We all hear reports of a significant increase in phishing activity in the world around us. Many of us know to be careful, and yet the thought still might enter our minds to open that questionable attachment or click the link because we are busy. Let’s face it, the only way we will see change is if we all focus on eliminating the identity theft and fraud risk that phishing creates. That means not only protecting ourselves, but spreading the word to those we know and work with and making sure everyone understands this potential bombshell, which is why we are devoting this post to the subject.
It is reported that the total number of unique phishing attacks in 2016 was 1.2 million, a 65 percent increase over 2015. We now see close to 100,000 unique phishing attacks each month, a more than 5,000 percent increase in just the last decade. Each phishing attack has the potential to involve millions of emails.
Phishing.org reports there are more than 100 billion spam emails sent each day; more than 85 percent of all organizations have been targeted by phishing attempts and phishing damages exceed $1 billion. Verizon, which publishes an annual data breach investigations report, warns that 1 in 14 users are tricked into opening a link or attachment from a phishing email. The sad part is that a quarter of the victims have been duped more than once.
The bulk of successful phishing attacks include some sort of malware installation that allows thieves to export data or take control of the systems. The main culprit is either stolen passwords or weak passwords that are easily guessed. We thought that the following reminders on passwords would help those in our professional network:
- Use strong, unique passwords.
- Better yet, use a phrase instead of a word.
- Use different passwords for each account.
- Use a mix of letters, numbers and yes, include special characters.
- Mix lower-case and capital letters.
- Vary the order of the mix so that the same pattern is not repeated.
- Avoid obvious strings or sequences.
- Consider using password management software.
Those of us who hold sensitive financial data are critical targets. At C & B, we have numerous levels of protection, including varying levels of passwords, mandatory password rotation and password criteria, as well as a policy of not clicking on links and only opening attachments from known sources.
You should be especially aware of spear phishing emails, a common tactic used by cybercriminals to target those who hold sensitive customer personal information. Ordinary phishing emails target a broad group of users in hopes of catching a few victims. Spear phishing emails, often tailored to specific individuals, are the most common: they pose as familiar entities, and the cybercriminals have done extensive research and homework in order to target a specific audience.
We are using an example from the Protect Your Clients, Protect Yourself campaign called “Don’t Take the Bait,” which is specifically aimed at tax professionals. It is a spear phishing email that targeted a tax professional during the 2017 filing season. Note the use of “Tax return” in the subject line to bait the tax preparer as the sender impersonates a prospective client:
Note the sophistication of the sender, who has done their research and obtained the name and email address of the tax professional. The email is conversational but ungrammatical and oddly constructed: “hope your (sic) doing good (sic) and actively involved in the tax filing season.” This is potentially a sign that English is a second language. Finally, note that the hyperlink uses a “tiny” (shortened) URL to mask the true destination; this is another red flag.
There are several other versions of spear phishing emails in which the criminal poses as a potential client. In one version, the prospective “client” directs the tax professional to open an attachment to see the 2016 tax information needed to prepare a return. In reality, the attachment downloads malware that records each keystroke made by the professional so that the criminal can steal passwords and sensitive data.
It is important to realize that most spear phishing emails include a “call to action” as part of their tactics: an effort to pressure the recipient into opening a link or attachment. The example above asks the preparer to review the sender’s tax information and provide a cost estimate.
Other spear phishing emails impersonate the IRS, such as the IRS e-Services tools for tax professionals, or in some instances a private-sector tax software provider. In those examples, preparers are warned that they must immediately update their account information or suffer some consequence. The link may go to a website that has been disguised by the thieves to look like the login pages for IRS e-Services or a tax software provider.
Cybercriminals are endlessly creative. This year, some identity thieves hacked individuals’ email accounts. Noticing that the individuals had been in email contact with tax preparers, the criminals used those accounts to send a note to the preparer asking that the direct deposit refund account number be changed.
Protecting You and Your Business from Spear Phishing
There is no one action to protect your customers or your business from spear phishing. It requires a series of defensive steps. Tax professionals should consider these basic steps:
- Educate all employees about phishing in general and spear phishing in particular.
- Never take an email from a familiar source at face value; for example, an email from “IRS e-Services.” If it asks you to open a link or attachment, or includes a threat to close your account, think twice. Log in directly to the website to confirm that action is truly required.
- If an email contains a link, hover your cursor over the link to see the web address (URL) destination. If it’s not a URL you recognize, or if it’s an abbreviated URL, don’t open it.
- Consider confirming an email request verbally, by phone.
- Use state-of-the-art security software to help defend against malware, viruses and known phishing sites, and set it to update automatically.
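As an added example (not part of the original post), the following Python script applies the link checks from the list above to a constructed email body: it flags links whose destination is a known URL-shortening host (an assumed list) and links whose visible text names a different site than the real href, which is exactly what hovering over the link would reveal.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of URL-shortening hosts; extend it for your own environment.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "ow.ly"}

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL; bare text such as www.example.com works too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def flag_links(html):
    """Return (href, reason) pairs for links a reader should not trust."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if href_host in SHORTENERS:
            findings.append((href, "shortened URL hides the true destination"))
        elif "." in text and " " not in text and host_of(text) not in ("", href_host):
            findings.append((href, "visible link text does not match destination"))
    return findings

# Constructed sample modelled on the "prospective client" email described above.
SAMPLE = ('<p>Hope you are doing good. Please review my tax return at '
          '<a href="http://tinyurl.com/abc123">my documents</a> and also '
          '<a href="http://203.0.113.7/login">https://www.irs.gov/e-services</a>. '
          'Our site is <a href="https://www.example-cpa.com">www.example-cpa.com</a>.</p>')

if __name__ == "__main__":
    for href, reason in flag_links(SAMPLE):
        print(f"{reason}: {href}")
```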
Contact Czarnowski & Beer today for a no-obligation financial statement evaluation, or to speak to one of our certified accountants about your unique situation. We can help!