Have You Been “Phished” Before? The Value of Phishing Awareness Trainings
By Kenny Kang, CPA (in CA), CGMA, CFE
Have you ever opened email attachments from people you do not know? Do you reply to emails that are unusual or out of character? Do you open email attachments or click on links that you did not expect or ask for? Do you overshare on social media, constantly posting your locations and answers to personal questions?
If you answered “yes” to many of these questions, you are more prone to falling for a phishing scam. A successful phishing campaign often leads to credential theft, installation of malware and ransomware, and data breaches.
According to the Federal Bureau of Investigation’s 2021 Internet Crime Report[1], the FBI received 847,376 complaints, resulting in $6.9 billion in losses. In 2021, phishing, vishing, smishing and pharming scams ballooned to 323,972 complaints versus 25,344 complaints merely four years prior. That is an increase of over 1,100% from 2017 to 2021.
Fast forward to 2022: Agari and PhishLabs released their Quarterly Threat Trends & Intelligence Report[2] in May 2022. This report covers the first quarter of 2022, analyzing hundreds of thousands of phishing and social media attacks targeting enterprises, employees and brands. It reports a 4.4% increase in phishing volume in Q1 2022 versus Q1 2021. Furthermore, the authors anticipate high-volume attack campaigns to spike throughout 2022 as bad actors target vulnerable enterprises and brands. The report further details that almost 59% of all reported malicious emails targeting corporate inboxes were credential theft attacks, which is the top threat to employees.
Common Types of Social Engineering
• Phishing exploits human error and our reliance on email communication. Attackers send an email to their potential victims, usually in bulk, posing as a trusted source or contact to manipulate victims into handing over sensitive information, such as banking information or login credentials.
Example: People are interested in your latest _[fill in your favorite social media platform]_ post! Click here to view it.
• Vishing, or voice phishing, is a type of phishing that utilizes a phone to manipulate potential victims into handing over sensitive data. Attackers often employ deadlines or time limits to create a sense of urgency, or they impersonate someone with authority, such as an IRS agent, to intimidate victims into handing over banking information. The phone number is typically spoofed to pretend the call is from an internal line or a phone number associated with a geographic region, such as Washington, D.C.
Example: Hello, may I speak to _[victim’s name]_? This is _[threat actor]_, agent number 123455, with the IRS Criminal Division in Washington, D.C. The purpose of this call is to let you know that you are currently under investigation for underpayment of your _[tax year]_ tax.
• Smishing uses fraudulent Short Message Service (SMS) messages. The text message encourages potential victims to open a URL that takes them to a fraudulent credential log-in page or downloads a malicious payload onto their phone. The text message can also ask victims to call a specific number, which leads to a criminally organized call center.
Example: Dear User, Your _[financial institution]_ account is delinquent and will be terminated in the next two days. Please visit http://_[xyz company.com]_ or call _[telephone number]_ to request our representative to assist you.
• Pharming typically involves two stages. In the first stage, attackers install malicious code on potential victims’ computers or servers. Once the malicious code is installed, potential victims are automatically redirected from a genuine website to a seemingly identical spoofed page that steals their information.
Example: You entered “https://office.com” (the genuine website), and your computer or server would direct you to “http://office.com” (http, not https) or “https://0ffice.com” (the number zero instead of the letter “o”).
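The pharming example above rests on two tells a reader can check before trusting a link: the scheme has been downgraded from https to http, and the host is a confusable-character lookalike (a zero standing in for the letter “o”). The following Python checker is an added illustration and is not code from the article or its author; it assumes a small constructed allow-list of genuine domains (`office.com`, `irs.gov`) and an illustrative table of confusable characters, and it goes slightly beyond the article by also flagging a genuine brand name embedded in an unrelated domain and punycode (IDN) hosts.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the firm treats as genuine (sample values, not a
# real policy). In practice this would come from the firm's approved-vendor list.
GENUINE_DOMAINS = {"office.com", "irs.gov"}

# Characters and digraphs commonly substituted in lookalike domains, mapped to the
# letters they imitate ("0ffice" for "office", "rn" for "m"). Illustrative subset only.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def fold_confusables(host: str) -> str:
    """Replace look-alike characters with the letters they imitate, longest first
    so that digraphs such as 'rn' are folded before single characters."""
    folded = host.lower()
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        folded = folded.replace(fake, real)
    return folded


def registrable_domain(host: str) -> str:
    """Last two labels of the host. This simplification is adequate for the .com/.gov
    samples here; a real deployment would consult the Public Suffix List."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_url(url: str) -> dict:
    """Classify a URL as 'ok', 'suspicious' or 'reject' against the allow-list.

    Flags the two pharming tells from the article (an http rather than https scheme
    and a confusable-character lookalike) plus two related patterns: a genuine brand
    name embedded in an unrelated domain, and punycode (IDN) hosts whose displayed
    name can differ from the real one."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        return {"url": url, "verdict": "reject", "findings": ["no hostname found"]}

    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme '{parts.scheme}' is not https")

    domain = registrable_domain(host)
    folded = registrable_domain(fold_confusables(host))
    if domain in GENUINE_DOMAINS:
        pass  # exact match on the registrable domain: nothing to flag here
    elif folded in GENUINE_DOMAINS:
        findings.append(f"lookalike of {folded}")
    else:
        findings.append("domain not in allow-list")
        if any(g in host for g in GENUINE_DOMAINS):
            findings.append("genuine brand name embedded in a different domain")

    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host; displayed name may differ from real one")

    verdict = "ok" if not findings else "suspicious"
    return {"url": url, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links modelled on the article's pharming example.
    for sample in ("https://office.com", "http://office.com", "https://0ffice.com",
                   "https://office.com.login-example.test/signin", "not a url"):
        print(check_url(sample))
```

The allow-list approach matters more than the confusable table: a firm can only recognise a lookalike of a domain it has first written down as genuine, which is one reason Publication 4557’s written security plan (discussed below) is worth the effort.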
Phishing Awareness Training
During tax season, tax professionals are hectically serving their clients’ needs. Attackers often start their phishing campaigns during that time, knowing tax professionals and staff are often physically and mentally tired. Through human error, attackers expect a certain number of victims to fall into their trap, causing havoc during the busiest time of the year. Once a fraudulent link is clicked, victims are typically faced with data exfiltration, data loss and ransomware extortion. Therefore, phishing awareness training (PAT) should be done throughout the year, especially during tax season.
PAT should include training all employees, owners and administrative staff; conducting phishing simulations; analyzing the results; and reinforcing the results with positive feedback. PAT reduces the chance of malware and ransomware infections; lays the groundwork for more competent staff and increases their productivity; promotes cybersecurity to protect the value and the brand of your firm; and saves time and cost by avoiding data breaches and in incident response.
Form W-12 Compliance
Form W-12 IRS Paid Preparer Tax Identification Number (PTIN) Application and Renewal instructions[4] (Rev. May 2021) Box 11 requires PTIN holders to check the box to confirm awareness of their responsibility to protect taxpayer information[3]. The instructions for Form W-12 include a reference to the latest Publication 4557 Safeguarding Taxpayer Data (Rev. July 2021)[4], which requires tax return preparers to create and enact written information security plans to protect client data. The word “written” was added to this revision, emphasizing the importance of documenting an information security plan. You should include and document any phishing awareness trainings that you have conducted over the year.
Conclusion
Cyber criminals know humans make mistakes. We are more prone to mistakes when we are in the midst of stressful events and are physically and mentally tired. While the latest technology can safeguard us from many of these threats, ultimately attackers are betting that one of us will click on that malicious link or attachment. With frequent phishing awareness trainings, we can secure the human layer of our cybersecurity.
Footnotes:
1. https://www.ic3.gov/Media/PDFAnnualReport/2021_IC3Report.pdf
2. https://info.phishlabs.com/hubfs/Agari%20PhishLabs_QTTI%20Report%20-%20May%202022.pdf
3. https://www.irs.gov/pub/irs-pdf/iw12.pdf
4. https://www.irs.gov/pub/irs-pdf/p4557.pdf
Kenny Kang is a Certified Public Accountant (in California), Chartered Global Management Accountant (CGMA) and Certified Fraud Examiner (CFE). He is the owner of Kenny Kang CPA and has over 19 years of public and industry experience. Kang specializes in forensic accounting, fraud examination and fraud prevention & detection. He also provides consultation services in fraud risk assessment, internal control assessment, accounting processes review, cybersecurity policies & procedures documentation and phishing awareness training. This article does not constitute any professional advice, and the content is intended for general informational purposes only. Circumstances may differ from situation to situation. Kenny Kang CPA is not liable for any errors or omissions in this article nor any losses, injuries or damages from the consumption or use of this information.