Beware of data theft and other cybersecurity threats during tax season

According to the 2018 Worldwide Threat Assessment of the US Intelligence Community, released on February 13 by Director of National Intelligence Daniel R. Coats, the risk of a cyber attack is growing. Adversaries continue to target US critical infrastructure and other sectors, and their increasing sophistication and aggression pave the way for more surprise attacks.

The document suggests, “The potential for surprise in the cyber realm will increase in the next year and beyond as billions more digital devices are connected – with relatively little built-in security – and both nation states and malign actors become more emboldened and better equipped in the use of increasingly widespread cyber toolkits.”

IT and cybersecurity professionals know that tax season is breach season. Employees have the first three months of the year, until Tuesday, April 17, to file their taxes, either with or without the help of an accountant. Those choosing not to use an accountant use an online service instead, exposing themselves to insecure cyber conditions. Even with the help of an accounting services provider, there is the risk that information is processed on insecure networks.

Cyber criminals compromise employees’ sensitive information and, among other things, file fraudulent tax returns. In 2017, Tamara Powell, then acting director of the IRS Return Integrity Compliance Services, indicated that the number of organizations hit by a cyber attack rose during the year. For example, 200 organizations lost data through a phishing scam, which could have translated to hundreds of thousands of taxpayers’ personal information being exposed. No single industry was targeted, and the trend will undoubtedly continue in 2018.

CEO fraud and W-2 phishing scams are the most common types of tax-related cybercrimes

Criminal hackers commonly infiltrate computer systems through CEO fraud and W-2 phishing scams. CEO fraud is a type of email scam in which the attacker imitates a corporate officer and tricks employees into wiring funds. In tax-related CEO fraud, the malicious actor impersonates a high-ranking company officer and requests a copy of employee W-2 forms. These forms are a valuable bounty that criminal hackers can sell on the dark web or use to file fraudulent returns. Criminal hackers may also use the personal data on W-2 forms to commit identity theft.

As criminal hackers target a wider range of organizations, phishing has become more aggressive. According to the IRS Return Integrity Compliance Services, W-2 phishing emails increased 159 percent from 2016 to 2017. According to the IRS, W-2 phishing scams have become one of the most dangerous threats to the tax community: “During the last two tax seasons, cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces.”

Cybersecurity awareness training will help your organization fend off cyber crime

Information security and HR teams should work together to develop continual phishing assessments and training, providing an additional layer of defense that will help employees recognize and report suspicious emails. Employees should also be aware of cyber threats outside of the office. Scam phone calls from IRS imposters are expected, with fraudsters calling either to demand immediate payment or to convince victims that they are eligible for a tax refund if they provide valuable sensitive information.

IT Governance, a global leader in cybersecurity consulting, training, tools, and resources, has developed a multi-faceted, customizable program to help you to tackle employee awareness. We will conduct an organization-wide assessment of your learning needs, culture, and knowledge gaps, issue a detailed report, provide 149 eLearning licenses with test assessments, and include ancillary materials. The entire process will help you achieve long-term cybersecurity benefits. Learn more about our Security Awareness Essentials program.