Tax scams target businesses, too: attacks just the tip of the phishing spear

Mar 28, 2018 (5 min read)


[Image: taxes 1040 irs. Credit: Getty Images/DNY59]

It’s tax time again, and an opportunity for cybercriminals to take advantage of unsuspecting consumers and businesses. While many of us are aware of this con as it affects consumers, the simple truth is that this scam (and the social engineering beneath it) is a huge danger to businesses and municipalities.

Big bets on business

As recently as this January, the United States Internal Revenue Service issued a new alert about a surge in income tax cyberscams. Part of the alert focused on the targeting of businesses. The agency reported that criminals were making serious attempts to pose as company executives or human resources and payroll officials in order to abscond with employee W-2 forms. With those forms in hand, the criminal gangs can file fraudulent returns and effectively have the government cut them a check for their efforts.

Tax professionals, accountants and accounting firms are also a significant target, for the same reason – data. If the criminals get hold of the provider’s E-File account number, or its CAF number (a unique nine-digit identification number assigned the first time a third-party authorization is filed with the IRS), the scammers can redirect every income tax return to their own bank accounts. This is such a concern to the IRS that it has partnered with state tax agencies and the private-sector tax industry to form the Security Summit – a unique partnership formed to fight this crime and the financial fallout that can follow from this type of fraud.

The risks

But are they making a difference? While an informed populace is at less risk, mitigation efforts can only go so far. There are too many people unaware of the issue and too many organizations that believe they are immune or that their business won’t be a target. That belief is human – and that is the very problem. The actual crime (the release of information or the transfer of funds) occurs within the authority of the scammed user and outside of the organization’s security grid. Here’s what the typical crime looks like:

Stage 1: Assume an identity of authority

What is important to note about all these scams, regardless of the target, is that, at their core, the criminal must convince the victim that they are someone authorized to receive the information.

Stage 2: Gain the information

After they have convinced the target of an identity, they must then convince that victim to willingly hand the information over. Often, the bad guys frame the transfer of information in a way that makes the victim feel they are solving a problem or doing a favor for someone in a bind.

And that is how the scammers often approach it. Sure, you will see phishing samples that bully or threaten. But the best ones, the lures that aren’t caught until after the money or data is gone, are the ones that look like business as usual, where the victim feels they have acted appropriately – perhaps even helped someone in a bind.

Effective, well-crafted social engineering lures are at the core of the tax scam problem – and of another rising threat to businesses and governments: money and wire transfer fraud. City governments are seeing a tremendous increase in this type of crime. In fact, they may be most at risk, because budgets mean their infrastructure and security systems may not be cutting edge. It is unlikely that a city with a population of 30,000 will have a fine-tuned DLP system installed and fully operational. Intrusion detection may be a wish on the city IT admin’s list, but far from a deployment. And even with these installed, if a person routinely makes wire transfers as part of their job, will their security systems (or their financial institution’s) flag one more transfer?

A recently published account of such an attack on Yarrow Point, a city just outside of Seattle, shows just how routine this type of fraud can seem – until after the money or data is gone. The story not only recounts how a city with an annual budget of two million dollars was scammed out of more than $60,000, it also lists other, bigger attacks.
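The two stages above (impersonate an authority, then ask for data or money) are also what a defender can look for in inbound mail before a W-2 bundle or a wire leaves the building. The following is an added illustration, not code from the article or from Malwarebytes: a small triage routine that checks the From/Reply-To headers against a roster of executives (stage 1) and the body for W-2 or transfer requests plus pressure cues (stage 2), and only escalates when both are present. The organisation domain, executive roster, and the four sample messages are all constructed for the example.

```python
"""Triage inbound mail for the two-stage lure: impersonated authority + W-2 / wire ask.
Added example; the domain, roster, keyword lists and messages below are constructed."""
from email.utils import parseaddr
import re

# Constructed: the organisation's own mail domain and the executives whose
# names a lure would borrow. A real deployment would load these from a directory.
ORG_DOMAIN = "city.example"
EXECUTIVES = {
    "alex rivera": "alex.rivera@city.example",
    "jordan lee": "jordan.lee@city.example",
}

# Stage 2 vocabulary: the "data" ask, the "money" ask, and the pressure cues
# that discourage the recipient from verifying out of band.
W2_TERMS = re.compile(r"\bW-?2s?\b|wage and tax statement", re.I)
WIRE_TERMS = re.compile(r"\bwire\b|\bACH\b|\bbank (?:details|account)\b", re.I)
URGENCY_TERMS = re.compile(r"\burgent\b|\bright away\b|\bASAP\b|\bin a meeting\b", re.I)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_indicators(headers: dict) -> list:
    """Stage 1: does the display name claim an executive while the real
    address, or the Reply-To that answers would go to, points elsewhere?"""
    name, addr = parseaddr(headers.get("From", ""))
    findings = []
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        where = "external domain" if domain_of(addr) != ORG_DOMAIN else "wrong mailbox"
        findings.append(f"executive display name on unexpected address ({where})")
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        findings.append("Reply-To domain differs from From domain")
    return findings


def request_indicators(body: str) -> list:
    """Stage 2: is the message asking for W-2 data or a funds transfer, with pressure?"""
    findings = []
    if W2_TERMS.search(body):
        findings.append("requests W-2 / wage data")
    if WIRE_TERMS.search(body):
        findings.append("requests wire / bank transfer")
    if URGENCY_TERMS.search(body):
        findings.append("pressure or unavailable-to-verify cue")
    return findings


def triage(message: dict) -> dict:
    """Escalate only when both stages are present; either alone is 'review' (noise on its own)."""
    who = impersonation_indicators(message["headers"])
    what = request_indicators(message["body"])
    verdict = "escalate" if (who and what) else ("review" if (who or what) else "ok")
    return {"verdict": verdict, "indicators": who + what}


# Constructed sample messages: a W-2 lure, a legitimate internal note,
# a wire lure that forges From but leaks via Reply-To, and a benign vendor mail.
SAMPLES = [
    {"headers": {"From": '"Alex Rivera" <alex.rivera@city-mail.example>'},
     "body": "I'm in a meeting. Can you send me the W-2s for all employees as PDF right away?"},
    {"headers": {"From": '"Alex Rivera" <alex.rivera@city.example>'},
     "body": "Please send me the agenda for Thursday's council session."},
    {"headers": {"From": '"Jordan Lee" <jordan.lee@city.example>',
                 "Reply-To": "<jordan.lee.office@webmail.example>"},
     "body": "Please process the wire to the vendor's new bank account today, this is urgent."},
    {"headers": {"From": '"Payroll Vendor" <support@payroll-vendor.example>'},
     "body": "Your W-2 forms for 2017 are now available in the portal."},
]


def run_samples() -> list:
    """Triage every sample and return the verdicts in order."""
    return [triage(m)["verdict"] for m in SAMPLES]


if __name__ == "__main__":
    for m, v in zip(SAMPLES, run_samples()):
        print(v, "-", m["headers"]["From"], "->", triage(m)["indicators"])
```

The point of the combination rule is the one the article makes: an executive's name on an outside address is common enough (personal mail, a travelling laptop) that it is noise by itself, and a vendor legitimately mentioning W-2s is routine; it is the pairing of a borrowed identity with a request for data or money that should stop the transfer and trigger an out-of-band phone call to the person supposedly asking.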

How to stay safe

With such sums to be made from tax and wire scams against individuals and businesses, the landscape keeps getting harsher. However, there are resources available to protect yourself and your business from these threats.

While solid security systems and endpoint protection are necessary elements of your security posture, you must remember that many of these scams are a human problem. It takes human intelligence, in conjunction with security tools, to battle this menace. In addition to the Security Summit noted earlier, CIS (Center for Internet Security, Inc.) is a non-profit entity that runs a global IT community network for sharing best practices and information that may help keep your organization secure.

There are organizations that can help train your employees to recognize and report social engineering attempts. Make sure that whichever security awareness materials you choose suit your company culture. While these materials can be effective countermeasures, don’t underestimate your own ability to inform and to make change happen. Discuss this issue with your peers and coworkers. Very few people have ever been criticized for raising awareness of security issues.


Justin Dolly is EVP, Chief Security Officer and CIO of Malwarebytes. Prior to Malwarebytes, Dolly was the VP, Chief Security and Privacy Officer at Jawbone, where he oversaw the security and privacy implications of consumer wearable technology. He also held the Vice President and Chief Information Security Officer position at ServiceNow, where he provided strategy and vision for all information security-related initiatives.

Before that, Dolly was the CISO at VMware Inc., where he developed and led all information security-related programs and initiatives. Previously, Dolly held various security and technology leadership roles at Kaiser Permanente, CNET/CBS Interactive and Macromedia.

The opinions expressed in this blog are those of Justin Dolly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.