It’s tax season again! Time to gather your receipts and W-2s, and to brace for phishing attacks. Last year, the IRS saw a wave of W-2 phishing scams that hit over 40 organizations in Q1 alone. This year, cybercriminals have become more sophisticated, launching a couple of different multifaceted attacks, the first of which is known as a double barrel attack.
Last year’s W-2 scams consisted of attackers using techniques like typosquatting (registering a lookalike of the company’s domain) to masquerade as C-level executives and request W-2 data from HR staff, in order to scam individual employees out of their tax refunds. This year’s double barrel attack combines that effort with an attempt to defraud the organizations themselves: a successful request for W-2 data is often followed by a request for a wire transfer from the same spoofed executive. Attackers are essentially hitting companies with a digital one-two punch.
Another tax scam gaining momentum this year targets tax preparation companies and accountants. Fraudulent emails carrying malicious attachments are sent as requests for help with tax preparation. When the attachment is opened, the machine is compromised and client data is exposed. From there, attackers use that information to file the clients’ tax returns and steal their refunds.
The IRS is calling this wave of attacks the most dangerous it has seen in a while. And although stolen refunds and fraudulent wire transfers are bad enough, stolen W-2s have also been found for sale on the dark web for Bitcoin. With this attack, nothing is sacred: schools, tribal organizations, nonprofits, and healthcare organizations have all been targeted.
So, what does this mean for security professionals in charge of keeping these attacks away from their companies? And what about individuals? As far as corporate security is concerned, employee training is key. A casual, easy-to-digest training is the best way to convey the severity of this threat (and of phishing in general) and to keep users on high alert. Strong Sender Policy Framework (SPF) records, together with DKIM signing and an enforcing DMARC policy, will block mail that forges your own domain. Be aware, though, that those controls do nothing against a lookalike domain the attacker registers themselves, so users (and your mail filters) still need to check the actual sender address, not just the display name.
Professional tax preparers should use strong passwords across all systems, turn on two-factor authentication (2FA) wherever it is available, and confirm that their systems are patched and running up-to-date antivirus. Employees at these firms should also be warned about this new wave of threats and taught how to recognize spear phishing and unusual system behavior. Individuals submitting their taxes to a professional accountant or tax preparation firm should not be afraid to ask that organization how their data will be kept secure. And finally, fear not! If something does happen, the IRS has a mitigation process in place to correct tax refund fraud and send the funds to the correct individual (see identity theft link below).