3/17/2020
02:00 PM
This Tax Season, Save the Scorn and Protect Customers from Phishing Scams

As security professionals, it's easy to get cynical about the continued proliferation of tax ID theft and blame the consumers themselves. But that doesn't help anyone.

We hear about it every year at this time: consumer-targeted phishing scams in which hackers are after tax returns. We're all well aware of the motivations behind these schemes. It has now reached the point that the IRS issues a warning about phishing scams every January, urging consumers to file as early as possible to avoid being victims.

The biggest challenge with tax ID theft through phishing is that the victims aren't aware they've been targeted until it's too late. As security professionals, it's easy to get cynical about the continued proliferation of these scams and blame the consumers themselves. I've been seeing articles by members of the security community that take a tone of condescension and snark. You can almost hear the authors sighing deeply and picture the exasperated eye rolls.

I'm appealing to my fellow security professionals: This tax season, let's drop the scorn toward victims of phishing scams. Underestimating the effectiveness of phishing and blaming its victims doesn't help anyone. For example, in February, cybercriminals intentionally preyed on the public's fears and concerns about the coronavirus by sending out malicious links masquerading as information consumers can use to protect themselves from the virus. With the coronavirus all over the media, can you blame consumers for clicking on a URL that promises safety and information?

A tone of condescension also ignores the real and increasing damage phishing does to the trust relationship between consumers and brands, tech firms, and government agencies. In addition, it's worth noting that the tips we often give to consumers aren't foolproof. Almost half of all spoofed sites are now served over HTTPS with a valid certificate, exploiting the trust consumers have placed in visiting what they believe are secure "https" URLs with the familiar padlock icon. And the phishing domains and emails sent to customers are both more sophisticated than ever. In fact, 97% of people around the world are unable to identify a sophisticated phishing email.

Focus on What Matters
I ask that we focus on better ways to shut down these insidious attacks before they can take hold. The good news is, the security community has already created the tools and technology it takes to solve this problem. We just need to refine them and point them in the right direction.

Right now, defenders are placing much emphasis on email filtering and domain monitoring. Both of these tools are valuable, but they're only pieces of a larger, more complex puzzle. For example, it's smart to use anti-phishing email filtering to make sure fake email messages don't get through to your company's employees, but a growing number of phishing scams employ social engineering techniques to trick people into giving up sensitive information, particularly over text messages, which email filters never see.

Additionally, email filtering helps to keep your employees safe, but what about the email accounts of your customers? And, yes, it is your problem if customers are duped. Don't forget that under consumer privacy laws such as GDPR and the newly enacted CCPA, your company is legally responsible for customer data loss caused by phishing, even if you never knew your brand was being targeted by a campaign.

As for domain monitoring software solutions, they are designed to alert businesses when certain domains have had a status change or need to be renewed. But they don't alert security teams when a new spoof URL has been published or spot all of the fakes. According to Dell Technologies, an estimated 30,000 spoof URLs are launched every day. These URLs typically cycle back and forth between malicious and legitimate, as reported in a recent Anti-Phishing Working Group report. The sheer volume and constant state of flux make it difficult for any domain monitoring solution to monitor and identify them all.

Defenders should consider scalable, real-time strategies that improve detection from the moment a spoof site or page has launched. [Editor's note: The author's company offers a related solution.] The problem with the current approach to phishing detection is that by the time the victim clicks on the link and visits the spoof site, it's too late. The consumer who tries to file a real tax return only to learn that someone else already filed one in their name is a perfect example.

End the Victim Blaming
It's easy to heap blame on customers, telling ourselves that they "should know better" than to click on a URL in an email from someone they don't know. But as the saying goes, "You don't know what you don't know." Customers believe that the emails and texts containing spoof URLs are coming from a brand they know and trust. And it could very well be your brand. That's the most insidious part of a phishing attack. It's up to us, the defenders, to innovate new ways to solve this vexing problem.


Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has ...