If you follow our Facebook and Twitter feeds then you’ve got a leg up—you know all about the growing phishing epidemic. Well-worded emails from supposed IRS workers or company execs have misled many a dutiful employee. We’ve warned about this scamming method in the past, and the widespread threat continues to morph.
The need for vigilance is vital. For while cybersecurity insurance could save you, circumstance is king. Your solid cybersecurity policy is just one piece of a comprehensive approach to protection. Here’s where being the boss means stepping up and taking care of business, from double-checking coverage limitations to educating employees. And we’re right here with you, ready to help. So are the IRS and others, offering tips and pointers galore, even establishing an awareness campaign. Let’s glean from their experience.
I Are Not the IRS
What to do if an employee receives a questionable email? Encourage them to pause and think, ask a supervisor’s opinion, and be ever wary. Even if the sender seems credible, they should just assume they’re being baited. A word of wisdom to business owners: to prevent legitimate requests from being stalled, set up a process by which identity can be confirmed, and share details with need-to-know employees.
One good plan deserves another. Encouraging executives to limit the scope and exposure of their personal data on social media and networking sites could be the wrench that ruins a phisher’s scheme. Add to that routine simulated phishing attacks and you’ll have a top-down awareness to be reckoned with.
But even though you’re on guard, the emails can still come. And when they seem to be from an entity like the IRS, special precaution is due. US-CERT has some great suggestions on how to handle them:
- Suspicious Emails: If you read an email claiming to be from the IRS, do not reply or click on attachments and/or links. Forward the email as-is to email@example.com and then delete the original email.
- Phony Websites: If you find a website that claims to be the IRS and suspect it is fraudulent, send the URL of the suspicious site to firstname.lastname@example.org with subject line, “Suspicious website”.
Remember that the IRS is old-school, so even if the sender’s address and email body appear to be from the IRS, if you haven’t received snail-mail hardcopy, assume you’re being phished—don’t divulge any information. Keeping in mind that taxes cannot be filed on any IRS site and that any announcements will be made via their official website should act as a first line of defense against email tax scams.
Train That Phisheye Lens
Being armed with facts is key, because the specific, sneaky wording used may sound legit, even urgent. That’s why we’re duty-bound to emphasize the importance of employee education and training. While there’s no silver bullet to quell the tide of phishing attacks, supplying staff with facts, figures and real-life examples will go far toward fostering awareness and instilling best practices. Business owners are also afforded an opportunity to mold company culture: information sharing and incident reporting should always be encouraged, never feared. Company executives: you and your managers set the tone. Develop procedures by which suspicious correspondence can be reported, and encourage employee involvement.
What to do if you think you’ve been duped? Above and beyond checking the cybersecurity infrastructure you already have in place, US-CERT shares a few must-do’s:
- Inform someone with authority and permissions to monitor accounts for unusual activity
- Follow above suggestions to report phishing to the IRS
- Change all relevant passwords
Filing a complaint with the Internet Crime Complaint Center (IC3) isn’t a bad idea either. And while it’s surely a stressful time, the interim following a successful phishing attack can be seen as a valuable, teachable moment.
It’s Your New Pain in the Bass
According to some experts, phishing is “cybercriminals’ next new favorite.” Basic facts of life in the cyber age, phishing and tax fraud affect individuals and businesses at an ever-increasing rate. So let’s use our combined knowledge this tax season to break the cybercrime cycle, making “security and protection just as important as receipts and deductions.” This is doable, and oh, so worth it.