Recently, the IRS issued an urgent warning about a new phishing scam that impersonates both the IRS and the FBI in a single email, a double whammy.
But in this case, instead of demanding tax payments, the goal of the attack was to get the intended victim to click an embedded malicious link that would then download ransomware.
In Boston there was a recent case where a woman was scammed out of more than $11,000 by a fraudulent IRS-themed campaign. As amazingly simple as some of these attacks seem, people do fall for them. And can we really be so sure that no one in our organizations would fall for these kinds of attacks?
These types of email attacks, targeted at both consumers and businesses, are extremely common. In fact, email security companies block millions of emails with malware attachments every month, along with millions of clicks on malicious URLs and millions of emails that try to deceive the recipient by impersonating their boss or a C-level executive in their organization and pushing them into doing something they shouldn’t, like wiring a large sum to an account controlled by the cybercriminal.
There is no silver-bullet solution to these types of attacks. To be clear, the IRS does not initiate contact with a threatening email or phone call; if there is an issue, it contacts people by good old snail mail.
While it is important for individual employees to be informed about all types of email-borne attacks, organizations need a multilayered defensive program. That program starts with preventive technical controls against the many flavors of phishing, going well beyond anti-virus and anti-spam, and also covers threat monitoring, user awareness training, and particularly strong, focused defenses against the attacks that would be most damaging to the organization if they succeeded.