Nothing’s Certain, Except Death and Taxes…and Phishing


“…But in this world, nothing can be said to be certain, except death and taxes.” – Benjamin Franklin

We should add phishing to this idiom, too.

Many businesses and their employees have recently fallen victim to a very successful spear-phishing attack. An unsuspecting employee receives an email, apparently from a company executive, asking for the company’s W-2s to address a “financial emergency”. The email is in fact a spear-phishing attack: all the employees’ W-2s go directly into the hands of the attacker or attackers, who now have the names, addresses, Social Security Numbers (SSNs), wages, and tax information for ALL the company’s employees, a treasure trove of information that can lead to false tax claims, identity theft and other financial catastrophes.

But the IRS began warning accountants and tax professionals over a month ago that they, too, are now under attack by hackers, and not with just one scam, but at least two.

In the first scam, an accountant or tax professional receives an email from a prospective client – really the attacker – stating that they are looking to hire someone to prepare their personal or business taxes. The attacker may use the name of a friend or associate – who has also been hacked – as a reference in the email, to avoid suspicion and ease the mind of the accountant or tax professional. The attacker includes a link to a website, or an Adobe Acrobat or other file attachment with an embedded link, claiming that the link leads to their financial information. Once the accountant or tax pro clicks the link, the website pilfers their email address, user name, password, and likely much more. Having stolen that email address, the attackers can then begin the cycle all over again, sending another phishing email to the clients of the accountant or tax professional they initially attacked and asking those clients to click on a link in the email or in an attachment to re-enter their financial information, or their user name and password for the hacked accountant’s or tax pro’s online software or website. When a client falls for this phishing attack, their information is pinched, and it’s likely their tax return will end up being claimed by the attacker.

Yet another phishing attack is underway that forced the Internal Revenue Service to send yet another alert out to accountants and tax professionals. In this attack, the attackers send an email to an accountant or tax professional indicating that they have been locked out of their tax preparation software due to “security issues”. Under tight deadlines and tremendous pressure, this is the last thing the accountant or tax professional needs to see! The phishing email includes a link that will supposedly unlock the software. Desperate to ensure that their tax preparation software is secure and accessible, the accountant or tax professional clicks on the link provided without question or suspicion. But the link leads to a phishing website requesting the accountant’s or tax professional’s user name and password for the tax preparation software, supposedly so that the software can be unlocked. Once they enter their user name and password, the attacker has all the information needed to break into the tax preparation software and steal the financial and tax information for all the accountant’s or tax pro’s clients!

But, tax phishing scams are not just limited to the United States. In Canada, for instance, attackers have been sending phishing emails posing as the Canada Revenue Agency (CRA), informing the recipient of the email that, due to a recalculation of their taxes from the prior year, they are either due a refund, or should be receiving more in their tax return. The link in the email leads to a bogus website in which the user is asked to re-enter their personal and financial data, including, in some cases, their user name, passwords, and to even answer questions like their mother’s maiden name. This data is then used by the attackers to access the user’s tax refund, to access their finances and bank accounts, and to rob them.

In Australia, attackers pose as the Australian Tax Office (ATO), sending the unsuspecting recipient what appears to be an email for accessing their next Online Activity Statement, or duping them into believing that they are due a refund or an additional amount in their tax refund, that they owe additional taxes, or that they must reconfirm or update their tax file number. If the user clicks on the link in the email and provides their personal and financial information, their accounts are pillaged and their personal information is quickly posted for sale on the Dark Web.

And, unfortunately, the United Kingdom is not immune to these phishing attacks, either. The phishers send unsuspecting users a “tax refund notification” email, posing as Her Majesty’s Revenue & Customs (HMRC), with a link to a false webpage where they are asked to enter their banking information so that their phony “tax refund” can be deposited automatically. Only the poor user doesn’t get a tax refund; instead, they lose their hard-earned money to the unscrupulous phishing attacker.

So, what can be done to halt these attacks on accountants and tax professionals, and, ultimately, you and your tax and financial data?

Existing email security software may catch some of these phishing attacks, but it’s unlikely, based on their own capture statistics, that they will catch these sophisticated phishing attacks. And it takes only one, single successful phishing attack to gain access to the tax, financial and even personal information for every client that an accountant or tax professional has, ruining their reputation and possibly destroying a business that took years to create.

The only way to ensure that all email-based phishing attacks are stopped before they can happen is with isolation.

Isolating all web access ensures that email-based phishing attacks that require users to click on a link to initiate the attack won’t be successful. That’s because, once the user clicks on the link in the phishing email or attachment, their web access is isolated: the selected web page is executed in the isolation platform, the page is proxied, and only a safe, clean, malware-free rendering of the page is returned to the user. Some isolation platforms can even eliminate credential theft by rendering websites in read-only mode, preventing users from entering their name, password, or any other sensitive information into a web form.
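To make the read-only rendering idea concrete, here is a small added example (written for this page, not Menlo Security’s or any isolation vendor’s code) showing the policy an isolation proxy can apply to a fetched page before handing it to the user: every form is stripped of its submission target and every field the user could type into is disabled, and inline script is dropped since the page is meant to execute on the isolation platform rather than in the user’s browser. The sample page imitating a “software locked, enter your credentials” lure is constructed for the example; the URL in it is a placeholder.

```python
"""Read-only rendering of a proxied page, as an illustration of the
isolation technique described above (added example, not vendor code)."""
from html import escape
from html.parser import HTMLParser

# Constructed sample: a credential-harvesting "unlock" page of the kind the
# post describes. The action URL is a placeholder, not a real site.
SAMPLE_PHISH_HTML = """<html><body>
<h1>Your tax software has been locked</h1>
<script>document.title = "Unlock";</script>
<form action="https://example.invalid/collect" method="post">
  Username: <input type="text" name="user">
  Password: <input type="password" name="pass">
  <button type="submit">Unlock</button>
</form>
</body></html>"""

# Elements a user could type into or click to submit data.
INTERACTIVE_TAGS = {"input", "textarea", "select", "button"}


class ReadOnlyRewriter(HTMLParser):
    """Rebuilds the HTML while neutralizing forms, fields and inline script."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []
        self.fields_disabled = 0
        self.forms_neutralized = 0
        self._in_script = False

    def _rewrite(self, tag, attrs):
        """Return the attribute list the user is allowed to see for this tag."""
        if tag == "form":
            self.forms_neutralized += 1
            # Drop the submission target and any submit handler, then make
            # the form inert even if some script survives elsewhere.
            attrs = [(n, v) for n, v in attrs if n not in ("action", "onsubmit")]
            attrs.append(("onsubmit", "return false"))
        elif tag in INTERACTIVE_TAGS:
            self.fields_disabled += 1
            attrs = [(n, v) for n, v in attrs if n != "disabled"]
            attrs.append(("disabled", None))  # boolean attribute
        return attrs

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            # HTMLParser unescapes attribute values; re-escape on output.
            parts.append(name if value is None
                         else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True  # script is executed on the platform, not here
            return
        self._emit_tag(tag, self._rewrite(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, self._rewrite(tag, attrs), self_closing=True)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def render_read_only(html_text):
    """Return (rewritten_html, fields_disabled, forms_neutralized)."""
    rewriter = ReadOnlyRewriter()
    rewriter.feed(html_text)
    rewriter.close()
    return "".join(rewriter.out), rewriter.fields_disabled, rewriter.forms_neutralized


if __name__ == "__main__":
    page, fields, forms = render_read_only(SAMPLE_PHISH_HTML)
    print(f"disabled {fields} field(s), neutralized {forms} form(s)")
    print(page)
```

The user still sees the page, including its “Your tax software has been locked” heading, but the username and password boxes are greyed out and the form has nowhere to post to, which is the behaviour the read-only mode above is meant to produce. A real isolation platform does this at the rendering layer rather than by rewriting HTML text, and would also have to handle script-built forms and non-HTML content; the example shows only the policy, not a complete product.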

So, if your accountant or tax professional has deployed an isolation platform, then you can be sure that phishing attacks targeting your sensitive financial and tax information will be stopped cold, and your financial security will be maintained.

But, if they haven’t deployed an isolation platform, you might want to tell them about it before you file your taxes this year.

