It’s not like phishing attacks are anything new, but now is a particularly potent time for them to find their way into your inbox. Why? Hackers and scammers always take advantage of opportunities, no matter how despicable they are. Tax season is a golden opportunity for identity theft since there’s so much personal information flowing between individuals, tax consulting firms, and the IRS.
Phishing attacks and scams are messages from criminals posing as legitimate sources attempting to trick you into sharing private information (passwords, account numbers, Social Security numbers, etc.).
Whenever you receive an email, quickly go through the following checklist:
- Does this message include hyperlinks or attachments?
- Is this message telling me to take urgent action? (“Update your account now!”)
- Is the sender requesting any personal or sensitive information?
If the answer to any of these is yes, a warning light should go on in your head. Let’s look at why each of these questions is important to your cybersecurity.
Right off the bat, hyperlinks (“Click here to secure your account”) and attachments (“Invoice.html”) are one way that scammers can steal your information. In the case of hyperlinks, they might direct you to a phony but authentic-looking website, such as a log-in page, that records what you type and sends it to the scammer. Suddenly, your account is compromised.
A good practice is to never start a web session using the links provided in an email. Did you get an email from your credit card company saying you need to verify some information? Navigate on your own to the company’s website or app and go to “Account Settings.” If the request is genuine, then you can take care of it. The same goes for any other type of request.
Attachments should always be a red flag, as well. While most attacks are now malware-less, tricking you into downloading a file is a classic way to get malware onto your device.
So, if most attacks are without malware, then what do they look like? The last few years have seen huge losses as a result of business email compromise (BEC) attacks. As you might expect, BEC attackers use compromised official email accounts to trick other employees or customers.
How do you identify compromised email accounts? One tipoff is when the sender’s voice or writing style differs from their usual one. Does the sender normally communicate in perfect, complete sentences, but this new message has broken, typo-ridden sentences? That’s another red flag. A yes to the second or third question on the checklist is also a red flag. Let’s look at them.
Scammers only need to trick you for a few seconds to do damage, and creating urgency is one way of doing that. By creating urgency, the sender assumes authority or scares you so that you won’t stop to doubt their identity. Imagine how you would feel getting a message saying, “Dear user: A mysterious purchase was made with your credit card. Click here to stop it.” You want to solve the problem right away, so you click the hyperlink and enter your log-in credentials.
As we have seen, attackers are looking to steal your personal information. When you receive a message that is looking for your data, ask, “Was I expecting this?” and “Is there anything fishy about this request?” For instance, even though it’s tax season, does it make sense for the IRS to text you? No, it doesn’t, but what about email? In this case, a quick Google search will tell you that the IRS will never “initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial information.”
So, is it safe to click a hyperlink from your boss’s email address? Probably, but make sure that 1) it really is their email address, and if it is, 2) you were expecting the message (or it seems reasonable that it was sent by them), and 3) the message reads like your boss wrote it.
If there’s any doubt—especially if you’re being asked for a password, a Social Security number, or something similarly private—then confirm the identity of the sender with a phone call or other method before moving forward.
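The three checklist questions can also be applied mechanically to a raw message, as in this added Python example (not part of the original article). The phrase lists, the `triage` function and the sample message are constructed for illustration; keyword matching is a rough first pass, and a clean result does not make a message safe.

```python
import re
from email import message_from_string, policy

# Constructed phrase lists (assumptions, not from the article); tune them for your own mail.
URGENCY = re.compile(r"\b(urgent|immediately|right away|update your account|click here)\b", re.I)
SENSITIVE = re.compile(r"\b(password|social security|account number|log-?in|credentials)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Constructed sample message, modelled on the lures quoted in the article.
SAMPLE = """\
From: "Card Services" <alerts@example.test>
Subject: Update your account now
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>A mysterious purchase was made with your credit card.
<a href="http://login.example.test/verify">Click here</a> and confirm your password.</p>
--b1
Content-Type: text/html; name="Invoice.html"
Content-Disposition: attachment; filename="Invoice.html"

<html></html>
--b1--
"""

def triage(raw):
    """Answer the article's three checklist questions for one raw email message."""
    msg = message_from_string(raw, policy=policy.default)
    text, links, attachments = [msg["Subject"] or ""], set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():              # Question 1: attachments
            attachments.append(part.get_filename())
        elif part.get_content_maintype() == "text":
            body = part.get_content()
            links.update(URL.findall(body))  # Question 1: hyperlinks (href or bare URL)
            text.append(re.sub(r"<[^>]+>", " ", body))  # drop HTML tags before phrase matching
    joined = " ".join(text)
    return {
        "links": sorted(links),
        "attachments": attachments,
        "urgent": bool(URGENCY.search(joined)),                     # Question 2
        "asks_for_sensitive_info": bool(SENSITIVE.search(joined)),  # Question 3
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```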