
Vulnerabilities / Threats

3/17/2020
02:00 PM

This Tax Season, Save the Scorn and Protect Customers from Phishing Scams

As security professionals, it's easy to get cynical about the continued proliferation of tax ID theft and blame the consumers themselves. But that doesn't help anyone.

We hear about it every year at this time: consumer-targeted phishing scams in which attackers harvest the personal and financial details they need to file a fraudulent tax return in the victim's name and collect the refund. We're all well aware of the motivations behind these schemes. It has now reached the point that the IRS issues a warning about phishing scams every January, urging consumers to file as early as possible so that a fraudulent return can't be filed ahead of the real one.

The biggest challenge with tax ID theft through phishing is that the victims aren't aware they've been targeted until it's too late. As security professionals, it's easy to get cynical about the continued proliferation of these scams and blame the consumers themselves. I've been seeing articles by members of the security community that take a tone of condescension and snark. You can almost hear the authors sighing deeply and picture the exasperated eye rolls.

I'm appealing to my fellow security professionals: This tax season, let's drop the scorn toward victims of phishing scams. Underestimating the effectiveness of phishing and blaming its victims doesn't help anyone. For example, in February, cybercriminals intentionally preyed on the public's fears and concerns about the coronavirus by sending out malicious links masquerading as information consumers can use to protect themselves from the virus. With the coronavirus all over the media, can you blame consumers for clicking on a URL that promises safety and information?

A tone of condescension also ignores the real and increasing damage phishing does to the trust relationship between consumers and brands, tech firms, and government agencies. In addition, it's worth noting that the tips we often give to consumers aren't foolproof. Almost half of all spoofed sites are now served over HTTPS with a valid TLS certificate, which anyone who controls a domain can obtain in minutes; the familiar padlock icon only tells the visitor that the connection is encrypted, not that the site is who it claims to be, yet consumers have been trained to treat it as a sign of safety. And phishing domains and emails sent to customers are both more sophisticated than ever. In fact, 97% of people around the world are unable to identify a sophisticated phishing email.

Focus on What Matters
I ask that we focus on better ways to shut down these insidious attacks before they can take hold. The good news is, the security community has already created the tools and technology it takes to solve this problem. We just need to refine them and point them in the right direction.

Right now, defenders are placing much emphasis on email filtering and domain monitoring. Both of these tools are valuable, but they're only pieces of a larger, more complex puzzle. For example, it's smart to use anti-phishing email filtering to make sure fake email messages don't get through to your company's employees, but a growing number of phishing scams rely on social engineering over channels an email filter never sees, particularly SMS text messages, to trick people into giving up sensitive information.

Additionally, email filtering helps to keep your employees safe, but what about the email accounts of your customers? And, yes, it is your problem if customers are duped. Don't forget that under privacy laws such as GDPR and the newly enacted CCPA, your company can be held accountable for customer data lost to phishing, even if you never knew your brand was being impersonated by a campaign.

As for domain monitoring software solutions, most are designed to watch a fixed list of your own domains and alert you when one changes status or comes up for renewal. They don't alert security teams when a new spoof URL has been published, and they don't spot all of the fakes. According to Dell Technologies, an estimated 30,000 spoof URLs are launched every day. A single URL often flips between serving malicious and benign content over its short lifetime, as reported in a recent Anti-Phishing Working Group report. The sheer volume and constant state of flux make it difficult for any domain monitoring solution to identify them all.
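One way to narrow the gap between "a spoof domain went live" and "someone noticed" is to score every newly observed hostname against the brands you protect. The script below is an added example written for this edit, not code from the author's company or from Dark Reading. It assumes you can subscribe to a feed of new hostnames (Certificate Transparency logs, passive DNS or registrar feeds); the brand list and the feed here are constructed for illustration. It goes a step beyond the tax example in the article and covers the common spoofing patterns: homoglyph and confusable spellings, one-edit typosquats, TLD swaps, the brand label used as a keyword, and the brand's whole domain embedded as a subdomain of an attacker-controlled host.

```python
"""Lookalike-domain triage over a feed of newly observed hostnames.

Added example for this edit; not code from the author, Allure Security or
Dark Reading. Assumes a hostname feed (CT logs, passive DNS, registrar feeds)
and a short brand list; both are constructed inline so this runs offline.
"""
import unicodedata
from typing import Optional

# Substitutions that read like the brand at a glance. Multi-character entries
# come first so "rn" folds to "m" before any single-character rule runs.
# A deployment should use Unicode's confusables.txt; this table is a sample.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u03bf": "o",                 # Cyrillic c x, Greek o
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
}

BRANDS = ["acmebank.com", "irs.gov"]  # hypothetical brand list

# Constructed sample feed, the kind of thing a CT-log subscription emits.
FEED = [
    "acmebank.com",                   # the brand itself
    "mail.acmebank.com",              # legitimate subdomain
    "acrnebank.com",                  # "rn" reads as "m"
    "\u0430cmebank.com",              # leading Cyrillic a, renders as acmebank.com
    "acmebank.net",                   # same label, different TLD
    "acmebnk.com",                    # dropped letter
    "acmebank.com.secure-login.net",  # brand domain as subdomain of attacker host
    "irs-refund-portal.com",          # brand label used as a keyword
    "example.org",                    # unrelated
]


def normalize_label(label: str) -> str:
    """Fold a DNS label so visually identical labels compare equal."""
    folded = "".join(
        ch for ch in unicodedata.normalize("NFKD", label.lower())
        if not unicodedata.combining(ch)  # drop accents split off by NFKD
    )
    for src, dst in CONFUSABLES.items():
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _hit(host: str, brand: str, reason: str) -> dict:
    return {"host": host, "brand": brand, "reason": reason}


def assess(host: str, brands: list) -> Optional[dict]:
    """Return a hit dict if host impersonates one of brands, else None."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # expand punycode (xn--) labels
    except UnicodeError:
        pass                                        # already Unicode, keep as-is
    if any(host == b or host.endswith("." + b) for b in brands):
        return None                                 # inside the brand's own zone
    labels = host.split(".")
    if len(labels) < 2:
        return None
    registrable, tld = labels[-2], labels[-1]
    norm = normalize_label(registrable)

    for brand in brands:
        brand_label, brand_tld = brand.split(".")[-2:]
        brand_norm = normalize_label(brand_label)
        if brand in host:
            return _hit(host, brand, "embedded")   # acmebank.com.secure-login.net
        if registrable == brand_label and tld != brand_tld:
            return _hit(host, brand, "tld_swap")   # acmebank.net
        if registrable != brand_label and norm == brand_norm:
            return _hit(host, brand, "homoglyph")  # acrnebank.com
        if registrable != brand_label and brand_label in registrable.split("-"):
            return _hit(host, brand, "keyword")    # irs-refund-portal.com
        if len(brand_label) >= 5 and levenshtein(norm, brand_norm) == 1:
            return _hit(host, brand, "typosquat")  # acmebnk.com
    return None


def flag_feed(feed: list, brands: list) -> list:
    """Run assess() over a feed and keep only the hits."""
    return [h for h in (assess(host, brands) for host in feed) if h]


if __name__ == "__main__":
    for h in flag_feed(FEED, BRANDS):
        print(f"{h['host']:35} {h['brand']:14} {h['reason']}")
```

Treat a hit as a candidate for review and takedown, not a verdict: fetch what the host actually serves (it will usually have a perfectly valid certificate) before escalating, and expect the short-edit rules to need a brand-specific allowlist. The confusables table here is deliberately small; a real deployment should load the Unicode confusables data and tune the distance threshold per brand length.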

Defenders should consider scalable, real-time strategies that improve detection from the moment a spoof site or page has launched. [Editor's note: The author's company offers a related solution.] The problem with the current approach to phishing detection is that by the time the victim clicks on the link and visits the spoof site, it's too late. The consumer who tries to file a real tax return only to learn that someone else already filed one in their name is a perfect example.

End the Victim Blaming
It's easy to heap blame on customers, telling ourselves that they "should know better" than to click on a URL in an email from someone they don't know. But as the saying goes, "You don't know what you don't know." Customers believe that the emails and texts containing spoof URLs are coming from a brand they know and trust. And it could very well be your brand. That's the most insidious part of a phishing attack. It's up to us, the defenders, to innovate new ways to solve this vexing problem.


Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has ...
Comments
RyanSepe, User Rank: Ninja
3/18/2020 | 10:01:08 AM
Nightmare
I know someone this happened to. It made filing their taxes a nightmare for years to come after someone fraudulently filed taxes as them for the return.
EUNQUE12, User Rank: Apprentice
3/18/2020 | 8:29:49 AM
Tax Season
Good post, thank you for the helpful information.