Tax season is no time to let your guard down against cyber crime. Every year, the stressful build-up to tax filing deadline day (April 30, 2019, for individuals; June 30, 2019, for businesses) turns into a feeding frenzy for cyber crooks trying to scam people into dishing up their personally sensitive data – and 2019 will be no different.
One of the biggest risks Canadian businesses face during tax season is social engineering. Businesses will likely see a huge proliferation of phishing scams as attackers prey on the time-sensitive nature of tax requirement items and attempt to convince employees to send information or payments to the incorrect recipients (typically using a ‘masked’ email). Furthermore, CEO fraud is a specific type of social engineering where the attacker imitates an internal corporate executive and requests copies of sensitive information (i.e. SIN, T4 documents, paystubs, etc) from employees. The attacker then uses that information maliciously for identity theft, filing fraudulent tax returns, and to sell on the dark web.
“Tax season means there is more highly sensitive and personally identifiable information being shared within and between organizations. For cybercriminals looking to profit off of this information, tax season is phishing season,” said David Hamilton, president and CEO of Front Row Insurance. “One of the biggest cyber security risks Canadian businesses face is not what you would expect. Most cyberattacks are successful due to employee negligence. A lack of policies, procedures, or adequate training can result in employees inadvertently opening the door to a cyberattack. Sometimes, simple distraction, overwork, or multitasking can lead employees to mistake a phishing email, link, or phone call for a legitimate request for sensitive information.”
In addition to social engineering, commercial entities should also be on the look-out for tailored ransomware attacks, according to Kyle Gray, director of underwriting at Ridge Canada. During the tax season, criminals may customize their ransomware attacks with email attachments that reference pay stubs, T4s, or other sensitive information. Gray told Insurance Business: “As humans, we’re innately curious, and especially so when it comes to income and benchmarking. Attackers are playing on this curiosity by indicating the bad attachments they’re sending may contain some of this information. This can lead to an increased open-rate, and, therefore, to an increase in ransomware attacks.”
Mitigating cyber risk during the tax season should really be business as usual, according to Gray and
Hamilton. Businesses should provide regular, ongoing cybersecurity training for all employees in order to help them recognize phishing attempts and malicious links. Hamilton provided five basics that he thinks everyone should be aware of:
- Look for the “S” for encrypted “https” websites
- Use strong passwords and change them regularly
- Do not click links or respond to emails claiming to be from Revenue Canada or banks – go directly to their websites
- Use security software and allow it to update automatically
- Secure your wireless network and be cautious when using public networks
“Employers should understand that cybersecurity is an arms race. For every best practice put into place, there may be a counterattack that seeks to exploit it,” Hamilton added. “Even the best, most secure systems may fall victim to a cyberattack, which is why insurance should be a part of every business’s cyber risk management strategy. A good cybercrime insurance policy will include coverage for direct losses, as well as business interruption, restoration expenses, and third-party liability. Some will even have a ‘response team’ that will help guide the insured through the difficult and complex process of restoring their data, their security, and their reputation.”
In addition to consistent internal cybersecurity monitoring, companies should also carry out diligent third-party vendor review if they plan to outsource some of the burden of tax season. According to Gray, asking for proof of adequate security protocols as well as proof of cyber insurance are great steps in evaluating vendors.
When it comes to cybersecurity, it’s the same story on the individual risk side. Those who use online tax fling software may receive phishing emails imitating their legitimate tax filing provider and prompting them to unwittingly provide criminals with access to significant personal data, such as SIN, bank account information, address, and salary information. In the past, fraudsters have even tried old-school tactics, impersonating the Canadian Revenue Agency (CRA) over the telephone and demanding urgent action (aka, hand over your details) to prevent threatening action.
“As April 30th approaches far faster than we would like when it comes to personal taxes, stress can influence some to throw caution to the wind in the face of a looming deadline,” said Brooke Hunter, president and CEO at HUNTERS International Insurance. “At this time of year, our clients can expect increased phishing emails to personal and corporate email accounts. If it looks remotely weird, even if knowing the source, it’s best to delete without clicking on any links.
“Public wireless networks are not secure. Cybercriminals can potentially intercept internet connections while you are filing highly personal information on public Wi-Fi. In fact, sending sensitive information over email that includes for example a social insurance number isn’t a good idea at any time. If your clients use third parties to manage their taxes, they should be uploading to private sites to exchange information.”
While it may be convenient to file your taxes online, this also exposes you to a variety of risks, explained Mike Tanenbaum, executive vice president, head of Chubb Cyber North America. Canadian taxpayers should be vigilant and know how to recognize scams and identify legitimate communications from the CRA, he added.
“The CRA never communicates with taxpayers by using text messaging or instant messaging tools associated with social media platforms,” said Tanenbaum. “And, the agency warns against scams that try to obtain personal information such as a social insurance number, credit card number, bank account number, or passport number. Individuals should ensure that they visit legitimate web addresses, especially when filing taxes. Cyber criminals will often create spoof URLs that closely resemble the real ones. These sites are then used by scammers to acquire sensitive information.
“Canadians should also remain vigilant to potential malware attacks. For example, be wary of emails that instruct you to download tax software or updates to tax software. Many times, these are attempts to install harmful malware onto your computer to steal your information. Always check with the actual software company to make sure the software is legitimate.”