When tax season begins each year, expect IRS scammers to come out of the woodwork. They send fake emails (phishing) and make fake phone calls (called vishing, or voice phishing), all to get your employees’ personal data and their W2s.

Identify Common Tax Scams

Oftentimes, these emails impersonate someone at your company in a position of authority. The scammers rely on people’s innate desire to be helpful and send an email to an administrative assistant while pretending to be a senior executive. The email can look legitimate; they may have created a fake email address that is very close to the actual address of the person they are pretending to be. They may have seen that the senior executive is on vacation via social media, including Facebook, Twitter, Instagram, or even LinkedIn. That information is then used to craft an email that seems legit, such as:

“I’m really enjoying my vacation here in Bali, but I forgot to do something very important before I left town. Since I didn’t bring my work laptop with me, can you please gather up this year’s W2 forms and send them to our consultant so he can finish up an important analysis I asked him to do? He can be reached at ThisIsAScam@gmail.com. This confidential project needs to be kept quiet for now. Thanks! I’ll see you when I get back from vacation!”

It may come from an impersonated email address at one of the free email services like Gmail, Yahoo!, or AOL. It will have enough legitimate information and a sense of urgency to convince someone they are doing their job and following their senior executive’s request. After all, the colleague is in Bali.

How to Avoid Tax Scams

How do you stop this from happening? Well, do you have a multi-layered cybersecurity approach in place to Protect, Detect, PREVENT (but if that fails!), Respond and Recover? If you don’t, you should!

Safeguards need to be in place to prevent these types of scammer emails from being delivered to your employees’ mailboxes in the first place. To start, make sure you have an email filtering solution that is properly configured. Additionally, people need to be trained not only to detect these emails when they make it past spam filters, but also to report them to the internal IT team. It is also important to conduct regular training exercises so that your employees improve their ability to detect and report phishing attempts.

Depending on your business and regulatory requirements, it may be appropriate for you to have systems in place that look for sensitive data being sent outside of your company. This is called Data Loss Prevention (DLP) and can be configured to look for all sorts of sensitive information like SSNs, credit card information, banking information, etc. If you do fall victim to an IRS scam, the IRS has a website with additional information and an email to submit a report.
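
A minimal sketch of the kind of content rule a DLP system applies to outbound mail, added here as an illustration and not taken from any particular DLP product: it flags a message only when it goes to a recipient outside the company and contains a plausible SSN or a card number that passes the Luhn check. The internal domain `example.com` and the sample message are constructed assumptions; the external address is the one from the scam email quoted above.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"  # assumption: the company's own mail domain

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13 to 19 digits

def valid_ssn(area, group, serial):
    # Never-issued values cut false positives: area 000, 666, 9xx; group 00; serial 0000.
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    # Luhn checksum: double every second digit from the right.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_outbound(raw_message):
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = [addr for _, addr in getaddresses(headers)]
    external = [a for a in rcpts if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    body = msg.get_payload()
    ssns = [m.group(0) for m in SSN_RE.finditer(body) if valid_ssn(*m.groups())]
    cards = [m.group(0) for m in CARD_RE.finditer(body)
             if luhn_ok(re.sub(r"\D", "", m.group(0)))]
    # Block only when sensitive data is leaving the company.
    return {"external": external, "ssns": ssns, "cards": cards,
            "block": bool(external) and bool(ssns or cards)}

# Constructed sample: a reply to the scam email with payroll data pasted in.
SAMPLE = (
    "From: assistant@example.com\n"
    "To: ThisIsAScam@gmail.com\n"
    "Cc: payroll@example.com\n"
    "\n"
    "Jane Doe, SSN 123-45-6789\n"
    "Reference 000-12-3456\n"
    "Card 4111 1111 1111 1111\n"
)

if __name__ == "__main__":
    print(scan_outbound(SAMPLE))
```

Real DLP products also inspect attachments such as PDFs and spreadsheets, which is where W2 data usually travels; this sketch reads only a plain-text body.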

It is crucial to stay informed and prepared, and there are many ways to get started. One of the best options is to pick a cybersecurity framework to see exactly how you’re doing.

GBQ IT Services is one team of builders, breakers, operators and auditors with access to a consortium of 50 experienced IT, cyber and assurance professionals delivering IT risk, cybersecurity and productivity solutions. We build value through IT strategy, protect value with information risk and cybersecurity services, measure value and improve productivity with data analytics and process automation and assure value through IT audit services.


Article written by:
Larry Rosen
Security Architect
