While your clients are busy preparing for the impact of coronavirus shutdowns on their businesses, MSPs must stay vigilant when it comes to the annual influx of tax scams.
In the past, these scams centered around W-2 form theft. Because of past incidents, W-2s are better tracked and protected than they used to be, and they have less value as a source of personal information cybercriminals are trying to steal.
That said, many filers and firms are still sorting out the complications introduced by the Tax Cuts and Jobs Act of 2017. Tax forms include lots of personal information that can be used to steal money, file fraudulent forms, and harvest data for additional cyberattacks.
Cybercriminals obtain these forms by using a spoofed or compromised account to request the documents. Because this type of scam doesn’t include attachments or spoofed URLs, it can be almost impossible to detect or block using traditional security technologies.
Tax season security tips
Your clients are likely going to be targets of some of these attacks, and it’s essential to take action to help them avoid becoming victims of tax season fraud.
- Provide common-sense advice. Remind clients that the IRS doesn’t make robocalls or ask for payments over the phone. IRS letters always include an official seal – so any mail lacking that seal can be ignored. If there’s a question about a communication purporting to be from the IRS, the client can contact the IRS directly for confirmation.
- Review security best practices. Make sure your clients’ security is updated and that their internal IT staff are following best practices, including having systems in place to protect against spear-phishing and impersonation attacks. Clients should have incident response plans in place (including a mechanism for reporting incidents to the IRS) and use data loss prevention (DLP) to prevent sensitive tax documents from being emailed to unauthorized recipients.
- Conduct awareness training. Help your clients safeguard their employees against common threats through awareness training that also teaches them which protocol to follow if there’s a breach. This training should include phishing simulations to help identify the most at-risk employees. Barracuda PhishLine uses computer-based training to teach employees how to recognize and avoid becoming victims of phishing attacks.
- Educate yourself and your clients about the most common tax scams. The IRS provides an annual list – here is the 2019 list. Review the list each year.
Create and review policies
In addition to the aforementioned best practices, MSPs should also encourage managers at their clients’ facilities to create policies that can help prevent scams, including protocols that require in-person or verbal confirmation for sensitive documents or financial transactions. They should also review existing policies around document retention, encryption, and transmittal.
You can also help your clients implement robust email protection and other technologies that can reduce the flow of fraudulent email. Barracuda Total Email Protection, for example, can help protect your clients using multiple layers of email security. Barracuda Essentials provides additional protection via technology like Data Leak Protection, Link Protection, and more.
To protect against more advanced phishing campaigns that can circumvent traditional security, Barracuda Sentinel uses artificial intelligence to detect corporate messaging anomalies that are the hallmarks of spear-phishing attacks and other types of fraud. This type of protection is especially critical for detecting attacks that leverage compromised email accounts that have been taken over by third parties.
When there’s a successful attack at a client site, Barracuda Forensics and Incident Response provides the tools you’ll need to respond and limit potential damage. Tax season will be challenging for your clients this year for several reasons — changes to the tax code, business disruption caused by coronavirus responses, and ongoing political and economic uncertainty, just to name a few.
It will be nearly impossible to predict market conditions and revenue over the next several months. MSPs can help relieve some of this burden by ensuring their clients don’t fall prey to cybercrimes this July.