Not your Father’s Phishing
As we approach Tax Day, it’s a great time to talk about personal information security, and specifically, how to avoid phishing scams.
Scams Increase during Tax Season
For those who don’t know, phishing is a form of fraud where the scammer attempts to gain access to your personal information by posing as a reputable source in an electronic communication, e.g. the email scammer who claims to be from your bank but really just wants to scrape your password and other key information.
Most of the time, scammers pose as “Security” assistance and use that supposed authority to encourage you to share information with their team. The pitch is that you have lost access to your account: to regain it, simply provide your critical information, and the “security team” (the scammer) will reset your account’s security measures. Many times, these scammers have created associated email addresses and realistic-looking content that mirrors what your bank or organization might actually send. For example, a scammer posing as a bank could send an email from an address along these lines: email@example.com or firstname.lastname@example.org.
Peak Phishing Season
While scammers don’t have an offseason, there are definitely peak periods where users should be extra vigilant. Tax season is one of those times because scammers are looking for easy access to your information, so they can claim your tax returns.
Per Krebs on Security, once a scammer has claimed your return, you won’t be entitled to that money. Scammers also target individuals after a return has been submitted, claiming the filer submitted the information incorrectly. They’ll pose as an agency looking to help you, and will lie, telling you that you could face the threat of criminal charges if you don’t comply. These tactics are designed to make the scam seem official. This results in scared and vulnerable users.
What can you do to recognize and prevent phishing scams?
First and foremost, pay attention to all requests for personal information, especially if they look genuine. Be a skeptic, and watch out for the following warning signs:
- The incoming message is unsolicited and asks you to either update, confirm or reveal personal information – passwords, SSN, account numbers, etc.
- The message has a “Must Complete By ___” component. Only scammers need information immediately, so this urgency is a big red flag.
- The message has broken or false links. This includes URLs that start with “http://” rather than “https://”; the missing “s” indicates a link that is not secure.
- The message is not personalized or could have been sent out to a mass audience.
- There are grammar mistakes!
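The warning signs above can be turned into simple checks. The following is an added example, not part of the original post: a heuristic Python scanner that reports which of the listed signs appear in a message, run against two constructed sample emails (the word lists, domains and messages are invented for illustration).

```python
import re

# Heuristics for the article's warning signs; word lists and messages are constructed.
SENSITIVE_REQUEST = re.compile(
    r"\b(confirm|verify|update|reveal|provide|enter)\b[^.\n]{0,60}"
    r"\b(password|ssn|social security|account number|pin)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|must complete by|"
                     r"by midnight|suspended|criminal charges)\b", re.I)
GENERIC_GREETING = re.compile(
    r"^(dear|hello|hi)\s+(customer|user|member|account holder|valued)\b", re.I | re.M)
HTML_LINK = re.compile(r'<a\s+href="([^"]+)"\s*>([^<]+)</a>', re.I)
BARE_URL = re.compile(r'https?://[^\s<>"]+', re.I)
COMMON_TYPOS = {"acount", "recieve", "verifiy", "securty"}

SUSPICIOUS_MSG = """Subject: URGENT: verify your account within 24 hours
Dear Customer,
Your acount has been suspended. You must complete verification by midnight
or face criminal charges. Confirm your password and SSN here:
<a href="http://bank-secure-login.example/verify">https://www.mybank.example/login</a>
"""
LEGIT_MSG = """Subject: Your March statement is ready
Hi Jordan,
Your statement is ready at https://www.mybank.example/statements
We will never ask for your password or SSN by email.
"""

def domain_of(url: str) -> str:
    """Lower-cased host part of a URL, without scheme or path."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()

def phishing_indicators(message: str) -> list[str]:
    """Return the article's warning signs that appear in one message."""
    hits = []
    if SENSITIVE_REQUEST.search(message):
        hits.append("asks for personal information")
    if URGENCY.search(message):
        hits.append("artificial deadline or threat")
    if GENERIC_GREETING.search(message):
        hits.append("not personalized")
    # Links: plain http (no "s"), and anchors whose visible URL differs from the real target.
    if any(u.lower().startswith("http://") for u in BARE_URL.findall(message)):
        hits.append("insecure http link")
    for href, text in HTML_LINK.findall(message):
        if BARE_URL.fullmatch(text.strip()) and domain_of(href) != domain_of(text):
            hits.append("link text does not match destination")
            break
    if COMMON_TYPOS & set(re.findall(r"[a-z]+", message.lower())):
        hits.append("spelling mistakes")
    return hits
```

Note that the legitimate sample mentions “password” and “SSN” but is not flagged, because the check requires a request verb nearby; heuristics like these reduce noise but are no substitute for verifying a message with the sender through a known-good channel.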
And in general, if you’re unsure if a message is legit, DON’T RESPOND! Instead, contact your trusted IT advisor, maybe that’s us, and let an expert check it out for you!
If you’re looking for ways to help your entire office, consider a service like KnowBe4. This simple security awareness training program helps your team become better at preventing phishing scams. The KnowBe4 team tests your defenses, trains your staff on how to improve, and then follows up with another test scam a few months later. This approach has significantly helped a number of enterprise-level organizations develop a more secure network of users, greatly reducing phishing problems over time.