Get a Quote

New Email Schemes Target Small Businesses and Tax Professionals

The cybersecurity world continues to evolve, with new warnings arriving about email phishing campaigns and targeted ransomware scams. The Small Business Administration released an alert this week about bad actors impersonating the SBA and its Office of Disaster Assistance.

Meanwhile, the IRS and state tax agencies say tax professionals and taxpayers alike are being targeted thanks to increased remote work and economic impact payments related to the coronavirus pandemic. And in Canada, the Canada Revenue Agency (CRA) had to temporarily suspend its online services related to tax returns and the COVID-19-related Canada Emergency Response Benefit (CERB).

The goal in these cases is simple: cybercriminals are trying to collect personally identifiable information that can be used for malicious purposes. In the case of the SBA, applicants for federal aid related to COVID-19 through the Economic Injury Disaster Loan Program are being asked to verify their private information using a third-party online platform.

IRS Commissioner Chuck Rettig drew a direct line between email scams like this and data theft: “The vast majority of data thefts start with a phishing email trick,” he said in a security summit communication about protecting tax data at home and at work. “Identity thieves pose as trusted sources—a client, your software provider, or even the IRS—to lure you into clicking on a link or attachment. Remember, don’t take the bait.”

How can you protect your business? By learning how to identify, avoid, and report such scams.

1) Beware of any so-called urgent message.

Phishing emails purport to contain an urgent message about things like an expired account password or an unconfirmed piece of important information. These messages will encourage users to click on an official-looking link that redirects to a fake site designed to appear like a trusted one, where prompts will ask for usernames, passwords, or even private details like Social Security numbers or financial account information. If you see “urgent,” “action needed,” or similar statements in an email subject line or body copy, proceed with caution.

2) Do not open unknown or unexpected attachments.

Opening an illicit attachment in a phishing email can lead to immediate trouble, infecting a user’s computer or even spreading to a connected network. Unless you’re expecting a specific file from a specific, trusted co-worker, DO NOT open unknown PDFs, ZIP files, WAV or MP3 audio files, Word documents, or Excel spreadsheets. The same goes for links to collaborative files like Google Docs. If you do receive an unexpected attachment from a trusted source, verify its authenticity with that person before opening it.

3) Use the same level of caution with links.

Before you click any links in an email—even those from a trusted source—double check that what’s displayed is where the link directs. To do this, hover over the link with your mouse to make sure it’s legitimate. If the text contains long strings of nonsensical characters or looks suspicious, DO NOT click if it.

4) Look for misspellings, too.

This applies to the link check outlined above. If email copy says, the preview link should also say, not Additionally, check the From field of any email you’re unsure about to make sure the user’s display name and email address are correct: can look quite a bit like if you aren’t looking closely. Similarly, awkward phrases in body copy like “Dear customer” are immediate red flags. 

5) Take email security to the next level.

On the user level, you can mark phishing or scam emails with a Junk, Spam, or other tag, depending on your email application. But on a business-wide level, enhanced email security can offer you and your employees extra protection. Layers of network security and content filtering can stop some unauthorized phishing attempts, while reporting spam can make a big difference by training email applications to recognize illicit addresses. Employers should also take extra steps to notify their staff if critical communications are expected—when, and from whom. Even the highest levels of cybersecurity require intelligent human beings to beef up those automated systems.

Eliminating the threat of fraud or infection delivered via email is difficult, especially with fresh, topic-specific phishing attempts emerging every day. However, with proactive cybersecurity protection and the right education for employees, every business can increase its chances of keeping data safe.

At CMIT Solutions, we work 24/7 to prevent our clients from being harmed by phishing attempts, ransomware scams, data hacks, breaches, malware, and more. If you want to protect your information and prevent IT problems, contact CMIT Solutions today.


We can help. Whatever your technology problem is, chances are, we've seen it before.