Tax Season is a Feeding Frenzy for Phishers

Phishing attacks are a year-round problem, infuriating end-users and business leaders with their duplicitous use of current event themes and other nefarious methodologies. The concern for MSPs and their clients this time of year is not just the ever complicated and always stressful process of filing income taxes, but the threat of all the related email phishing schemes.

Cybercriminals are old pros at these types of time-tested deception. While phishing scams are always a problem for unsuspecting end-users, the tax-related attacks are plentiful and quite damaging. While that situation is nothing new, with so many employees working from home on personal devices today, the risk factors continue to rise and threaten many businesses.

Scammers understand that tax season creates stress and makes people more likely to fall for malicious email messages. They also know that many rely on tax preparers for support and may freely share information over the internet using less than optimal security protocols, especially when filing deadlines approach. Unfortunately, people often conduct those activities using their company-supplied PCs, laptops, and other work-related devices, opening another door open for phishers looking to trick unsuspecting users.  

As with prior years, MSPs are often responsible for keeping those organizations safe from the scams that occur this time of year. As a security expert, you and your team members must know all there is to know about tax-related phishing schemes and other related cybercrimes.

Types of Scams

The methods used to trick users are practically endless. Here’s a shortlist of potential message subject lines that your unsuspecting clients’ employees might find in their inboxes in the coming weeks.

  • Your Account is Locked
  • Payment Deducted from Account
  • Electronic Tax Return Reminder/ You Are Eligible for a Refund
  • Tax Account Transcript

Almost every email scam looks to originate from the Internal Revenue Service (IRS), although more recently, cybercriminals began impersonating software companies like TurboTax or TaxSlayer. Others may spoof their actual personal tax preparer.

The goal of many of these schemes is to convince users to click a link and fill out a form with their personal information. That request may include highly valuable data such as a copy of their passports, bank statements, utility bills, and a long list of details on family members, employers, and other info people may use to create passwords. All that information may find its way to the dark web or be used to hack their computer systems.  

Other attacks simply focus on infecting recipients’ machines with malware. Phishers use attachments or links to infected sites, usually prompting malicious files to begin downloading and permeating through their computers and connected systems. Some will then launch additional attacks on people who know and trust those users. Once malware enters the network, cybercriminals can track keystrokes, steal passwords, and completely take over their devices and applications.

Know these Key Points

Perhaps the most important thing for your customers to know is that the IRS never communicates with taxpayers through email. Nor will the agency request immediate payment using a specific method.

IRS agents must follow protocols and will never demand immediate tax payments without the opportunity to appeal. Perhaps the most important thing to remind your clients is that those government officials will certainly not threaten to call law enforcement for non-compliance with their requests.

Email messages with any of those threats or unreasonable requests are a dead giveaway that something is truly amiss, and they should never open attached files or links. Also, instruct your clients not to forward messages from the IRS, Income Tax Department, or a given tax preparation company, and contact your team for instructions. MSPs should watch for patterns and share details of each scheme with other users as part of their ongoing cybersecurity education process.

Implement Essential Defenses

While there are multiple services that MSPs can use to protect their clients’ employees from these types of tax-related scams, especially in WFH environments, these two particular cybersecurity offerings are a must today.

  • Email filtering and anti-phishing software are some of the best protections service providers can offer. These solutions allow MSPs to control the level of spam, viruses, malware, and malicious attacks hitting end-users inboxes without inhibiting workflow. Of course, nothing is foolproof, but implementing these safeguards helps you minimize the issues.   
  • Awareness training may be the most important anti-phishing activity your clients can undertake. Cybercriminals constantly change tactics, and their attacks are becoming increasingly harder to detect, inevitably snaring more people into their traps. Passive education is meaningless. Involving end-users in ongoing programs covering the latest and most relevant attacks ensures they are up to speed on all threats. Awareness training helps employees identify and avoid more scams, giving MSPs more allies in the war against cybercriminals.

Phishing Protection for Every Season

Basement hackers and nation-state-supported crooks are always on the prowl, not just during tax season. With email remaining the number one mode of business communication, it sits smack in the crosshairs of cybercriminal’s targets, so MSPs must take the initiative to protect their clients with strong and multiple layered defenses.

Email filtering is a great first step. However, adding an easy-to-manage encryption solution will help safeguard your clients’ information in transport from the prying eyes of cybercriminals and other saboteurs.

Business information can be highly valuable to those who create it as well as those trying to take it away. Your clients need all-around data protection to protect their organizations from breaches and minimize the aftereffects of the inevitable successful attack. Is your cybersecurity stack up to that challenge?

For more reading, we have compiled some things to consider when selecting the best phishing protection solution for your users.