Google defines “spoof” as a “humorous imitation of something,” or a “trick played on someone as a joke.” But there is nothing funny about the type of spoofing I am about to describe. The tax industry is gathering forces to warn the public about a dangerous tax scheme that involves something called “business email spoofing.” I feel compelled to do my part in spreading the word about this one. As part of this scheme, cybercriminals send an email that appears to come from a high-level executive at the target company to somebody in HR or payroll, asking them for sensitive employee information (most often social security numbers or documents containing social security numbers). This particular scam first appeared last year and we are now seeing a second wave. Enough victims have reported these emails so that the IRS now has examples of the exact phrasing used in some of these spoof emails. It is worth your time to review these phrases, and certainly double check any similar requests coming from the head of your company.
Only a few days after their warning to the business world last month, the IRS released a follow-up alert stating that the spoofing scheme had spread to “other sectors, including school districts, tribal organizations and nonprofits.” The second wave appearing this tax season appears to be more dangerous and more pervasive than what was witnessed last year. First of all, the emails started surfacing earlier in the season this time around. The scheme has spread to new sectors of society; pretty much any organization that collects social security numbers is at risk. And the emails have gotten more bold this time around. Originally the criminals would ask for social security numbers under the guise of high-level management, which would potentially provide a means for illegally obtaining tax refunds (an indirect way of getting paid). Now they are boldly taking a more direct route to the cash by simply asking for a wire transfer. I am sure that most of the time these emails are recognized as spam/phishing, but with just the right wording and in just the right set of circumstances, the cybercriminals are successful.
We have seen variations of this scheme before. Tax scammers posing as representatives of the IRS typically called or emailed individuals asking for financial and identifying information as well as direct payments. But why contact taxpayers one by one when you can hit the jackpot exploiting the vulnerabilities of entire businesses and organizations? That has to be their rationale. I imagine crime rings where the more effective individual scammers are “promoted” to a position where they handle the corporate accounts where both the risks and the potential profits are much greater, but I really have no idea about the structure or sophistication of these criminal organizations. For all I know it could be one or two thugs sitting in their mom’s garage somewhere halfway around the world. It is very frustrating that this kind of thing can go on, but I’ll leave that to the FBI and Criminal Investigation. What goes on in the mind of the victim is also interesting, but I don’t know enough about human behavior to understand why people keep falling for this. We are increasingly comfortable making financial transactions online. Does that familiarity cause us to let our guard down? If it is mostly a matter of people being uninformed, I hope this article helps to spread the word.