Phishing attacks teem in tax season
March 19, 2018
The threat of a cyberattack through phishing is omnipresent, but phishing attacks may take advantage of the season. For example, according to a February cybersecurity newsletter from the U.S. Health and Human Services Office for Civil Rights, phishing attacks regarding tax refunds are common during tax season.
"Individuals must remain vigilant in their efforts to detect and not fall prey to phishing attacks because these attacks are becoming more sophisticated and harder to detect," according to the newsletter.
Phishing is sometimes used to trick individuals into divulging sensitive information via electronic communication by impersonating a trustworthy source.
For example, the news release said, an individual may receive an email or text message informing the individual that their password may have been hacked. The phishing email or text may next instruct the individual to click on a link to reset their password. In many instances, the link will direct the individual to a website impersonating an organization's real website (e.g., bank, government agency, email service, retail site) and ask for the individual's username and password.
Once the credentials are entered into the fake website, the third party that initiated the phishing attack will have the individual's login credentials for that site and can begin other malicious activity, such as looking for sensitive information or using the individual's email contact list to send more phishing attacks, according to the newsletter. Alternatively, rather than capture login credentials, the link in the phishing message may download malicious software onto the individual's computer. Phishing messages could also include attachments, such as spreadsheets or documents, that contain malicious software that executes when the attachments are opened.
One of the primary methods of combating phishing attacks of all kinds is through user awareness, the newsletter said.
The Office for Civil Rights posted these tips for people on how to avoid becoming a victim of phishing attacks:
- Be wary of unsolicited third-party messages seeking information. If a person is suspicious of an unsolicited message, they should call the business or person that purportedly sent the message to verify that they sent it and that the request is legitimate.
- Be wary of messages even from recognized sources. Messages from coworkers or a supervisor, as well as messages from close relatives or friends, could be sent from hacked accounts used to send phishing messages.
- Be cautious when responding to messages sent by third parties. Contact information listed in phishing messages, such as email addresses, websites and phone numbers, could redirect people to the malicious party that sent the phishing message. When verifying the contents of a message, use known good contact information or, for a business, the contact information provided on its website.
- Be wary of clicking on links or downloading attachments from unsolicited messages. Phishing messages could include links directing people to malicious websites or attachments that execute malicious software when opened.
- Be wary of even official-looking messages and links. Phishing messages may direct people to fake websites mimicking real websites using website names that appear to be official, but which may contain intentional typos to trick individuals. For example, a phishing attack may direct someone to a fake website that uses 1's (ones) instead of l's (e.g., a11phishes vs. allphishes).
- Keep anti-malware software and system patches up-to-date. Anti-malware software can help prevent infection by a virus or other malicious software. Also, ensuring patches are up-to-date reduces the possibility that malicious software could exploit known vulnerabilities of the computer's or mobile device's operating system and applications.
- Back up data. In the event that malicious software, such as ransomware, does get installed on their computer, people may want to make sure they have a current backup. Data that malicious software deletes or holds for ransom may not be retrievable.
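
The look-alike names described in the tips above (a11phishes vs. allphishes) can also be caught automatically, for instance in a mail filter or link checker. The following is an added example, not part of the newsletter; the allowlist and hostnames are constructed, and it goes beyond the 1-for-l swap to cover a few other common character swaps and single-character typos.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): hostnames the organization really uses.
KNOWN_GOOD = {"allphishes.example", "mail.allphishes.example"}

# Characters commonly swapped for look-alikes, folded to one canonical form.
SINGLE = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e"})
MULTI = (("rn", "m"), ("vv", "w"))


def skeleton(host: str) -> str:
    """Fold visually confusable characters so look-alikes compare equal."""
    host = host.lower().rstrip(".")
    for seq, repl in MULTI:
        host = host.replace(seq, repl)
    return host.translate(SINGLE)


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    # Skip the first mismatch on one or both sides; the tails must then match.
    return a[i + 1:] == b[i + 1:] or a[i:] == b[i + 1:] or a[i + 1:] == b[i:]


def classify(url: str) -> str:
    """Return 'known', 'lookalike:<domain>' or 'unknown' for a link's host."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in KNOWN_GOOD:
        return "known"
    for good in sorted(KNOWN_GOOD):
        if skeleton(host) == skeleton(good) or within_one_edit(host, good):
            return f"lookalike:{good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a message body.
    for link in ("https://allphishes.example/reset",
                 "https://a11phishes.example/reset",
                 "https://rnail.allphishes.example/login",
                 "https://unrelated.test/"):
        print(f"{classify(link):40} {link}")
```

A result of "unknown" only means the host does not resemble an allowlisted name; it is not a verdict that the link is safe.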
For more information, visit the Federal Trade Commission's consumer information on phishing.