Betty opened up her email and scanned through her messages. One in particular stood out, from the Internal Revenue Service (IRS), so she clicked on it and began to read. It appeared that there was an issue processing her refund, and the IRS needed some additional information from her. So, she clicked on the link provided, which took her to what looked like the IRS website. She began to enter her personal information, including her social security number, then clicked submit once she was done. She then closed her web browser and went about her day, completely unaware that she had just handed all her personal information to criminals operating a phishing scam.
This is an example of one of the myriad phishing scams that have targeted tax professionals and individual taxpayers in recent weeks. As tax season approaches, the incidence of phishing scams targeting taxpayers and tax preparers continues to increase. The IRS is once again listing phishing schemes as one of the top tax scams for the 2017 filing season (*). So, how can you protect yourself and your business from these scams?
Phishing is a form of social engineering, which seeks to obtain confidential information by tricking the user into voluntarily handing it over. One method of obtaining this information is via email. Be sure to scan emails for these red flags before replying or clicking on any embedded links:
- Is the email from someone you do not know or ordinarily communicate with;
- If it is from someone you know, is the content unusual or out of character;
- Is the subject line of the message irrelevant, or does it not match the message contents;
- Is the email a reply to something you never sent or requested;
- Is the sender asking you to click on a link or open an attachment to avoid negative consequences or gain something of value;
- Is the email asking you to look at a compromising or embarrassing picture of yourself or someone you know;
- Were you cc’d on an email sent to additional people whom you personally do not know;
- Was the email sent at an unusual time (like 2 AM) when it is something you would normally receive during regular business hours;
- Is there an attachment that you were not expecting or that makes no sense in relation to the email message;
- When you hover your mouse over the hyperlink in the email, is the link for a different website;
- Is the hyperlink in the email a misspelling of a known website? For example, www.imternalrevenueservice.com instead of www.internalrevenueservice.gov.
Some links can appear genuine, but actually take the user to a website controlled by the fraudster. This is why employee training on social engineering scams is critical to the security of your business. Some hard and fast rules include:
- Never open email attachments that end with .exe, .scr, .bat, .com, or other executable extensions;
- Never click on an “unsubscribe” link;
- Never click embedded links in messages without first hovering your mouse over them to check the URL;
- Never respond or reply to spam in any way.
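The "hover over the link" and "misspelled website" red flags above, and the executable-attachment rule in the list just given, can be turned into a small automated pre-screen. This is an added example written for this article, not the author's own code or an IRS tool; the trusted-site list, the edit-distance threshold, and the sample message are assumptions and constructed data.

```python
import re

# Assumptions, not from the article: the known-site list is illustrative, the
# executable-extension list is the one the article names, and the edit-distance
# threshold (3) is a tuning choice.
KNOWN_SITES = ("internalrevenueservice.gov", "irs.gov")
EXEC_EXTENSIONS = (".exe", ".scr", ".bat", ".com")
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# Good enough for simple bodies; a real mail filter should use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(s):
    """Lower-cased host found in a URL or in domain-looking visible text ('' if none)."""
    m = DOMAIN_RE.search(s)
    return m.group(1).lower() if m else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a trusted site."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_links(html):
    """One finding per link that trips the 'hover' or 'misspelling' red flag."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        actual, shown = host_of(href), host_of(re.sub(r"<[^>]+>", "", text))
        if shown and shown != actual:   # displayed site differs from the real target
            findings.append(f"mismatch: text shows {shown} but link goes to {actual}")
        for known in KNOWN_SITES:       # near-miss spelling of a site we trust
            if actual != known and edit_distance(actual, known) <= 3:
                findings.append(f"lookalike: {actual} resembles {known}")
    return findings

def executable_attachments(filenames):
    """Attachment names ending in one of the executable extensions the article lists."""
    return [f for f in filenames if f.lower().endswith(EXEC_EXTENSIONS)]

# Constructed sample body and attachment list mimicking the article's scenario.
SAMPLE_HTML = ('<p>There was an issue processing your refund.</p>'
               '<a href="http://www.imternalrevenueservice.com/refund">'
               'www.internalrevenueservice.gov</a> '
               '<a href="https://www.irs.gov/">www.irs.gov</a>')
SAMPLE_ATTACHMENTS = ["refund_form.pdf", "Tax_Refund.pdf.exe", "notes.txt"]
```

Run `audit_links(SAMPLE_HTML)` and `executable_attachments(SAMPLE_ATTACHMENTS)` to see the first link flagged twice (displayed site differs from target, and the target is one letter off a trusted site) and the double-extension attachment caught; the genuine irs.gov link produces no finding.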
In addition, employees should be trained to never give out confidential or personal information over the phone regardless of who the person on the other end is claiming to be or what business they claim to represent. Always contact the individual or business back via an independently verified method (not via contact information provided by the caller or found in the suspicious email).
Following these simple steps will help to protect you and your business from falling victim to phishing scams this tax season.
Shyla A. Ingram, MSA