Tips for educating staff on tax related scams

While millions of businesses and individuals are planning on a refund this tax season, cybercriminals globally are working to line their own pockets. We can expect cybercriminals to rely on many of the same tactics that have proven successful in the past, such as phishing campaigns, stolen data and account takeovers.

Phishing campaigns that manipulate unsuspecting victims into sharing their personal or corporate data with a fraudster are not new. However, according to open-source reporting, a worrying development this tax season is the banking Trojan Emotet, which has the potential to compromise an organisation's entire network.

In this campaign, a user is lured into clicking an attachment or link that purports to contain a tax form. Once the victim clicks the link or attachment, their system becomes infected with the Emotet malware. In addition to harvesting user credentials, Emotet is often used as a first-stage dropper in a phased attack that ends with Ryuk ransomware.

Another ransomware variant, Maze, is associated with a tax-centric malspam campaign that hit European users in late 2019. Victims received a phishing email supposedly from the German Ministry of Finance or the Italian Revenue Agency, which directed them to open an attached Word document for instructions on how to request a refund. When users opened the document, malicious code installed Maze ransomware on their computer.

Maze has gained significant notoriety within the past three months for becoming the first ransomware variant whose operators have publicly posted exfiltrated data of victim companies that do not pay the ransom.

What can organisations and individuals do?

Be particularly alert during the tax season and follow best practices for cyber hygiene, such as the following:

  • Educate your staff, especially finance and human resources staff, on the increasing risk of tax-related phishing campaigns during this time frame, which can also lead to other crippling cyberattacks such as ransomware. Contact me for help.
  • Communicate to staff exactly what to expect from your HR or Payroll team at tax time. 
  • Leverage resources like the IRS Identity Theft Central platform to stay abreast of current trends and the steps to take if you become a victim of tax fraud or identity theft. In Australia, refer to ScamWatch or Cyber.Gov.Au.
  • Report any suspicious activity to ScamWatch https://www.scamwatch.gov.au/report-a-scam
  • Remember that tax authorities will never request personal details such as bank account details via email, SMS or voice mail. They won't ask for payment in the form of gift cards, or make threatening calls demanding payment. If you do owe a tax debt, you will likely receive a letter in the mail. https://www.ato.gov.au/General/Paying-the-ATO/If-you-don-t-pay/
  • Do not allow passwords to be reused across multiple platforms/applications, and remind staff to follow the same practice with their personal online accounts.
  • Set complex passwords with at least eight characters and a mix of special and alphanumeric characters.
  • Consider implementing next-generation antivirus solutions and endpoint threat monitoring and response capabilities.
  • Ensure your incident response plan is up-to-date, particularly regarding potential breach notification responsibilities.

Really shows the importance of educating staff on tax related scams, thanks.
