It’s almost here – April 18, tax day in the U.S. As businesses and employees prepare their tax returns, cybercriminals are once again ramping up efforts to steal the personal and payroll data those returns contain, and their lures get more convincing every year.
How it works
Business Email Compromise (BEC) scams have been on the rise since 2016, and tax season brings such a sharp increase in their numbers that the IRS has issued a warning to organizations about the heightened risk of these attacks.
BEC scams are simple in execution and all share one goal: compromising or impersonating business email accounts so that phishing messages can trick staff into sending funds to fraudulent accounts around the world. The scheme nonetheless demands considerable research before an attack is attempted. The criminal needs a firm understanding of the target company, how it operates, and even the working relationships between employees to get the desired outcome.
For BEC scams aimed at tax refunds, the scammer poses as the CEO and asks someone in finance or HR for employee payroll and W-2 information. If the request succeeds, the attackers use that data to claim the employees’ tax refunds before the rightful recipients can. Trend Micro recently published a report on West African cybercriminals who use this threat extensively.
What to do about it
To counter the threat, everyone in the company with access to employee data should be told about BEC and reminded that the risk rises during tax season. Employees should also be reminded that the kinds of information these criminals ask for should never be sent by email unless it is encrypted.
To help inform yourself and your employees about the dangers of spoofing, the Department of Justice, the IRS and the Federal Bureau of Investigation (FBI) have published the content of emails confirmed to be fraudulent. Here are some things to watch for:
• Requests that discourage contacting the executive for confirmation.
• Emails containing the following language:
Businesses should look into email security solutions that can identify and block socially engineered emails, in particular ones that carry neither an attachment nor an embedded link, because attachment and URL filtering never sees them. The tax scam emails typically contain nothing but a request that the employee send employee PII.
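The following scorer, added here as an example and not code from Trend Micro or from any product, shows what detecting such a text-only lure can look like. It checks the traits described above and in the watch-for list: an executive's display name on an address that is not that executive's real one, a Reply-To that differs from From, a request for payroll or W-2 data, wording that discourages a confirmation call, and a body with no attachment and no link. The executive roster, keyword lists, weights, threshold and the three messages are all constructed assumptions for the demonstration.

```python
"""Heuristic scorer for W-2/payroll BEC lures (added example, not Trend Micro code).

Keyword lists, weights and the threshold below are assumptions chosen for the
demonstration; a production filter would tune them on its own mail flow.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed: executives whose names attackers borrow, mapped to their real address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

PII_REQUEST = re.compile(r"\b(w-?2s?|payroll|social security|ssn|wage and tax)\b", re.I)
DISCOURAGE_CONTACT = re.compile(
    r"(in a meeting|can'?t talk|do not call|don'?t call|no need to (call|confirm)|"
    r"keep this (quiet|confidential))",
    re.I,
)
LINK = re.compile(r"https?://|www\.", re.I)
THRESHOLD = 5  # assumed cut-off: one keyword hit alone must not trip the filter


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts (a multipart message may carry several)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _has_attachment(msg: Message) -> bool:
    return any(part.get_filename() for part in msg.walk())


def score_message(raw: str) -> dict:
    """Return {'score', 'findings', 'suspicious'} for one RFC 822 message string."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = _body_text(msg)
    score, findings = 0, []

    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        score += 3
        findings.append("executive display name on a non-corporate address")
    if reply_to and reply_to.lower() != from_addr.lower():
        score += 2
        findings.append("Reply-To differs from From")
    if PII_REQUEST.search(body):
        score += 3
        findings.append("asks for payroll/W-2 data")
    if DISCOURAGE_CONTACT.search(body):
        score += 2
        findings.append("discourages confirming by phone")
    if not _has_attachment(msg) and not LINK.search(body):
        score += 1  # text-only lure: attachment and URL filters see nothing
        findings.append("no attachment and no link")

    return {"score": score, "findings": findings, "suspicious": score >= THRESHOLD}


# Constructed sample messages (not real fraud samples).
BEC_LURE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jdoe.ceo@example.net
To: hr@example.com
Subject: Urgent request
Content-Type: text/plain; charset="utf-8"

Kindly send me the W-2s of all employees for last year as PDF.
I'm in a meeting and can't talk, so just email them to me.
Jane
"""

BENIGN_ATTACHMENT = """\
From: "Pat Lee" <pat.lee@example.com>
To: hr@example.com
Subject: Q2 payroll calendar
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Reminder: the Q2 payroll calendar is attached.
--b1
Content-Type: application/pdf; name="payroll-calendar.pdf"
Content-Disposition: attachment; filename="payroll-calendar.pdf"

JVBERi0xLjQK
--b1--
"""

GENUINE_EXEC = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Board deck
Content-Type: text/plain; charset="utf-8"

Can you pull the payroll summary for the board deck? Call me if anything is unclear.
"""

if __name__ == "__main__":
    for name, raw in [("lure", BEC_LURE), ("benign", BENIGN_ATTACHMENT), ("genuine", GENUINE_EXEC)]:
        print(name, score_message(raw))
```

The constructed lure scores 11 and is flagged; the benign payroll-calendar message and the genuine executive request both mention payroll but stay under the threshold, because the signal the page describes is the combination of impersonation, urgency and a bare text body, not any one keyword. The executive roster is the piece a deployment has to supply; without it the display-name check cannot fire.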
Other options for protecting against BEC scams are:
Because these threats arrive by email, companies should strengthen employee education and invest wisely in advanced email protection. Together, these measures greatly reduce the threat of BEC attacks.