What Accounting Firms and Tax Preparers Need to Know About Phishing in 2017
Notorious American bank robber Willie Sutton once said that he robs banks because, “That’s where the money is.” The criminals behind phishing attacks have the same motive: to get to wherever the money is.
Today, phishing attacks are all too familiar for many accounting firms. In fact, PwC’s most recent Global State of Information Security® (GSIS) Survey found that phishing is the most common type of cyberattack affecting accounting firms, and this type of attack still remains on the IRS “Dirty Dozen” list of tax scams for this filing season.
Already the news headlines this year are filled with stories about the latest W-2 phishing attacks. So far, 29,000 people and counting have fallen victim, and tax preparers in particular are getting hit hard with criminals posing as new clients sending malicious links and attachments that, once clicked or downloaded, are designed to steal sensitive information from your firm. If these new developments are any indication, 2017 is going to be a big year for phishing criminals. That is, if businesses don’t buckle up…
With tax season and the rise in W-2 scams upon us, let’s dive into how accounting firms and tax preparers can begin protecting themselves now to keep their businesses and their customers safe from these tricky attacks.
Types of Phishing Attacks Aimed at Accounting Organizations
In an earlier post, we explained what exactly a phish is. It comes in two forms: phishing (where attackers cast a wide net, hoping someone (anyone) will fall for it) and spear phishing (a more targeted attack, where the recipient is hand-selected). Both forms can be delivered via email, online advertisements, or even a malicious phone call.
Take the current W-2 phishing scam as an example. Once a person takes the bait (such as sending employee W-2 information), the attacker can then use that information to carry out their malicious deed, typically to file fraudulent tax returns. This can be damaging to both employers and employees, taking months, if not years, to fully recuperate from the repercussions.
Though phishing can seem like an outdated, dot-com era threat, the reality is that attackers still have high success rates with phishing, which is why they’re not backing down anytime soon.
How to Protect Against Phishing Attacks in 2017
If your firm doesn’t yet have phishing protections in place, now’s the time to do it. With tax scams on the rise and techniques like spear phishing proving to be quite lucrative, your firm needs a three-pronged approach to combat phishing attacks and keep your company out of the news spotlight, in good graces with your customers, and focused on what really matters — growing your business.
1. User Education and Training
Your first lines of defense (but also your weakest links) are your users and customers. You see, phishing is a numbers game — if it reaches enough people, the chances that someone will click and fall victim to the scam are good. In fact, the Verizon Data Breach Report reported that 30 percent of employees fall for phishing attacks. The larger your company, the more ominous this number becomes.
To educate your employees about phishing, you should conduct regular security awareness training that goes into everything from how phishing works to what common phishing attacks look like. Often these are emails that have spelling errors, unusual requests (like to send W-2 forms over email!), or that link to a strange URL like http://gogledoc.com-stz.info/ instead of docs.google.com. For more insight on how to conduct user training, visit our previous post on phishing.
Simultaneously, you should proactively educate your customers. We recommend sending an email to them letting them know about the dangers of phishing and what to look out for. Explain to them the information your firm will never request from them and how to report issues. If you have the resources, you may also want to host a webinar that goes in depth about phishing and how customers can securely submit their information, create strong account passwords, and follow other security best practices.
Not only will these efforts help protect both your customers and your business, but they can also help improve your brand reputation, increasing customer loyalty and retention. Security, in this way, can be a great business enabler!
2. Test Your Employees With Fake Phishing Emails
Once you’ve educated and trained your employees about phishing attacks, you’ll want to test out their new skills in the wild. Testing should be conducted regularly and randomly so you can determine how successful training is and what else needs to be covered in ongoing training.
To do this, you can manually send a fake email or use a simulation tool like InfoSec’s Security IQ that sends these emails to your staff and users for you and then reports on how they respond.
The findings of these tests can help inform your next security training sessions, so it’s smart to do it a couple times each year.
3. Monitor & Protect
Security should always be a layered effort, so in parallel to running training and testing programs, you’ll need a line of defense that can detect and protect against phishing attacks when they do come in. The more layered your defense, the harder it will be for attackers to be successful.
Automated malware protection monitors for outbound communications from phishing attacks to prevent phishing attacks that land on your systems from carrying out their mission. At Strongarm, we work hard to stay up-to-date on the latest phishing attacks and malicious sites, so that even if a new phishing technique comes out tomorrow and your user training can’t catch up, Strongarm will have your back.
Implementing A Parallel Phishing Defense
Keeping your users (employees and customers alike) well-informed of basic security practices and what to look out for with phishing can go a long way in preventing it from ever hitting your network and wreaking havoc. But if and when an attack does make it in (humans aren’t perfect, and the bad guys are getting very clever), having a second layer of defense, automated malware protection, will help safeguard your employees, your customers, and your business.
If you do receive an unsolicited email that appears to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System, report it by sending it to firstname.lastname@example.org. For further information, visit: https://www.irs.gov/uac/Report-Phishing.