Tax Time Means Fraud Time: Train Employees To Spot (and Stop) Scams

February 2018: Every year there’s a flurry of tax-related activity (forms to collect, information to gather, people to contact) that falls outside normal day-to-day operations. This is catnip to scammers.

To protect your organization (and employees, partners, and vendors) against fraud, train your employees to spot a tax scam and then test them on it. Here’s what works:

Training to not trust

For most people, suspicion is a habit that must be learned. We’re a trusting species that believes if something seems OK it probably is. While it wouldn’t be advisable to walk around mistrusting everything, it is advisable to train each of your employees to mistrust all requests that involve confidential information.

During tax time, W-2 phishing scams and other scams can look shockingly legit. For example, one of your employees can get an email from someone who says they’re the accountant for one of your vendors and they need a W-9 form. They name the vendor and the contact person, both of which are accurate. Your employee has provided this type of information in the past, so he or she thinks it’s fine to fulfill the request and get back to business.

Or let’s say your CEO or a department head is traveling abroad and hops on a local WiFi hotspot that’s been compromised. A sniffer on that hotspot can capture email addresses, and an address from the U.S. tells the scammer that its owner is traveling. This makes for an ideal time to launch a spear phishing campaign or other CEO fraud scam against the employees back home. The scammers might send a notice about a large transaction from the travel country that requires confirmation, or a warning that the boss’s international data plan is almost used up. Employees don’t want to inconvenience the boss, so they comply.

If your team isn’t trained on today’s most effective scams, your organization is more likely to be a victim of tax fraud.

Choose training that makes it real

Even high-quality security awareness training programs are relatively generic. They introduce concepts and get increasingly difficult as they progress, but when it comes to testing, a generic approach doesn’t get the job done as effectively as a customized approach. To truly appraise your employees, test phishing and spear phishing emails should be crafted just as if they were real-life, sophisticated phishing campaigns.

To get it right, your trainer needs to think like a scammer:

  • Make the phishing emails look and sound like they’re part of the normal course of business
  • Target specific employees with requests for the types of information they typically provide
  • Send emails that spoof known contacts at known companies
  • Sometimes add a sense of urgency, like “we need to get this information updated so we can get you paid”

It’s important to let your employees know they’ll be tested, though. Blindsiding them isn’t great for morale. Don’t publicly name and shame employees who do poorly, either. Instead, make training part of your standard operating procedures all year long and consider giving awards to top performers. If you make test scores part of confidential performance reviews as well, you’ll get the best results.

During tax season, employees in HR departments are prime targets. See our post on tax return scams for specific advice about what to do.

Make sure you have enough people to run the program effectively

Like any other program, your security awareness program needs to be run well so it works well. It can be a somewhat labor-intensive (and ongoing) endeavor to manage a customized security awareness training program, so factor that into your planning.

Ideally, the program should be run by a team that fully understands your organization and what it does. They should know which projects employees are working on, which partners and vendors are involved, when employees might be up against a deadline or distracted — scammers do their homework and so should your training team.

When Leapfrog works with clients on security awareness training, we are often able to fill management gaps if an internal team isn’t available. Since we already manage the IT environment, train our own team for IT disasters, and are up to speed on the clever details scammers use, we’re able to execute effective training campaigns and track the results. If a client needs reporting for compliance, it’s as simple as printing out the data in the required format.

If you’re a Leapfrog customer, be assured that we will never contact any of your employees by email about something like resetting your password or sending information — we’ll call you! If you think you or your organization has been a victim of tax-related identity theft, please visit this IRS page for next steps. If you think your organization can benefit from security awareness training and managed IT services, please contact Leapfrog.
