Unfortunately, it seems there’s a phishing scheme to go along with virtually every event in life, whether a holiday, a tragedy, or an annual ritual. Tax time is not exempt, so to speak.

Whether you work in finance or you support users who do, it’s important to be on the lookout this tax season for phishing schemes geared towards obtaining confidential information from unsuspecting individuals.

What should users look out for?

A common phishing attempt involves compromised or spoofed emails which purport to be from an executive at your organization and are sent either to human resources or finance/payroll employees. The email requests a list of employees and their related W-2 forms.

That’s not all, however. Another common scam (which can occur throughout the year) involves receiving a phone call from an individual claiming to be from the IRS (caller ID can be spoofed to show this as well) who informs you that you owe money for back taxes and often threatens law enforcement retribution if payment (usually via credit card over the phone) isn’t provided.

The IRS will never call you on the phone to report you owe them money nor demand money over the phone; they utilize the postal service for such notifications. They also will not engage in threats and are supposed to provide an opportunity for you to work constructively with them or negotiate payment.

SEE: IT leader’s guide to cyberattack recovery (Tech Pro Research)

What standard protection methods should be used?

The typical safeguards against phishing can protect you and your employees; establish a policy against requesting confidential information through email, call people directly to verify such requests, arrange for secure transfer of data, and limit the number of employees who possess the authority to access or handle W-2 forms.

The IRS also recommends contacting them about any malicious activity. Phishing attempts can be reported to phishing@irs.gov. If someone from your company has given out W-2 information, contact dataloss@irs.gov with a description of what happened and how many employees were affected. Also make sure not to attach any confidential information!

If your company is contacted by scammers claiming you owe the IRS money, report it via the IRS Impersonation Scam Reporting webpage. You can also call 800-366-4484. You should also report this to the Federal Trade Commission via the FTC Complaint Assistant on FTC.gov.

What else is available to help here?

Education and establishing proper procedures can be helpful in minimizing risk, but I also highly recommend using technology to safeguard data as well. While both technology and humans may be prone to failure, technology is harder to fool or take advantage of.

With that in mind, data loss prevention (DLP) can be a handy tool in combating phishing gimmicks of this nature. DLP systems examine traffic coming in and out of an organization: emails, instant messages, web access – anything that is sent over the network. These systems can sniff out confidential information such as Social Security numbers and block them from being transmitted.

This comes with a potential cost, however; legitimate traffic may end up blocked, such as when employees email tax information to their tax preparers or their own personal accounts. This can pose a challenge for DLP systems (and those responsible for administering them) in separating the wheat from the chaff. The end result is undoubtedly a slew of false positives with frustrated and/or confused employees.

SEE: Intrusion detection policy (Tech Pro Research)

Another potential solution is user and entity behavior analytics (UEBA). UEBA can determine the likelihood the employee is sending tax information to themselves via their personal email address by analyzing behavioral patterns to determine the legitimacy of specific activities.

For example, if an employee named Ray Donovan sends a W-2 form from his corporate email address (ray.donovan@company.com) to his Gmail address (ray.donovan72@gmail.com), UEBA can determine that it’s highly likely this information is being sent to the same person and will not send a critical alert nor block the transmission. It helps if Ray has a history of sending himself emails of this nature so UEBA can mark that behavior as normal.

However, in a genuine phishing scenario where Ray sends a W-2 form to SWRedLeader55@gmail.com, an email address he has not previously contacted, UEBA could determine that it’s not the same person, analyze further using behavioral comparisons and send alerts or take action as necessary.

What about a situation where an employee is emailing confidential information to themselves when they shouldn’t (such as someone else’s W-2 form, or their own despite company policies prohibiting this)? UEBA can still send alerts which can then result in investigational activity and appropriate discipline as needed, including termination. Making employees aware that this activity is analyzed and monitored can serve as a deterrent and ensure confidential information remains in appropriate hands.

Also see: