In a past blog post, we discussed how cyber criminals will often use tax season as a cover to attack unsuspecting organizations. Usually this is done via a phishing method where the attacker poses as a member of a particular organization’s C-Suite and requests sensitive information be sent their way – like W2 forms, for example.
This trick relies on the fact that some HR employees do face requests similar to this, and in such a tense period (tax season), are more likely to slip up and fail to fully verify these requests.
With tax season now firmly in the background, one might think that cyber criminals would lay off this method of attack for the time being. Unfortunately, this is not true. As the IRS recently warned, these attackers are staying busy by trying to steal valuable information from tax professionals via fraudulent software updates.
The IRS describes these attacks as, “a new phishing email scam impersonating tax software providers and attempting to steal usernames and passwords.”
Tax professionals receive emails with a subject line reading “Software Support Update,” and the body of the email stresses that this is a very important update the reader should not pass up. Once the target indicates they’d like to receive this upgrade, the attacker then requests the victim to validate their login credentials, sharing a link to a fake website which has been designed to mimic the software developer’s portal.
If a tax professional then inserts their information, that’s all the attackers need to gain access to their systems and steal their client’s private information.
As the IRS warns, “This sophisticated scam yet again displays cyber criminals’ tax savvy and underscores the need for tax professionals to take strong security measures to protect their clients and protect their business.”
If you don’t, then the cost can be huge. As the IRS notes, it has received around 177 reports from tax firms of data being stolen – data which in turn has ended up affecting thousands of people who thought their information was in safe hands.
This attack is a particularly dangerous method known as “spear phishing,” which sends targeted, fraudulent emails to trick victims into turning over valuable information. These attacks are unique in that they can be very difficult to stop. Unlike lesser phishing attempts, these appear so official that they can often slip by certain spam filters or email authentication programs.
This is, it probably goes without saying, less than ideal. The onus to sift through what is and what isn’t a valid piece of communication falls entirely on your staff, which is an unfair thing to ask of them. As far as they can tell, they have no reason to believe this information isn’t correct. These attackers even have email templates designed to match those of the company they are impersonating. This attack, from top to bottom, is as sophisticated as it gets.
Therefore, it’s vital for all managers and owners to put an internal system and checklist in place to ensure all upgrades are valid. Teach your staff how they should react to requests like this – ideally by passing it up the ladder for verification. Work with your IT provider to ensure all authentic upgrades are scheduled and addressed. The IRS has released a thorough guide for how to avoid these spear phishing emails; send this resource around to your employees and have them carefully review this information.
After all of this, if you’re still unsure if something is fake or not, pass it on to your IT provider. Don’t hesitate – the health of your organization is at stake.
Interested in learning more about how you can protect your organization from threats like these? Click here to learn more about our Security Awareness Training.