Vulnerabilities / Threats

3/17/2020 02:00 PM
This Tax Season, Save the Scorn and Protect Customers from Phishing Scams

As security professionals, it's easy to get cynical about the continued proliferation of tax ID theft and blame the consumers themselves. But that doesn't help anyone.

We hear about it every year at this time: consumer-targeted phishing scams in which hackers are after tax returns. We're all well aware of the motivations behind these schemes. It has now reached the point that the IRS issues a warning about phishing scams every January, urging consumers to file as early as possible to avoid being victims.

The biggest challenge with tax ID theft through phishing is that the victims aren't aware they've been targeted until it's too late. As security professionals, it's easy to get cynical about the continued proliferation of these scams and blame the consumers themselves. I've been seeing articles by members of the security community that take a tone of condescension and snark. You can almost hear the authors sighing deeply and picture the exasperated eye rolls.

I'm appealing to my fellow security professionals: This tax season, let's drop the scorn toward victims of phishing scams. Underestimating the effectiveness of phishing and blaming its victims doesn't help anyone. For example, in February, cybercriminals intentionally preyed on the public's fears and concerns about the coronavirus by sending out malicious links masquerading as information consumers can use to protect themselves from the virus. With the coronavirus all over the media, can you blame consumers for clicking on a URL that promises safety and information?

A tone of condescension also ignores the real and increasing damage phishing does to the trust relationship between consumers and brands, tech firms, and government agencies. In addition, it's worth noting that the tips we often give to consumers aren't foolproof. Almost half of all spoofed sites now serve their pages over SSL/TLS, exploiting the trust consumers have placed in visiting what they believe are secure "https" URLs with the familiar padlock icon. And phishing domains and emails sent to customers are both more sophisticated than ever. In fact, 97% of people around the world are unable to identify a sophisticated phishing email.

Focus on What Matters
I ask that we focus on better ways to shut down these insidious attacks before they can take hold. The good news is, the security community has already created the tools and technology it takes to solve this problem. We just need to refine them and point them in the right direction.

Right now, defenders are placing much emphasis on email filtering and domain monitoring. Both of these tools are valuable, but they're only pieces of a larger, more complex puzzle. For example, it's smart to use anti-phishing email filtering to make sure fake email messages don't get through to your company's employees, but a growing number of phishing scams employ social engineering techniques to trick people into giving up sensitive information, particularly over text messages, which email filters never see.

Additionally, email filtering helps to keep your employees safe, but what about the email accounts of your customers? And, yes, it is your problem if customers are duped. Don't forget that under consumer privacy laws such as GDPR and the newly enacted CCPA, your company is legally responsible for customer data loss caused by phishing, even if you never knew your brand was being targeted by a campaign.

As for domain monitoring solutions, they are designed to alert businesses when certain domains have had a status change or need to be renewed. But they don't alert security teams when a new spoof URL has been published, and they don't spot all of the fakes. According to Dell Technologies, an estimated 30,000 spoof URLs are launched every day. These URLs typically cycle back and forth between malicious and legitimate, as reported in a recent Anti-Phishing Working Group report. The sheer volume and constant state of flux make it difficult for any domain monitoring solution to identify them all.

Defenders should consider scalable, real-time strategies that improve detection from the moment a spoof site or page has launched. [Editor's note: The author's company offers a related solution.] The problem with the current approach to phishing detection is that by the time the victim clicks on the link and visits the spoof site, it's too late. The consumer who tries to file a real tax return only to learn that someone else already filed one in their name is a perfect example.
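A minimal version of the launch-time spoof detection the section argues for, added here as an illustration and not code from the article or the author's company: it triages a constructed feed of newly observed domains against a hypothetical brand domain (acmetax.com) by folding common homoglyphs and checking for brand tokens, lure suffixes and small edit distances. The brand, the feed, the lure-word list and the thresholds are all assumptions.

```python
# Confusable characters attackers substitute; multi-character entries first so
# 'rn' folds to 'm' before the single-character rules run.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
# Words commonly glued onto a brand name in phishing hostnames (constructed list).
LURE_WORDS = ("refund", "login", "secure", "verify", "tax", "gov", "support")
BRAND_DOMAIN = "acmetax.com"            # hypothetical brand we are defending
BRAND = BRAND_DOMAIN.split(".")[0]
# Constructed sample of newly observed domains (as a registration feed might yield).
NEW_DOMAINS = ["acmetax.com", "www.acmetax.com", "acrnetax.com", "acme-tax.com",
               "acmetax-refund.com", "acmetaxlogin.com", "acme.org", "weather-today.org"]

def registrable_label(domain):
    """Second-level label; multi-part public suffixes such as co.uk are not handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label):
    """Fold visually similar characters so 'acrnetax' compares equal to 'acmetax'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label

def levenshtein(a, b):
    """Classic edit distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return 'legitimate', 'suspect' or 'unrelated' for one newly seen domain."""
    host = domain.lower().rstrip(".")
    if host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN):
        return "legitimate"
    norm = normalize(registrable_label(host))
    if BRAND in norm.split("-"):                          # acmetax-refund.com
        return "suspect"
    if norm.startswith(BRAND) and norm[len(BRAND):] in LURE_WORDS:  # acmetaxlogin.com
        return "suspect"
    max_edits = 1 if len(BRAND) <= 6 else 2               # tolerate tiny typosquats
    if levenshtein(norm.replace("-", ""), BRAND) <= max_edits:      # acme-tax.com
        return "suspect"
    return "unrelated"

def triage(feed):
    """Label every domain in a feed; 'suspect' entries go to an analyst queue."""
    return {d: classify(d) for d in feed}
```

Running `triage(NEW_DOMAINS)` flags the four lookalikes while leaving the brand's own hostnames and the two unrelated domains alone; in practice the feed would be a certificate-transparency or new-registration stream rather than a constant.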

End the Victim Blaming
It's easy to heap blame on customers, telling ourselves that they "should know better" than to click on a URL in an email from someone they don't know. But as the saying goes, "You don't know what you don't know." Customers believe that the emails and texts containing spoof URLs are coming from a brand they know and trust. And it could very well be your brand. That's the most insidious part of a phishing attack. It's up to us, the defenders, to innovate new ways to solve this vexing problem.


Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people.
Comments
RyanSepe,
User Rank: Ninja
3/18/2020 | 10:01:08 AM
Nightmare
I know someone this happened to. It made filing their taxes a nightmare for years to come after someone fraudulently filed taxes as them for the return.
EUNQUE12,
User Rank: Apprentice
3/18/2020 | 8:29:49 AM
Tax Season
Good post, thank you for the helpful information.