIP Access, where employees authenticate to download a W2 from the portal with a unique PIN generated on their mobile device.
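What "a unique PIN generated on a mobile device" looks like on the server side is a time-based one-time password check (RFC 6238 TOTP, the scheme behind Google Authenticator) placed in front of the W2 download. The code below is an added example written for this page, not code from the article or from NuData, Google or Symantec. The `W2Portal` class, the user name and the document content are constructed; the shared secret is the reference secret from the RFC test vectors, whereas a real portal generates a random secret per user at enrollment. Beyond the text's one-line description, the example also refuses a code that has already been redeemed, so a one-time code captured by a phishing page cannot be replayed within its 30-second window.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Added example (not the page's or any vendor's code): RFC 4226 HOTP / RFC 6238
# TOTP verification gating a W2 download. Names and documents are constructed.

STEP_SECONDS = 30   # authenticator apps rotate the code every 30 s
DIGITS = 6
SKEW_STEPS = 1      # accept one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time. This is what the phone shows."""
    return hotp(secret, at // step, digits)


class W2Portal:
    """Minimal portal: a W2 is served only after a valid, not-yet-used TOTP code."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}
        self._documents: dict[str, bytes] = {}
        self._used: dict[str, set[int]] = {}    # user -> time-step counters already redeemed

    def enroll(self, user: str, secret: bytes, w2: bytes) -> None:
        self._secrets[user] = secret
        self._documents[user] = w2
        self._used[user] = set()

    def verify_code(self, user: str, code: str, at: Optional[int] = None) -> bool:
        """Constant-time comparison against the current step and its neighbours.
        A counter that was already redeemed is skipped, which blocks replay of a
        captured code for the rest of its validity window."""
        if user not in self._secrets or not (code.isdigit() and len(code) == DIGITS):
            return False
        now = int(time.time()) if at is None else at
        base = now // STEP_SECONDS
        for counter in range(base - SKEW_STEPS, base + SKEW_STEPS + 1):
            if counter in self._used[user]:
                continue
            if hmac.compare_digest(hotp(self._secrets[user], counter), code):
                self._used[user].add(counter)
                return True
        return False

    def download_w2(self, user: str, code: str, at: Optional[int] = None) -> Optional[bytes]:
        """Return the W2 only when the second factor checks out; None otherwise."""
        if not self.verify_code(user, code, at):
            return None
        return self._documents[user]


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 reference secret; use a random one per user in practice
    portal = W2Portal()
    portal.enroll("alice", secret, b"W-2 (constructed sample document)")
    code = totp(secret, int(time.time()))          # what Alice's authenticator app displays now
    print("first download allowed:", portal.download_w2("alice", code) is not None)
    print("replay of same code allowed:", portal.download_w2("alice", code) is not None)
```

The skew window exists because phones and servers drift; one step either side is the usual compromise between usability and the extra guesses it hands an attacker. Rate-limit failed attempts per user as well, since a six-digit code with a three-step window is brute-forceable without it.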
These days, mobile devices have just as much access to sensitive data as their desktop counterparts. Without modern endpoint protection, a company could experience a significant gap in its overall security posture.
"Remote work increases the likelihood of success for the attacker because the target employee can't walk down the hall to validate the communication with another member of the team," Lookout's Schless says. "As attackers become bolder in their tactics, security teams need to ensure that their employees are protected from visiting phishing sites on their smartphones and tablets."
One last point from Schless: If an employee chooses to access their tax data on mobile, they should make sure they're doing so through a legitimate channel. As stated previously, any communication from the IRS or other agencies regarding taxes typically comes by mail, not over the phone or via the Internet.