Spear phishing is a type of “social engineering” attack that fools people into revealing logins, passwords, and other confidential information that allows a criminal to break into your systems. For an accountant, bookkeeper, or tax professional, this can result in exposing business and client data.
If a hacker is able to gain access to financial and bank information, or Social Security and tax records, this can lead to identity theft, fraud, and a loss of reputation for your business. That’s why it’s vital to protect yourself from an email spear phishing attack. Fortunately, it’s not as hard as you think.
What is a spear phishing email attack?
Spear phishing is a targeted email attack against a specific person, business, or organization such as an accounting or tax preparation firm. These emails appear to come from a trustworthy or authoritative sender and ask the recipient to visit a particular website, open a file or program, or otherwise share personal or sensitive information. Spear phishing attacks are deliberately tailored to their target; they are not sent out at random and do not read like a standard scam.
Because these emails seem to come from a trusted source, recipients may be less vigilant and inadvertently compromise their own security and that of their clients or their accounting business. If the recipient shares information such as logins and passwords, a hacker can use those details to log in, steal account, financial, or tax information, and carry out a data breach.
How can tax professionals protect themselves against spear phishing email attacks?
There are several steps you can take to protect yourself and your tax preparation business from this type of cyber attack. Because these emails are often engineered and customized to be convincing, it’s important to follow these steps.
- Train Your Tax Preparers, Electronic Return Originators, and Other Employees. User awareness training is the most effective way to identify and avoid spear phishing emails. Train your staff to look at the following areas to identify a problematic request:
- Check the domain that the email comes from. For example, if your business email is firstname.lastname@example.org, someone might spoof that address as coming from email@example.com. Note that the “a” in taxes has been replaced by an “e” and the “e” has been replaced with an “a” to spell a similar word.
- Check the information being requested in the email. If it asks you to click on something to enter your password, call the sender of the email and check to see if it really did come from them.
- Look at the links shared in the email to see if they are genuinely directing you to a real system or to a scam domain set up to capture logins and passwords.
- Check the wording of the message to see if it’s something the “real” sender would have written.
- Introduce Technology into Your Tax Business to Reduce the Risk of Spear Phishing Attacks. You can also introduce some technology to reduce the risk of spear phishing attacks. This technology is known as two-factor or multifactor authentication. Your employees will have to authenticate themselves by entering their password and some other form of data to access the system.
For example, you may require that tax preparers and other employees use security tokens that generate a unique code every time they want to access the system. Because this code changes over time, and you need it to get into tax software and data, a password without the token is useless.
Other types of authentication include biometrics, like scanning a fingerprint or iris pattern, and plugging a key into a computer to gain access.
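The sender-domain and link checks from the training list above can also be automated as a first-pass filter. The following Python sketch is an added example, not code from TaxSlayer Pro; the domain smithtaxes.test, the sample message, and all function names are constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample value; replace with the domains your firm really uses.
TRUSTED = {"smithtaxes.test"}

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent letters) to turn a into b."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify_domain(domain, trusted=TRUSTED, max_dist=2):
    """Return 'trusted', 'lookalike' (a near miss of a trusted domain) or 'unknown'."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    if any(edit_distance(domain, t) <= max_dist for t in trusted):
        return "lookalike"
    return "unknown"

def sender_domain(from_header):
    """Extract the domain part of the address in a From: header."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def suspicious_links(html):
    """Flag links that go to a lookalike host or whose text names another host."""
    findings = []
    for href, text in LINK.findall(html):
        host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())  # heuristic
        if classify_domain(host) == "lookalike":
            findings.append((host, "lookalike of trusted domain"))
        elif shown and shown.group(0) != host:
            findings.append((host, "link text shows " + shown.group(0)))
    return findings

# Constructed sample message for demonstration.
SAMPLE_FROM = '"Payroll" <payroll@smithtexas.test>'
SAMPLE_HTML = ('<a href="https://login.portal-verify.test/reset">smithtaxes.test/login</a> '
               '<a href="https://smithtexas.test/portal">Client portal</a> '
               '<a href="https://smithtaxes.test/help">smithtaxes.test</a>')
```

A "lookalike" or mismatched-link result is a reason to call the sender before acting, not proof of an attack; an "unknown" domain is not cleared by this check either.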
TaxSlayer Pro is committed to protecting our customers’ information and adheres to all standards applicable to the tax preparer industry. We utilize firewalls, encryption, access controls, network isolation, and many other security-related technologies. Biometrics, man traps, and security guards protect physical access to our datacenter. If you are unsure about any correspondence you receive from TaxSlayer Pro, feel free to contact our customer support team at firstname.lastname@example.org.