09/20/2007
by Kay Bell
How do e-mail con artists known as phishers continue to net victims? One tactic is to take advantage of tax worries. Here’s how to make sure your company doesn't fall prey.
Phishing, the e-mail scam in which con artists try to get financial data that can be used to empty bank accounts or max out credit lines, is not restricted to individual victims. Phishers realize that even limited success on a corporate level is potentially much more lucrative than thousands of attempts aimed at individuals.
In fact, 2005 data from the Federal Trade Commission shows that malicious electronic messages produced business losses of $2 billion.
Given the publicity that phishing has received in recent years, just how do the scams continue to succeed? Part of the reason is the phishers' lure. And one of the most powerful hooks is taxes.
In May, electronic criminals went “spear phishing.” In this selective con, business executives received e-mails purporting to be from the IRS Criminal Investigation division. The fake messages told recipients their companies were under investigation for submitting a false tax return to the California Franchise Tax Board. Concerned about being incorrectly labeled a tax delinquent, some recipients clicked on the message’s link or opened its attachment to get more details.
Instead, they let loose a Trojan Horse program that took over company computers.
Technology experts don't see phishing season ending any time soon. Symantec, the online security software company, conducts a semiannual Internet Security Threat Report. Its latest examination covered security concerns from July 1, 2006, through Dec. 31, 2006. During that period, Symantec found, on average, that 904 unique phishing messages were sent each day. That’s a 6 percent increase over the first six months of last year.
Symantec also noted a new trend. Substantially more phishing messages last year were sent Monday through Friday, indicating that phishing activity is now more closely mirroring the business week.
That means employees are even more likely to get such scam e-mails. And when an individual takes the phishing bait at a company computer, a business’ entire network can be compromised. Confidential corporate data, customer records, network passwords or trade secrets, not to mention access to financial accounts, could soon be at the criminals’ fingertips.
To ensure that your company isn't caught in the next phishing net, here are some things security experts and the IRS say you should keep in mind:
- Make sure your employees know that the IRS doesn't send out reminder e-mails. That means any such messages about tax-filing responsibilities, problems with a return or reporting requirements are not from the federal government and should be ignored.
- If you have any concern or reason to believe your company might have a tax issue, call the IRS directly for clarification.
- If you or an employee has a legitimate reason to seek online tax information, make sure the site is legitimate. The only IRS site is www.IRS.gov. Any other URLs with extensions such as .com, .edu or .org might well be useful Web sites, but they are not the official online IRS presence. In a worst-case scenario, these other “IRS” sites could be fake ones established solely to dupe users in order to infect or access a computer or network.
- Make sure your employees know company policy regarding use of office computers for personal business. If you have not created and disseminated such a policy, do so immediately. All it takes is one employee to bite on a phisher’s tax message to jeopardize your company’s network.
- Install security software on your network and keep it up-to-date. Make sure it includes spyware as well as virus protection and a firewall to keep intruders from accessing your office system. Install spam filters on your network to screen out the bulk of unsolicited e-mails.
- Require employees to use passwords that mix uppercase and lowercase letters and other characters, and to change those passwords periodically. For added security, consider adding further authentication procedures.
- Use encryption software to safeguard sensitive company files.
- If your employees use wireless networks while traveling, remind them to make sure any off-site connection is legitimate. Some phishing scams lure victims by setting up fraudulent Web sites that appear to be log-in sites for legitimate wireless hotspot vendors.
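As an added example that is not part of the article, here is a small Python mail screen built on the article's own rule that the only IRS site is IRS.gov and that the IRS does not send tax e-mails: it flags messages whose sender or links are IRS-branded but not irs.gov, and attachments riding on such a lure. The sample message, sender and hostnames are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Built on the article's rule: the only official IRS site is IRS.gov, and the IRS sends no tax e-mail.
OFFICIAL_IRS_DOMAIN = "irs.gov"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IRS_LABEL = re.compile(r"(^|[.-])irs([.-]|$)", re.IGNORECASE)  # "irs" as a label in a hostname

def is_official_irs_host(host):
    host = host.lower().rstrip(".")
    return host == OFFICIAL_IRS_DOMAIN or host.endswith("." + OFFICIAL_IRS_DOMAIN)

def looks_irs_branded(host):
    # Catches lookalikes such as irs-gov.example.com or www.irs.gov.example.org
    return bool(IRS_LABEL.search(host))

def screen_message(raw):
    """Return the reasons a message looks like an IRS phish ([] means nothing found)."""
    msg = message_from_string(raw)
    reasons = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if is_official_irs_host(sender_host):
        reasons.append("sender claims irs.gov, but the IRS does not send tax e-mails")
    elif looks_irs_branded(sender_host):
        reasons.append("IRS-branded sender domain is not irs.gov: " + sender_host)
    text, has_attachment = [], False
    for part in msg.walk():          # a non-multipart message walks as itself
        if part.get_filename():
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            text.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    for url in URL_RE.findall("\n".join(text)):
        host = urlparse(url).hostname or ""
        if looks_irs_branded(host) and not is_official_irs_host(host):
            reasons.append("link to IRS lookalike host: " + host)
    if reasons and has_attachment:   # an IRS-themed lure with a payload, as in the article
        reasons.append("IRS-themed message carries an attachment")
    return reasons

# Constructed sample modelled on the spear-phish the article describes (not a real message).
SAMPLE_PHISH = """From: IRS Criminal Investigation <ci@irs.gov>
Subject: Notice of investigation - false tax return
Content-Type: text/plain

Your company is under investigation for a false return filed with the California
Franchise Tax Board. Review the case at http://www.irs-investigation.example.com/case/4471
"""
```

Running `screen_message(SAMPLE_PHISH)` yields two findings (the spoofed irs.gov sender and the lookalike link), while an internal note that links to https://www.irs.gov/ produces none.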
If any phishing e-mails claiming to be from the IRS show up in your company’s e-mail system, the tax agency wants to know about them.
Forward the scam messages to phishing@irs.gov. Since creating the mailbox in 2006, the IRS has received almost 18,000 e-mails reporting more than 240 separate phishing incidents. Investigations by the Treasury Inspector General for Tax Administration (TIGTA) have identified host sites in the United States and at least 26 other countries. The IRS and TIGTA are working with the U.S. Computer Emergency Readiness Team (US-CERT) and various Internet service providers and international CERT teams to take the phishing sites off-line as soon as they are reported.