Catch and release: it’s phishing season
It’s April, which means it’s tax season. It also means, for cybercriminals, that it’s prime phishing season — a window of opportunity where they can target anxious taxpayers, infiltrate inboxes and siphon sensitive personal documents. But unsuspecting taxpayers aren’t the only ones at risk. Businesses can also easily fall victim to phishing attacks during this especially stressful season, preying on innocent employees who unknowingly give crooks the opportunity to wreak havoc on company IT systems well into 2017.
To help lessen the likelihood of a tax-season phishing attack, we’re looking at five methods cybercriminals use to breach networks during tax season and offering tips to help you keep a grip on personal information.
- Suspicious links
Phishing scams can be either incredibly easy or incredibly difficult to spot. Sometimes generic links, like “Dear valued customer” spell trouble. Other times it’s an apparent email from the IRS. Just remember: the IRS rarely reaches out to taxpayers via email and will never demand immediate payment or threaten arrest. If you receive any type of email that looks remotely like a threat, it isn’t from the IRS. Phishing attacks can look incredibly convincing, as the example below shows, and often use well-known names and create a sense of urgency to infiltrate an organization.
- Last minute refunds
With many employees hurrying to get their taxes in, cyber thieves have begun to pose as taxpayers requesting a last-minute change to refund destinations. These requests often ask for account numbers and include seemingly valid information. For example, these emails may identify you or someone you work with at a company by name to try and establish credibility.
- Account updates
Hackers can steal information by asking taxpayers to provide additional information, such as social security or debit card numbers, in a bid to “update” their account information on a “government-run” website. Be on guard any time an update request requires personal information to verify an account—the IRS will never verify your identity by asking for personal or financial information.
- W2 forms
A particularly unsettling way hackers get private information during tax season is through W2 forms. Cyber thieves may send a fake email, often impersonating a company executive, requesting employee W2 form information. Though the request may be as simple as an updated employee list, if companies hand over this information, hackers instantly have access to sensitive information, such as salaries, social security numbers, and home addresses.
- Specialty programs
Does an exclusive tax program opportunity seem too good to be true? Well, then it probably is—listen to your instinct and ignore the link in question. Although these types of emails may claim to offer exclusive benefits, it’s best to stick with the IRS-approved programs you’re familiar with.
How to avoiding phishing attacks:
Spotting a phishing attack doesn’t always come naturally—it requires a certain level of employee awareness and training. By spreading cybersecurity awareness and educating individuals on what the different types of phishing attacks look like, companies can help employees avoid malicious links and hacker threats.
If worst comes to worst and a phishing attack breaches your systems or sends threats to your organization, just remember: never engage over email. This means no bargaining and certainly no paying. The minute you engage is the minute cyber thieves gain control over the situation.
Additionally, you don’t need to deal with phishing attacks alone. Added support can be a great way to mitigate any threats or concerns. The best action to take is to inform your IT department or cloud email provider of the threat so they can launch immediate mediation.
We’ll leave you with this simple advice: when in doubt, don’t click the link. It’s best to go the cautious route and avoid temptation as much as possible—if an online request or link seems slightly off or it’s overpromising certain benefits, listen to your instinct and navigate away from the potential threat. When it comes to taxes, if you’re unsure of a request, directly contact the IRS to confirm if an email is legitimate and if any action is required. Calling to confirm may seem like a hassle, but in this case, it’s better to be safe than sorry.