Tax time: High season for cyberattacks. Learn how to protect your business

Next story
By James Shepperd, ESET

In our contracted Covid-19 economy, some businesses will hurry to file their taxes and speed returns, while others will seek extensions. Either way, your top priority should be ensuring network and data security. Be sure to check out our best practices for protecting your business below.

From the paperless office to e-taxes
While the paperless office that was first proposed in the mid-1970s still hasn’t come to pass, the digitization of many government services and civic duties has had an impact. Tax filing—likely the most critical and perhaps the most digitized—is a great example. Electronic filing could be considered a form of FinTech and in many countries e-filing is nearly universal.

For example, in the United States, roughly 92% of citizens filed taxes electronically for the 2019 tax year – a 10% increase over 2018. In Fiscal Year 2019, nearly 9.5 million US businesses filed taxes electronically, a rate roughly five times higher than paper-filing businesses. So, as the US approaches tax filing for FY 2020, many eyes will be glued to the new stats. Will the percentage of electronic tax filings stay on par? Or, will it continue to grow?

The questions posed are much more than academic, as major economies are projected to have lost between 2.4% and 3% of the value of their gross domestic product in 2020, which will have an effect on the number of payers filing and the overall tax take for 2020. Regardless, the growing trend of e-filing is likely to continue, and as such payers will be encountering an increasingly hostile electronic tax-filing environment.  Even prior to impacts from the pandemic, there was appreciable growth in attacks, identity and data theft, and widespread fraud connected with tax season.

Tax dilemma: Convenience vs. security
Tax data is like manna from heaven for cybercriminals. Tax filing documents contain heaps of personal data including names and addresses along with various tax ID numbers, employees’ financial documentation and other critical data. They can also include salary figures, data on dependents, bank details, investment data and more.

If data handling is not up to par, some documents could potentially contain enough personal information to allow hackers to gain direct access to accounts, execute spearphishing campaigns, steal employee identities or penetrate business networks.

Home, aka your pandemic office
Simply put, home networks and private devices can’t compete with corporate-level protection, which is at a minimum composed of some form of heightened network security featuring a combination of firewalls, anti-spam and anti-malware technologies, and VPNs. The greater the value of the network and its data, logically the more comprehensive protection against cyberthreats it will feature.

However, Covid-19 has pushed execution of many business processes home, and regardless of the size and scope, the reality is an increase in these less secure back-office operations—including for many, finance. Concern is valid. The fact is, home networks have less protection and less expert scrutiny; when home and corporate networks connect, risk is increased.

It’s on this stage that malicious actors pursue many tactics and techniques to intercept data; for example: employing man-in-the-middle attacks or various types of malware. Not only does their data chase include tax records, but any other data seen as potentially useful or valuable being sent between corporate networks and less secure devices.

Tax year 2020 – Covid & chaos
Reduced tax take? Recession? Covid? Whatever the order, everyone expects tax time to show the harsh reality of 2020. If any indications can be taken from the increases seen in malware campaigning in 2020, we can be sure that hackers will multiply their opportunities this tax season.

With fresh data assembled from 2020 Covid-19 scams, and past tax season campaigns, we are likely to see phishing and spearphishing – social engineering emails – along with subject lines like: “Covid-19 SMB Tax Relief.” These can lead you to fraudulent websites mimicking corporate websites or national tax authorities as we saw happening in Spain in 2020. In that case, the threat actors behind Grandoreiro attempted to impersonate governmental organizations, such as the Agencia Tributaria – the official tax agency of Spain.

Image 1. Malicious PDF

With this level of effort invested, it’s not difficult for large numbers of users to expose personal data and systems to cybercriminals.

How to protect your business this tax season

Consider both your and your employees’ use of home networks. Also consider that your corporate network now shares the additional burdens and risks brought by remote work. Carefully review how to file taxes and any changes for the 2020 tax year applicable to your situation. 2021 will feature a lot of change, but if you get your security and tax processes right, you’ll be in a great position to face the uncertainties sure to come. Here’s a list of best practices to follow: