Tax Season Scams Are Here Again – How to Mitigate Risk


Ransomware has dominated the headlines the last couple of years. But it might surprise you to hear that another scourge—business email compromise (BEC)—accounted for 49 times more in losses in 2021. As reported in the FBI’s latest Internet Crime Report, BEC cost organizations and individuals $2.4 billion versus $49.2 million for ransomware. In fact, more than a third of total cybercrime losses last year can be attributed to BEC. The FBI notes that even if ransomware is underreported, BEC is still a substantially larger crime.

The FBI defines BEC as a sophisticated scam targeting both businesses and individuals performing transfers of funds. Bad actors send an email message that appears to come from a known source making a legitimate request for money but, upon transfer, the funds are steered to an account controlled by a cybercriminal.  

With filing deadlines for 2021 U.S. federal and state income taxes just around the corner, everyone should be on high alert for these types of scams. Researchers have recently found two tax season scams. The first is a malicious email that pretends to originate from the IRS and embeds Emotet malware in a maliciously crafted Microsoft Excel file. The second is a phishing scam that asks a recipient to send personally identifiable information (PII) via written correspondence to a fax number.

What can security professionals do?

For security professionals, keeping abreast of the latest threats and their tactics, techniques and procedures (TTPs) through the many open-source tools available is a good start to mitigate risk. Open-source threat feeds and intelligence sources provide important information and preventative measures for defending against existing and emerging threats. For example, this alert from the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) provides technical details, detections and mitigations for Emotet malware. Much of this information is sourced from the MITRE ATT&CK framework, which takes an even deeper dive into Emotet.

The ThreatQ Platform easily integrates with the multiple threat data sources security teams subscribe to – open source, commercial, government, industry and existing security vendors – as well as open-source frameworks like MITRE ATT&CK. When you augment and enrich events from your internal data sources (i.e., your SIEM system, log management repository, case management system and security infrastructure) with this external data, you start to see the bigger picture of what’s happening in your enterprise. 

What’s more, when scams take advantage of seasonal or current events, much of the information and preventative measures that flood the security community come from a variety of open sources and in a variety of formats—including research blogs, commercial and government reports, news websites and GitHub repositories. The ThreatQ Platform also includes out-of-the-box connectors to make importing this information easy. Custom connectors can be written and deployed within hours, allowing you to ingest data from additional sources of threat data as they become available so you can deepen your understanding of the threat and how to mitigate risk to your enterprise.

What can individuals do?

Even if you’re not a security professional, there are steps you can take to protect yourself and others from these types of attacks.

The best tool at your disposal is user reporting. When you mark messages as spam or phishing, not only are you training your email system’s spam and phishing detection algorithms, but you’re also alerting your organization’s security team to the incident so they can take preventative action and tune their configurations. This training and reporting can be done easily through the web interface of your email tool.

It’s also important to remain on alert and think before you click. Tax scams capitalize on the fact that tax season can be stressful and confusing for many of us. If an email demands urgent action from you related to filing taxes, think carefully about what’s being requested and by whom. Bad actors may pose as tax preparers, the IRS, or even auditors or executives asking human resource and payroll professionals for tax documents, all under the guise of increasing your refund or avoiding a tax penalty. 

Keep in mind:

  • The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts. 
  • Never respond to an email, text or fax with your personal data.
  • The IRS or an auditor would never demand payment in the form of gift cards, and neither would a legitimate tax preparer. 
  • Check the email address or link. You can inspect a link by hovering your mouse pointer over the URL to see where it leads. Sometimes, it’s obvious the web address is not legitimate. But scammers can create links that closely resemble legitimate addresses so beware of that possibility. If you have any doubts as to the legitimacy, report the message as a phishing attempt.
  • Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation, and grammatical errors, it’s likely a sign you’ve received a phishing email. Mark as phishing / spam. 
  • Look for generic greetings. Phishing emails are unlikely to use your name. Greetings like “Dear sir or madam” signal an email is not legitimate.
  • Avoid emails that insist you act now. Tax scam emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information — right now. Don’t click on links, download attachments or reply in any way. Instead, mark the message as a phishing attempt.

Working together, security professionals and individuals can remain informed and spread the word to coworkers, family and friends to make sure they’re aware of the heightened risk and how to avoid falling victim to these types of scams this tax season. 

About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.

The post Tax Season Scams Are Here Again – How to Mitigate Risk appeared first on ThreatQuotient.