This tax season, don't focus only on savings; be vigilant too, because you may be the next victim of spear phishing. Cyber criminals take advantage of our focus on tax saving and our hope of getting some money back from the government.
Attackers send an email to employees that convincingly mimics the email address of the company's CEO and asks them to share the employees' W-2 forms. This hands the attackers the personal data they need to file fraudulent returns and collect the refunds.
If you live in the UK, you may see phishing attacks impersonating HM Revenue & Customs (HMRC) and promising a refund. Clicking the link in the mail redirects you to a site that looks legitimate and asks for your name, address, phone number, credit card details, mother's maiden name and ID numbers, giving the attackers everything they need for full-fledged identity theft.
Similar lures have been reported in France, Australia and the United States.
Many businesses and their employees are falling for this spear-phishing attack. It tricks an employee in the HR or finance department into sending the company's W-2 forms to someone posing as the CEO or a senior manager, who asks for the forms citing some financial emergency.
What is a W-2 Form?
The W-2 is a United States federal tax form that employers issue to each employee, stating the wages paid and the tax withheld during the year. It contains the employee's name, Social Security number (SSN), address and other confidential data. It is also called an information return.
Normally only authorized personnel in the HR or finance department have access to this data.
What is Spear Phishing?
Spear phishing is an email spoofing attack that targets specific organizations or individuals in order to obtain confidential information. It relies on tactics that win the victim's trust and attention, such as impersonating a known person and techniques for slipping past security controls.
How does Spear Phishing work?
Spear phishing focuses on selected individuals or employees. In most cases the attackers do not have to work hard: most companies publish the full name, title and email address of their executives, so the information needed to impersonate one is easy to collect. This makes the corporate website a treasure trove for the bad guys who want to send phishing mails posing as a specific person.
Defending Against Spear Phishing
Any form of phishing eventually leads to the compromise of sensitive data. If ignored, a company will suffer a data breach and the identity theft of its employees or customers. Notable incidents in which companies lost millions of dollars and had customer records compromised include JP Morgan, Home Depot and Target.
Attackers target not only large businesses but also small and mid-size businesses. Small companies have less security infrastructure and fewer staff, so they are easier targets.
Since email is the most common medium of communication in organizations, it is important to secure it against spear phishing. Employees should be trained to recognise the different phishing techniques and to tell a genuine mail from a phishing mail.
Here are a few pointers that can protect you and others from this scam:
1. The first and most common thing to notice in a suspicious email is misspelled text and odd vocabulary, although a well-crafted spear-phishing mail may have neither.
2. Maintain strong security controls on the network and the mail gateway so that such messages cannot simply bypass them.
3. If you receive an email requesting confidential information, confirm it first by contacting the individual who is allegedly requesting it. Never use the telephone number or email address given in the suspicious mail; instead, cross-check through a contact you already trust, such as the company directory.
4. Do not share or send confidential information through unencrypted email.
5. File your tax returns and do not keep the data on your machine.
6. Do not save usernames or passwords on public or shared office systems.
7. Finally, think before you click!
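The CEO-impersonation mail described in this article usually gives itself away in the headers rather than in the spelling: the executive's display name sits on an address that is not theirs, the sender domain is a lookalike of the real one, or a Reply-To quietly routes answers somewhere else. The script below is an added example, not code from the original article; it runs those header checks plus a simple "W-2 plus urgency" wording check over three constructed sample messages. The company domain `example.com`, the executive directory and the sample mails are all assumptions made for illustration.

```python
"""Heuristic checks for a CEO-impersonation (W-2 request) email.

Added example, not part of the original article. The company domain, the
executive directory and the sample messages are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumed company domain and a tiny directory of executives whose names an
# attacker is likely to borrow (display name, lowercased -> real address).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Wording that typically accompanies a fraudulent W-2 request.
W2_WORDS = ("w-2", "w2")
URGENCY_WORDS = ("urgent", "asap", "immediately", "right away", "as soon as possible")


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rpartition("@")[2].lower()


def analyze(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    sender_domain = domain_of(sender)
    findings = []

    # 1. Display name of a known executive on an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and sender.lower() != real:
        findings.append(("display-name-impersonation",
                         f"'{name}' is an executive but the address is {sender}"))

    # 2. Sender domain one or two edits away from the real one (typo-squat / homoglyph).
    if sender_domain != COMPANY_DOMAIN and edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        findings.append(("lookalike-domain", f"{sender_domain} resembles {COMPANY_DOMAIN}"))

    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_to}, not to {sender}"))

    # 4. Request for W-2 data combined with pressure to act quickly.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(w in text for w in W2_WORDS) and any(u in text for u in URGENCY_WORDS):
        findings.append(("urgent-w2-request", "asks for W-2 data with urgency wording"))

    return findings


# Constructed sample messages (not real mail).
SPOOFED_W2_REQUEST = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.office@mail-example.net>
To: hr@example.com
Subject: W-2s needed today

Hi, I need the W-2s of all employees right away for an urgent financial review.
Please send them to me as a PDF.
"""

FREEMAIL_IMPERSONATION = """\
From: Jane Doe <jane.doe@gmail.com>
To: finance@example.com
Subject: Quick favour

Are you at your desk? I need you to handle something for me.
"""

GENUINE_MESSAGE = """\
From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: Quarterly meeting

Please book the large conference room for Thursday afternoon.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_W2_REQUEST),
                       ("freemail", FREEMAIL_IMPERSONATION),
                       ("genuine", GENUINE_MESSAGE)):
        print(label, [code for code, _ in analyze(raw)])
```

The spoofed request trips all four checks, the free-mail message trips only the display-name check (its domain is too far from the real one to count as a lookalike), and the genuine mail trips none. These are heuristics for an analyst or a mail-filter rule, not proof: a message that passes them can still be fraudulent, which is why the out-of-band confirmation in the pointers above remains the decisive step, and why SPF, DKIM and DMARC checks at the mail gateway belong alongside them.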