Stop phishing attacks to prevent loss of data and money. That’s the advice most security experts give to small business owners. Especially during tax time, cyber crooks can send spoofed messages from the IRS, your state department of revenue, or even your accountant or bank.
When you open fake emails, click on an embedded link, or supply sensitive information, you’ve just handed the crooks the keys to your vault. And they will clean you out.
Use Email Filtering Software
Walmart’s chief security architect, Ira Winkler, urges everyone to stop blaming their employees for data breaches. Rather, he wants businesses to focus on creating a safer cyber environment that would prevent malicious messages from getting through to employees in the first place. (More to come on this strategy soon.)
Several good email filtering vendors, such as Mimecast, can prevent 99% of spoofed messages and malicious attachments from reaching your company’s inboxes. Ask your IT team or your managed service provider (MSP) to help select the right one for your business.
Train Your Staff
While message filtering vendors can prevent most attacks, your employees are a second line of defense against phishing attacks that do manage to get through. Therefore, you should implement a comprehensive training program for all new and continuing employees.
Staff should know how to recognize and thwart phishing attempts:
- Check source email addresses and know how to spot fake addresses
- Detect spoofed hyperlinks by hovering over a link and reading it to make sure that it refers to the source stated in the message
- Notice weird spelling or layout
- Be leery of any request to click on a link or open an attachment
- Pay attention to “do this now or else” emails. Use an alternate method (a phone call or a message that you send) to contact the real sender (e.g., your bank)
- Avoid giving personal or sensitive information in response to a message
- Know what to do in case you suspect that a phishing attack has happened
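For IT teams or MSPs who want to automate the first two checks in the list above, here is an added example (not part of the original article) that flags a Reply-To domain that differs from the From domain and links whose visible text names one domain while the link goes to another. The function names, the constructed sample message, and the "last two labels" domain comparison are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def base(host):
    # Assumption: the last two labels approximate the registrable domain
    # (a production check would consult the Public Suffix List).
    return ".".join(host.lower().split(".")[-2:])

class Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self.cur_href, self.cur_text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.cur_href, self.cur_text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.cur_href is not None:
            self.cur_text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.cur_href is not None:
            self.links.append((self.cur_href, self.cur_text.strip()))
            self.cur_href = None

def check_message(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    reply = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2]
    if reply and base(reply) != base(sender):
        findings.append(f"Reply-To domain {reply} differs from From domain {sender}")
    body = msg.get_body(preferencelist=("html",))
    parser = Links()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        host, shown = urlsplit(href).hostname, DOMAIN_RE.search(text)
        if host and shown and base(shown.group()) != base(host):
            findings.append(f"Link text shows {shown.group()} but goes to {host}")
    return findings

# Constructed sample message for demonstration only.
SAMPLE = """\
From: "IRS Refunds" <refunds@irs-gov.example>
Reply-To: claims@mailbox.example
Content-Type: text/html; charset="utf-8"

<p>Verify at <a href="http://login.tax-portal.example/irs">www.irs.gov</a>.</p>
"""
```

Calling `check_message(SAMPLE)` returns two findings, one for the Reply-To mismatch and one for the disguised link.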
Choose a Cyber-Aware Tax Preparer
Cyber-attacks and scams increase during tax time. Be sure to engage a cyber-aware tax preparer by asking them the following questions:
- How do you recommend exchanging sensitive files and other information?
- Who will have access to my data?
- Will our communications be end-to-end encrypted?
- How do you back up client data?
Scam artists are becoming more clever. Messages claiming to be from the IRS, your state taxing authority, or even your accountant might bear their logo and (fake) contact information.
Genuine notices from taxing authorities never ask for sensitive information. But if your tax preparer needs information, you should be sure that the request is valid and that you can transmit the information securely.
Strengthen Password Management and MFA
Since most phishing attacks aim to gain access to your business’s internal network, you can prevent them from succeeding by ramping up your password procedures.
Requiring employees to use strong passwords and change them frequently won’t work. Your team will probably find keeping track of long passwords too annoying.
Rather, you should consider using a single-sign-on system that will create a single password for each employee to use when logging on to all applications and sites to which they have access.
In addition, consider requiring multi-factor authentication (MFA) for employees, vendors, and clients to gain access to any part of your network.
Back Up Data to the Cloud
When handling sensitive information at tax time, be sure to back up your data in the cloud. The cloud is actually safer than on-site backup methods because your data can be encrypted and stored in different remote locations. Cloud storage will also make file searching, sharing, and retrieval more convenient for your staff and your tax preparer.
It is also important to select the right cloud storage vendor for your business. Our recent blog on that topic provides several helpful tips.
Implement a Plan for When an Attack Occurs
If a phishing attack has compromised your tax information or other data, you and your team need to know what to do.
- Which member(s) of your team is responsible for coordinating a response?
- How should a data breach be reported to state and other authorities?
- What is your plan for recovering data that might have been stolen or damaged?
- What is your tax preparer’s plan for responding to a data breach?
In addition to prevention, create a plan to recover your information and keep your business moving forward.