If you’re anything like me, you’re tired of picking up the phone just to hear someone’s terrible recording of a tax collector, IRS agent or CPA demanding some outrageous sum of money. According to the IRS, in their latest security bulletin, they have formulated 2019’s “Dirty Dozen.” Keeping employees and end-users in mind, many will have sensitive data leftover on their devices, making your business a prime target.
With highly targeted attacks plaguing many of us today, it’s not uncommon to see Business Email Compromised, or more commonly, CEO Fraud. Reaching $12.5 Billion in total known losses, these attacks have bad guys trying to convince end-users, typically in Accounting, Receiving, HR, and sometimes IT, to release information or funds based on their faked email address or title. Typically, this results in many unknowing employees making some form of payment or releasing the information as they view their job could be at stake.
We’ve even seen these “Fake CEOs” attempt to send out emails regarding W-2 issues. Once opened, the payload can be delivered from these attacks at any point in time. In most cases, we’ve witnessed malware lying low in systems for 90 days. With tax season closing, we wanted to shed some light on the technology aspects of the “IRS’ Dirty Dozen.”
Here’s a recap of this year’s Dirty Dozen scams:
1. Phishing: Businesses filing on their own behalf this year should be alert to the potential for faked emails or websites looking to steal personal information. The IRS notes, “The IRS will never initiate contact with taxpayers via email about a bill or tax refund.” Don’t click any links or attachments from someone claiming to be from or on behalf of the IRS. For more information from the IRS website, see here: (IR-2019-26)
2. Phone Scams: Phone calls from criminals or on behalf of them impersonating IRS agents remain an ever-growing threat to end-users during tax season. It’s these same calls your employees receive that contain outlandish threats, including police arrest, deportation, or my personal favorite license revocation. For more information from the IRS website, see here: (IR-2019-28)
3. Identity Theft: During tax season, businesses will have taxpayer information on-hand for one of the few times all year. This means for the period between March to May, the IRS warns that identity theft will rise, although the security industry has made several large strides in protecting employees currently. The IRS warns businesses as they continue perusing these criminal actions. For more information from the IRS website, see here: (IR-2019-30)
6. Tax Return Preparer Fraud: Unfortunately for some businesses, the amount of fraudulent Tax Preparer has also grown in stride. As we all know, the vast majority of tax professionals are there to provide honest, high-quality services, but others will operate during the filing season and it’s these scams that continue to push refund fraud and identity theft further. For more information from the IRS website, see here: (IR-2019-32)
8. Inflated Refund Claims: Alert the IRS or the police of anyone who’s promising inflated refunds or credits. Be alert to anyone promising large returns or asking for credits. This falls on local law enforcement to assist as these frauds will use flyers, fake storefronts, and community groups to infiltrate your trust. For more information from the IRS website, see here: (IR-2019-33)
Continue staying diligent, as the typical end-user and employee has sensitive information nearby. Maybe it’s an email of your tax return or that W-2 from human resources. Regardless, having it near anything business-related can be an area for concern, but for cybercriminals and fraudsters, they will have hit the jackpot.
Learn how to secure your end-users and employees, educating them on how to handle sensitive information, how to interact with strange emails.