In this third and final part of my three-part series on the challenges we face to securely functioning online in 2018, I’ll look at the threat of Business Email Compromise (BEC) scams during tax season in the United States.
For the past couple of years, I’ve written about how Business Email Compromise scams are associated with tax season which runs from January through April in the United States. As we head into the 2018 tax season it’s a good time to remind employees how to recognize these emails so as to not fall prey to these scams.
For the last two years, the IRS has issued alerts that cybercriminals are using executive impersonation email scams. In 2017 they were heavily targeting nonprofit organizations, schools and universities, tribal organizations, and healthcare clinics.
Executive impersonation Business Email Compromise (BEC) or Business Email Spoofing (BES) scams consist of cleverly manufactured emails designed to look legitimate – often using lookalike domain names to send the email – and have the appearance of coming from an executive. The email often asks for internal data that only a high-level executive can typically ask for and receive without additional checks and balances.
During tax season, the email often targets human resources or payroll managers, and they specifically request employee W-2 files. Cybercriminals comb LinkedIn and other social media sites to find the information they need to specifically target an individual employee, such as in this example:
United States Internal Revenue Service (IRS) W-2 Tax Forms are distributed in January every year by organizations to both employees and to the IRS, reporting the employee’s annual wages and the amount of taxes withheld from a paycheck over the past year. The form also conveniently includes all pertinent information needed to file a basic tax return – including the employee’s Social Security Number and current address.
This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme ” said IRS Commissioner John Koskinen.
The IRS provides a valuable resource page for understanding these types of attacks and who to contact if you or your organization have fallen victim: https://www.irs.gov/newsroom/tax-scams-consumer-alerts.
Beyond Tax Scams
Though there is a heavy focus on tax scams in the first four months of the year in the U.S. BEC scams can be used in many ways. These focused attacks attempt to compromise data or steal money by socially engineering an employee into taking an action sometimes by sending a wire transfer or replying to the email with data. In other cases employees are tricked into opening an attachment that contains malware. Indeed ransomware is often distributed via targeted customized emails and all it takes is one employee to open the attachment. Human resources employees may be targeted more heavily because they routinely receive emails from external email addresses with .pdf attachments.
How to Protect Your Organization
- Employee education awareness and empowerment are key to fighting social engineering tactics. Each employee must understand that they are the first line of defense and should question any out-of-the-norm communications.
- Employees (and all consumers in general) should be suspicious of pressure to take urgent action or action outside of normal business practices.
- Train team members to hit “forward” instead of “reply” so they are forced to type or select the correct “To:” email address.
- Pre-establish internal checks and balances to prevent one person from being able to send a wire transfer or email sensitive information such as an entire employee roster.
The IRS is recommending organizations report receiving W-2 scams to both the IRS at firstname.lastname@example.org with the subject line “W2 Scam” and to the FBI’s Internet Crime Complaint Center (IC3).
For individuals whose W-2 forms may have been compromised the IRS advises reviewing recommended actions by the Federal Trade Commission (FTC) at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
Additionally during tax season often there are other IRS related scams in the form of phone calls demanding payment for a tax return. The IRS will never demand payment over the phone call you for personal information or threaten to bring in local law enforcement for non-payment arrest. Do not give out any personal information over the phone when you receive a call of this nature. Call the IRS at 800-829-1040 for help.