If you work on accounting or human resource, the past few months might have been a busy season for you – tax season.
Either working in-house, accounting firm or a tax-processing company, you have a profusion of forms and sheets to fill in. In these forms and sheets lies significant information of your clients, personal identifiable information (PII) in particular.
Nevertheless, when you stay unconscious of the security risk in your working environment, your clients’ information will be at stake once you become the target of a business email compromise (BEC), a kind of phishing scam.
The trick you might fall for
You must have heard of a wide variety of phishing scams. The baits are usually a seemingly familiar and reliable claimed sender and an urgent request.
Accordingly, in the case of BEC, the claimed sender would be your boss or someone who works at your company. Through social engineering, the scammers would know you and your boss so well that they are aware of who you work with or work for, how you usually communicate with each other, as well as what you are working on recently.
With such an all-round knowledge about you, the scammers could easily impersonate as your dear colleagues. They may have several rounds of email conversation with you before asking you for what they want.
Having fully gained your trust, they would either send you a phishing website or directly ask you for W-2 information of employees in the company. No matter which path they take, they will gain access to a large number of PII.
Consequently, they will steal tax returns from the pockets of taxpayers you are responsible for. Meanwhile, personal information via phishing emails, popular on underground markets, is much likely to be used to stage future attacks.
This is no new trick
As early as March 2016, a growing line of corporations and businesses have been found to have fallen for similar schemes. Companies like Seagate, Snapchat, and Sprouts Farmer’s Market were among the businesses that were victimized by email scams that use the same modus.
By the end of the same month, Pivotal Software, a San Francisco-based software and services company, was breached via a phishing scheme that leaked an undisclosed number of employee tax information. Similar scams also happened in the education sector.
Do take precautions
We are increasingly relying on email as the primary tool for information exchange and storage in workplaces. Therefore, scammers are making more and more efforts to compromise business emails. Accordingly, we shall take stronger precautions against BECs. For example:
- Carefully scrutinize all emails. Be wary of irregular emails that are sent from C-suite executives, as they are used to trick employees into acting with urgency. Review emails that request transfer of funds to determine if the requests are irregular.
- Educate and train employees. While employees are a company’s biggest asset, they’re also usually its weakest link when it comes to security. Commit to training employees according to the company’s best practices. Remind them that adhering to company policies is one thing, but developing good security habits is another.
- Use effective anti-phishing tools. Installing a professional anti-phishing add-in to your Outlook would be a good choice. e.g. Mr. Post. Backed by the top-rated threat intelligence and emerging AI (artificial intelligence) technology, it informs you of any potential risk with one click. Currently free and available on Microsoft AppSource.
If you’d like to recommend this add-in to the whole organization instead of installing it one by one, you can use “Centralized Deployment” to finish whole deployment in one minute.
Here is a video to guide you through the installation.
 Photo by Gregor Cresnar, Chanut is Industries, Ralf Schmitzer and Creative Stall from the Noun Project.