Business Email Compromise and Tax Season
It’s tax season again, and W-2s, 1099s, and dozens of other tax forms are flying around. These documents, which include personally identifiable information, such as addresses and Social Security numbers, have attracted spear phishers who are using Business Email Compromise, or BEC, tactics to steal this information.
There are thousands of employees across the land who in some way or other handle tax-related documents, and they have found themselves potential targets for scammers. In fact, the FBI has issued alerts about these cybercriminals, and the IRS has weighed in as well: “This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
BECs show how far phishers have come since the days of spam emails that dropped into your inbox with typos, grammatical errors, fake “account numbers”, and other obvious clues. BEC spear phishers have done their homework: rather than sending one phishing email to thousands of people, they now craft emails targeted at individual employees.
A typical example of a BEC email may look something like this:
Cheryl Knight is the name of the recipient, so the greeting in the body of the email is correct, and Robert is an actual employee in the organization’s human resources department. Furthermore, the scammer knows Cheryl has access to W-2 forms and, because of his true position in the company, Robert might reasonably request the forms.
This targeted attack has become the new norm. The scammer is relying on the would-be victim to trust the alleged sender and fulfill the request.
Fortunately, there are ways to effectively protect yourself and your organization against BECs:
- Call the executive or manager to verify that the request is legitimate.
- Double-check the email address of the sender to make sure it isn’t being spoofed.
- Avoid replying to the sender, especially if the message came from a personal email address. Instead, send your response to the executive or manager’s actual work email address.
- Be cautious of changes in how the sender communicates, especially if you are asked to maintain secrecy or if the tone is urgent.
- If you do fall victim to a BEC, it is very important to alert your manager quickly. If funds were transferred, there may be a chance to freeze the process and recover the funds.
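The address and tone checks in the list above can be scripted so that payroll or helpdesk staff have a quick first-pass triage for a suspicious request. The following is an added example, not code from the original post, and it uses only Python's standard library. The organization domain `ORG_DOMAIN`, the two sample messages, and every name and address in them are constructed for illustration; the checks flag a sender outside the company domain, a lookalike domain, a Reply-To that points somewhere other than the From address, SPF/DKIM that did not both pass, and wording that pushes urgency or secrecy.

```python
"""Triage checks for a suspected BEC message.

Added example, not code from the original post. It uses only Python's
standard library. ORG_DOMAIN, the sample messages, names and addresses are
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organization's real mail domain (assumption).
ORG_DOMAIN = "example-corp.com"

# Constructed sample: display name matches a real HR employee, but the
# address is a personal webmail account, Reply-To goes to a lookalike
# domain, and the body pushes urgency and secrecy.
SUSPECT_MESSAGE = """\
From: "Robert Hale" <robert.hale.hr@webmail.example>
Reply-To: robert.hale@example-corp-payroll.com
To: Cheryl Knight <cheryl.knight@example-corp.com>
Subject: W-2s needed today
Authentication-Results: mx.example-corp.com; spf=softfail smtp.mailfrom=webmail.example; dkim=none
Content-Type: text/plain; charset="utf-8"

Hi Cheryl,
I need the W-2 forms for all employees for a quick review. Please send them
as soon as possible and keep this between us for now.
Thanks, Robert
"""

# Constructed sample: a routine request sent the legitimate way.
LEGIT_MESSAGE = """\
From: "Robert Hale" <robert.hale@example-corp.com>
To: Cheryl Knight <cheryl.knight@example-corp.com>
Subject: W-2 reconciliation for Q1
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com
Content-Type: text/plain; charset="utf-8"

Hi Cheryl,
Per yesterday's meeting, please upload the reconciled W-2 totals to the
payroll share when you have them. No rush.
Thanks, Robert
"""

URGENCY_TERMS = ("as soon as possible", "urgent", "immediately", "right away")
SECRECY_TERMS = ("keep this between us", "don't tell", "do not discuss")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _looks_like(domain: str, org_domain: str) -> bool:
    """True for a lookalike: contains the org's name label but is not the org domain."""
    label = org_domain.split(".")[0]
    return domain != org_domain and label in domain


def bec_indicators(raw: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return the red flags found in a single-part text message; [] if none."""
    msg = message_from_string(raw)
    flags: list[str] = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if from_dom != org_domain:
        flags.append(f"sender address is outside {org_domain}: {from_addr}")
    if _looks_like(from_dom, org_domain):
        flags.append(f"sender domain resembles {org_domain}: {from_dom}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = _domain(reply_addr)
    if reply_addr and reply_dom != from_dom:
        flags.append(f"Reply-To goes to a different domain: {reply_addr}")
    if _looks_like(reply_dom, org_domain):
        flags.append(f"Reply-To domain resembles {org_domain}: {reply_dom}")

    # Authentication-Results is written by the receiving mail server, so a
    # missing or failed SPF/DKIM result is a stronger signal than the From line.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        flags.append("SPF and DKIM did not both pass")

    body = msg.get_payload().lower()  # single-part message: payload is the text body
    if any(t in body for t in URGENCY_TERMS):
        flags.append("urgent tone")
    if any(t in body for t in SECRECY_TERMS):
        flags.append("request for secrecy")
    return flags


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, "->", bec_indicators(raw) or "no indicators")
```

None of these flags proves a message is fraudulent, and their absence does not prove it is genuine; they are prompts to pick up the phone and verify with the manager at a known number, which remains the control that actually stops the scheme.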
Want to learn more?
Talk to one of our Cybersecurity Experts and request a free demo today. 855-765-4925