Remember when phishing emails — fake emails designed to entice people to cough up valuable financial information — were sent by Nigerian "princes" who promised to send millions of dollars if the lucky recipient could kindly share a bank account number to deposit it in? They were wacky, outlandish and full of oddly colorful phrases and typos. Good times.
Phishing emails today are far more polished and well informed — phishers learn who does what in an organization and can send a realistic-looking message, say, to the chief financial officer of a company that appears to be from the chief executive. Depending on which part of the trick is emphasized, this tactic is called "spoofing" (forging the sender's address), spearphishing (aiming at one specific person), whale phishing (aiming at senior executives), business-email compromise or "masquerading."
This tax season, a surge of phishing attacks is being launched on taxpayers and corporate employees. The Internal Revenue Service has reported a 400% surge in phishing and malware incidents so far this season.
The Financial Services Information Sharing and Analysis Center "is observing and is aware of higher levels of tax and IRS-related schemes during the peak tax season," said John Carlson, the Washington-based center's chief of staff.
One high-profile victim was Snapchat. At the end of February its payroll department fell for a scammer who impersonated the CEO and asked for employee payroll information. "Unfortunately, the phishing email wasn't recognized for what it was — a scam — and payroll information about some current and former employees was disclosed externally," the company said in an apology to its employees.
Tax season is an especially good time to target financial executives.
"If you're a finance executive at this time of year, you have a number of things competing for your time, from yearend processes around financial statements to financial planning for the next year, in addition to tax statements for employees, new contractors and other third parties," said David Pollino, deputy chief security officer at Bank of the West in San Francisco. "The life of a C-level executive is very busy. Sometimes it's difficult to thoroughly read through emails to ensure that the person sending them is the actual sender."
The IRS issued an alert this month warning payroll and human resources professionals to beware of phishing emails that purport to be from company executives and request personal information on employees. It said the scheme has already claimed several victims. Payroll and human resources staff have mistakenly emailed payroll data including W-2 forms containing Social Security numbers and other personally identifiable information to cybercriminals posing as executives.
"If your CEO appears to be emailing you for a list of company employees, check it out before you respond," IRS Commissioner John Koskinen said in a news release.
The IRS shared a few excerpts from recent fake emails it has caught.
"Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review," read one.
"Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)," was part of another.
"I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP," read a third.
Beyond the W-2 requests aimed at payroll staff, the schemes aimed at individual taxpayers ask about a wide range of topics, including refunds, filing status, personal information, transcripts and PIN information.
What's Different This Time?
Of course, phishing is not new, and even IRS-related phishing is tried every year. Phishing remains the top way cybercriminals break into banks. They use it to elicit information directly, or to get customers and employees to open attachments or links that install malware, which can then move across a bank's network and harvest credentials, including online banking passwords and administrative passwords.
But this time, it is more effective than it has been in the past.
"We have seen the tactics and techniques of what we call 'masquerading' — where the email sender is able to impersonate someone the recipient knows, like the CEO — evolve over time," Pollino said. "They're very innovative at either gathering information they need to commit fraud on other channels or scamming someone into executing a financial transaction that ends up being fraudulent."
The difference in the latest crop of phishing attacks is that adversaries have gotten smarter and victims have not gotten smarter, said Milan Patel, managing director of the cyberdefense practice at K2 Intelligence.
Cybercriminals are putting extra effort into reconnaissance the way thieves case a bank before robbing it, he said.
"You wouldn't just pick any old bank on the street and run in and try to rob it," he said. "You most likely would try to find out who's going in, who's going out, who's related to it, employees' entrants and exits, the easiest way to get in. It's no different in cyber, in that everybody's got an online profile and loves to talk about themselves. The bad guys can go into these public pages and see who you are, who your friends are, who you connect with. They're able to easily craft an email to at least get your attention and find a way to get in and initiate the actual criminal activity."
The cybercriminals are able to make the email appear to be from someone the recipient knows and on a relevant topic. They've gotten uncannily good at making the messages look real, by buying look-alike domains that are just a letter or two off from the real thing (for instance, hypothetically, firstname.lastname@example.org vs. email@example.com). Not everyone knows to carefully examine email addresses, especially if the body of the email looks and feels appropriate.
"Filters and technologies that protect email will have to get smarter about where emails are coming from and looking at behavior patterns of employees and how they send emails," Patel said. If employees' emails fall outside of normal parameters, red flags should go up.
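The two checks described above, a sender domain that is a letter or two off from the real one and a message that falls outside normal patterns, can be scripted. The following is an added example written for this page, not code from the article or from any of the firms quoted in it. The trusted domain `example-bank.com`, the executive name `Jane Doe`, the `SENSITIVE_TERMS` list and the three sample messages are all hypothetical and constructed for the example; a real deployment would read its headers from the mail gateway and its executive list from the directory.

```python
"""Added example: flag look-alike sender domains and executive-impersonation
patterns in constructed email headers. Not the article's or any vendor's code."""
import re

TRUSTED_DOMAINS = {"example-bank.com"}   # hypothetical: the organization's real mail domain
EXECUTIVES = {"jane doe"}                # hypothetical: display names attackers like to borrow
SENSITIVE_TERMS = ("w-2", "w2", "social security", "payroll", "salary")

# Characters attackers swap in because they look alike: 0/o, 1/l, 5/s, 3/e.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Fold common look-alike substitutions so 'examp1e' and 'exarnple' compare as 'example'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def parse_address(header):
    """Split '"Jane Doe" <jane@x.com>' into (display name, address), both lowercased."""
    m = re.match(r'\s*(?:"?([^"<]*)"?\s*)?<([^>]+)>\s*$', header)
    if m:
        return (m.group(1) or "").strip().lower(), m.group(2).strip().lower()
    return "", header.strip().lower()


def domain_of(address):
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def lookalike(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    nd = normalize(domain)
    for t in trusted:
        nt = normalize(t)
        if nd == nt or levenshtein(nd, nt) <= max_distance:
            return t                      # one or two characters off, or a confusable swap
        if nt.split(".")[0] in nd:
            return t                      # trusted name buried in a longer domain, e.g. as a subdomain
    return None


def assess(msg):
    """Return the reasons a message looks like executive impersonation ([] if none)."""
    reasons = []
    name, addr = parse_address(msg["from"])
    dom = domain_of(addr)
    target = lookalike(dom)
    if target:
        reasons.append(f"sender domain {dom!r} resembles trusted {target!r}")
    if name in EXECUTIVES and dom not in TRUSTED_DOMAINS:
        reasons.append(f"executive display name {name!r} sent from external domain {dom!r}")
    if msg.get("reply-to"):
        _, reply = parse_address(msg["reply-to"])
        if domain_of(reply) != dom:
            reasons.append(f"reply-to domain {domain_of(reply)!r} differs from sender domain")
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    hits = [t for t in SENSITIVE_TERMS if t in text]
    # A request for payroll data is only suspicious when something else is off
    # or the sender is outside the organization; internal HR traffic mentions W-2s all year.
    if hits and (reasons or dom not in TRUSTED_DOMAINS):
        reasons.append(f"requests sensitive payroll data: {hits}")
    return reasons


# Constructed sample messages (not real mail): a legitimate internal note,
# a W-2 request from a confusable domain, and an unrelated vendor invoice.
SAMPLES = [
    {"from": '"Jane Doe" <jane.doe@example-bank.com>',
     "subject": "Q1 planning", "body": "See attached deck."},
    {"from": '"Jane Doe" <jane.doe@examp1e-bank.com>',
     "reply-to": "jane.doe.ceo@webmail.example",
     "subject": "W-2 review",
     "body": "Kindly send me the 2015 W-2 of all staff in PDF for a quick review."},
    {"from": "payroll@vendor.example",
     "subject": "Invoice 4471", "body": "Attached is this month's invoice."},
]


def run(samples=SAMPLES):
    """Assess every sample; returns a list of (from header, reasons) pairs."""
    return [(m["from"], assess(m)) for m in samples]


if __name__ == "__main__":
    for sender, reasons in run():
        print(sender, "->", reasons or "clean")
```

The second sample trips all four checks at once: the digit-for-letter domain folds to the trusted one, the CEO's display name arrives from outside, the reply-to points at a webmail account, and the body asks for W-2s. The legitimate first message, which also carries the CEO's name and a trusted domain, produces nothing, which is the behavioural baseline Patel describes: flag the deviation, not the topic.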
Avoiding the Fate of the Phishing Victim
Executives who could be targeted by hackers looking for employees' tax information should be extra careful any time they handle nonpublic customer information or financial information, Pollino notes.
Before sending such data, they should ask themselves if the recipient really has a right to the information, or if unnecessary fields should be stripped out.
"Whenever you're handling nonpublic information, special handling is required, so slow down and take your time," Pollino said. "Make sure you verify the details around the transaction and the legitimacy of that transaction."
Bank of the West educates customers and the public about the dangers of phishing through events, white papers, emails, YouTube videos, a blog and social media posts. This year it created a new hashtag, #becybersafe, for its security messages. Executives speak at external events and a team within the security department is dedicated to making end users aware of fraud and security risks.
When a fraudulent transaction is detected by one of the bank's fraud-detection systems, the bank tries to immediately get word out to employees and customers about how it happened.
"By utilizing that teachable moment, when somebody makes a phone call or comes into one of our branches, we've been able to stop many of these fraudulent transactions before they have a chance to leave the bank," Pollino said.
Technology and training are crucial to fighting phishing attacks, said Steve Durbin, managing director of the Information Security Forum.
"If we can increase the level of awareness of individuals not to click on emails, that's how we can begin to address the issue," he said. "We also have to make sure our filters are up to date, that our products are well patched and that we continue to protect the network perimeters."
One challenge is the fact that so many employees access corporate email on personal devices that are not as well protected as company-issued equipment.
Another is forgetfulness and multitasking.
"We're all very busy people, and sometimes we just click where we should think," Durbin said.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.