Tax Time, a Season for Cyber Attacks: How to protect your business?

James Shepperd

 Death, taxes and cyberthreats in a COVIDian world

In our contracted COVID economy, some businesses will hurry to file their taxes and speed returns; others will seek extensions. But this tax season, the real money is on network and data security.

From the paperless office to e-taxes
While the paperless office that was first proposed in the mid-1970s still hasn’t come to pass, significant progress with going “paperless” has been made with digitization of many government services and civic duties. Among them all, tax filing – likely the most critical and perhaps the most digitized – stands out. Some may even consider it a form of FinTech and, much like the internet itself, e-filing is nearly universal in many countries.
 
For example, in the United States, roughly 92% of citizens filed taxes electronically for the 2019 tax year – a 10% increase over 2018. In Fiscal Year 2019, nearly 9.5 million US businesses filed taxes electronically, a rate roughly five times higher than paper-filing businesses. So, as the US approaches tax filing for Fiscal Year 2020, many eyes will be glued to the new stats. Will the percentage of electronic tax filings stay on par? Or, will it continue to grow? With COVID further accelerating digitization, due attention must be paid to securing the digital tax environment.
 
The questions posed are much more than academic, as major economies are projected to have lost between 2.4% and 3% of the value of their gross domestic product in 2020, which will have a knock-on effect on the number of payers filing and the overall tax take for 2020. Regardless, the growing trend of e-filing is likely to continue, and as such payers will be encountering an increasingly hostile electronic tax-filing environment.  
 
Even prior to impacts from COVID, there was appreciable growth in attacks, identity and data theft, and widespread fraud connected with the tax season. Although COVID has changed the revenue streams of many cybercriminals (mostly for the better), we are still likely to see a considerable upswing in malicious activity directed at payers and tax authorities.
 
Tax dilemma: Convenience vs. security  
Tax data may very well be manna – food falling from heaven – for cybercriminals. Tax filing documents contain heaps of personal data including names and addresses along with various tax ID numbers, employees’ financial documentation and other critical data. Let’s add salary figures, data on dependents, bank details; in some cases we can add investment data and more.

If data handling is not up to par, some documents could potentially contain enough personal information to allow hackers to gain direct access to accounts, execute spearphishing campaigns, steal employee identities or penetrate business networks. All of this is on tax season’s menu.   
 

Home, AKA COVID back office  
Simply put, home networks and private devices can’t compete with corporate-level protection, which is at a minimum comprised of some form of heightened network security featuring a combination of firewalls, anti-spam and anti-malware technologies, and VPNs. The greater the value of the network and its data, logically the more comprehensive protection against cyberthreats it will feature.  

However, COVID has pushed execution of many business processes home, and regardless of the size and scope, the reality is an increase in these less secure back-office operations – including for many, finance. Concern is valid. The fact is, home networks have less protection and less expert scrutiny; when home and corporate networks connect, risk is increased.

It is on this stage that malicious actors pursue many tactics and techniques to intercept data, for example man-in-the-middle attacks or various types of malware. Their data chase includes not only tax records but any other data seen as potentially useful or valuable that is sent between corporate networks and less secure devices.

Tax Year 2020 – COVID & Chaos
Reduced tax take? Recession? Brexit? COVID? Whatever the order, everyone expects tax time to show the harsh reality of 2020. If any indications can be taken from the increases seen in malware campaigning in 2020, then we can be sure that hackers will multiply their opportunities this tax season.  
 
With fresh data assembled from 2020 COVID-19 scams, and past tax season campaigns, we are likely to see phishing and spearphishing – social engineering emails – along with subject lines like: “COVID-19 SMB Tax Relief,” for example. These can easily bring you to fraudulent websites mimicking corporate websites or national tax authorities as we saw happening in Spain in 2020. In that case, the threat actors behind Grandoreiro attempted to impersonate governmental organizations, such as the Agencia Tributaria – the official tax agency of Spain.

<<Image 1. Malicious PDF>>

With this level of effort invested, it’s not difficult for large numbers of users to expose personal data and systems to cybercriminals.

How to protect your business this tax season
They say, “Nothing in life is guaranteed but death and taxes.” This tax season we can add COVID’s intensification of the digital and threat landscapes. This is the new normal. As such, all businesses have to lay down concrete plans for network and data security. Tax season is your cue to get serious. 

Consider both your and your employees’ use of home networks. Also consider that your corporate network now shares the additional burdens and risks brought by remote work. Carefully review how to file taxes and any changes for the 2020 tax year applicable to your situation.

2021 will feature a lot of change, but if you get your security and tax processes right, you’ll be in a great position to face the uncertainties sure to come. Consider this as a cornerstone moment on the financial and security calendar and ensure you consider the following best security practices:

•    Check that you are using a reputable and properly scaled security solution – and/or that current antimalware software is up to date
•    Secure all online accounts with unique, robust passwords. Need to revamp your passwords? Try our Password Generator
•    Protect network connections with a virtual private network (VPN) and a properly configured firewall
•    Check your Remote Desktop Protocol (RDP) settings
•    Use two-factor authentication and other account security tools like password managers
•    Have a robust and user-friendly encryption solution in place for data on local and cloud storage drives
•    Make secure backup copies of critical data
•    Review spam filter settings in your email clients and mail security solutions
•    Scan files and links before opening or clicking on them