What do financial scammers have in common with florists? Turns out, they both have busy seasons. For florists, it’s February 14th. For scammers, it’s April 15th (and, this year, May 15).
Scammers exploit tax season because of its heightened urgency over financial compliance, which primes people to fall for hoaxes and phishing attacks and surrender sensitive data. “The IRS will jail you,” the caller says, “if you don’t settle up now. And could you make that payment in the form of Amazon gift cards?”
You may see through that one, but what if it were an email from your CFO saying that a major (and very unhappy) client needs a money transfer right away?
“The ingenuity of people who want to do nefarious activity is infinite,” says privacy expert Matt Stamper, president of the San Diego Chapter of ISACA. In 2020, more than $4.2 billion was lost to scams, according to the FBI’s 2020 Internet Crime Report.
For corporations, legal consequences can be even worse. “The legal landscape gets more complicated each year, with shorter data-breach notification time frames and more ability for individuals to sue,” warns Richard Santalesa of the SmartEdgeLaw Group.
Tax professionals need to be especially wary of data breaches, as the IRS explains. “Organizations face potential liability from numerous directions for data breaches—state attorneys general, federal agencies, individual plaintiff attorneys, and client companies,” says Santalesa. “Lastly, professionals, such as tax preparers, accountants, and attorneys, may additionally face censure or penalty from their professional regulatory associations.”
With all of that on the line, what can you do to protect your data?
You can start by not using email for confidential documents. Choose a secured, shared-file application site such as Box, and use appropriate permissions and protections. Include a password for the documents—and transmit it through another medium, such as text, advises ISACA’s Stamper. Beyond that, remember that commercial off-the-shelf antivirus tools can barely keep up with attacks on home users.
Businesses need to do more. A corporation needs a custom configuration of firewalls and enterprise-grade security software if it really wants to secure data from end to end on its journey through on-premises systems and cloud-based applications and servers. This means considering an investment in a data protection platform. In addition, Stamper recommends, companies should have executive security awareness training for key personnel. As we’ll see, executives are the prime targets of cybercriminals.
It’s worth remembering that the IRS does not phone people. It sends letters. Any caller claiming to be from the IRS or other government agency is a scammer. Full stop. The only exception is if you have pre-arranged a phone call with the agency.
Scammers also use email, text, and social media. Again, this is not the IRS’s style. Email scams (known as phishing attacks) used to be easy to spot: Phishing emails didn’t address you by name, but insisted you must immediately reset your password because “Securities is problem (sic).” Unfortunately, scammers are improving their English and their overall game. They can take personal information gleaned from social media posts, such as your mother’s maiden name, and craft letters that appear authentic.
Fortunately, in most cases, scammers aren’t going to bother with that level of customization. This could change, however, as more automated tools are developed, making it easy to drop stolen personal information into phishing form letters. For now, a little attentive reading, including a good look at the sender’s address, will prevent the average email user from falling for a scam. BankofAmericacom.ru is not your bank.
However, Stamper warns that high-value targets, such as your company’s senior executives and network administrators, are far more vulnerable to custom attacks. Scammers compile dossiers on their targets, including details from social media, the business press, and stolen data. With these, they create requests for money transfers plausible enough to get otherwise sophisticated people to drop their guard. They can also use this information to trick phone companies into issuing new SIM cards, thus cloning the cell phones of key personnel. This kind of thing is even more prevalent during tax time, when most people and companies will be open to financial and tax questions.
To defend your organization, offer security training and create strict protocols for authenticating requests, the most basic of which are: Never transfer money at the request of an unknown company’s “colleague.” If you know the requester, always call to confirm.
Here are some helpful tips to prevent scams and protect sensitive data:
· Don’t choose simple passwords. The longer and more complex the password, the better. Most important, says Stamper, use an especially strong password for your primary account, so that criminals can’t break in and use it to request password changes for your other accounts.
· Don’t repeat passwords and usernames among accounts. Massive data breaches are becoming more common because they’re a big pay-off for criminals. Because many people repeat their username/password combos, thousands of combos stolen from site A will often also work on sites B, C, D, and so on.
· Don’t leave anything confidential in plain sight or in an easily accessed part of your office—at least when you are back in one. No sticky notes with passwords in the top drawer of your desk.
· Don’t do anything on public, unsecured WiFi that involves confidential information.
· Don’t let anyone share a computer where you store confidential information.
· Don’t overshare on social media. That cute pic of your first pet, Spock the Iguana, just gave a scammer the answer to a “What is the name of your first pet?” security question.
Effective security means minimizing the damage when an incident does happen. By protecting data no matter where it is and how it is used, and by following those tips, your company should feel safer this tax season—and all year long.