IDG Contributor Network: Tax scams target businesses, too: attacks just the tip of the phishing spear

It’s tax time again, and with it comes an opportunity for cybercriminals to take advantage of unknowing consumers and businesses. While many of us are aware of this con impacting consumers, the simple truth is that this scam (and the social engineering underlying it) is a huge danger to businesses and municipalities.

Big bets on business

As recently as this January, the United States Internal Revenue Service issued a new alert about a surge in income tax cyberscams. Part of the alert focused on the targeting of businesses. The government agency suggested that criminals were making serious attempts to pose as company executives or human resources and payroll officials to abscond with employee W-2 forms. With those forms in hand, the criminal gangs can file fraudulent returns and effectively have the government cut them a check for their wayward efforts.

Tax professionals, accountants and accounting firms are also a significant target for the same reason – data. If the criminals get hold of the E-File account number of the provider, or the CAF number (a unique nine-digit identification number assigned the first time a third-party authorization is filed with the IRS), the scammers can redirect every income tax return to their own bank accounts. This is such a concern to the IRS that it has partnered with state tax agencies and the private-sector tax industry to form the Security Summit – a unique partnership formed to fight the crime and the potential financial fallout that can occur from this type of fraud.

The risks

But are they making a difference? While an informed populace is at less risk, the mitigation efforts can only go so far. There are too many people unaware of the issue and too many organizations that believe they are immune or that their business won’t be a target. That belief is human – and that is the very problem. The actual crime (such as the release of information or the transfer of funds) occurs within the authority of the scammed user and outside of the organization’s security grid. Here’s what the typical crime looks like: