Security pros need to be on high alert from now until Tax Day on April 15. Here are seven ways to help keep your company safe.
Security pros need to impress upon the staff that high-profile hacks can and do happen during tax season. The most famous one – the Office of Personnel Management (OPM) hack – happened during the 2014 and 2015 tax seasons. Some 21.5 million people had their Social Security numbers and employment, health, and financial histories exposed.
In preparation for tax season, the IRS has posted its Identity Theft Central page, which serves as an excellent resource for individuals, tax professionals and businesses. The site offers step-by-step instructions on what to do if you receive a suspicious IRS-related email or phone call.
Read on for ways to help keep your company and staff secure during tax season.
Hold a tax-season training session early in the year.
Monique Becenti, product and channel marketing specialist at SiteLock, says companies should schedule a security awareness session just before the start of tax season – right after the holidays in early January. Most tax scams happen during the first part of tax season in late January and around the April 15 deadline day.
Eva Velasquez, CEO of the Identity Theft Resource Center, advises that at those training sessions companies also need to celebrate the people who question an email that appeared suspicious but actually was legitimate. “We celebrate the people who catch a phishing attempt,” she says. “But we also need to create a culture where people feel they can report suspicious activity without fear of retribution.”
Teach the staff about Business Email Compromises (BECs).
SiteLock’s Becenti says one of the more common BEC attacks during tax season is one in which a lower-level person in the accounting department receives an email posing as the CFO or CEO and asking for the W-2s of the entire staff. In another scam, fraudsters send employees links, claiming that they need to update their tax information. Clicking on the link could lead to identity theft or worse – a company-wide ransomware attack. Coveware reports that the median ransomware payment in Q4 2019 was $41,179.