Recently, the IRS issued a warning that internet hackers have stepped up their phishing campaigns. Specifically, the hackers are increasing their use of business email spoofing and business email compromise phishing campaigns. A common variation of this type is known as CEO Fraud or Gift Card Fraud (which HBK Risk Advisory Services warned clients and colleagues about earlier this month in "Don't Fall for the Phish(ing) Bait"). The warning from the IRS highlights two versions of the phishing scam:
- Emails that impersonate company employees and ask Human Resources staff members to change the "employee's" payroll direct deposit bank account.
- Emails that impersonate company executives and ask the staff members responsible for wire transfers to send a wire transfer to a specific bank account on the "CEO's" behalf.

To guard against these scams:
- Look for clues such as poor spelling or grammar, which are common in phishing messages.
- Don’t fall victim to the "urgent request" prompt. Unexpected messages that require "your immediate attention" or are earmarked as "emergency" emails are often phishing scams.
- Be VERY skeptical! Place a phone call to the requesting employee or executive to verify any request for payroll or bank account changes.
- Implement a formal Cyber Awareness Campaign. It should include regular educational updates about the red flags of phishing email campaigns.
- Establish an inventory of your Information Technology (IT) assets (including data mapping).
- Implement or update IT Security Policies (including data classification).