Tax scams cost small businesses billions of dollars each year, both in direct financial losses and indirect consequences such as legal fees, lost time, and damaged reputations.
Common tax season scams and business risks
Phishing emails impersonating tax authorities
Phishing emails are a prevalent threat especially during tax season. Shockingly, 1 in 3 employees fall for phishing emails by clinking on malicious links or sending confidential information to bad actors. The average financial loss per successful phishing attack is nearly $4.9 million. With most of these phishing emails use urgent or threatening language to manipulate recipients and spoof the email address making them seem they are being sent by reputable tax authorities or the IRS.
Business email compromise (BEC) scams
BEC scams are another significant threat. These scams involve a cybercriminal impersonating a high level executive, manager, or HR person via email in order to get employees to share sensitive information. Over the past decade these scams have cost businesses over $55 million. During tax seasons, criminals impersonate executives or HR staff to steal employee tax data (like W-2s), bank account details, and vendor invoices, making them prime targets for data theft and fraudulent returns.
System failures
With the average business server lifespan at 3-5 years, and computer systems just slightly longer. The risk of systems going down during tax season can be high and devastating if your business doesn’t have backups in place.
Ransomware attacks during tax filing period
88% of companies have experienced a ransomware attack over the past year, and 45% of executives named ransomware as the top cyber risk. Ransomware is a type of malware that prevents employees from accessing their computer or data by encrypting and locking down the system unless a payment is made. With the average ransom demand rising to $5.2 million, in the first half of 2024, this is one of the fastest growing types of cyber-attacks.
Compromised accounts
Hackers become more aggressive during tax season as they look to steal accounting and financial organization's logins to reroute tax refunds, manipulate payroll, or drain business accounts. This often occurs when cybercriminals using phishing emails, malware, or data breaches to gain access to employee usernames or passwords.
How to protect your business
Keep in mind the 3-2-1 backup rule
Secure data storage with multiple copies is crucial. Store three copies of backups on two different media types, like an external drive or cloud backup service with encryption, and a final copy stored in an offsite physical location. Carbonite Professional Solutions provides automatic encrypted backups, protecting against data loss, reducing recovery time, and saving businesses from potential data recovery costs. It even supports HIPAA, FERPA, and GLBA compliance.
Educate employees on phishing attacks
To effectively educate employees on phishing attacks business should do the following:
- Implement ongoing cyber security training programs.
- Conduct simulated phishing exercises.
- Establish clear reporting procedures and encourage employees to use smart email best practices and stay vigilant.
- Webroot Security Awareness Training is a proven educational approach for reducing risky employee behaviors, that can lead to security compromises. This robust training program includes subjects like information security, social engineering, malware and industry-specific compliance topics.
Mitigate phishing attacks with a smart backup strategy
Businesses should also have a robust backup policy in place in the unfortunate event a phishing attack is successful.
- Identify what critical data should be backed up to keep your business operating.
- Automate regular backups to minimize the risk of data loss. Carbonite Professional offers continuous and encrypted backups, with built-in monitoring of backups.
- Create and manage backup policies by group, role, devices, etc.
- Test your backup recovery processes.
Require multi-factor authentication (MFA)
It’s been found that when businesses add multi-factor authentication to their sign in policies it can block up to 99.9% of automated attacks. Adding a second layer of protection, such as authenticator applications or requiring a code be sent to the employees’ phone to log-in, can safeguard financial systems, email accounts, and any platforms used for tax-related activities.
Securely exchange tax documents
Use encrypted email such as Webroot Advanced Email Encryption or file-sharing services such as Hightail to share tax documents with third-party tax preparers.
Consider more advanced cybersecurity protection
Protecting your business end-to-end can help to minimize cybersecurity risks not just during tax season, but all year long. Domain name system (DNS) Protection can reduce employee downloaded malware that puts your business at risk.
Webroot DNS Protection creates a highly secure, private, resilient and manageable connection to the internet. Webroot Endpoint Protection offers all the devices on your computer network additional security with built-in antivirus, anti-malware, web filtering, and more.
Conclusion
Proactive cybersecurity steps can save your business millions this tax season. By staying vigilant, educating your employees, and putting good backup practices in place you can save not only money but eliminate productivity downtime and stress. Stay safe this tax season.
Additional resources
