IT departments must protect enterprise employees from tax phishing scams as they are being targeted by e-mail, according to Paul Wood, an analyst at Symantec Corp., headquartered in Mountain View, Calif.
Tax-related scams increase from mid-February through March. Forty-eight per cent of malicious mail on March 20 this year included tax-related phishing. The majority of this e-mail claimed to be from the United Kingdom’s tax office, according to Wood.
“It’s certainly a seasonal trend, where in many countries, many people see an increase,” Wood said.
Phishing scams change to follow the tax period, becoming more prevalent closer to the end of the financial year in April, he said.
“Phishing utilizes timely events to increase the likelihood of catching targets and information; during tax season it’s tax phishing, during election season it’s election phishing,” said James Quin, an analyst at London, Ont.-based Info-Tech Research Group Inc.
Typically these scams pose as legitimate-looking services, such as telling people of a chance for a rebate, using tax issues to lure employees. The e-mail then might ask for credit card information. A recipient of the phishing e-mail should know it is a scam if it asks for credit card info because the government does not give out rebates in that fashion. These scams usually contain grammatically correct language and legitimate-looking Web sites to con recipients into giving away personal information.
The goal of a phishing scam is to attack individuals, not the enterprise. So it is the employees who are at risk of being scammed, according to Quin.
“Tax scams, like most broadly targeted phishing attempts, are not focused on enterprises, and therefore have little impact on them,” Quin said.
Most employees in an enterprise are already protected by anti-spam tools that filter out e-mail containing threats, he said.
“Enterprises do this more for their own protection than the protection of their employees, but the protection is extended to the employee automatically,” Quin said. “If the business is not using some form of spam protection, whether an in-house managed solution or a third-party service, they should consider it immediately.”