Scammers Pretending to be IRS, Banks, Charities

We are in the midst of a national emergency. The government is offering benefits to victims; your new way of business is requiring new, unfamiliar technology; and uncertainty is driving you to new apps and websites in search of information to help you stay afloat—all of which are being seized upon as new opportunities by cybercriminals.

Criminals are scamming individuals and businesses out of their money and data through a myriad of tricks. Current scams are related to:

  • The IRS or CARES Act
  • Stimulus Payments
  • COVID-19
  • Charitable giving sites
  • Current updates – statistics and/or heat maps
  • Early vaccine / treatment access
  • Problems with a Bank Account or Credit Card
  • Investment Opportunities
  • Blood Donation

Here is what cybercriminals are doing:

Method 1: Masquerading
Cybercriminals are exploiting the need for individuals and businesses to deploy new IT resources and methods for remote work, such as VPNs, screen sharing technologies, and remote meeting software. Criminals are developing malicious tools that appear legitimate. Unsuspecting users, in search of a tool to facilitate their needs, instead download a malicious VPN agent. It is important to discuss any new IT resources you are considering with a professional who can advise you not only on the best tools, but also on the most secure ones.

Also, as your business operations change, cybercriminals are waiting to involve themselves in the process. In a man-in-the-middle attack, criminals intercept emails that detail payment instructions and bank account numbers, re-route the payment to an off-shore bank account, and then forward the email to the recipient. The sender and recipient are none the wiser until they discover that the money is gone.

Method 2: Phishing/Vishing/SMishing using COVID-19 themes

Attacks may come in the form of fraudulent emails (i.e., "phishing"), text messages (i.e., "smishing") or voice calls (i.e., "vishing"). These attacks may take advantage of users by posing as the following:

  1. The IRS
  2. Charitable agencies
  3. Tech Support

Remember, the IRS will NEVER call, text, or email you for payment or bank account information, nor will other government agencies. Scrutinize every unfamiliar call, text, or email and avoid disclosing your personal information.

Method 3: Fake Mobile Applications
Cybercriminals understand that we regularly download apps to facilitate our daily needs. There have been multiple cases of malicious Android applications claiming to offer information about the virus or to accommodate your business needs in these times of uncertainty. But all they really offer is an opportunity for attackers to spy on you, steal information, or ransom your data.

Method 4: Malicious and Fraudulent Websites
The Palo Alto Networks threat intelligence team notes that over the past few weeks more than 100,000 websites have been registered containing terms like “covid,” “virus,” and “corona.” Many of these websites are used to deploy malicious software that can threaten your business operations and data security, or to trick you into thinking you are applying for stimulus loans through their interface. Some websites spread false information to create unnecessary action or panic. Such risks can be avoided by using only trusted sources.
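For a mail administrator or help desk, the "trusted sources only" rule can be checked mechanically. The following is an added example, not part of the original article: it pulls links out of a message, skips hosts on an allowlist, and notes when a remaining host contains one of the terms named above. The allowlist entries, function names and sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Terms the article reports in newly registered lure domains.
LURE_TERMS = ("covid", "virus", "corona")

# Assumption: an allowlist your organisation maintains; entries are examples.
TRUSTED_DOMAINS = {"cdc.gov", "irs.gov", "who.int"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def hostname_of(url):
    """Return the lower-cased hostname without userinfo, port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_trusted(host):
    """True only if host is a trusted domain or a subdomain of one.

    Matching from the right means a trusted name used as a prefix does not pass.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def review_links(message_text):
    """Return (url, host, reason) for every link that is not on the allowlist."""
    findings = []
    for url in URL_RE.findall(message_text):
        url = url.rstrip(".,;")  # drop sentence punctuation glued to the link
        host = hostname_of(url)
        if not host or is_trusted(host):
            continue
        terms = [t for t in LURE_TERMS if t in host]
        reason = ("lure term in hostname: " + ", ".join(terms)) if terms else "not on allowlist"
        findings.append((url, host, reason))
    return findings


# Constructed sample message; the .example and .test hosts are placeholders.
SAMPLE = """Get your stimulus update at https://covid-relief-payments.example/apply
Official guidance: https://www.cdc.gov/coronavirus/index.html
Verify your refund: http://irs.gov.secure-refund.test/login?id=1
Newsletter: https://news.example/today."""

if __name__ == "__main__":
    for url, host, reason in review_links(SAMPLE):
        print(f"{host:32} {reason}")
```

Only the hostname is compared, so the genuine cdc.gov link passes even though its path contains "coronavirus", while the host that merely begins with "irs.gov" is still reported.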

Do the following to protect yourself from becoming a victim of a fraudulent attack:

  • Use extreme caution when dealing with any email with a subject line, attachment or hyperlink pertaining to COVID-19.
  • Be cautious when dealing with an email, text message, social media post, or phone call with a subject line or topic pertaining to a COVID-19 related matter.
  • Use only TRUSTED Sources, such as known government websites, for updated information on COVID-19.
  • NEVER trust a hyperlink in a communication stressing urgency, such as a warning about a severe problem pertaining to financial information—i.e. bank account, credit card or the IRS.
  • Verify that the contact information is from a trusted source—for example, the toll-free phone number on the back of your credit card.
  • If you visit a website, open it directly from your computer or a previously used app on your smartphone instead of from the requesting email.
  • Never provide any identifying number over the phone, such as your Social Security number, your Medicare ID number, your driver’s license number or your bank account number.
  • If you need to implement new technology or processes for your business or personal life, consult a professional.

About the Author(s)

William J. Heaven is a Senior Manager in HBK’s IT Department and works out of the firm’s corporate office in Youngstown, Ohio. He specializes in cyber security, IT security, external IT audit, internal IT audit, IT consulting, software development, IT governance, PCI-DSS, supply chain, system implementations and e-Commerce.

Matthew J. Schiavone is a Senior Manager in HBK’s Quality Control department and works primarily in the Pittsburgh, Pennsylvania office. He specializes in risk advisory services, system and organization control (SOC) reporting, internal controls, IT audit, information security, and cyber security for all types of industries.

Suzanne Leighton is a Senior Manager in the Pittsburgh, Pennsylvania office of HBK. She began her career in 1990, spending 14 years in public accounting followed by 14 years in government. Sue has extensive experience in state taxation and pass-through entities. While working at the PA Department of Revenue, she was the Director of the Pass-Through Business Office for 11 years prior to being promoted to Deputy Secretary for Compliance and Collections. She is a member of HBK’s Tax Advisory Group.

Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.