Saturday, April 8, 2023

The Evolution Of BEC 3.0 This Tax Season

Well, whether you like it or not, the deadline for filing taxes is approaching; in fact, it is April 18th.  It can always be an unnerving time, especially for last-minute tax filers.  But there is yet one more thing to worry about other than filing on time, and that is the Cyber threats that loom at this time of the year. 

This is one of the prime times for the hackers to come out of the woodwork and do everything possible to submit a falsified return in order to get their hands on your well-earned refund.

In fact, there is really nothing new about these kinds of attacks; they have been around for at least the last decade.  But it is not just the taxpayers that are hit: accountants and tax preparers are just as much targets as well.  Heck, even the IRS has become a highly favored target, with attackers setting up fictitious and phony sites that impersonate it.

But what is different this time is that the Cyberattacker now has a powerful arsenal up their sleeve, and that is AI.  Using everything from Deepfakes to ChatGPT, phony emails and just about everything else now look so real.  In fact, it is even difficult for the trained Cyber professional to tell the difference. 

An even scarier proposition is getting fake snail mail letters that appear to come from the IRS.  Typically, this is how the agency communicates; it never sends an email or calls a taxpayer directly.  So even here, one cannot tell the difference. 

Even the tax software packages are being hit as well.  Probably the best example of this is the latest hack involving the QuickBooks platform. 

In this instance, the Cyberattackers were abusing the QuickBooks brand and sending out phony emails in an effort to lure users into submitting their confidential and private information.  More details as to what exactly happened here can be seen at the links below:

https://www.darkreading.com/remote-workforce/cyberattackers-abuse-quickbooks-cloud-service-ouble-spear-campaign

https://www.avanan.com/blog/phishing-from-quickbooks

In fact, the security breach that happened to QuickBooks has been termed the evolution of “BEC 3.0”.  BEC is simply an acronym that stands for “Business Email Compromise”.  This is a type of Phishing-based email that appears to have been sent from an authoritative figure, such as a C-Level exec. 

These are then sent to lower ranking employees in order to scare them into sending large sums of money to an overseas account.

Of course, once the money is sent, it is gone, and it can be hard to recover.  But the good news here is that banks have started to put up very sophisticated controls to detect a fraudulent wire transfer before it is even started, and to halt the transaction right there pending further verification. 

Even the Feds, such as the Secret Service and the FBI, are now able to retrieve most of the money if it were to be transferred to a phony account.

But in the end, it seems like Phishing is still the tried-and-true method used during tax season.  A key observation here is that the Cyberattackers are learning how to adapt to the newer technologies that are being used to detect a malicious email when it is inbound to the receiver.  For instance, typos and grammatical mistakes used to be the giveaways when it came to detecting a Phishing email, but now the Cyberattacker is taking their time to make sure that they write and spell everything properly.

The only real clue is the mismatch between the sending domain and the domain your reply would go to if you were to accidentally reply to that email. 
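The From/Reply-To domain mismatch described above is something a mail gateway or a mailbox rule can check automatically, before anyone replies. The following is an added example written for this post, not code from the original article or from any vendor mentioned in it. It parses raw messages with Python's standard `email` library and flags a message whose Reply-To domain differs from its From domain. The three sample messages and all domains in them are constructed placeholders, not real captures.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample messages (not real captures); every domain is a placeholder.
# A brand-impersonation lure whose replies are routed to a different domain.
SAMPLE_PHISH = b"""From: "QuickBooks Billing" <notices@example-accounting.test>
Reply-To: refunds@mail.attacker-placeholder.test
To: bookkeeper@victim-company.test
Subject: Action required: refund release before April 18

Please confirm your banking details so the refund can be released.
"""

# An internal message whose Reply-To matches the sending domain.
SAMPLE_CLEAN = b"""From: "Payroll" <payroll@victim-company.test>
Reply-To: payroll@victim-company.test
To: bookkeeper@victim-company.test
Subject: Timesheets due Friday

Reminder: timesheets are due by end of day Friday.
"""

# A message with no Reply-To at all: replies go to From, so nothing to flag.
SAMPLE_NO_REPLY_TO = b"""From: "Vendor Support" <support@vendor-placeholder.test>
To: bookkeeper@victim-company.test
Subject: Invoice 1042 attached

Invoice attached for your records.
"""


def header_domain(msg, name):
    """Return the lowercased domain of the first address in header `name`,
    or None if the header is absent or carries no parseable address."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(str(value))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def reply_mismatch(raw_message):
    """Parse one raw RFC 5322 message and report where a reply would go.

    Returns a dict with the From domain, the effective reply domain (Reply-To
    if present, otherwise From) and a boolean `mismatch` that is True when the
    two differ. Comparison is exact, so a subdomain of the sender's own domain
    also counts as a mismatch; relaxing that is a policy choice for the deployer.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_domain = header_domain(msg, "From")
    reply_domain = header_domain(msg, "Reply-To") or from_domain
    return {
        "subject": str(msg.get("Subject", "")),
        "from_domain": from_domain,
        "reply_domain": reply_domain,
        "mismatch": from_domain is not None and reply_domain != from_domain,
    }


def flagged_subjects(raw_messages):
    """Run the check over a batch and return the subjects that should be
    held for review because their replies would leave the sending domain."""
    return [r["subject"] for r in map(reply_mismatch, raw_messages) if r["mismatch"]]


if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_CLEAN, SAMPLE_NO_REPLY_TO):
        result = reply_mismatch(raw)
        print(f"{'FLAG ' if result['mismatch'] else 'ok   '} "
              f"{result['from_domain']} -> {result['reply_domain']}  ({result['subject']})")
```

In a mail pipeline this would sit alongside the usual SPF/DKIM/DMARC results rather than replace them: a mismatched Reply-To is a strong signal on a message that is otherwise well written, which is exactly the case the post describes where spelling and grammar no longer give the lure away. Legitimate newsletters and ticketing systems also use a different Reply-To, so the practical deployment is to quarantine or tag for review, not to reject outright.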

Another key advantage that the Cyberattacker has in their arsenal is that all email providers are now pretty much SaaS based.  This includes everything all the way from Gmail to Yahoo Mail to Exchange Server and Outlook.  The Cyberattacker knows how messages are sent and filtered on these platforms, and thus they can craft messages that slip past the built-in controls quite effectively.

But another fearful tactic that Cyberattackers are using is stealing the victim’s phone number in addition to their tax and payment information.  Once that information has been intercepted, the hacker will then call the victim and use the principles of Social Engineering in order to con the victim into giving out further personal data. 

These calls can come on the smartphone, but now they are also appearing on apps like WhatsApp and the other telephony plug-ins that are now available on pretty much all of the Social Media platforms today.

The bottom line in all of this is that the Cyberattacker is trying to use a trusted source in which to lure in their victims.  Once again here, QuickBooks is a perfect example.  It has been a trusted and well-branded source for decades, and because of that, there is a level of trust that goes with it. 

Nobody really questions the authenticity of an email if it were to come through this platform, thus making it a very ripe target for the Cyberattacker.

My Thoughts On This:

A simple Google search will reveal all of the top tips that you need to know about, so I am not going to repeat them here again.  But keep in mind that tax fraud impacts everybody at all levels, all the way from the individual to the entire business.  Thus, one needs to take all precautions accordingly.

But whatever the case might be, always use a tax preparer to do your taxes.  Make sure that you use one that is reputable and has been around for some time, for at least a few years.  As a client, it is your right to question what kinds of security controls they have in place, and how they protect your PII datasets. 

The reason why I say this is that if you or your business is impacted by a security breach during tax season, the responsibility of recovery is not totally all on you; the tax preparer has to shoulder the burden as well.

Also, one of the best pieces of advice here is to always confirm the sender of a piece of correspondence, whether it is digital or physical, and always trust your gut in these regards.  When it comes to calls, never answer unless you recognize who is calling.  If it is important enough, it can go to voicemail for you to parse through later.  Always do a Google search on a phone number if you do not recognize it.

In the end, becoming a victim of tax fraud is very serious.  It happened to a friend of mine a few years ago, and it took him almost one year to reclaim his identity and money.  Remember, we are all at risk of becoming a victim.  The key is being proactive to mitigate those risks as much as possible.
