When it Comes to Tax Season, There is No Safe Haven From Phishing

How bad actors get away with tax fraud

Tax season presents a unique opportunity for cyberattackers to commit identity theft and file fraudulent tax refunds. One of the most common tax-related phishing attacks is for malicious actors to pose as members of the accounting department or the tax authorities, such as the U.S. Internal Revenue Service (IRS), to socially engineer employees into sharing sensitive tax-related information including social security numbers or personal bank account information. To do this, they’ll leverage a number of tactics including:

• Sending attachments that install malware onto the target’s smartphone, tablet or personal computer.
• Sending fake authentication messages through SMS that convince the employee to enter their login credentials on a malicious site.
• Contacting employees over the phone and directing them to download a malicious app or visit a phishing page to access allegedly compromised tax documents.

While finance and HR professionals are aware of these types of attacks and remain diligent in protecting their employees’ personal information, the work-from-anywhere environment has made this more challenging. With many of these professionals working outside the office, it is no longer as easy to turn to colleagues to verify a suspicious message, making remote workers more vulnerable to respond to an urgent request.

Add to this the fact that mobile endpoints are much more trusted than desktop computers, as they’re increasingly relied upon by employees for both work and personal reasons. This means any messages received on them are less scrutinized. And because these devices have smaller screens and simplified user interfaces, it’s quite difficult to spot telltale signs of a phishing attack.

‍

How to avoid tax related scams this tax season

Attackers are aware that these scams are most effective on mobile devices and are creating phishing campaigns to take advantage of the mobile interface. On any given day, an employee working from home may check their personal email on a corporate-issued mobile device, or access corporate resources from a personal mobile device. In either case, there is a risk that this employee may be phished, resulting in the compromise of their enterprise credentials or enabling an attacker to move laterally to the enterprise network. 

The first line of defense against this type of phishing is education and awareness. Any text, email, WhatsApp message or communication that creates a time-sensitive situation should be a red flag. Employees should approach these messages with extreme caution or go straight to their IT and security teams to validate them.

Although many organizations still send tax forms to employees through physical mail, everything is moving digitally. Regardless of how tax documents are sent, security teams should protect employees across all endpoints to ensure they don’t fall victim to a phishing attack or download a malicious attachment that compromises the organization’s entire security posture.

Security practitioners should know whether they have proper security solutions in place. Even if they have phishing protection for email, they need to ensure their users are protected on their mobile devices regardless of where they work or what channel the phishing attacks come from.

To learn how Lookout delivers phishing and content protection to ensure that users are not putting corporate data at risk, visit our Phishing Spotlight Report.