
March 2017 | Criminals plying their trade on the Internet are engaging in more sophisticated phishing and blackmail scams.

Background

Now that the tax season has begun, confidential documents are flying between tax preparers and clients. You will see news stories about hackers gaining access to databases and stealing personal information that can later be used for identity theft. While individuals have no control over how businesses with which they interact safeguard information, they can take action to prevent theft of data from their own computers and networks.

This article discusses some recent scams that attempt to fool individuals into voluntarily surrendering confidential personal information, and what can be done to prevent this.

What are the criminals’ goals?

It’s all about the money. Hacking for recreation has been replaced by the profit motive.

  • With personal information, credit cards can be set up in your name to purchase goods.
  • Income tax returns can be filed fraudulently to obtain refunds.
  • According to the IRS, between 2012 and 2013 $4 billion of fraudulent tax refunds were issued. The IRS sent a total of 655 refunds to a single address in Lithuania, and 343 went to a single address in Shanghai.
  • Financial accounts can be accessed to request electronic withdrawals.

The Common Theme – a would-be legitimate purpose

Hacking occurs at the intersection of trust, inquisitiveness, and laziness. To appreciate this, you have to think about the ways that criminals can gain access to your computer systems.

  • Active access (phishing): The hackers come to you, usually via an e-mail or a pop-up. Sometimes the e-mail has a link to a location on the Internet. Other times the virus is contained in a file attached to the e-mail.

    Phishing using spoofing techniques takes advantage of the trust of individuals. An e-mail from a known business, bank, or friend must be legitimate, right? Perhaps not. We have all become accustomed to receiving e-mails from hacked Yahoo and AOL accounts.

  • Passive access: Here the criminals place a virus on the Internet with a description that will attract the attention of people browsing the web. These would include advertisements, web sites, and games. The viruses are there like ambush predators, waiting for someone to happen on them. Individuals who use the Internet extensively are most at risk. Inquisitive people are also the ones that open e-mail attachments.

    The common theme is that the criminals are enlisting the computer’s user to gain access. The user has to be induced into believing that an information request has a legitimate purpose and is from a trusted source. The list of scams is constantly evolving . . .

  • Bogus program or application update notifications: What if an e-mail has a link to a place on the Internet where a virus is waiting to be downloaded? Examples of applications that have wide usage and are updated over the Internet are Adobe Acrobat, Internet Explorer, and Microsoft Office.

  • Password resets: To beef up security, on-line banking passwords periodically expire. Resets are requested when you try to log on to the account. Criminals e-mail fraudulent reset requests so the information can be redirected to them. You get an e-mail that notifies you that a password has to be reset. In order to do the reset, you have to provide the current password. Oops.

  • Credit card fraud notification: Criminals phish using both e-mail and phone, and you will be asked to provide confidential information. The e-mailer/caller may state that there has been unusual account activity. However, before this can be checked, you must provide information to prove your identity.

  • Fraudulent e-mail communications: Scam artists have become experts at duplicating letterhead or company e-mail headers and footers. These can have the look of an official communication. Bogus domains are set up that appear to be legitimate because only the suffix is changed (IRS.gov to IRS.com).

    They also use tricks to get you to download documents and click on links where bad things will happen.

    • CPAs actually get e-mail requests for tax preparation services from unknown sources, usually with a hyperlink to download tax return information . . . or perhaps something else.
    • An ordinary looking file (a JPEG file or PDF) that looks interesting can contain a Trojan or ransomware.
    • Offers to try games for free can contain viruses.

What should you be doing to limit your exposure?

1. Use common sense and be suspicious. These criminals prey on laziness and trust.

  • If something arrives with grammatical errors, it’s probably a phish.
  • Only use web portals that are password protected where you control the password.
  • Limit your use of e-mailed attachments containing confidential information. If you must send something by e-mail attachment, password protect the file.
  • Do not give out bank and credit card information if solicited.
  • Call the credit card company at the phone number on your bill, not the phone number on the phish.
  • Be suspicious of free anything.

2. Look at e-mails carefully to guard against spoofing.

  • Look for the correct spelling and make sure the suffix is correct (.com; .net; .gov; .org).
  • Never respond to an e-mail from the IRS. Understand that the IRS will never e-mail you. All correspondence comes via US mail.
  • Don’t open e-mail attachments from sources you don’t know.
  • Check (verify) links embedded in e-mails or web pages. You can see the actual hyperlink by hovering the mouse pointer over the link text that is displayed. If the displayed text and the hyperlink don’t match, that is an indication there may be trouble. Try this next time you are on the Internet.

3. Don’t get lazy with passwords.

  Create difficult passwords with a combination of uppercase and lowercase letters, numbers, and special characters. Use 2-step authentication where available (a password plus proof of something you have).

  How many people have no-step authentication? They have computers that are not locked, and store passwords as cookies in their browsers.

  For accounts where there is financial risk (bank and brokerage accounts), create unique passwords, not just small variations. Do not store user names and passwords for these accounts as cookies in your web browser.

4. Only do password resets for financial accounts as YOU try to log on to the account.

  Never do a password reset that originates in an e-mail. Verify that the URL begins with https://, indicating that the data is encrypted in transit.

5. Program updates

  Only do program or application updates when prompted by the program when you log on to it. Never do an update that originates via an e-mail.

  Keep programs (including Windows and browsers) up to date. They are constantly being updated to patch security vulnerabilities.

6. Keep physical control of your computer hardware.

  Now more than ever with mobile devices, but don’t forget about the physical security of desktops and servers.
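The three link checks described above (the suffix check against IRS.gov vs IRS.com, comparing the displayed link text with the real hyperlink, and confirming a reset page is https://) can be automated for an HTML e-mail. The script below is an added example written for this newsletter, not code from the newsletter or from any firm or vendor; the TRUSTED_DOMAINS list, the sample e-mail body and the domain names in it are constructed for illustration, and the "last two labels" shortcut for the registrable domain is an assumption (it does not handle suffixes such as co.uk).

```python
# Added example (not from the newsletter): audit the links in an HTML e-mail body.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: sites the reader legitimately deals with (constructed list).
TRUSTED_DOMAINS = {"irs.gov", "examplebank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Approximate the registrable domain as the last two labels of the host.
    Assumption: no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def domain_from_text(text):
    """If the visible link text itself looks like a URL or a bare domain, return its
    registrable domain; plain words such as 'click here' give None."""
    t = text.strip()
    if not t or " " in t or "." not in t:
        return None
    if "://" not in t:
        t = "http://" + t
    host = urlparse(t).hostname
    return registrable(host) if host else None


def check_link(href, text):
    """Return a list of warnings for one link (an empty list means nothing suspicious)."""
    warnings = []
    url = urlparse(href)
    target = registrable(url.hostname or "")

    # 1. Password resets and log-ons belong on https:// pages only.
    if url.scheme not in ("http", "https"):
        warnings.append(f"unexpected link type: {url.scheme or 'none'}")
    elif url.scheme != "https":
        warnings.append("link is not https")

    # 2. Displayed text that names one site while the hyperlink goes to another.
    shown = domain_from_text(text)
    if shown is not None and shown != target:
        warnings.append(f"display text says {shown} but link goes to {target}")

    # 3. A trusted name with only the suffix changed (IRS.gov vs IRS.com).
    label = target.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        if target != trusted and label == trusted.split(".")[0]:
            warnings.append(f"{target} looks like {trusted} with a different suffix")
    return warnings


def audit_html(html):
    """Map each href in the message to its list of warnings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


# Constructed sample body: one suffix lookalike, one text/href mismatch, one clean link.
SAMPLE_EMAIL = """
<p>Your refund is ready: <a href="http://irs.com/refund">https://www.irs.gov/refund</a></p>
<p>Reset your password: <a href="https://examplebank.com.login-verify.example/reset">examplebank.com</a></p>
<p>Our site: <a href="https://www.examplebank.com/">Example Bank</a></p>
"""

if __name__ == "__main__":
    for href, problems in audit_html(SAMPLE_EMAIL).items():
        print(href)
        print("    " + ("; ".join(problems) if problems else "ok"))
```

The first sample link trips all three checks (plain http, displayed text naming irs.gov while the hyperlink goes to irs.com, and irs.com differing from the trusted irs.gov only by suffix); the second shows why the registrable domain, not the start of the host name, is what matters, since "examplebank.com" is merely a leading label of a different site; the third is clean. The same checks are what you do by hand when you hover the mouse pointer over a link.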

What we are doing to keep client data secure

The following practices reflect our commitment to client data security.

1. Exchange of documents by password protected web portal.
  (We will continue to discourage e-mail transmission of confidential information.)

2. Office portal and tax software access is 3-step.

3. Access to the e-filing software is 4-step.

4. Cloud computing services with the following—

  • Encrypted transmission of data
  • Anti-virus protection for applications and data, updated daily
  • Daily redundant backup
  • Data located in secure facilities in two states with redundant firewalls

5. No client information is disclosed to 3rd parties.

Addendum – Definitions

  • Phishing: The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

  • Spear phishing: The fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.

  • Spoofing: A type of scam where an intruder attempts to gain unauthorized access to a user’s system or information by pretending to be the user. The main purpose is to trick the user into releasing sensitive information in order to gain access to one’s bank account or computer system, or to steal personal information, such as passwords.

  • E-mail spoofing: The forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. E-mail spoofing is a tactic used in phishing campaigns because people are more likely to open an email when they think it has been sent by a legitimate source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation.

  • Virus: A self-contained program that attaches itself to an existing application in a manner that causes it to be executed when the application is run.