April 2, 2020

When it comes to tax season, there is no safe haven from phishing attacks

By Steve Banda

With COVID-19 and the new realities of social distancing, the IRS announced that it is extending its April 15 deadline to file taxes by 90 days. Make no mistake: just as malicious actors have capitalized on fears of coronavirus to spread malicious apps, they will take advantage of this news as well. From scams targeting consumers to those targeting finance and HR departments, these attacks have become so pervasive that the IRS issues an annual advisory warning businesses and consumers about them.

The extension is a welcome reprieve in this uniquely challenging time, but it presents a new opportunity for cyberattackers: it gives them more time, and many finance and HR departments may be unaccustomed to working remotely. One of the most common tax-related phishing attacks is for malicious actors to request W-2 forms from finance and HR departments, which they then use to commit identity theft and claim fraudulent tax refunds.

In the best of times, finance and HR professionals are aware of these attacks and remain diligent in protecting their employees’ personal information. However, many of these same professionals are now isolated from their colleagues while they work from home, and are likely feeling immense pressure from this unfolding crisis. Normally they could easily turn to a colleague to verify a suspicious message, but under these circumstances they are more likely to respond to an urgent request without verifying it first.

Add to this that remote employees are using mobile devices to check and respond to email, which makes these attacks even more difficult to spot. Mobile presents a prime opportunity for phishing because of the smaller screen size and the greater urgency people feel to respond to email and social media. And as more employees work from their mobile devices, another risk is the co-mingling of their personal and corporate environments.

An employee working from home may check their personal email on a corporate-issued mobile device, or access corporate resources from a personal mobile device. In either case, there is a risk that this employee is phished, resulting in the compromise of their enterprise credentials or enabling an attacker to move laterally into the enterprise network. This risk is made even more pronounced by the emergence of mobile-first, SMS-based phishing attacks, which cannot be detected by traditional email anti-phishing solutions.

Security practitioners should objectively assess this risk. Even if they have phishing protection for email in place, do they have a way to protect their users’ personal email accounts or SMS messages on their mobile devices?
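The W-2 request lure described above and the SMS-based variant that email filters never see can both be triaged with the same simple rule: a message that asks for tax or payroll records is the trigger, and urgency cues, an external sender domain, or an SMS channel with a link are the amplifiers that should send it for out-of-band verification. The following is an added example written for this article; it is not Lookout's product logic or code. The rule set, the `corp.example` internal domain and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical triage rules for tax-season phishing (added example, not vendor code).
# Phrases that indicate a request for, or a lure about, tax or payroll records.
TAX_RECORD_TERMS = re.compile(
    r"\b(w-?2s?|1099s?|tax refund|payroll (?:data|records|report))\b", re.I)
# Pressure cues typical of social-engineering lures.
URGENCY_TERMS = re.compile(
    r"\b(urgent(?:ly)?|asap|immediately|right away|by end of day|today)\b", re.I)
# Any http(s) link; used only for SMS, where a link is the usual payload carrier.
LINK = re.compile(r"https?://\S+", re.I)


@dataclass(frozen=True)
class Message:
    channel: str  # "email" or "sms"
    sender: str   # e-mail address or phone number
    body: str


def triage(msg: Message, internal_domains=("corp.example",)) -> Tuple[int, List[str]]:
    """Return (score, reasons) for a message.

    A message that does not mention tax or payroll records scores 0 and is out of
    scope for this rule. Otherwise the request itself counts for one point and each
    amplifier (urgency, external sender, SMS channel, SMS link) adds one more.
    """
    reasons: List[str] = []
    if not TAX_RECORD_TERMS.search(msg.body):
        return 0, reasons
    reasons.append("asks for or references tax/payroll records")
    if URGENCY_TERMS.search(msg.body):
        reasons.append("urgency cue in body")
    if msg.channel == "email":
        domain = msg.sender.rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            reasons.append(f"external sender domain: {domain}")
    elif msg.channel == "sms":
        reasons.append("SMS channel is not covered by e-mail anti-phishing")
        if LINK.search(msg.body):
            reasons.append("SMS contains a link")
    return len(reasons), reasons


def needs_out_of_band_verification(msg: Message) -> bool:
    """True when the request should be confirmed by phone or chat before acting."""
    score, _ = triage(msg)
    return score >= 2


# Constructed sample messages; the look-alike domain and phone number are fictional.
SAMPLES = [
    Message("email", "ceo@corp-example.net",
            "Hi, I need the W-2s for all employees sent to me today, this is urgent."),
    Message("email", "payroll@corp.example",
            "Reminder: the W-2 forms are now available in the HR portal."),
    Message("sms", "+15555550100",
            "IRS: your tax refund is pending. Confirm at https://short.example/refund immediately"),
    Message("sms", "+15555550199", "Lunch at noon?"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        score, reasons = triage(m)
        verdict = "VERIFY OUT OF BAND" if needs_out_of_band_verification(m) else "ok"
        print(f"[{m.channel}] {m.sender}: score={score} {verdict} {reasons}")
```

The internal payroll reminder still scores one point because it mentions W-2 forms, but it is not escalated: the point of the rule is to flag the combination of a records request with pressure or an unexpected channel, not every mention of tax paperwork. In practice the internal-domain list would come from the mail system's accepted domains rather than a hard-coded tuple.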

To learn how Lookout delivers phishing and content protection to ensure that users are not putting corporate data at risk, visit www.lookout.com/phishing.


Steve Banda,
Senior Manager, Security Solutions