Phishing attacks are getting more sophisticated, even forcing many businesses that fall victim to them to close. The sad truth is that 60% of small businesses are shut down within six months of a significant cyberattack because of the financial losses involved (an average of $200,000, in fact).
At the beginning of 2020, during the early days of the pandemic, phishing attacks spiked 667%. We’re no experts on security or IT, but attacks like phishing concern us deeply. After all, Our Job is To Put Money in Your Pocket!® Saving on taxes and other business expenses can only get you so far when your hard-earned money is stolen away by criminals. Many of these attacks involve IRS impersonators as well as phishing attempts using your bank, credit card, Social Security number (SSN), or even payroll information. Some activity can even go on for years until a forensic audit uncovers the fraud.
What Do Phishing Attacks Look Like?
Phishing is a specific type of cyberattack that involves counterfeit communications. It often involves emails or text messages aimed at tricking you into giving personal information like a password, account number, or SSN. Other messages include a link that results in ransomware or another malware infection. The communication is cloaked to look as if it’s coming from a trusted source like a company or vendor you use, the IRS or another government organization, or even a person from within your organization.
The FTC warns that phishing emails most often involve the following claims:
- They’ve noticed some suspicious activity or log-in attempts (and will often ask you to follow a link to enter or to “confirm” sensitive password information).
- There’s a problem with your account or payment information (again, they’ll ask you to “confirm” the information).
- You must “confirm” some personal information.
- You need to pay an invoice (but the attached invoice is fake).
- You need to click on a link to make a payment.
- You’re eligible to register for a government
- You just won something but need to take an action to receive it.
A famous phishing attack involved a Lithuanian man who fleeced Google and Facebook of $100 million in a scheme that involved a fake company, fake emails, and fake invoices. In June 2021, a San Francisco-based homelessness charity, Treasure Island, lost $625,000 after a phishing scam infiltrated the bookkeeper’s email system. Toymaker Mattel nearly lost $3 million in a CEO impersonation phishing attack (called CEO spear phishing): A finance executive fell for an email that looked like it came from the newly installed CEO, requesting a new vendor payment to China.
IRS Scams to Watch Out For
When it comes to IRS phishing attempts, a recent surge of fraudulent Economic Impact Payment messages highlights the importance of staying vigilant.
“We saw phishing scams surge this summer,” says Jim Lee, Chief of IRS Criminal Investigation. “The number of reported scam attempts reached levels we haven’t seen in more than a decade. More than ever, it is important for taxpayers to continue to protect their personal information and not fall victim to these scams.”
The IRS says that the most recent phishing attempts include:
- Text messages stating that a taxpayer is eligible for a “stimulus payment,” and they must click on a link to complete the necessary information to claim it.
- Phishing emails claiming the IRS has calculated a taxpayer’s “fiscal activity” and they are eligible for an Economic Impact Payment in a specific amount.
The agency wants to emphasize that it does not send unsolicited texts or emails. Beyond that, many of these emails and texts contain grammatical, capitalization and spelling errors, which the agency says serve as fraud indicators, too. Taxpayers should also exercise caution when clicking shortened URLs, which can lead to fraudulent web pages, the IRS adds.
Steps to Take
Human behavior stands in the way of protecting most businesses from scams like phishing. Curiosity, greed, fear of letting down your boss (in the case of CEO spear phishing), and other factors can be hard to resist, especially when the message seems to be coming from a trusted source. For this reason, it’s important to create layers of protection, which can include:
- Talking to your IT support about how to protect your business, including these steps from the FTC: back up your data, keep security patches up-to-date, educate your staff, and deploy safety nets like email spam filters and authentication technology.
- Learning more about phishing, like these tips from Cisco, including being skeptical of popup windows and wary of social and emotional lures. Take the organization’s Phishing Awareness Quiz to test your savviness.
- Following steps from the IRS to take if you’re emailed or texted a potential phishing message. The advice includes what to do if you believe you already have malware on your computer due to a phishing scam.
We can help you with your money and protecting your assets from unnecessary taxes and business expenses, but resisting the urge to click on a phishing link? That’s in your court. It’s equally important to understand, though, so be careful. Feel free to contact us if you have any questions about IRS phishing scams or related financial risks.