It’s tax season. And that means, for internet scammers looking to filch your employees’ identities and steal their money, it’s phishing season.
According to a warning issued by the IRS, tax season triggers a 400 percent surge in phishing and malware incidents. The scammers' target? The sensitive information found on your employees' W-2 forms:
- Home addresses.
- Salary information.
- Withholding information.
- Social Security numbers.
- Any other identifying info.
The Cost of Phishing-Based Tax Fraud
In 2016, over $20 billion was lost due to tax fraud. This is an enormous increase over previous years. Experts attribute it to the dramatic increase of phishing and spear phishing attacks on company email systems.
Just this January, solar panel company Sunrun succumbed to a spear phishing attack that may have exposed up to 3,400 of its employees. According to reports, a cybercriminal impersonating the company's CEO emailed a payroll employee requesting copies of employee W-2s. Fooled by the scam, the payroll employee sent along the documents.
Why Do Cybercriminals Want Employee W2s?
Attackers want this information chiefly so they can file your employees' tax returns before the employees do and collect the refunds.
The fraudulent refunds are paid out to accounts the attackers control, often abroad, which they empty routinely. The money is difficult to trace and seldom recovered.
When a business tries to rebuild trust with its employees and customers after such a breach, it typically ends up buying years of credit-monitoring and identity-fraud protection for everyone affected. That is expensive in both money and staff time, all the more so because a Social Security number, unlike a password, cannot be rotated: once it has leaked, it stays compromised.
How to Guard Against Phishing-Based Tax Fraud
Protecting yourself and your business is necessary but not always simple. Properly trained employees and clients, however, can be your first line of defense.
This kind of attack, often called "whaling" or CEO fraud, is typically cleverly disguised: attackers usually register domains that look like your company's domain name. One company discovered an attack in which one "o" in its domain had been replaced with a "q." The difference was almost indistinguishable in Outlook, which underlines the sender's full email address; the underline hides the descender that tells a "q" apart from an "o."
This is one reason why mitigating these attacks requires technical controls and trained people working together.
To protect your company, consider the following technical security measures:
- Purchase email-targeted threat protection from a provider such as Mimecast or Barracuda.
- Flag all mail coming from outside the company domain as [EXTERNAL] in the subject line, and warn when a message's display name matches an executive's but the address is external.
- Employ the anti-spam and anti-spoofing measures (SPF, DKIM and DMARC enforcement on your own domain, plus lookalike-domain detection on inbound mail) available through Mimecast, Good for Enterprise, or Office 365.
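The lookalike-domain case above (one "o" swapped for a "q") and the [EXTERNAL] tagging rule are easy to demonstrate in code. The following is an added example written for this article, not code from the original page or from any vendor named here: it triages an inbound message's From header and subject for an external sender, a lookalike of the company domain (by confusable-character folding and edit distance), and an executive's display name on a non-company address, then combines those signals with a check for a W-2, payroll or wire request. The company domain "contoso.com", the executive names, the confusables map and the sample headers are all placeholders constructed for illustration.

```python
# Added example (not from the original article): triage the From header and
# subject of an inbound message for the whaling indicators discussed above:
# an external sender, a lookalike domain, and an executive's display name on
# a non-company address. The domain and names are placeholders (assumptions).
import re
import unicodedata
from email.utils import parseaddr

COMPANY_DOMAIN = "contoso.com"                 # assumption: your mail domain
EXECUTIVE_NAMES = {"jane doe", "john smith"}   # assumption: names worth impersonating

# A small, illustrative map of characters attackers swap for lookalikes.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Requests that should never be fulfilled on the strength of an e-mail alone.
SENSITIVE_REQUEST = re.compile(
    r"\b(w-?2s?|payroll|wire transfer|social security|ssn)\b", re.IGNORECASE)


def normalize_domain(domain: str) -> str:
    """Lowercase, fold Unicode compatibility forms, then map confusables."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; one substitution (o -> q) costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, company_domain: str = COMPANY_DOMAIN,
                 max_distance: int = 1) -> bool:
    """True if the domain is not ours but collapses to ours after confusable
    folding, or sits within max_distance edits of it."""
    if domain.lower() == company_domain.lower():
        return False
    d, c = normalize_domain(domain), normalize_domain(company_domain)
    return d == c or levenshtein(d, c) <= max_distance


def sender_findings(from_header: str, company_domain: str = COMPANY_DOMAIN,
                    exec_names=EXECUTIVE_NAMES) -> list:
    """Return the indicators found on a From header, in fixed order."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if domain != company_domain.lower():
        findings.append("external")
        if is_lookalike(domain, company_domain):
            findings.append("lookalike-domain")
        if display_name.strip().lower() in exec_names:
            findings.append("executive-display-name")
    return findings


def tag_subject(subject: str, findings: list, tag: str = "[EXTERNAL]") -> str:
    """Prepend the external tag once; re-tagging a reply must not stack tags."""
    if "external" in findings and not subject.startswith(tag):
        return f"{tag} {subject}"
    return subject


def triage(from_header: str, subject: str, body: str = "") -> dict:
    """Combine the signals: an impersonation indicator plus a request for
    W-2s, payroll data or a wire is what makes a message worth holding."""
    findings = sender_findings(from_header)
    sensitive = bool(SENSITIVE_REQUEST.search(subject + "\n" + body))
    impersonation = any(f in findings
                        for f in ("lookalike-domain", "executive-display-name"))
    return {
        "findings": findings,
        "subject": tag_subject(subject, findings),
        "hold_for_review": impersonation and sensitive,
    }


if __name__ == "__main__":
    # Constructed sample headers, modelled on the case described in the article.
    samples = [
        ("Jane Doe <jane.doe@contoso.com>", "Q1 planning"),
        ("Jane Doe <ceo@cqntoso.com>", "Need copies of all employee W-2s today"),
        ("Payroll <hr@c0ntoso.com>", "Updated payroll file attached"),
        ("Jane Doe <janedoe.ceo@gmail.com>", "Urgent wire transfer"),
        ("Accounts <ap@vendor-supplies.net>", "Invoice 1042"),
    ]
    for sender, subject in samples:
        print(f"{sender:40} -> {triage(sender, subject)}")
```

Two design notes. An edit distance of 1 is the right threshold for a domain as long as "contoso.com"; for very short company domains it will also match legitimate neighbours, so register or block those domains rather than relying on the heuristic alone. And the tag is deliberately applied only when absent, because replies to already-tagged mail otherwise accumulate "[EXTERNAL] [EXTERNAL] ..." and users learn to ignore it.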
Just as important is the human element: your employees and clients. To prepare your company well, consider implementing the following:
- Regular training for users that includes the latest attack vectors and current information.
- Timely reminders to staff coinciding with annual/quarterly events, such as tax season or company events such as IPOs.
- Policies and protocols customized to departments. For example, "Finance staff must obtain verbal confirmation, using a phone number already on file rather than one supplied in the email, before executing any wire transfer or releasing employee W-2 data."
- Easy access to a qualified helpdesk and the knowledge of how to reach them.
There are no surefire ways to eliminate these attacks entirely, but these steps go a long way toward preventing data leaks, enormous losses of revenue, and major headaches for all involved.