Why Hackers Love Tax Season and How You Can Protect Your Business
During tax season, personal information is exchanged at a much higher rate than at any other time of year.
Documents like W2s with Social Security numbers on them are just par for the course. It’s also a time of year when employers and employees engage in tax-related tasks that aren’t routine to them.
There’s often a bit of chaos getting everything in order and even a bit of anxiety over doing it right.
For hackers and scammers who rely on human error and deception, all of this combines to create ideal conditions. I was recently on FOX61 Morning news to offer tips to viewers to avoid tax season scams.
In recent years in Connecticut, we've had some noteworthy cases of W2 fraud.
In one instance, an employee at the Groton School District received what appeared to be an email from their boss asking for the W2 forms of all employees. They complied, unknowingly sending the personal information of 1,300 people to a hacker.
The hacker implemented the same scam with multiple school districts including Glastonbury, where they obtained information that enabled them to file fraudulent tax returns netting some $37,000.
They were ultimately caught, convicted, and sentenced to three years in prison, but this story is all too common. During tax season, companies and individuals frequently fall prey to scams like this, but we don’t hear about them because the victims aren’t public employees.
Typically, the hackers get away with it.
Taxes are confusing. It’s no wonder people get tricked.
The Groton School District story is a reminder that most hacks these days aren’t “brute force” attacks in which hackers gain access purely through technological means. They almost always trick individuals into giving up data.
This is all the more true during tax season when people are already sharing their data with accountants, financial planners, and the IRS.
The most common tactic is phishing, which is highly sophisticated these days. A hacker may gain access to an email account at your company and observe the schedule and writing style of the messages, then send an email asking for tax info at the right time and in the right tone for it to be believable.
There are many ways to pull off phishing attacks, so the one crucial rule to remember during tax season is not to email any sensitive information to anyone. Your accountant or comptroller should have a secure system for transferring documents online.
What can companies do to protect themselves from hackers during tax season?
Here are a few key practices that are a good idea year round, but especially prudent during tax season.
- Cybersecurity training – Regular employee training is an important part of any comprehensive cybersecurity strategy. Why not take an opportunity during the late winter or spring to do a tax-themed training session? Doing so will strengthen the biggest weakness in your cyber defenses (your employees) at your most vulnerable time of year.
- Make sure patches are up to date – Making sure your patches are up-to-date before beginning to prepare your taxes helps ensure that anyone who has gained access to your system and may be watching your activity gets booted from your system before you start poring over sensitive data.
- Add-ons to spam filter – Microsoft 365 (formerly Office 365) has an add-on that filters all links clicked by employees using their work email and makes sure that they lead to legitimate sites. With such sophisticated and realistic-looking phishing sites out there, this helps stop anything that made it through the spam filter. Another useful tool is OpenDNS, which checks all websites accessed on the company network to make sure they are real.
- Encrypted email – Adding email encryption to your company’s email platform is an effective way to ensure that hackers never gain access to sensitive data through email. If it sounds difficult to use, it’s not—users would never know it’s there and it can be set up and managed by an IT partner.
- Question the format of communications – The IRS only communicates via US Mail—never by phone or email. Similarly, it can’t hurt to double-check in person or by phone with anyone in your organization who asks for W2s or other info.
If you're still uncomfortable with where your cybersecurity is this tax season...
Kelser helps companies across Connecticut and Massachusetts defend themselves from these social engineering attacks during tax season (and year round) so we've seen firsthand how cybercriminals try to make the most of the season.
If you have any concerns about how your organization will fare against cybercriminals this tax season (and in general), feel free to reach out to us with any questions you may have.
You can also find more insights on phishing, social engineering attacks, and how to defend your organization from them in our Learning Center.