Beware Tax Season Scams

Tax season is upon us again, and criminals have been busy with a slew of old and new tricks to steal tax refunds. Here are some of the tricks, new and old, that they are employing this tax season, along with some tips on how you can avoid being taken advantage of.

A New Twist to an Old Game

Who wouldn’t be happy to find a bunch of money unexpectedly deposited in their bank account by the IRS?! Unfortunately, the IRS is not just handing out money; this is a new, elaborate scam to swindle both you and the IRS. The criminals use your stolen personal information to file a fraudulent tax return in your name, but have the refund deposited into your real bank account. Then they fall back on their old scam of calling or emailing you, claiming to be the IRS, and demanding that you send the money back.

Thanks, Equifax…

Due to the massive Equifax data breach, the IRS is expecting a huge uptick in the number of fraudulent filings. To help combat some of the fallout, each employer has been assigned a special Employer Code that appears on the W-2 form, so that fake W-2s cannot be used to file claims.

The IRS has also encouraged everyone to file as early as possible, so as not to give criminals a chance to submit a fake claim before you do. If two (or more) claims are filed under your Social Security number, the IRS will notify you by postal mail (the IRS does not email or call).

If you try to e-file and a claim has already been filed under your number, your claim may be rejected and you will need to contact the IRS. Because of the Equifax data breach, you should also contact the FTC.

Even Children are Affected…

A worrisome discovery this tax season has been the sale of infants’ and children’s personal information on the Dark Web. Sellers are even promoting the data by advertising that it is tax season and that buyers should grab the information before it gets used. The troublesome aspect of children’s personal information being for sale is that very few parents actually monitor their children’s credit, so a fake identity may go undiscovered for years, even 16 or 17 years down the road, when the child is grown and starts applying for college or credit.

The ol’ W-2 Phishing Scam

Despite IRS warnings and extensive news coverage over the past couple of years, attackers are still tricking businesses into sending their employee records. A few years ago the IRS warned companies about the W-2 scam, but despite the continued warnings, businesses (and even government offices such as the City of Keokuk, Iowa and Batavia, Illinois) are still falling for phishing emails posing as the company CEO or other executives asking for employee summaries and W-2s.

Employees may be your business’ greatest weakness but they also can be your greatest defender if you take the time to educate them. Inform your employees who have access to sensitive employee data about these types of scams. Don’t just assume that they know.

Teach your employees how to identify phishing scams, and when it comes to sharing sensitive data, encourage them to seek verbal approval from the requestor. Even though scammers insist the response is extremely urgent, getting verbal confirmation from the purported sender, using a phone number you already know rather than one in the email, is the best way to protect sensitive information (the same goes for urgent requests for wire transfers to the Finance Department!).

Lastly, sensitive employee data should never be transmitted unencrypted (even if it’s thought to be internal).

What is Cryptojacking and Why Should I Care?

If you pay attention to the latest cybersecurity news, you may have heard that something called cryptojacking is quickly taking the hacker world by storm as the newest cyber threat, possibly becoming even more popular than ransomware.

So what on the earth is cryptojacking?

Cryptojacking is a method of hijacking computers to mine cryptocurrency without the victim’s knowledge or permission.

If you are not familiar with the world of cryptocurrencies, mining simply means performing complex calculations to add new transactions to the blockchain (another term?! The blockchain is the distributed ledger of recorded transactions for the cryptocurrency). For instance, the popular Bitcoin cryptocurrency is designed so that only 21 million Bitcoins will ever exist, but not all of them have been created yet. Bitcoin mining is essentially the process that creates new Bitcoins and brings them into circulation.

But back to cryptojacking: hackers are essentially stealing the processing power of victims’ computers to run those complex calculations and collect the resulting cryptocurrency. They do this by infecting website plugins and stealing your processing power while you visit legitimate websites, by injecting mining scripts while you are connected to the Wi-Fi at your coffee shop, and through malware that mines on your machine all the time.
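To make "complex calculations" concrete, here is a small added example (not code from the original article) of the proof-of-work search that Bitcoin-style mining performs: hash a block header with a counter (the nonce) over and over until the hash falls below a target. The block header bytes and the difficulty are constructed for the demo; the point is that the expected number of hash attempts doubles with every extra difficulty bit, which is exactly why a cryptojacker wants your CPU for as long as possible.

```python
import hashlib
import time
from typing import Optional, Tuple


def pow_hash(header: bytes, nonce: int) -> str:
    """Double SHA-256 of header || nonce, as Bitcoin does, returned as hex."""
    data = header + nonce.to_bytes(8, "big")
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def mine(header: bytes, difficulty_bits: int,
         max_attempts: int = 2_000_000) -> Optional[Tuple[int, str, int]]:
    """Brute-force nonces until the hash has `difficulty_bits` leading zero bits.

    Returns (nonce, hash_hex, attempts), or None if the attempt budget runs out.
    There is no shortcut: every attempt is a fresh pair of SHA-256 computations,
    which is the CPU time a miner (or a cryptojacker) burns.
    """
    target = 1 << (256 - difficulty_bits)
    for nonce in range(max_attempts):
        h = pow_hash(header, nonce)
        if int(h, 16) < target:
            return nonce, h, nonce + 1
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a solution costs one hash; finding it cost ~2**difficulty_bits."""
    return int(pow_hash(header, nonce), 16) < (1 << (256 - difficulty_bits))


def expected_attempts(difficulty_bits: int) -> int:
    """Average number of hashes needed: each extra bit doubles the work."""
    return 2 ** difficulty_bits


if __name__ == "__main__":
    # Constructed block header for the demo (real headers carry the previous
    # block hash, a Merkle root of the transactions, a timestamp, and so on).
    header = b"demo-block:prev=00..00;merkle=constructed;ts=1518000000"
    for bits in (8, 12, 16):
        start = time.perf_counter()
        result = mine(header, bits)
        elapsed = time.perf_counter() - start
        if result is None:
            print(f"{bits} bits: gave up")
            continue
        nonce, digest, attempts = result
        print(f"{bits} bits: nonce={nonce} attempts={attempts} "
              f"(expected ~{expected_attempts(bits)}) in {elapsed:.3f}s "
              f"hash={digest[:16]}...")
        assert verify(header, nonce, bits)
```

Running the demo shows the attempt count roughly quadrupling for every four bits of difficulty; a real network's difficulty is tens of bits higher, so the only way to profit is to aggregate many stolen CPUs, which is the economics behind cryptojacking.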

So why should I care about cryptocurrency mining malware?

More often than not, you may not even realize that you have been infected with cryptocurrency mining malware. You may experience a slow-down of your computers or lag while using the internet. The same goes for your mobile devices, as cryptojacking has started exploiting the processing power of Android phones through malicious websites. There was even a nasty strain of Android cryptojacking malware called Loapi that could drive the phone’s processor so hard that the phone would physically melt.

Beyond melting your phone, there are cases where cryptocurrency mining malware could cause real havoc. In a race to find more processing power, attackers have looked to utilities and have successfully infiltrated a water utility in the United Kingdom to mine cryptocurrency. Had the mining operation consumed enough processing power, it could have caused system failures and truly impacted the utility’s operations. Perhaps even more stunning, a handful of scientists in Russia were arrested when they attempted to connect a supercomputer at a nuclear facility to the internet so they could use its processing power to mine cryptocurrency.

How to prevent cryptojacking?

There are a couple of simple steps you can take to prevent cryptocurrency mining infections in your browser:

  • Install an anti-cryptocurrency browser extension like NoCoin or MinerBlock
  • Use a pop-up/ad blocker (some even have cryptocurrency blocking built in)

Are you PCI Compliant?

Does your business process credit cards? Would you be able to continue operating if you lost the ability to process cards?

If your business relies on credit cards to conduct business, there are certain cybersecurity measures you must implement to comply with the Payment Card Industry Data Security Standard (PCI-DSS). A common misperception about PCI-DSS is that if you don’t store credit card information, you don’t have to be PCI compliant. That simply is not true: the PCI standards also apply to card data while it is processed or transmitted over the computer network, phone lines, and even fax. So unless you are using point-to-point encryption AND tokenization, you will need to comply with PCI-DSS.

Another misconception is that payment card processors do not fine small companies when they have a breach. While fines are typically levied against merchants that process more than a million transactions a year, if you suffer a breach of cardholder data you will be liable for chargeback amounts and credit monitoring costs, could be on the hook for compliance auditing costs, and could lose your ability to process credit cards altogether.

The PCI-DSS requirements mirror data security best practices, and a few key requirements are:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 1 requires that businesses that process or transmit credit card data have a firewall protecting the cardholder data. It further dictates that the firewall configuration be reviewed every six months and that you block bogus source IP addresses (bogons) from reaching the network from outside.
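As an added illustration of the bogon rule (example code, not from the original article or any PCI document), the following checks inbound flows against the well-known IANA special-purpose ranges that should never appear as a source address on an Internet-facing interface: RFC 1918 private space, loopback, link-local, carrier-grade NAT, the documentation and benchmarking nets, multicast and reserved space. The sample flow records are constructed; a production filter would also pull the changing list of unallocated space from a maintained bogon feed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Static list of special-purpose IPv4 ranges (IANA registry). These are the
# addresses that can never legitimately originate traffic from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # carrier-grade NAT shared space
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1 (documentation)
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2 (documentation)
    "203.0.113.0/24",   # TEST-NET-3 (documentation)
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved (includes broadcast)
)]

Flow = Tuple[str, str, int]  # (source address, destination address, dest port)


def is_bogon(addr: str) -> bool:
    """True if the source address falls in a range that cannot be an
    Internet source. Raises ValueError on a malformed address, so the
    caller decides whether to fail closed."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)


def filter_ingress(flows: Iterable[Flow]) -> Tuple[List[Flow], List[Flow]]:
    """Split inbound flows into (accepted, dropped).

    Anything with an unparseable or bogon source is dropped (fail closed),
    which is what an ingress rule on the cardholder-data firewall should do.
    """
    accepted, dropped = [], []
    for flow in flows:
        src = flow[0]
        try:
            bogus = is_bogon(src)
        except ValueError:
            bogus = True
        (dropped if bogus else accepted).append(flow)
    return accepted, dropped


# Constructed sample of inbound connection attempts seen on the outside
# interface; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges,
# so the "public" address below is the only one that should pass.
SAMPLE_FLOWS: List[Flow] = [
    ("203.0.113.7", "192.0.2.10", 443),    # documentation net as source: bogon
    ("10.20.30.40", "192.0.2.10", 443),    # private space spoofed from outside
    ("169.254.1.1", "192.0.2.10", 22),     # link-local
    ("8.8.8.8", "192.0.2.10", 443),        # ordinary public source: allowed
    ("not-an-ip", "192.0.2.10", 443),      # malformed: fail closed
]

if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE_FLOWS)
    for f in bad:
        print("DROP  src=%s dst=%s:%d" % f)
    for f in ok:
        print("ALLOW src=%s dst=%s:%d" % f)
```

The same logic belongs in the firewall's actual ingress rule set rather than in a script; the script is useful for auditing exported firewall logs during the six-month configuration review the requirement calls for.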

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Requirement 5 requires that the business deploy anti-virus software on all systems commonly affected by malware (5.1) and that the anti-virus be able to detect, block, and remove known malicious software (5.1.2). While free anti-virus options are available, many are limited in their capabilities and do not provide the same level of protection as paid products. Anti-virus programs are not expensive (as low as $2.50 per computer per month from Axiom), so why take the risk that your computers could be infected by card-stealing malware or locked up by ransomware?

Requirement 5 also states that you must keep the anti-virus programs up to date, perform regular scans, and maintain an audit log (5.2), and that anti-virus programs cannot be disabled by users (5.3) unless justified and approved by management.

Requirement 6: Develop and maintain secure systems and applications

Requirement 6 directs companies to establish a process for identifying security vulnerabilities (6.1) and assigning each a risk rating (low, medium, high, critical). It also requires that companies install security patches for known vulnerabilities within one month of the patch being released (6.2).
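Here is an added example (not from the original article or the PCI-DSS) of the bookkeeping behind 6.1 and 6.2: a small vulnerability inventory where each finding gets a risk rating from its score, and a check that flags any unpatched finding whose patch has been available longer than the one-month window. The score-to-rating thresholds follow the CVSS v3 qualitative scale (0.1–3.9 low, 4.0–6.9 medium, 7.0–8.9 high, 9.0–10.0 critical); the hosts, finding identifiers and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SLA_DAYS = 30  # Requirement 6.2: patch within one month of release


def risk_rating(score: float) -> str:
    """Map a 0-10 severity score to the rating levels named in 6.1,
    using the CVSS v3 qualitative bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("score must be between 0 and 10")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


@dataclass
class Finding:
    host: str
    finding_id: str           # placeholder id, e.g. "VULN-PLACEHOLDER-001"
    score: float              # 0-10 severity score from the scanner
    patch_released: date      # vendor patch publication date
    patched_on: Optional[date]  # None while the patch is still missing

    @property
    def rating(self) -> str:
        return risk_rating(self.score)

    def days_overdue(self, today: date) -> int:
        """Days past the SLA deadline; 0 if patched or still within the window."""
        if self.patched_on is not None:
            return 0
        return max(0, (today - self.patch_released).days - SLA_DAYS)


def overdue_findings(findings: List[Finding], today: date) -> List[Finding]:
    """Findings that breach 6.2, worst rating first, then most overdue."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}
    late = [f for f in findings if f.days_overdue(today) > 0]
    return sorted(late, key=lambda f: (order[f.rating], -f.days_overdue(today)))


# Constructed inventory as of a constructed review date.
REVIEW_DATE = date(2018, 4, 1)
INVENTORY = [
    Finding("pos-terminal-01", "VULN-PLACEHOLDER-001", 9.8, date(2018, 1, 15), None),
    Finding("web-frontend",    "VULN-PLACEHOLDER-002", 7.5, date(2018, 2, 20), None),
    Finding("web-frontend",    "VULN-PLACEHOLDER-003", 5.3, date(2018, 3, 20), None),
    Finding("db-server",       "VULN-PLACEHOLDER-004", 9.1, date(2018, 2, 1), date(2018, 2, 10)),
]

if __name__ == "__main__":
    for f in overdue_findings(INVENTORY, REVIEW_DATE):
        print(f"{f.rating:8} {f.host:16} {f.finding_id} "
              f"{f.days_overdue(REVIEW_DATE)} days past SLA")
```

The patched database finding and the web finding released 12 days before the review both drop out; the two remaining entries are what an assessor would ask about.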

How Axiom can help with PCI Compliance

Axiom can assist with fulfilling all of the PCI-DSS requirements listed above through our combination of hardware and software services. If any of the requirements give you pause, contact us today for a free consultation at (800) 519-5070 Ext. 7.

For more information on PCI-DSS, you may find the official PCI DSS Quick Reference Guide helpful.