New cybersecurity tax scam hits New Hampshire during tax time

By Jason Golden | April 24, 2018

Thwart hackers and stay vigilant to protect against a cybersecurity tax scam.

Email is an essential part of modern communications and is ubiquitous for most of us. News of recent email schemes targeting accounting firms and other companies during tax season is only the latest reminder that nobody is immune to sophisticated and dangerous scams.

In New Hampshire, we’re seeing a heightened email-based threat that gives the attacker full access to your emails and address book. The attacker then uses that access to impersonate you to others in your network. In many cases, the attacker uses your compromised email address to send requests to wire money or pay an attached invoice.

Phishing for information

The details of the schemes change all the time, but the general approach is the same. It’s called phishing, a form of social engineering. Cybercriminals use tactics over phone and email to make you trust their identities and give up one or more pieces of your or your company’s personal information. This includes bank account numbers, network passwords, or even the name of your company’s payroll provider. That information, combined with databases of stolen information that exist on the dark web (think of it as the black market of the Internet), essentially becomes the keys to access every aspect of your online and offline life.

A growing percentage of cybersecurity breaches are going undetected by the security teams at businesses. Companies often learn of the hack only when law enforcement or victims of the breach (usually your customers or clients) discover it and come calling. Because of its convenience and ubiquity, email is by far the most common vehicle cybercriminals use to try to trick unknowing individuals. The email might look like it comes from an official source, with logos and email signatures included to get you to let your guard down. But once you click that link, you may have opened the door to your sensitive personal data.

If your email is compromised, this could mean that your data has been breached. If you have a data breach, you are responsible for adhering to state privacy laws along with any compliance requirements that your business may fall under. You could be subject to fines, penalties and reporting requirements based on the breach. Just troubleshooting the incident can be very expensive once you engage the necessary technical, legal and forensic resources.

Eight ways to protect yourself from phishing scams

The best way to avoid falling for a phishing scam is by practicing defense in depth. Here are a few layers of protection against cybercriminals and a cybersecurity tax scam.

  1. Never click links in emails. It may seem drastic, but it is the most effective way to keep your email account from being compromised.
  2. Never sign in with your credentials unless you are 100 percent sure you know what system you’re connected to.
  3. Never enter personal information, usernames, or passwords over an unsecured Wi-Fi network.
  4. Be suspicious of anyone who calls asking for personal details. Comcast won’t call asking for your account number, and the IRS will never email you looking for your social security or bank information.
  5. Enable multi-factor authentication on any account that stores personal information. Multi-factor authentication requires more than one authentication requirement (e.g. a secondary code, a fingerprint, etc.) in order to access an account.
  6. Use complex passwords, but the most critical step is to never reuse the same password for different accounts. If you do, you’ve essentially created a master key for your private data.
  7. Notify your IT support if you think you received (or worse, were tricked by) a phishing scam. Report every suspicious email.
  8. Identify every physical device where your sensitive data is stored and implement proper device or drive encryption.

Hacking is a profitable industry for cybercriminals. If you haven’t been hit yet, it’s only a matter of time before your defenses are tested.

Ask yourself the following questions:

  • Are your employees trained to recognize suspicious calls or email requests?
  • Does your team understand the importance of adhering to your company’s information security policies?
  • Do you have an incident response process, and has it been tested?
  • Are you monitoring your security logs and managing your mobile devices?

We recommend that all organizations consider working with information security specialists to assess risk across the organization and put up a strong defense. Each incident must be treated as the biggest threat out there to your company and clients.

Because it is.

Jason Golden is Chief Information Security Officer at Mainstay Technologies, an IT and Cybersecurity firm that serves businesses throughout northern New England.