According to the Internal Revenue Service, there are two new “business email compromise/business email spoofing (BEC/BES)” spear-phishing scams targeting tax professionals: the direct-deposit scam and the wire-transfer scam.
Since knowing what to look for can help tax professionals and their clients avoid becoming victims, it’s worth reviewing the information provided by the IRS. Remember, the criminals running these scams exploit the trust placed in company hierarchy and internal communications:
- Both involve criminals posing as someone within the organization
- Both target employees who handle finance-related requests
- Both can be difficult to identify at first glance
More targeted than wide-net phishing scams, these spear phishing emails rely on information gathered by the criminals to appear authentic, whether that’s the name of an employee or the different departments within the organization. Every data point in the hands of a criminal increases the likelihood that an employee will be fooled—even those who are normally vigilant for potential data risks.
For example, these criminals know whether the target company uses direct deposit for payroll, and they generally have information on at least one of its employees. As anyone who has administered a direct deposit system is aware, employees change banks from time to time, and a change-of-bank request is a routine item submitted to accounting, human resources, or payroll staff, depending on the company. The direct-deposit scam involves a criminal posing as an employee and submitting exactly such a request, except that the new account does not belong to “Stella R. Employee”; it belongs to the criminal. The banality of that process and the accuracy of the supplied details are exactly why these scams succeed.
Instead of settling for a few pilfered paychecks—after all, the IRS says the direct-deposit scam is usually caught after a few pay periods—the wire-transfer scam swings for the fences by impersonating a company executive to request a wire transfer that can be as large as “tens of thousands of dollars.” This email is generally sent to an employee who handles major financial transactions, and, just like the direct-deposit scam, it looks legitimate at first glance.
So what are the “tells” that can help tax offices and their clients identify and avoid these emails? The IRS says they often contain glaring grammar errors. Another common spear-phishing tactic is to send from a nearly identical email address (TheBoss@YourCompany.org instead of TheBoss@YourCompany.com), but you shouldn’t rely on spotting that as a catch-all, since it’s entirely possible that the fraudsters gained access to a real email account, in which case the address is genuine. The dependable check is to confirm any bank-change or wire request with the requester through a channel other than the email itself, such as a phone call to a number you already have.
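The lookalike-address tell can be checked mechanically before a request ever reaches a person. The script below is an added example, not code from the IRS notice: it assumes the tax office’s real domain is yourcompany.com (a hypothetical name), parses the From: and Reply-To: headers of a message, and flags a sender domain that reuses the organization’s name under another TLD, substitutes homoglyphs such as 0 for o, or sits within two edits of the real domain. It also flags a Reply-To that diverts answers somewhere other than the From domain, a tell that survives even when the From line is perfect. The sample messages are constructed for the example.

```python
"""Flag lookalike sender domains and Reply-To mismatches in email headers.

Added example, not code from the IRS notice. ORG_DOMAIN and every sample
message below are constructed for illustration.
"""
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "yourcompany.com"  # assumption: the tax office's real domain

# Character swaps commonly used in lookalike domains, e.g. "yourc0mpany.com".
CONFUSABLES = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")]


def normalize(text: str) -> str:
    """Lowercase a domain label and undo common homoglyph substitutions."""
    t = text.strip().lower()
    for bad, good in CONFUSABLES:
        t = t.replace(bad, good)
    return t


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; 1-2 edits from the real domain is a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Return the lowercased domain from a From:/Reply-To: header value, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_domain(domain: str, org: str = ORG_DOMAIN) -> str:
    """Classify a sender domain as 'internal', 'lookalike' or 'external' relative to org."""
    if not domain:
        return "external"
    if domain == org or domain.endswith("." + org):
        return "internal"  # the real domain or one of its subdomains
    org_label = normalize(org.rsplit(".", 1)[0])
    # The organization's name appears inside a domain that is not ours:
    # yourcompany.org, yourc0mpany.com, yourcompany.com.evil.example, ...
    if any(org_label in normalize(label) for label in domain.split(".")):
        return "lookalike"
    # A short edit away from the real domain, e.g. a transposed pair of letters.
    if levenshtein(normalize(domain), normalize(org)) <= 2:
        return "lookalike"
    return "external"


def check_message(raw: str) -> dict:
    """Parse one RFC 5322 message and return the header tells found."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(str(msg["From"] or ""))
    reply_dom = domain_of(str(msg["Reply-To"] or ""))
    tells = []
    from_verdict = classify_domain(from_dom)
    if from_verdict == "lookalike":
        tells.append(f"From domain {from_dom} imitates {ORG_DOMAIN}")
    if reply_dom and reply_dom != from_dom:
        # Replies would go elsewhere; classic with a spoofed or compromised From.
        tells.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    return {"from_domain": from_dom, "from_verdict": from_verdict,
            "reply_to_domain": reply_dom, "tells": tells}


# Constructed sample messages (not real mail).
SAMPLES = {
    "tld_swap": ("From: The Boss <TheBoss@YourCompany.org>\n"
                 "To: payroll@yourcompany.com\nSubject: urgent wire\n\nPlease wire today.\n"),
    "reply_to": ("From: The Boss <TheBoss@yourcompany.com>\n"
                 "Reply-To: theboss.ceo@webmail.example\n"
                 "To: payroll@yourcompany.com\nSubject: bank change\n\nNew account attached.\n"),
    "legit": ("From: The Boss <TheBoss@yourcompany.com>\n"
              "To: payroll@yourcompany.com\nSubject: lunch\n\nNoon?\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw))
```

The “legit” sample produces no tells at all, which is the point of the caveat above: a message sent from a genuinely compromised mailbox looks identical to a real one at the header level, so this check only narrows the field and does not replace confirming the request out of band. The two-edit threshold assumes a domain of ordinary length; a very short organization domain would need a tighter limit to avoid flagging unrelated senders.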
Finally, if you receive one of these phishing emails and manage to avoid falling victim to it, send it to Phishing@IRS.gov. The more information they have, the better they can prepare other tax professionals for avoiding this scam and others like it.
Source: IRS Newswire