By Aamir Lakhani, Global Security strategist and researcher at Fortinet
As people get ready to file their taxes in many parts of the world, cybercriminals are getting ready too. Tax-return time is open season for cybercrime, and it’s likely to be worse this year because so many people are still working from home on various devices connected to unsecured networks. Although cybercriminals use other sophisticated tactics to steal information, social engineering scams are low-hanging fruit, especially during tax season. Fortunately, everybody can take steps to avoid falling victim to a social engineering scam.
Watch out for these social engineering attacks
Cybercriminals are out in force, eager to prey on the stress and uncertainty surrounding tax season. Attacks may take the form of phishing email campaigns or phone calls from people claiming to be from the IRS or a collection agency. To appear legitimate, scammers may use stolen data with personal information, such as Social Security numbers.
Cybercriminals use a “spray and pray” model for phishing campaigns. They send thousands of emails, hoping that at least one person will fall victim to the attack. Spear-phishing attacks are a targeted form of phishing that can be more difficult to detect because the emails are personalized to appear as if they were sent by someone the recipient knows. In the past, spear phishing was challenging to implement, but now some advanced cybercriminals use machine learning and artificial intelligence to execute these attacks more efficiently.
Who is the most vulnerable to social engineering attacks?
During tax season, the prime targets for tax refund scams are Green Card holders, small business owners, new taxpayers under the age of 25, and older taxpayers over 60. Cybercriminals assume these people may be less informed about tax policies and what to expect, so they may be more vulnerable to emotional manipulation. For example, the scammer may claim that the potential victim has missed an important tax deadline and pressure the victim to act quickly.
How to protect yourself against tax refund scams
If you know what to look for and how to handle suspect emails or phone calls, you can avoid becoming a victim of tax season social engineering attacks. Here are a few tips for effectively defending against social engineering attacks:
- Look for grammatical issues and typos. Often, phishing emails contain errors that are easy to spot. If a message includes several spelling or grammar errors, odds are good that it is not legitimate.
- Be sceptical. Always consider any unexpected emails or phone calls claiming to be from the IRS or other governmental agencies to be suspect. If you are concerned about the legitimacy of a sender or caller, don’t give the person any information. Instead, contact the IRS or governmental agency directly to verify the caller’s identity.
- Don’t share personal information. Don’t give out your Social Security number or credit card information over the phone or via email. Scammers may pressure you to do so and try to convince you that something terrible will happen if you don’t act immediately. Hang up or delete the email.
- Warn family and friends who may be vulnerable to attacks. Share cybersecurity information with others and encourage them to get educated. The Fortinet NSE Training Institute offers cybersecurity awareness training that covers key cybersecurity terms, the motivations behind cybercrime, attack methods, and protection tactics.
- Use technology to help prevent attacks. Secure email gateway (SEG) solutions such as FortiMail can protect all inbound and outbound email traffic. Like other Fortinet products, FortiMail integrates seamlessly with the Fortinet Security Fabric and is backed by FortiGuard Labs. FortiClient is an advanced endpoint protection solution with a built-in VPN client and zero-trust network access. It connects an endpoint such as a laptop with the Security Fabric and delivers integrated endpoint and network security.
Knowing what is and isn’t normal communication from the IRS or equivalent is critical, particularly during tax season. If you do encounter an IRS-related phone or email scam, you can report it to the Treasury Inspector General for Tax Administration using the form on the IRS Impersonation Scam Reporting website or by sending an email to phishing@irs.gov with the subject line “IRS Impersonation Scam.”
Educate yourself and stay safe during tax season
Although tax-return season can be stressful, knowing the signs of a social engineering attack can keep you from becoming a victim. By learning how the IRS contacts individuals, what constitutes a legitimate message, and what information should be provided, you can stay ahead of cybercriminals and keep your data out of their hands.
Fortinet made all of its self-paced online courses from the Fortinet Training Institute available for free to all, starting at the beginning of 2020. Whether you know very little about cybersecurity, you’re a student, or already have a career in computer science, these courses are designed to give participants a foundational and advanced understanding of cybersecurity tools and principles as well as the threat landscape. Learn about how you can become cyber aware and educated.
Learn more about the Fortinet free cybersecurity training initiative, the Fortinet NSE Training program, Security Academy program, and Veterans program.
