You’ve probably heard about businesses that have fallen victim to successful spear-phishing attacks leading to the theft of employee W-2s. But the IRS began warning tax professionals in January that they are under attack, too!
In one phishing attack, a tax professional is emailed by a “prospective client” who is really the attacker. To avoid suspicion, attackers may cite as a reference the name of a friend or associate who has also been phished. The email includes a link to a website, or a file attachment containing a link, supposedly for the sender’s tax forms and additional financial information. The link, while providing false financial data, also pilfers the tax professional’s email address, user name, password, and more. The attackers then send another phishing email to the tax professional’s clients, made to look as if it comes from the tax pro, requesting their financial information again. When a client falls for this phishing attack, their information is stolen and their tax return is claimed by the attacker using the purloined tax and financial data.
A second phishing attack now underway forced the IRS to send another alert to tax professionals. This time, a tax professional receives an email indicating they’ve been locked out of their tax preparation software due to “security issues”. The email includes a link to unlock the software. But the link leads to a phishing web site that requests their user name and password for the tax preparation software, ostensibly to unlock it. Once the user name and password are entered, the attackers have what they need to break into the tax preparation software and steal the financial and tax information of the tax pro’s clients!
What can be done to stop these attacks?
The patented, cloud-based Menlo Security Isolation Platform (MSIP) and its Adaptive Clientless Rendering™ (ACR) technology protect against phishing, credential theft, ransomware, and other attacks, while maintaining a familiar user experience. With no endpoint software, new browsers, or browser plug-ins necessary, MSIP lets users keep their native web browsers, like Chrome and Internet Explorer, while ensuring only safe, malware-free web content is sent to the user’s device.
If the tax professional deploys Menlo Security’s public cloud-based Phishing Isolation service, they and their clients’ information will not fall victim to these phishing attacks. When a tax pro clicks on the link in a phishing email, the Phishing Isolation service safely isolates the returned web page. The service accesses the web for the user and executes their web session in the cloud, isolating any embedded malware and returning only clean, malware-free web content, with negligible latency. The phishing web page can also be returned in read-only mode, with restrictions like not allowing the tax professional to enter their user name, password, or other information into a web form, while the tax professional simultaneously receives anti-phishing training messages in real time to help solidify the experience.
So, if your tax professional has deployed Menlo Security, your financial security is ensured. But if they haven’t, you might want to tell them about it before filing your taxes with them!