Sunday, September 19, 2021

Tax Time Means Prime Time For The Cyberattacker: 4 Quick Ways For The SMB To Stay Safe

Well hey everybody out there, Happy Weekend!!  Guess what!?!?  If you filed for a tax extension, you are going to have to pay next month.   This also happens to be one of the prime seasons for the Cyberattacker to come out of hiding. 

The reason for this is clear and simple:  In one fell swoop, they can collect a treasure trove of Personally Identifiable Information (PII) datasets from people all over the United States, and in fact from the entire world, as long as those people have to file taxes here in the United States. 

But now, their tactic has changed.  It is not so much going after individuals, but rather the IRS itself and pretty much all of the tax accountants that they can get their hands on.

Why are they doing it this way?  Well, the answer is simple:  Rather than go after one individual, why not go after an entity that holds far more PII datasets, which can be garnered in one shot, as just described?  Once again, one will never be 100% immune from becoming a victim, but the key is in mitigating that risk. 

Although you have the ultimate responsibility to make sure your confidential information and data is safe, the other parties have an equal stake as well, and must be cognizant of the fact that they need to do their part, too.

So what can be done?  Here are some strategies:

*Your accountant should be implementing training programs:

Yes, this is a subject that has been labored on who knows how many times before, but your accountant should be holding regular security awareness training seminars for their employees, if the company is large enough.  If it is not, then your accountant themselves should seek out the needed training so that he or she can be aware of what to look out for.  Once again, it all comes down to Phishing Emails.  As I have written about in the past, this means recognizing such things as BEC Attacks, Spear Phishing Attacks, Fake Invoice Attacks, Social Engineering Attacks, Smishing Attacks, you name it.  The best line of defense in this regard is to simply ignore the call, or delete the Email or the text message.  Of course, if you are expecting to receive something, and you still have doubts, contact your accountant or the IRS first to see if it is legitimate.  Of course, calling the IRS and waiting for hours on end can be an infuriating task, so maybe in this regard, you could even seek the help of a reputable Cybersecurity company.  But just make sure that you do your homework on them first.  Everybody wants to help each other, so there should be a minimal charge, if any, to help you out.  Actually in this regard, you could even engage a Penetration Testing company to simulate real world Phishing attacks of the types that I have just reviewed, just to see how cognizant your employees are.  Of course, those that fall for the bait will need more training.  In theory, these Emails should look like Phishing Emails with the IRS logo.  But keep one thing in mind:  The Cybersecurity company doing these mock drills for you must be licensed by the IRS in order to use that logo.  If there is no explicit and written permission, not only they, but you too could be held liable for using an official government logo without permission.  So in this regard, make sure that the Cybersecurity company does indeed have this permission.

*Make sure that your documents are delivered securely:

Yes, there are still some people who like to do things the old-fashioned way, and still use the snail mail for the sending and receiving of tax return documents.  But most of us have now gone the digital route, so that we can get our refund even quicker.  But there has to be security on both fronts:  Your accountant should send your stuff through an encrypted Email software package.  Yes, this can be a pain, because you will have to create an account and use a One Time Password (OTP) to access these documents.  Then you, the taxpayer, have to make sure that whatever you send to your accountant is also safe as well.  Hopefully, there will be some layer of encryption in the Email service that you use.  But if you are using a service like Yahoo Mail or Gmail, don’t count on it.  If you send stuff with these two, always call your accountant’s office to make sure that they have received all of the attachments.  And also confirm with them that everything looks reasonably OK; in other words, they should also be checking the integrity of the contents.  In the Cyberworld, there is always that chance your message could be intercepted, and fake or altered documents could be inserted instead while your message is in transit to the receiving party.
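One way to make that integrity check concrete, as an added example that is not part of the original post: the sender computes a SHA-256 digest of each attachment and confirms it over a separate channel (the phone call mentioned above, not a reply to the same Email), and the receiver compares what arrived against it. The script below uses only Python's standard library; the document bytes, file names and the "altered in transit" copy are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample: the bytes the accountant actually sent.
ORIGINAL_RETURN = b"%PDF-1.4 constructed sample tax return, AGI 54,210\n"
# Constructed sample: the same file with one figure changed in transit.
TAMPERED_RETURN = b"%PDF-1.4 constructed sample tax return, AGI 94,210\n"


def full_digest(data: bytes) -> str:
    """Full SHA-256 hex digest; this is what actually protects integrity."""
    return hashlib.sha256(data).hexdigest()


def fingerprint(data: bytes, groups: int = 4) -> str:
    """Short, phone-friendly prefix of the digest (e.g. 1A2B-3C4D-...).

    Only for reading aloud to confirm by a separate channel; a 16-hex-character
    prefix is plenty to catch an accidental or opportunistic swap, but keep the
    full digest on record for the real comparison."""
    digest = full_digest(data)
    return "-".join(digest[i:i + 4] for i in range(0, 4 * groups, 4)).upper()


def attachment_matches(received: bytes, expected_digest: str) -> bool:
    """Constant-time compare of the received file's digest with the confirmed one."""
    return hmac.compare_digest(full_digest(received), expected_digest.lower())


def check_delivery(attachments: dict, confirmed_digests: dict) -> dict:
    """Check every attachment the sender confirmed; flag missing, altered and extra files.

    attachments: {file name: bytes that arrived}
    confirmed_digests: {file name: SHA-256 hex confirmed out of band}"""
    report = {}
    for name, digest in confirmed_digests.items():
        if name not in attachments:
            report[name] = "missing"
        elif attachment_matches(attachments[name], digest):
            report[name] = "ok"
        else:
            report[name] = "altered"
    for name in attachments:
        if name not in confirmed_digests:
            report[name] = "unexpected"  # something the sender never mentioned
    return report


if __name__ == "__main__":
    print("sender reads out:", fingerprint(ORIGINAL_RETURN))
    print("tampered copy   :", fingerprint(TAMPERED_RETURN))
    print(check_delivery({"return.pdf": TAMPERED_RETURN},
                         {"return.pdf": full_digest(ORIGINAL_RETURN)}))
```

The "unexpected" entry matters as much as "altered": a message that arrives with an extra attachment the sender never mentioned is exactly the inserted-document case described above.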

*Beware of intimidation tactics:

In order to lure taxpayers and accountants and even businesses in general to give up their PII datasets, the Cyberattacker will go to great lengths to claim that they are an authorized representative from the IRS.  Such scams to be on the lookout for include the following:

*A call demanding immediate payment, such as by credit card, debit card, checking account, etc.;

*A demand that any back taxes be paid immediately, without the benefit of first appealing to a court of law;

*Threats to physically invade the place of business, arrest employees, take control of the business license, etc.

The bottom line here is that the IRS, no matter how intimidating they may get (especially with those letters), has to stay within certain bounds of the law that it cannot overstep.  For example, they will never call you demanding payment, nor will they threaten to come to your business.  All communication is usually done by snail mail, and there is a process that the IRS must follow before it all comes down to this.  Heck, there is even a Taxpayer Bill of Rights that they have to abide by, and one of those rights is your right to go to tax court to fight the IRS if you think that they are in the wrong.  But this brings up yet another key issue:  How do you even know if a snail mail letter you get from the IRS is for real or not?  Yes, this is happening also, and even I was almost duped once.  If you have any doubts, always call the IRS to see if they have actually sent you a letter or not.

*Access to W2 documents:

This is probably the heart and soul of any tax return that is to be prepared.  After all, the gross wages that you have earned and all of the taxes that you have had withheld have to be reported to the IRS by the end of January.  Likewise, employers are also required by law to send out W2 forms in the mail to employees no later than January 31st.  But in an effort to make things more streamlined and efficient, many companies are now offering these documents for access on the Internet.  While most of the confidential information is usually X’d out (such as the Social Security Number), this sometimes does not happen.  So, if you do go this route, make sure that the portal you are using to access these documents requires at least two forms of authentication (the more, the better), with one of them being at least a One Time Password.  Also, if you are an accountant, make sure that you restrict access to these documents in your company to only those staff members who absolutely need to have it in order to complete the tax return.  You need to be especially mindful of this if your employees use their Smartphones to access these documents when they work remotely.
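As an added example (not code from the original post or from any particular portal), here is what "two forms of authentication, one of them a One Time Password" plus "only the staff who need it" look like in working code: a password check, a time-based OTP check using the standard TOTP algorithm (RFC 6238, HMAC-SHA1 over a 30-second counter), and a separate role check before a W2 document is opened. The user record, password, salt and role list are constructed; the demo secret is the RFC 6238 reference key, so the code it produces at time 59 can be checked against the published vector.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 reference key (ASCII "12345678901234567890").
# A real portal enrolls a random per-user secret and shares it once (e.g. via QR code).
DEMO_SECRET = b"12345678901234567890"

# Least-privilege list (constructed): only these roles may open W2 documents.
W2_ROLES = {"preparer", "reviewer"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift.

    Comparison is constant-time. A real portal would also refuse to accept the
    same code twice within one step and would rate-limit guesses."""
    base = at_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + drift), submitted):
            return True
    return False


def make_user(password: str, totp_secret: bytes, role: str) -> dict:
    """Constructed user record: PBKDF2 password hash, enrolled TOTP secret, role."""
    salt = b"constructed-static-salt"  # real code: 16+ random bytes per user
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"pw_hash": pw_hash, "salt": salt, "secret": totp_secret, "role": role}


def login(user: dict, password: str, code: str, at_time: int) -> bool:
    """Both factors are always evaluated, and both must pass."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["secret"], code, at_time)
    return password_ok and code_ok


def can_view_w2(user: dict) -> bool:
    """Authentication is not authorization: only listed roles may open W2 files."""
    return user["role"] in W2_ROLES


if __name__ == "__main__":
    preparer = make_user("correct-horse-battery", DEMO_SECRET, "preparer")
    now = 59  # RFC 6238 vector time; real code uses int(time.time())
    print("current code:", totp(DEMO_SECRET, now))
    print("login ok    :", login(preparer, "correct-horse-battery", totp(DEMO_SECRET, now), now))
    print("may open W2 :", can_view_w2(preparer))
```

Keeping `login` and `can_view_w2` separate is the point of the last sentence above: a receptionist with a valid password and OTP still should not be able to open W2 files, and that rule has to be enforced on every document request, not just at login.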

My Take On This:

Well, there you have it, some tips for both you and your accountant to keep your tax returns safe so that you can get your refund and enjoy it for whatever you want to use it for.   I personally have known people and businesses that have fallen for tax scams, and it can take years to recover from it.  It is both a drain financially and mentally.  Avoid all of these nightmares by being proactive now!!!
