
Nothing is Certain, Except Death and Taxes … and Phishing


“…But in this world, nothing can be said to be certain, except death and taxes.” – Benjamin Franklin

We should add phishing to this idiom, too. Many businesses and their employees have recently fallen victim to a very successful spear-phishing attack that dupes an unsuspecting employee into sending the company’s W-2s to a company executive, who has emailed the employee and asked for the W-2s to address a “financial emergency.”

Instead, the email is a spear-phishing attack, with all the employees’ W-2s going directly into the hands of the attacker or attackers, who now have the names, addresses, Social Security Numbers (SSN), wages, and tax information for ALL the company’s employees, a treasure trove of information that can lead to false tax claims, identity theft and other financial catastrophes.

But, the IRS began warning accountants and tax professionals over a month ago that they, too, are now under attack by hackers, and not with just one scam, but at least two.

In the first scam, an accountant or tax professional receives an email from a prospective client – really the attacker – stating that they are looking to hire someone to prepare their personal or business taxes. The attacker may use the name of a friend or associate – who has also been hacked – as a reference in their email, to avoid suspicion and ease the mind of the accountant or tax professional.

The attacker will include a link to a website, or an Adobe Acrobat or other file attachment with an embedded link, claiming that the link leads to their financial information. Once the accountant or tax pro clicks the link, the website pilfers the accountant’s or tax pro’s email address, user name, password, and likely much more.

Having stolen the accountant’s or tax professional’s email address, the attackers can also start the cycle over again by sending another phishing email to that person’s clients, asking them to click a link in the email or in an attachment and re-enter their financial information, or their user name and password for the hacked accountant’s or tax pro’s online software or web site. When a client falls for this phishing attack, their information is pinched, and it’s likely their tax return will end up being claimed by the attacker.

Yet another phishing attack is underway that forced the Internal Revenue Service to send yet another alert out to accountants and tax professionals. In this attack, the attackers send an email to an accountant or tax professional indicating that they have been locked out of their tax preparation software due to “security issues”. Under tight deadlines and under tremendous pressure, this is the last thing the accountant or tax professional needs to see! The phishing email includes a link that will supposedly unlock the software for the accountant or tax pro.

Desperate to ensure that their tax preparation software is secure and accessible, the accountant or tax professional clicks on the link provided with no questions asked and without any suspicion. But the link leads to a phishing website requesting the accountant’s or tax professional’s user name and password for the tax preparation software, supposedly so that the software can be unlocked. Once they enter their user name and password, the attacker has all the information needed to break into the tax preparation software and steal the financial and tax information for all the accountant’s or tax pro’s clients!

So, what can be done to halt these attacks on accountants and tax professionals, and, ultimately, you and your tax and financial data?

Existing email security software may catch some of these phishing attacks, but it’s unlikely, based on their own capture statistics, that they will catch these sophisticated phishing attacks. And it takes only one, single successful phishing attack to gain access to the tax, financial and even personal information for every client that an accountant or tax professional has, ruining their reputation and possibly destroying a business that took years to create.

The only way to ensure that all email-based phishing attacks are stopped before they can happen is with isolation.

Isolating all web access ensures that email-based phishing attacks requiring users to click on a link to initiate an attack won’t be successful. That’s because, once the user clicks on the link in the phishing email or attachment, their web access is isolated: the selected web page is executed and proxied inside the isolation platform, and only a safe, clean, malware-free rendering of the page is returned to the user. Some isolation platforms can even eliminate credential theft by rendering websites in read-only mode, preventing users from entering their name, password, or any other sensitive information into a web form.
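As an added illustration of the read-only rendering described above (example code written for this post, not Menlo Security’s product or code), here is a proxy-side HTML pass that disables every form control so a rendered page cannot accept a user name or password; the sample page is constructed for the example:

```python
from html import escape
from html.parser import HTMLParser

# Tags whose elements accept user input; each one is disabled on the way out.
FORM_CONTROLS = {"input", "textarea", "select", "button"}

# Constructed sample of a credential-harvesting page (not a real site).
SAMPLE_PAGE = """<html><body><h1>Unlock your tax software</h1>
<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<textarea name="notes"></textarea>
<button type="submit">Unlock</button>
</form></body></html>"""

class ReadOnlyRewriter(HTMLParser):
    """Re-serialises HTML, adding a disabled attribute to every form control."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities verbatim
        self.out, self.disabled = [], 0
    def _emit(self, tag, attrs, self_closing=False):
        if tag in FORM_CONTROLS:
            attrs = [(k, v) for k, v in attrs if k != "disabled"] + [("disabled", None)]
            self.disabled += 1
        parts = [tag] + [k if v is None else f'{k}="{escape(v, quote=True)}"' for k, v in attrs]
        self.out.append("<" + " ".join(parts) + (" /" if self_closing else "") + ">")
    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, self_closing=True)
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def render_read_only(page):
    """Return (rewritten HTML, number of form controls disabled)."""
    p = ReadOnlyRewriter()
    p.feed(page)
    p.close()
    return "".join(p.out), p.disabled

if __name__ == "__main__":
    html_out, n = render_read_only(SAMPLE_PAGE)
    print(f"disabled {n} controls\n{html_out}")
```

Disabling controls is only one layer of a read-only mode; a real isolation platform also has to neutralise scripts that could re-enable them or rebuild the form client-side.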

So, if your accountant or tax professional has deployed an isolation platform, then you can be sure that phishing attacks targeting your sensitive financial and tax information will be stopped cold, and your financial security will be.

But, if they haven’t deployed an isolation platform, you might want to tell them about it before you file your taxes this year.


———-

Jay Kelley is a cyber security professional with Menlo Security (Silicon Valley) http://www.menlosecurity.com