Spear Phishing Emails

The Internal Revenue Service recently instituted a ten-part “Don’t Take the Bait” awareness campaign regarding cybercriminal tactics.  Part One covers Spear Phishing Emails.  This post summarizes the IRS’s information on this topic.

Spear phishing email is a common tactic used by cybercriminals to target tax practitioners. The security software firm Trend Micro reports that 91 percent of all cyber attacks and resulting data breaches begin with a spear phishing email.  If the criminal’s spear phishing strategy succeeds, the criminal will steal the practitioner’s client information and use the information to file fraudulent tax returns using the client’s name.

The most common spear phishing emails are:

  1. An email from a prospective client with an attachment that the recipient is asked to open.
  2. An email from a prospective client that asks the recipient to click on a hyperlink to get more information about the client.
  3. An email that identifies the sender as the IRS or a software provider and asks the recipient to update their information by clicking a link that goes to a webpage.

In a spear phishing email, if the recipient opens the attachment or clicks the hyperlink, malware is downloaded onto the recipient’s computer. The malware records the recipient’s keystrokes (for example, a password as it is typed) and sends them to the criminal, who can then use the captured credentials to access the recipient’s password-protected programs and documents.

Alternatively, a recipient may be asked to update information on a website that the criminal created. In many cases the fake website looks very much like the real one. The recipient is asked to update his or her information (reset passwords, re-enter credit card numbers or ID numbers), and the criminal captures that data and uses it in further criminal activity.

The IRS provided an example of a spear phishing email that targeted a tax professional during the 2017 filing season.

The IRS recommends that tax professionals consider these basic steps to reduce the risk of becoming the victim of a spear phishing attack:

  1. Educate all employees about phishing in general and spear phishing in particular.
  2. Use strong, unique passwords. Better yet, use a phrase instead of a word. Use different passwords for each account. Use a mix of letters, numbers and special characters.
  3. Never take an email from a familiar source at face value; example: an email from “IRS e-Services.” Be particularly cautious of emails that ask you to open a link or attachment. Visit the e-Services website for confirmation.
  4. If an email contains a link, hover your cursor over the link to see the web address (URL) destination. If it’s not a URL you recognize or if it’s an abbreviated URL, don’t open it.
  5. Consider a verbal confirmation by phone if you receive an email from a new client sending you tax information or a client requesting last-minute changes to their refund destination.
  6. Use security software to help defend against malware, viruses and known phishing sites and update the software automatically.
  7. Use the security options that come with your tax preparation software.
  8. Send suspicious tax-related phishing emails to phishing@irs.gov.

To learn more, visit https://www.irs.gov/newsroom/dont-take-the-bait-step-1-avoid-spear-phishing-emails.

Posted by Teresa Rankin Klenk, JD, LLM
