We hear about it every year at this time: consumer-targeted phishing scams in which hackers are after tax returns. We’re all well aware of the motivations behind these schemes. It has now reached the point that the IRS issues a warning about phishing scams every January, urging consumers to file as early as possible to avoid being victims.
The biggest challenge with tax ID theft through phishing is that the victims aren’t aware they’ve been targeted until it’s too late. As security professionals, it’s easy to get cynical about the continued proliferation of these scams and blame the consumers themselves. I’ve been seeing articles by members of the security community that take a tone of condescension and snark. You can almost hear the authors sighing deeply and picture the exasperated eye rolls.
I’m appealing to my fellow security professionals: This tax season, let’s drop the scorn toward victims of phishing scams. Underestimating the effectiveness of phishing and blaming its victims doesn’t help anyone. For example, in February, cybercriminals intentionally preyed on the public’s fears and concerns about the coronavirus by sending out malicious links masquerading as information consumers can use to protect themselves from the virus. With the coronavirus all over the media, can you blame consumers for clicking on a URL that promises safety and information?
A tone of condescension also ignores the real and increasing damage phishing does to the trust relationship between consumers and brands, tech firms, and government agencies. In addition, it’s worth noting that the tips we often give to consumers aren’t foolproof. Almost half of all spoofed sites are now served over HTTPS with a valid SSL/TLS certificate, exploiting the trust consumers have placed in visiting what they believe are secure “https” URLs with the familiar padlock icon. And phishing domains and emails sent to customers are both more sophisticated than ever. In fact, 97% of people around the world are unable to identify a sophisticated phishing email.
Focus on What Matters
I ask that we focus on better ways to shut down these insidious attacks before they can take hold. The good news is, the security community has already created the tools and technology it takes to solve this problem. We just need to refine them and point them in the right direction.
Right now, defenders are placing much emphasis on email filtering and domain monitoring. Both of these tools are valuable, but they’re only pieces of a larger, more complex puzzle. For example, it’s smart to use anti-phishing email filtering to make sure fake email messages don’t get through to your company’s employees, but a growing number of phishing scams employ social engineering techniques to trick people into giving up sensitive information, particularly over text messages.
Additionally, email filtering helps to keep your employees safe, but what about the email accounts of your customers? And, yes, it is your problem if customers are duped. Don’t forget that under consumer privacy laws such as GDPR and the newly enacted CCPA, your company is legally responsible for customer data loss caused by phishing, even if you never knew your brand was being targeted by a campaign.
As for domain monitoring software solutions, they are designed to alert businesses when certain domains have had a status change or need to be renewed. But they don’t alert security teams when a new spoof URL has been published, and they don’t spot all of the fakes. According to Dell Technologies, an estimated 30,000 spoof URLs are launched every day. These URLs typically cycle back and forth between malicious and legitimate, as reported in a recent Anti-Phishing Working Group report. The sheer volume and constant state of flux make it difficult for any domain monitoring solution to monitor and identify them all.
Defenders should consider scalable, real-time strategies that improve detection from the moment a spoof site or page has launched. [Editor’s note: The author’s company offers a related solution.] The problem with the current approach to phishing detection is that by the time the victim clicks on the link and visits the spoof site, it’s too late. The consumer who tries to file a real tax return only to learn that someone else already filed one in their name is a perfect example.
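To make the gap in the preceding paragraphs concrete, here is an added example (not code from the article or from the author’s company) of the kind of check a defender can run over a feed of newly observed hostnames, so that a lookalike is flagged the moment it appears rather than after a customer has clicked. It assumes a small watchlist of brand domains (`irs.gov` and the hypothetical `examplebank.com`), a constructed feed of hostnames, and a two-label approximation of the registrable domain; production code would use the Public Suffix List instead. It also shows the point made earlier about HTTPS: the scheme and padlock say nothing about whether the host is a spoof.

```python
import re

# Assumed watchlist of brand domains to protect (examplebank.com is hypothetical).
BRANDS = {"irs.gov", "examplebank.com"}

# Character substitutions commonly used to make a spoof label look like the brand.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalize(label: str) -> str:
    """Fold confusable characters so 'examp1ebank' compares equal to 'examplebank'."""
    s = label.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Strip scheme, path and port; the 'https://' prefix carries no trust signal here."""
    return re.sub(r"^[a-z]+://", "", url.strip().lower()).split("/")[0].split(":")[0]


def registrable(host: str) -> str:
    """Assumption: last two labels approximate the registrable domain (use the PSL in practice)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str):
    """Return (verdict, matched_brand, reason) for one observed URL or hostname."""
    host = hostname(url)
    reg = registrable(host)
    if reg in BRANDS:
        return ("legitimate", reg, "registrable domain is the brand itself")

    label = reg.split(".")[0]
    subdomain_labels = host.split(".")[:-2]
    for brand in sorted(BRANDS):
        brand_label = brand.split(".")[0]
        # 1. Same label once confusable characters are folded (homoglyph spoof).
        if normalize(label) == normalize(brand_label):
            return ("homoglyph", brand, f"{label!r} normalizes to {brand_label!r}")
        # 2. A character or two away from the brand label (typosquat).
        max_dist = 1 if len(brand_label) < 8 else 2
        if levenshtein(normalize(label), brand_label) <= max_dist:
            return ("typo", brand, f"{label!r} is within {max_dist} edit(s) of {brand_label!r}")
        # 3. Brand name used as a hyphenated token or as a subdomain of another domain.
        if brand_label in label.split("-") or brand_label in subdomain_labels:
            return ("brand-embedded", brand, f"{brand_label!r} appears inside {host!r}")
    return ("unknown", None, "no relation to a watched brand")


def scan(feed):
    """Flag every feed entry that resembles a watched brand but is not the brand."""
    findings = []
    for url in feed:
        verdict, brand, reason = classify(url)
        if verdict not in ("legitimate", "unknown"):
            findings.append((hostname(url), verdict, brand, reason))
    return findings


# Constructed sample feed of newly observed hostnames (not real observations).
SAMPLE_FEED = [
    "https://irs.gov/refund",             # the real thing
    "www.irs.gov",                        # legitimate subdomain of the brand
    "https://examp1ebank.com/login",      # digit 1 for letter l, served over HTTPS
    "exampleban.com",                     # one character dropped
    "irs-refund-status.example",          # brand as a hyphenated token
    "irs.gov.tax-help.example",           # brand as a leading subdomain
    "weather.example",                    # unrelated
]

if __name__ == "__main__":
    for host, verdict, brand, reason in scan(SAMPLE_FEED):
        print(f"{verdict:15} {host:30} -> {brand}: {reason}")
```

Run as-is it prints the four flagged hosts; the two `irs.gov` entries and the unrelated domain are not reported. The thresholds and confusable table are deliberately small so the logic is easy to read; a real deployment would tune them against the brands it protects and feed the findings into the takedown or blocklist process rather than printing them.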
End the Victim Blaming
It’s easy to heap blame on customers, telling ourselves that they “should know better” than to click on a URL in an email from someone they don’t know. But as the saying goes, “You don’t know what you don’t know.” Customers believe that the emails and texts containing spoof URLs are coming from a brand they know and trust. And it could very well be your brand. That’s the most insidious part of a phishing attack. It’s up to us, the defenders, to innovate new ways to solve this vexing problem.
Dr. Salvatore Stolfo is the founder and CTO of Allure Security. As a professor of artificial intelligence at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Dr. Stolfo has …