How cybercriminals are trying to hook your employees this tax season 

How cybercriminals are trying to hook your employees this tax season 

Dmitry Bestuzhev, Most Distinguished Threat Researcher, BlackBerry

In this digital world, nothing is certain except death and taxes … and cyberattacks. It’s not a matter of if but when an organization will be targeted. Cybercriminals are busy this time of year. This tax season, we can expect to see an increase in unauthorized access to accounts, phishing emails, and suspicious phone calls. Phishing scams are the primary source of most cyberattacks. All it takes is one employee clicking on one suspicious link, and the data of an entire organization could be compromised.  

We must understand what’s at stake: data is worth more than ever on the dark web – bank details, passwords, even shopping basket histories. It’s getting harder to recognize targeted attacks, meaning anyone working from home or outside the office must be vigilant and work with their employers to spot and report suspicious activity. 

Employees need to know that weak passwords and human error – including trusting emails about an order or calls from a bank – will let hackers in. While humans are the weakest link when it comes to cybersecurity, human awareness is still the best defense. 

Here are some of the popular ways hackers are trying to hook employees this tax season: 


Phishing attacks have become increasingly sophisticated and can be difficult to recognize, making this an effective form of cybercrime. Cybercriminals create cleverly designed emails that appear to be from legitimate sources and contain believable messages. They exploit human psychology by creating a sense of urgency and fear to convince you to click on a malicious link or open an attachment that contains malware.  

These attacks are preventable. The truth is that every organization needs better cyber hygiene. Anyone can fall prey to simple phishing emails, which are responsible for a large proportion of cyberattacks. Humans are generally prone to error – it just happens. You can educate people, but when they’re in a moment of inattention, they’re bound to make mistakes. It’s up to businesses to implement robust security strategies and ensure they’re not putting employees in a position where there’s an option to make compromising mistakes. Cyber criminals are waiting for organizations and the public to drop their guard. We must not give them the opportunity. 

Spear phishing 

Spear phishing is an advanced form of phishing targeted at a specific person or organization. This usually involves researching the target to make the scam more convincing. The emails used in spear phishing can be personalized to appear as if they’re coming from someone the recipient knows, such as a co-worker or family member. These emails can also be tailored to include relevant information about the targets by incorporating personal information such as their full names, date of birth, or name of their employer. Spear phishing emails contain malicious links or attachments and can result in the theft of sensitive data or the installation of malware.  


Smishing is essentially phishing through text messages – a combination of the terms SMS and phishing – and this is becoming a serious threat. It can be cheap and effective, particularly if the hacker uses a short phone number, such as a four-digit number, which would make it look like a legitimate source. These attacks are particularly effective when paired with phone calls. 

The Internal Revenue Service (IRS) recently warned taxpayers of an increase in IRS-themed texting scams aimed at stealing personal and financial information, and offered a reminder that the IRS does not send emails or text messages asking for information or account numbers. 

Many workers inadvertently expose themselves and their employers to attacks by practicing poor security hygiene. For example, texting-addicted phone users are much more likely to immediately open and respond to potentially malicious texts than emails. Aware of this, crafty threat actors are quickly creating new forms of mobile malware and adapting phishing lures for smishing.  


Malware is a generic name for different types of malicious programs designed to infect devices and steal sensitive information, such as passwords or logins. Once a device is compromised or infected by malware, a threat actor can steal this data repeatedly – even new, stronger passwords created by the device user. Using the best anti-malware software and technology is your best defence against malware attacks. 

Phone Scams 

People posing as representatives of the Internal Revenue Service (IRS) or other government agencies are picking up the phone to try to steal personal information and money. They may call or email victims and claim they owe taxes, fees, or penalties. They may also threaten victims with arrest if they don’t pay immediately. These scams can also be difficult to recognize, as criminals often use official sounding language and fake caller IDs. Victims should never give away any personal information over the phone or online and should always verify the identity of anyone claiming to be form the IRS before taking any action.  

How to protect yourself 

Organizations have the responsibility to deploy fully up-to-date cybersecurity technologies that track and defend against new threats. But employees also have a role to play by making the job of cyber attackers as difficult as possible by improving their cyber hygiene through strong multi-factor authentication, constant vigilance and exercising zero trust. 

Multi-factor authentication (MFA) requires users to provide two or more pieces of evidence to prove their identity, such as a password, PIN, or fingerprint. This makes it harder for cybercriminals to access accounts because they would need both login credentials and the additional authentication factor. MFA also helps detect unauthorized access attempts, as any suspicious activity triggers an alert.  

Cybercriminals use a variety of methods to guess weak passwords.  Strong passwords should be at least eight characters long with a combination of uppercase and lowercase letters, numbers, and symbols. They shouldn’t contain any personal information or words that can be found in a dictionary. Avoid using the same password for multiple accounts and change passwords regularly.  It’s not always easy to spot the red flags. Cybercriminals exploit confusion and uncertainty, so we can’t drop our guard. Cyberattacks may be inevitable, but their success needn’t be. 

Pin it
Related Posts