[Don't] Get Hooked
Updated: Apr 23, 2020
Whilst the internet allows us to travel the world from our desk, interestingly some global trends stick to specific geolocations. If you monitor Phishing trends, you'll soon realise that the volume of emails varies not only with the day of the week but also with the month: Phishing tends to follow the North American tax season.
In the months leading up to filing your taxes, be mindful that there is a consistent rise in the number of emails sent. This year is especially important; this is the first tax season since Equifax was breached.
Whilst not the largest breach, the sensitivity of the stolen information and the ongoing updates revealing more and more affected persons make this an eventful story. So what can we do to prepare for this tax season? Don't feel hopeless; there are steps both people and organisations can take to protect themselves:
(1) Be mindful of Phishing attacks, both against you personally and against organisations that assist persons with filing taxes. Encourage staff to take a moment to think about any incoming communication and check that it "feels" right.
(2) Realise that social engineering attacks come in many forms, not just email. If an unusual call or a suspicious email comes in, have a process in place for confirming the veracity of the message with the customer, their supervisor, or your security team.
(3) Feel free to stop and take a minute. One tactic Phishing relies on is instilling a sense of urgency to respond or take action. If something doesn't seem quite right, ask yourself why you're feeling rushed, and whether you should verify with someone before proceeding.
Take CFO fraud for example: this is where a malicious actor attempts to fool the accounts person into believing they are a legitimate partner, or a person of power, who requires an immediate transfer of funds. One layer of protection against CFO fraud is making it standard practice for the accounts person to verify on multiple channels before taking action: for example, on receiving an email, phoning the partner who is requesting the funds directly to confirm its legitimacy.
Remember, it's okay to ask questions. If something doesn't feel right, investigate. Spending a minute calling someone on a number you hold independently of the email you've just received might save the company thousands.
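The multi-channel verification control described in the two paragraphs above, as an added example that is not part of the original post: a small Python gate for fund-transfer requests that approves a request only when the confirming phone call went to the number held in the organisation's own partner directory (a constructed sample), and that flags a changed bank account, a callback number that differs from the directory, or urgency language. The directory entries, phone numbers and function names are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: partner contact and payment details held in
# the accounting system, independent of anything in an inbound email.
PARTNER_DIRECTORY = {
    "acme-supplies.example": {"phone": "+1-555-0100", "bank_account": "ACME-001"},
}

# Words that commonly signal the "respond now" pressure the post describes.
URGENCY_MARKERS = ("urgent", "immediately", "today", "asap", "right away")

@dataclass
class TransferRequest:
    sender: str                 # From: address on the email
    body: str                   # message text
    bank_account: str           # account the email asks funds be sent to
    callback_phone: Optional[str] = None  # number quoted inside the email

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()

def risk_flags(req: TransferRequest) -> list[str]:
    """Cheap, explainable reasons to slow down before acting on a request."""
    flags = []
    partner = PARTNER_DIRECTORY.get(sender_domain(req.sender))
    if partner is None:
        flags.append("unknown-sender-domain")
    else:
        if partner["bank_account"] != req.bank_account:
            flags.append("bank-account-changed")
        if req.callback_phone and req.callback_phone != partner["phone"]:
            flags.append("callback-number-differs-from-directory")
    if any(marker in req.body.lower() for marker in URGENCY_MARKERS):
        flags.append("urgency-language")
    return flags

def approve_transfer(req: TransferRequest,
                     confirmation_call_to: Optional[str]) -> tuple[bool, list[str]]:
    """Return (approved, flags). confirmation_call_to is the number the accounts
    person dialled to get the partner's confirmation; only a call to the number
    held in the directory counts, never one taken from the email itself."""
    flags = risk_flags(req)
    partner = PARTNER_DIRECTORY.get(sender_domain(req.sender))
    if partner is None or confirmation_call_to != partner["phone"]:
        return False, flags
    return True, flags
```

A request from an unknown or lookalike domain is never approved, however convincingly the email's own callback number "confirms" it.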