How to Protect Yourself & Your Business from Tax & Ransomware Scams
Social engineering attacks have been an ongoing problem for individuals and companies for years. When the pandemic began, criminals ramped up efforts to turn the global crisis into personal profit. Many of these scams involve social engineering ranging from simple phone, text, and social media schemes to more complicated email phishing scams that could result in the theft of personal information, passwords, or extortion.
Phone scams claiming to be from the IRS have declined in recent years. However, the IRS reports nearly 400 different phone scams were reported during 2020; almost 25 percent of these scams attempted leveraging fake tax liens to obtain money from people.
To avoid such scams, it is important to remember:
- The IRS contacts by mail, not phone. This also is true for many collection agencies.
- If a collection agency does initiate a communication by phone, it will not attempt to collect using gift cards, prepaid gift cards, money orders, or wire transfers.
- The IRS does not attempt collection of personal information using text messages, email, or social media.
In these situations, it is best to hang up the phone. Never give out personal information of any kind. Scams can be reported to the Treasury Inspector General for Tax Administration (TIGTA).
Ransomware has become a plague on nearly every business sector. These attacks, and the amounts demanded through ransom, have increased dramatically since the pandemic started.
According to a recent report by Cybereason, the demanded amount doubled in 2020 to $178,000. Worse, 80 percent of organizations that paid the ransom were attacked again—and the damage doesn’t stop there. Brands are often damaged in the public eye, revenue is lost if the business is closed during the attack, and layoffs often occur when the dust settles.
To further complicate the subject, the report also indicates nearly half of respondents that paid the ransom had some or all of the data corrupted. Another 3 percent indicated they never received any data back at all. Of those who did pay, 80 percent were targeted by another attack. Many believed subsequent attacks were by the same criminals as the first, which begs the question, “Should you pay?”
The Cybereason report found the top five solutions implemented after a ransomware attack were:
- Email scanning
- Data backup and recovery
- Endpoint protection
- Security operations center
- Security awareness training
The importance of social engineering security awareness training cannot be stressed enough. Researchers at Barracuda found spear-phishing campaigns rose 667 percent shortly after the pandemic began. Since people are always the weakest link in the security chain, phishing them is often the easiest method of introducing ransomware into an environment.
Training is key and should take a multifaceted approach. Here are a few tips to consider when planning your ongoing social engineering awareness training:
- Short emails to employees can be quick, helpful reminders. Keep them brief and informative. Longer emails are often skimmed or ignored.
- Consider performing your own internal periodic phishing tests. BKD clients whose employees have all successfully passed annual phishing tests typically conduct their own periodic internal tests.
- Consider implementing policies stating no URLs should ever appear in emails from other employees and under no circumstance should URLs be clicked.
- If using URLs cannot be avoided, always place the mouse cursor over them to check where they go before following. Extortionists who use Cryptolocker often create complex URLs that appear to lead to legitimate websites. Just because it includes the name of a company you recognize does not mean it belongs to that company.
- Never follow shortened URLs without knowing where they lead.
- Relying on typos or misuse of grammar is not enough to detect a phishing email. While this is almost always included in training, there is no guarantee a phishing email will be littered with errors.
- If the email asks you to do something, especially as a means of avoiding some kind of negative action, always verify the email’s legitimacy. Do this by phone or in person if possible. Do not reply to the email. If your attacker receives replies asking, “Is this real?” they will likely reply “Yes.”
- If you believe you have fallen for a phishing attack, change your password immediately and contact IT.
- Never download files from senders you do not know or internet sites that are unapproved by the organization. This is especially true for executable files regardless of the sender. It may look like an update but instead allow an attacker access to your computer.
The importance of social engineering training cannot be overstated. As reported cases keep rising and businesses continue operating in uncertain times, criminals will still take advantage wherever they find weakness. For assistance with cybersecurity, reach out to your BKD Trusted Advisor™ or use the Contact Us form below.