The cybersecurity world continues to evolve, with new warnings arriving about email phishing campaigns and targeted ransomware scams. The Small Business Administration released an alert this week about bad actors impersonating the SBA and its Office of Disaster Assistance.
Meanwhile, the IRS and state tax agencies say tax professionals and taxpayers alike are being targeted thanks to increased remote work and economic impact payments related to the coronavirus pandemic. And in Canada, the Canada Revenue Agency (CRA) had to temporarily suspend its online services related to tax returns and the COVID-19-related Canada Emergency Response Benefit (CERB).
The goal in these cases is simple: cybercriminals are trying to collect personally identifiable information that can be used for malicious purposes. In the case of the SBA, applicants for federal aid related to COVID-19 through the Economic Injury Disaster Loan Program are being asked to verify their private information using a third-party online platform.
IRS Commissioner Chuck Rettig drew a direct line between email scams like this and data theft: “The vast majority of data thefts start with a phishing email trick,” he said in a security summit communication about protecting tax data at home and at work. “Identity thieves pose as trusted sources—a client, your software provider, or even the IRS—to lure you into clicking on a link or attachment. Remember, don’t take the bait.”
How Can You Protect Your Business?
By learning how to identify, avoid, and report such scams.
Phishing emails purport to contain an urgent message about things like an expired account password or an unconfirmed piece of important information. These messages will encourage users to click on an official-looking link that redirects to a fake site designed to appear like a trusted one, where prompts will ask for usernames, passwords, or even private details like Social Security numbers or financial account information. If you see “urgent,” “action needed,” or similar statements in an email subject line or body copy, proceed with caution.
Opening an illicit attachment in a phishing email can lead to immediate trouble, infecting a user’s computer or even spreading to a connected network. Unless you’re expecting a specific file from a specific, trusted co-worker, DO NOT open unknown PDFs, ZIP files, WAV or MP3 audio files, Word documents, or Excel spreadsheets. The same goes for links to collaborative files like Google Docs. If you do receive an unexpected attachment from a trusted source, verify its authenticity with that person before opening it.
Before you click any links in an email—even those from a trusted source—double-check that what’s displayed is where the link directs. To do this, hover over the link with your mouse to make sure it’s legitimate. If the text contains long strings of nonsensical characters or looks suspicious, DO NOT click on it.
This applies to the link check outlined below. If the email copy says http://www.website.com, the preview link should also say http://www.website.com, not www.webslte.com. Additionally, check the “From” field of any email you’re unsure about to make sure the user’s display name and email address are correct: email@example.com can look quite a bit like firstname.lastname@example.org if you aren’t looking closely. Similarly, awkward phrases in body copy like “Dear customer” are immediate red flags. On the user level, you can mark phishing or scam emails with a Junk, Spam, or another tag, depending on your email application. But on a business-wide level, enhanced email security can offer you and your employees extra protection.
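The hover check described above can also be automated on the mail-filtering side. The following is an added example, not part of the original article: it parses an HTML email body and flags every link whose visible text names one site while the underlying address points to another. The function names and the sample message are constructed for illustration; the two hostnames are the ones used in the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible link text that itself looks like a URL or bare hostname.
URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)

def host_of(url):
    """Lower-cased hostname without a leading 'www.', or '' if none."""
    if "://" not in url:
        url = "http://" + url          # let urlparse handle bare hostnames
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a href=...> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:     # only collect text inside a link
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html_body):
    """Return (shown_host, real_host) pairs where the text and the href disagree."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    return [(host_of(t), host_of(h)) for t, h in parser.links
            if URLISH.match(t) and host_of(t) != host_of(h)]

# Constructed sample body, using the two hostnames from the article.
SAMPLE = ('<p>Action needed: <a href="http://www.webslte.com/login">'
          'http://www.website.com</a> or read our '
          '<a href="http://www.website.com/help">help page</a>.</p>')

print(mismatched_links(SAMPLE))
```

Links whose visible text is ordinary wording, such as "help page", are not flagged by this check and still need the manual hover test.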
Layers of network security and content filtering can stop some unauthorized phishing attempts, while reporting spam can make a big difference by training email applications to recognize illicit addresses. Employers should also take extra steps to notify their staff if critical communications are expected—when, and from whom. Even the highest levels of cybersecurity require intelligent human beings to beef up those automated systems.
Eliminating the threat of fraud or infection delivered via email is difficult, especially with fresh, topic-specific phishing attempts emerging every day. However, with proactive cybersecurity protection and the right education for employees, every business can increase its chances of keeping data safe.
At CMIT Solutions, we work 24/7 to prevent our clients from being harmed by phishing attempts, ransomware scams, data hacks, breaches, malware, and more. If you want to protect your information and prevent IT problems, contact CMIT Solutions today.