The Security Summit, consisting of the Internal Revenue Service (“IRS”), state tax agencies, and private-sector tax industry officials, is encouraging tax professionals during the 2019 summer season to take some time to assess their data security policies and review critical security steps to ensure adequate measures are in place to fully protect sensitive taxpayer information from cybercriminals and to help battle identity theft. As part of this initiative, the Security Summit has released a “Taxes-Security-Together” Checklist as a starting point for analyzing office data security in a special five-part weekly series over this summer. Snell & Wilmer cybersecurity and privacy lawyers are tracking these releases. Step 1 of the Checklist can be found here. Step 2 can be found here.
Step 3 is to educate yourself on e-mail phishing scams to avoid becoming a victim. Cybercriminals use phishing emails and malware to gain control of computer systems or to steal usernames and passwords. According to a recent Verizon report, where the method of malware installation is known, as much as 90% of all external data thefts begin with email, particularly phishing emails. The user clicks on a link that leads to a fake site, or opens an attachment embedded with malware that then installs itself on the computer.
Spear phishing emails pose as a trusted source and “bait” the recipient into opening an embedded link or an attachment. The email appears to come from a trusted source or from a known name within the organization that demands some sort of urgency and immediate action. The name of the sender may appear as if it is being sent internally by a known employee, but the email address itself is from an external source. The perceived trusted source could also be a thief posing as a prospective client sending unsolicited emails.
After an exchange of emails, the spear phishing thief will send a link or attachment that contains malicious software. These links or attachments may carry keylogging malware, for example, which secretly infects computers and lets thieves see every keystroke, allowing them to steal passwords or take remote control of computers to steal data. At other times the link sends the recipient to a fake site that mirrors a real one, tricking the recipient into entering usernames and passwords that the thieves then capture.
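The sender mismatch described above (an employee's name shown as the display name while the actual address is external) is something a mail gateway or triage script can flag. The following Python is an added illustration, not code from the Security Summit or this alert; the firm domain, staff names and sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed assumptions: the firm's own domain and a few directory names.
INTERNAL_DOMAINS = {"example-firm.test"}
KNOWN_STAFF = {"jane doe", "john smith"}  # lower-cased display names


def check_from_header(from_header: str) -> str:
    """Classify a raw From: value as 'internal', 'external' or 'suspicious'.

    'suspicious' is the spear-phishing pattern: the display name looks like a
    known employee (or even embeds an internal address), but the real sender
    address belongs to an outside domain.
    """
    display, addr = parseaddr(from_header)
    if not addr or "@" not in addr:
        return "suspicious"  # malformed or unparseable header: hold for review
    domain = addr.rpartition("@")[2].lower()
    name = " ".join(display.lower().split())
    if domain in INTERNAL_DOMAINS:
        return "internal"
    looks_internal = name in KNOWN_STAFF or any(d in name for d in INTERNAL_DOMAINS)
    return "suspicious" if looks_internal else "external"


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    '"Jane Doe" <jane.doe@example-firm.test>',                     # genuine colleague
    'Jane Doe <janedoe.partner@freemail.example>',                # employee name, outside mailbox
    '"john.smith@example-firm.test" <urgent-wire@newco.example>',  # internal address shown as the name
    'Prospective Client <info@newclient.example>',                 # ordinary outside sender
]


def triage(headers=SAMPLE_HEADERS) -> dict:
    """Return {verdict: [headers]} so suspicious messages can be held for review."""
    buckets = {"internal": [], "external": [], "suspicious": []}
    for header in headers:
        buckets[check_from_header(header)].append(header)
    return buckets


if __name__ == "__main__":
    for verdict, items in triage().items():
        for header in items:
            print(f"{verdict:10s} {header}")
```

A display name alone proves nothing about the sender; the check only raises a flag so the recipient confirms by phone, as the checklist below advises.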
Another cyber attack method, which the Federal Bureau of Investigation (“FBI”) has deemed a growing threat to businesses and others, is the use of ransomware. Rather than stealing data, thieves encrypt it, preventing access, and then demand a ransom in return for a code to decrypt the data. The FBI warns victims not to pay the ransom because thieves often do not provide the code.
Information security is only effective when employees are educated and know how to avoid phishing scams. The Security Summit recommends these steps to protect against data theft:
- Use separate personal and business email accounts; protect email accounts with strong passwords and two-factor authentication if available.
- Install an anti-phishing toolbar to help identify known phishing sites. Anti-phishing tools may be included in security software products.
- Use security software to help protect systems from malware and scan emails for viruses.
- Never open or download attachments from unknown senders, including potential clients; make contact first by phone, for example.
- Send only password-protected and encrypted documents if files must be shared with clients via email.
- Do not respond to suspicious or unknown emails; if IRS-related, the IRS encourages users to forward such emails to firstname.lastname@example.org.