Over the next few weeks, 23 million small businesses will file their taxes.[1] While many of these companies are investing time and money to identify their 2013 tax deductions, most don’t realize that small businesses like theirs are being identified as online targets—an oversight that could result in devastating financial loss for their business. And at tax time, small businesses are especially lucrative targets for cybercriminals, particularly in the BYOD era where work and personal data is accessed on the same device, including bank records and sensitive emails.
In today’s interconnected world, organized crime syndicates utilize a variety of malicious tax-themed scams designed to lure victims and steal important financial information. For example, Symantec has detected a rise in tax-season-specific ‘phishing’ scams—referring to the attempted theft of sensitive information such as usernames, passwords, or credit card details by impersonating a trustworthy source, such as a bank.
Cybercriminals are also sending fake emails this season with HTML attachments that, when opened, infiltrate the user’s PC and capture personal data before sending it to an attacker-controlled server. This can be damaging to small business owners and their employees, as both business and personal information is then compromised and vulnerable. Below is a screenshot of one such HTML phishing scam, impersonating the HMRC (“her majesty’s revenue and customs,” the UK tax office):
We have also seen a variant of famed financial Trojan Zeus – known as Citadel – being used to steal financial credentials by leveraging trusted company names, such as TurboTax, to target victims:
And, while we haven’t yet seen malicious Ransomware threats, like Cryptolocker, used in these campaigns, we strongly encourage small business owners and employees to be especially cautious when opening any email messages sent from an unknown or questionable source throughout the tax season. Once Cryptolocker gains access to the system, important files on the device become encrypted, and only the cybercriminals can decrypt them. The data is then held for “ransom” with the criminal demanding payment in a digital, untraceable currency. Sadly, whether the ransom is paid or not, the victimized company rarely regains access to their files.
But all of these targeted attacks and phishing scams can all be avoided! To prevent cybercriminals from attacking your small business this tax season, Symantec offers the following tips:
Quick tips to help you protect yourself and your business:
- Make sure you have internet security software. Security software is the first line of defense you need between cybercriminals and the sensitive/financial data you keep on your computer, in your network, or in the cloud. And traditional antivirus software is no longer enough. Shop security products.
- Internet security software alone is not enough; you also need to back up your important data. Having a digital copy of your critical business information ensures that you can recover your critical data in the event of an attack or a system crash. Shop backup and recovery products.
- Utilize encryption for sensitive data. If you plan to use a wireless network to electronically file your taxes, be sure to use a secure Internet connection – never use public wireless hotspots. Shop encryption products.
- Be suspicious! Scammers are quite good at making emails and links look legitimate, and the most lucrative tax return schemes are based on identity theft, so ensure your email is truly sent from the advertised source before opening it. Also, always be apprehensive about providing financial information, such as your Social Security Number (SSN), bank or credit card account numbers, or security-related information like your mother's maiden name, online—look for trust identifications like the Norton Secured Checkmark before submitting.
- Require Password Protection. Password protect directories and accounts to ensure your data is defended from outside threats. Choose passwords with care—don't select a recognizable word, or something obvious, such as "password" or your name. Make your passwords as long and as complex as you can.
- Always log out completely. Whether you're on a tax site, an online store, or any site in which you've entered personal information, remember one step: log out when you're done. If you don't, you're exposing identity information to cyber thieves. This is especially true if you're using a public computer or a shared work computer.
- The IRS will never email you. Ever. If you get an email from the IRS or EFTPS (Electronic Federal Tax Payment System), don't respond. Instead, forward it to phishing@irs.gov. You should also know that the IRS will never call you by phone. Email threats about consequences for failing to respond or blocking access to your funds are always fraudulent.
- The postal system is not the safest way to receive checks from the IRS. Criminals look for unlocked mailboxes at tax time to steal tax return envelopes. Always have your refund directly deposited into your bank account to help ensure your money reaches you.
For more information on small business security products, visit: http://www.symantec.com/small-business and follow Symantec on Twitter, at @Symantec.