Well, whether you like it or not, the deadline for filing
taxes is approaching – in fact, it is April 18th. It can always be an unnerving time,
especially for last-minute tax filers.
But there is yet one more thing to worry about other than filing on time
– and that is the Cyber threats that loom at this time of the year.
This is one of the prime times for hackers to come out of
the woodwork and do everything possible to submit a falsified return in order
to get their hands on your well-earned refund.
In fact, there is really nothing new about these kinds of
attacks, as they have loomed since the last decade. But it is not just the taxpayers that are
hit; the accountants and the tax preparers are just as much of a target.
Heck, even the IRS has become a highly favored target, with Cyberattackers
setting up fictitious and phony sites.
But what is different this time is that the Cyberattacker now
has a powerful weapon in their arsenal, and that is AI. With everything from Deepfakes to
ChatGPT, phony emails and just about everything else now look so real. In fact, it is even difficult for the trained
Cyber professional to tell the difference.
An even scarier proposition is getting fake snail mail
letters from the IRS. Typically, this is
how the agency communicates; they never send an email or even call a taxpayer
directly. So even here, one cannot tell the
difference.
Even the tax software packages are being hit as well. Probably the best example of this is the latest
hack into the QuickBooks platform.
In this instance, the Cyberattackers were using the brand of
QuickBooks and sending out phony emails in an effort to lure users into
submitting their confidential and private information. More details as to what exactly happened here
can be seen at the link below:
https://www.avanan.com/blog/phishing-from-quickbooks
In fact, the security breach that happened to QuickBooks has
been termed the evolution of “BEC 3.0”.
BEC is simply an acronym that stands for “Business Email Compromise”. This is a type of Phishing-based email that
appears to have been sent from an authoritative figure, such as a
C-Level exec.
These are then sent to lower ranking employees in order to
scare them into sending large sums of money to an overseas account.
Of course, once the money is sent, it is gone, and it can be
hard to recover. But the good news here
is that banks have started to put up very sophisticated controls that detect a
fraudulent wire transfer before it is even started, and halt the transaction
right there pending further verification.
Even the Feds, such as the Secret Service and the FBI, are
now able to retrieve most of the money if it is transferred to a phony
account.
But in the end, it seems like Phishing is still the tried-and-true
method used during tax season. A key
observation here is that the Cyberattackers are learning how to adapt to the newer
technologies that are being used to detect a malicious email when it is inbound
to the receiver. For instance, typos and
grammatical mistakes used to be the giveaways when it came to detecting a Phishing
email, but now the Cyberattacker is taking their time to make sure that they write
and spell everything properly.
The only real clue is the mismatch between the sending domain
and the receiving domain if you were to accidentally reply to that email.
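
The mismatch described above, read here as a From address on one domain and a Reply-To address on another, can be checked mechanically before anyone hits reply. The following Python is an added example, not part of the original post; the sample messages and every domain in them are constructed placeholders, and comparing the last two domain labels is an assumption that stands in for a Public Suffix List lookup.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages; every name and domain is a placeholder.
SAMPLE_MISMATCH = """\
From: "Invoicing Service" <notifications@billing.example.com>
Reply-To: accounts-dept@payments.example.net
To: clerk@corp.example.org
Subject: Invoice 1042 is past due

Please review the attached invoice.
"""

SAMPLE_SAME_ORG = """\
From: support@mail.example.com
Reply-To: help@example.com
To: clerk@corp.example.org
Subject: Your receipt

Thank you for your payment.
"""


def base_domain(address):
    """Last two labels of the address's domain (assumed registrable domain)."""
    # Assumption: suffixes such as co.uk need the Public Suffix List instead.
    if "@" not in address:
        return ""
    labels = address.rsplit("@", 1)[1].lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def reply_to_mismatches(raw_message):
    """List (from_domain, reply_domain) pairs where a reply would leave
    the domain shown in From. No Reply-To header means no finding."""
    msg = message_from_string(raw_message)
    from_domain = base_domain(parseaddr(msg.get("From", ""))[1])
    findings = []
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        reply_domain = base_domain(addr)
        if reply_domain and reply_domain != from_domain:
            findings.append((from_domain, reply_domain))
    return findings


if __name__ == "__main__":
    for name, raw in (("mismatch", SAMPLE_MISMATCH), ("same org", SAMPLE_SAME_ORG)):
        print(name, reply_to_mismatches(raw))
```

A finding is a triage signal rather than a verdict, since legitimate senders sometimes route replies to a different domain as well.
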
Another key advantage that the Cyberattacker has in their
arsenal is that all email providers are now pretty much SaaS based. This includes everything from
Gmail to Yahoo Mail to Exchange Server and Outlook. The Cyberattacker knows how messages are sent
on these platforms, and thus they can bypass any control quite effectively.
But another fearful tactic that Cyberattackers are using is
stealing the victim’s phone number in addition to their tax and payment
information. Once the latter has been
intercepted, the hacker will then call the victim and use the principles of
Social engineering in order to con the victim into giving out further personal
data.
These calls can come on the smartphone, but now they are
appearing on apps like WhatsApp and other telephony plug-ins that are now available
on pretty much all of the Social Media platforms today.
The bottom line in all of this is that the Cyberattacker is
trying to use a trusted source with which to lure in their victims. Once again, QuickBooks is a perfect
example. It has been a trusted and well
branded source for decades, and because of that, there is a level of trust that goes
with it.
Nobody really questions the authenticity of an email if it
were to come through this platform, thus making it a very ripe target for the Cyberattacker.
My Thoughts On This:
A simple Google search will reveal all of the top tips that
you need to know about, so I am not going to repeat them here again. But keep in mind that tax fraud impacts
everybody at all levels, all the way from the individual to the entire business. Thus, one needs to take all precautions
accordingly.
But whatever the case might be, always use a tax preparer to
do your taxes. Make sure that you use
one that is reputable, and has been around for some time, for at least a few
years. As a client, it is your right to question
what kinds of security controls they have in place, and how they protect your PII
datasets.
The reason why I say this is that if you or your business is
impacted by a security breach during tax season, the responsibility of recovery
is not totally on you; the tax preparer has to shoulder the burden as well.
Also, one of the best pieces of advice here is to always
confirm the sender of a piece of correspondence, whether it is digital or
physical, and always trust your gut in this regard. When it comes to calls, never answer unless you
recognize who is calling. If it is important
enough, it can go to voicemail for you to parse through later. Always do a Google search on a phone number
if you do not recognize it.
In the end, becoming a victim of tax fraud is very
serious. It happened to a friend of mine
a few years ago, and it took him almost one year to reclaim his identity and
money. Remember, we are all at risk
of becoming a victim. The key is being
proactive to mitigate those risks as much as possible.