It’s everyone’s favorite time of the year – tax season! Jokes aside, cyber terrorists work hard to make April even worse with an increased volume of attacks and tricks designed to exploit a stressful time. This article describes why cyber terrorists love tax season, the most common forms of attack, and several practical recommendations to keep you and your employees safe.
Why Tax Season?
Cyber terrorists target holidays, even Tax Day, for a variety of reasons. First, holidays provide a larger tax surface for criminals, as people tend to do more online shopping and financial transactions during holidays. Second, holidays often include increased travel and public events, which also provide opportunities for criminals to exploit weaknesses in security systems. Third, holidays find people in an emotional or vulnerable state, which makes it easier to lure victims to click on malicious links promoting holiday-related “deals” or “gifts.” Finally, holidays typically disrupt regular business operations, so criminals seize upon reduced staff and hours to identify vulnerable systems.
For tax season, cyber terrorists simply follow the money. According to the Washington Post, during the government’s most recent fiscal year, individual and corporate tax returns totaled more than $1 trillion. Refunds paid during 2022 totaled $360 billion. (1) The bad guys hope to take a percentage. They recognize that people stress over the money owed, struggle with online tax software, and move too quickly to meet deadlines. Each factor makes the public, including your employees and your business networks, more susceptible than usual.
What Tricks Worked in the Past?
As with other holidays, phishing campaigns – emails designed to trick people into clicking malicious links or attachments that can affect a user’s device with malware – remain the most frequent form of cyber terrorism during tax season. In fact, criminals may send emails pretending to be from the IRS, offering refunds or threatening legal action if the user does not respond. Here are just a few of the thousands of recent examples:
- In February 2021, the cybersecurity firm Check Point reported on a new phishing campaign that targeted U.S. taxpayers. The campaign appeared to be from the IRS, informed the recipient that they were eligible for a tax refund, and directed them to a fake IRS website that contained malware. (2)
- In March 2021, the IRS issued a warning about a new phishing scam that involved cybercriminals sending fake tax bills to victims. The emails appeared to be from the IRS and contained a link that, when clicked, downloaded a file containing malware. (3)
- In April 2021, the cybersecurity firm Vade Secure reported on a new phishing campaign that targeted taxpayers in the United States and Canada. The campaign, which appeared to be from the IRS or the Canada Revenue Agency, informed the recipient that they were eligible for a tax refund and directed them to a fake website that requested personal information. (4)
- In 2019, cybersecurity firm Proofpoint released a report that detailed a ransomware campaign that specifically targeted taxpayers during tax season. Again, the campaign sent emails that appeared to be from the IRS, but this time, informed the recipient that their tax return had been rejected, and directed them to a link to resubmit their information. Clicking on the link would download a file containing ransomware. (5)
How Can You Protect Your Business?
Considering the prevalence of tax season attacks, it is critical for business leaders to remain vigilant and take proactive steps to protect their employees and customer data. We recommend the following steps as the bare minimum for keeping your business safe.
- Provide Employee Education – To avoid threats, employees must be aware of them. Please share this article with your employees. Invest in a cyber education training system, particularly one that focuses on phishing simulation campaigns, such as BullPhishID or KnowBe4. These applications not only customize a fake phishing campaign for your organization, but also generate reports to identify who opened, clicked, and submitted personal information from the fake attack. Managers may review this info with employees directly, thereby decreasing the likelihood of their interaction with a real attack. For tax season specifically, remind employees that the IRS never contacts taxpayers by email, text message, or social media to request personal or financial information.
- Require Longer Passwords – For years, security professionals have recommended “strong” passwords that require a variety of uppercase/lowercase letters, numbers, and symbols. However, since these requirements make the passwords harder to remember and type, users repeat passwords to ease the burden, thereby reducing their usefulness. According to the National Institute of Standards and Technology (NIST), password length offers greater protection. Create a policy that requires employees to choose longer passwords or even phrases, including spaces.
- Enable Multi-Factor Authentication (MFA) – Multi-factor authentication allows user access to an application or website only after the user presents more than two pieces of evidence (password, one-time code, etc.). According to Google, MFA prevents over 95% of bulk phishing attempts and over 75% of targeted attacks. According to Microsoft, MFA can prevent 99.9% of all automated cyberattacks.
- Install Security Patches Consistently – Installing security updates, particularly for Windows networks, is both mundane and essential to network safety. Many IT teams incorrectly mistake the rote nature of security updates for being less important. However, when small businesses neglect security updates for servers and workstations, they leave well-known, gaping holes for criminals to exploit. Install security patches on a weekly basis and confirm that all workstations, including for remote workers, receive the updates. These updates may be the last line of defense once an employee had inadvertently triggered a cyber incident.
Dynamic Edge Can Help
Since 1999, Dynamic Edge has helped hundreds of small and mid-sized businesses maximize the return on their technology investment. Contact us today for a free network assessment, so that we may help you implement cost-effective security solutions to keep your organization and its clients safe and productive.
- https://www.washingtonpost.com/politics/2023/04/05/watch-out-online-scams-vulnerabilities-this-tax-season/
- https://blog.checkpoint.com/2021/02/18/new-campaigns-targeting-us-taxpayers/
- https://www.irs.gov/newsroom/irs-warns-against-covid-19-related-scams-urges-taxpayers-to-be-vigilant-against-these-threats-and-watch-for-schemes-using-the–agency-s-name
- https://www.vadesecure.com/en/blog/tax-refund-fraud-tactics/
- https://www.proofpoint.com/us/threat-insight/post/proofpoint-q3-2019-threat-report-emotets-return-rats-reign-supreme-and-more