Vestige and McGuireWoods law firm are presenting to the SAME BOSTON POST on October 3. Topic: What to Know Before the CMMC Auditor Arrives.


Tax Season Alert


Tax Season Alert

Author photo
Vestige Digital Investigations, CTO and Founder

It is the beginning of a new year (new decade as well) and with the new year, football is wrapping up, college basketball is nearing March Madness and of course, we are heading full steam into tax season.  You know what that means?

Prime business scam season! Continue reading to learn some ways to avoid scams during tax season.

Tax Season Alert – Beware of Scams

At this time of year companies are issuing W-2 forms, there are new enrollments for insurance, company and personal taxes are being prepared and filed.  You may even be switching contractors, vendors and accountants.  With all of these changes come requests for data.  Requests for payroll information, employee census information, and other data.  Changes in vendors, contracts and professional services mean changes in payment information.

The bad actors know this, count on it and are ready to capitalize on it.

What can you do to protect you and your company?  Let’s first talk about what the bad actors are doing and then finish up with some tips.

Most of these incidents start with a phishing scam.  The bad actor may register an email address that is very similar to someone of importance.  Maybe your accountant is accountant@PAYROLL.COM.  The bad actor may register accountant@PAYR0LL.COM.  Did you spot the change?  Look at again at the letter “O”.  The bad actor will then try to coerce you into sending W-2 forms or some other type of employee information under the guise of doing taxes but in reality the bad actor will use that to steal your employee’s identity.

The bad actor may go further.  The phishing email may not be from your accountant but may be an email tricking you into signing into your Office 365, Gmail or other account.  The email and subsequent website may look legitimate but in reality it is a front for the bad actor to steal your username and password.  If they have your email, they will use that to change passwords on financial accounts, make transactions, etc.  That’s ok, you say, because you’ll get those email notices of any changes and catch them in the act.  Nope, because the bad actor has set up rules in your mailbox unbeknownst to you to delete or forward those notices.

Be on the lookout this year for “deepfakes”.  Namely you may find yourself on the other end of a phone call where a voice that sounds just like someone of authority is giving you new directions for payments or transfer of data.

It isn’t just company accounts to be worried about either.  Personal accounts are at risk.  With the blending of everyone’s personal and business lives, those personal accounts may lead to a compromise of business information too.  The same tactics explained above may be used.

Cyber Protection Tips

So, what can you do to protect your company against tax scams? A few things.

First, protect your accounts, whether they are email accounts or banking accounts.  Set up two factor authentication (2FA).  Most, if not all online accounts allow for it and if they don’t, you may need to reconsider their usage.  It really takes nothing to enter in your username and password and wait 5 seconds for a text to your phone.

Second, do a review of your accounts.  Have you changed your password lately?  What about security questions, are those set up?  With the prevalence of social media, however, it isn’t often difficult for someone to guess your mother’s maiden name, your first school or first pet.  What I like to do is give a nonsensical answer to security questions.  If the question is “What is the name of your elementary school”, answer it with your favorite food or sports team.  Keep this information stored in your password keeping app.

Third, review procedures in place for authorizations on:

  • Financial transactions
  • Changes to payment addresses or account numbers
  • Requests for employee information

At the very least you should consider confirmation over the phone.

Next, are you alerting your staff to be extra vigilant this time of year?  Send them a link to this blog post.  Discuss in meetings with your employees.  As I tell my staff, I’d rather be interrupted numerous times a day with questions about the legitimacy of emails versus getting caught sideways with a virus or phishing scam.

Last, but definitely not least, have you considered an IT audit of your systems?  Done the right way, an IT audit would consider the entire process involved in situations such as this to see that you are doing the right thing to protect your money and your data.  In the past year we have seen schools, manufacturing companies, health providers, churches and individuals fall victim to a wide range of tax scams that cost from tens of thousands to over a million dollars in hard costs (lost money, attorney fees, investigation fees) and even more in soft costs (reputation).  In some of those cases, insurance assisted in the fees, in others, there was no assistance, even in recovering the money.  In all cases, an IT audit that would have cost a fraction of what was lost, most likely would have stopped or considerably mitigated the attack.

by Greg Kelley, EnCE, DFCP,
Chief Technology Officer at Vestige Digital Investigations
For more information about proactive Cybersecurity Services, including IT Audits, CONTACT US.

  Follow Vestige on Linkedin