By: Shannon McMurtrey
I absolutely love this time of the year. The Ozarks really starts to come alive with the beauty that many of us have probably come to take for granted over the years. I love the colors, the return of spring rains, spring turkey season, all of the new life, and the return of Cardinals baseball!
One thing that I really do not love, however, is the return of tax scams.
Many in the Ozarks, and all over the United States, have discovered that fraudsters have filed fraudulent tax returns in their name. It is a sickening feeling to learn that a criminal has somehow obtained your Social Security number and filed a return in your name. It is natural to wonder how in the world they obtained your data.
Unfortunately, that is a very difficult question to answer. With what seems like a new data breach being announced almost daily, there are a lot of potential avenues for a criminal to get your data. The IRS recently renewed its consumer alert for email schemes, after observing an approximate 400 percent increase in phishing and malware incidents so far in 2016.
I have written in this column in the past about “phishing,” the practice of sending an email to someone in hopes of getting them to click on a link or send information that the sender shouldn’t be able to access. There is another term that we should all be familiar with, “spear-phishing.” In a “spear-phishing” attack, the email that is sent is highly personalized, with information that would appear to be known only by those closest to you — friends, family, vendors, etc.
“Spear phishing” is the root cause of some of the most damaging cyber attacks currently being experienced by businesses of all sizes, many of them right here in the Ozarks. A couple of new variations on spear phishing attacks are starting to show up in the form of W-2 related scams and ransomware attacks.
In the W-2 scam, an email is sent to a payroll or HR professional — an email that appears to come from a senior executive (often the CEO or CFO). Of course, the email has been spoofed, but it will appear to be real unless it’s examined very closely. The email will request that the payroll professional send the CEO the individual W-2s for all employees, with an earnings summary for review.
Another variation that has been seen just asks for an updated employee list with name, Social Security number, date of birth, home address and salary. Unfortunately, because the request appears to be from the boss, in many cases this information gets sent to the requester without any questions asked.
This scam is particularly effective this time of year and has unfortunately already claimed many victims. If you receive anything requesting sensitive information, you should be extremely careful and diligent in verifying the identity of the person making the request and your need to provide it.
It should also be noted that email is not, at all, a secure channel of communication. Strong encryption should always be used when sending sensitive information via email.
Another attack that is having a devastating effect on small businesses is ransomware. Ransomware attacks are also often initiated via a spear phishing email. These attacks typically involve tricking the user into clicking on a link and/or downloading software.
The software contains malware that encrypts the user’s (or company’s) hard drive, locking up all of their sensitive files and making them unavailable. The only options to retrieve the files are to either pay the “ransom” (typically with bitcoin, which creates an entirely new set of headaches for the victim) or be willing to commit the resources/money/time it will take to remove the malware from the computer and restore the files from a backup. The latter is, by far, the superior option.
Exercising extreme care when clicking on links or installing software can prevent each of these types of attacks.
Mature organizations that have mature security processes in place better protect their corporate assets and, more importantly, their people (through effective controls and end-user education). Unfortunately, mature security operations are quite uncommon.
Most organizations lack the cybersecurity leadership needed to address these problems. This is evidenced by the more than 1 million unfilled cybersecurity positions, worldwide, that exist right now.
Until we, as a society, address this lack of cybersecurity leadership, we will continue to be plagued by these issues.
Shannon McMurtrey, Ph.D., is director of Missouri State University’s master’s program in cybersecurity, as well as program director for the master’s in computer information systems in the department of computer information systems. Email: email@example.com.
This article appeared in the May 13th, 2016 edition of the News-Leader.