Spear-Phishing Gets Taxing!

As this year’s tax season picks up steam, hackers are increasingly looking to crack the IRS code. And we’re not talking about the volumes of arcane rules and regulations that accountants and others pore over every single day.

Over the last few weeks, a number of companies—including Seagate, Snapchat and SevOne—have succumbed to spear-phishing attacks aimed at tax data. The latest victim was payday lending firm Moneytree, which reportedly handed over Social Security numbers, home addresses and W-2 information for about 1,200 employees.

The IRS has issued a special bulletin alerting payroll and HR professionals about the scheme, which makes it appear that a company’s senior executives—or the IRS—are requesting the information about employees. The agency reported that it had witnessed a 400 percent increase in phishing and malware incidents so far this year.

To be sure, the crooks are getting smarter and better at tricking people. According to a just-released study conducted by Cloudmark and Vanson Bourne, more than 84 percent of respondents estimated that a spear-phishing attack had penetrated their organization’s security defenses. In addition, they reported that 28 percent of spear-phishing attacks get through their organization’s security defenses.

On average, respondents estimated that the financial cost of spear-phishing to their organization was more than $1.6 million over the last 12 months. Moreover, 43 percent said that they suffered a loss in employee productivity as a result of spear-phishing attacks, and 29 percent indicated that their company reputation had taken a hit.

Clearly, current protections and training methods are not working as intended. Nearly 80 percent of the organizations surveyed have a training program in place to thwart attacks, but only 3 percent said that all employees passed a simulated spear-phishing test. On average, respondents estimated that 16 percent of staff members failed their organization’s most recent spear-phishing test.

There are no easy answers. Remarkably, 71 percent of organizations have already deployed a solution to defend against spear-phishing, according to the survey.

However, until we see far more advanced security systems—including those that tap cognitive computing and deep learning—the problem will almost certainly continue. Even then, hackers, attackers and thieves will likely find some other way to trick, deceive and bamboozle people.

In the end, it all comes down to a fairly basic but critical concept: It’s impossible to over-train your staff about spear-phishing and other security threats.