Tax Season is a Time to Be Aware of Phishing Attacks

It’s tax time, so you should think twice before clicking on that link in your email inbox. What may look like a legitimate communication from your bank, financial institution or email provider may actually be part of a scheme designed to steal the confidential information stored in your computer, or to gain access to the network it’s attached to.

Experts warn that tax season is a prime time for this brand of fraud, known as “phishing,” in which hackers are out to steal your information in hopes of using it to file a false tax return.

Phishing emails remain one of the top causes of data breaches. While people are more aware of their danger than ever before, the lures continue to evolve and increase in sophistication, making it tough for the average person to discern which emails are legitimate and which ones aren’t.

Here are a few answers to common questions about phishing:

Why Is It So Bad This Time of Year?

Phishing peaks during tax season, partly because it’s a time of year when many people are accustomed to entering their most personal information, such as their Social Security number or bank account information, on websites.

Hackers can use this information to file false tax returns and steal your refund.

This year is no exception. Earlier this month, the IRS said that it stopped an attack on the e-filing portion of its website. Hackers tried to use a combination of malware and 464,000 Social Security numbers that had been stolen elsewhere to generate PIN numbers that could be used to file fraudulent returns.

Thankfully, no taxpayer data was stolen from the IRS computer systems as a result of the hack.

Phishing also spikes around Christmas, with attacks in the form of fake delivery notifications. Thieves also often tie phishing emails to major sporting events, or natural disasters like overseas earthquakes.

What’s the Difference Between Phishing and Spear Phishing?

Phishing is like a person casually throwing a rod in a lake and waiting for a bite. Phishing emails don’t contain a lot of specifics, but are quick and easy to send out in mass quantities.

“Spear phishing” is much more targeted and personalized. The people behind those attacks spend time researching their targets in order to create highly customized emails that look much more legitimate and are much more likely to be clicked on.

The rise of social media has made this a lot easier. Thanks to Facebook and Twitter, details such as a person’s place of employment, where they bank, where they like to shop, and the names and ages of their children are just a few clicks away.

What Other Red Flags Should I Be on the Lookout For?

In an effort to get more people to click on a link before thinking about the possible consequences, many phishing emails will give an impression of scarcity, or include some kind of time limit.

For example, an email made to appear to be from a person’s bank or email provider may state that if that person doesn’t click on the enclosed link within 24 hours, they will be locked out of their account.

And while poor English and long, complex web links were previously sure signs of phishing, they’re not as prevalent anymore. Many overseas hackers are no longer using clunky translation websites, because there are fluent English speakers who specialize in translating phishing emails.

Meanwhile, it has become easier to shorten the Web links that direct people to fake websites.

You should be wary of emails purporting to be from banks or other companies you do business with if you did not opt in to receive emails from them. Be aware that banks generally do not include Web links in emails.

Be aware of this: links can take you to a fake website where you will be asked to log in, and those credentials will ultimately be stolen.

In addition, phishing attacks do not just come in the form of email. They can come as text messages as well, with those links often containing viruses.

Is There Any Way To Prevent a Phishing-Related Hack?

Basic cyber hygiene can go a long way toward preventing a data breach, even if a link in a phishing email gets accidentally clicked on.


Using different passwords for different accounts, enabling two-factor authentication and changing passwords frequently can all be a big help. In addition, companies should test their employees by periodically sending out fake phishing emails to see who falls for them.

Also, organizations need to make sure their security keys are up to date, along with their anti-spam filters, so past bad senders don’t keep getting through.

In the end – even if you do not remember most of this – one simple rule will do a lot to protect you.
