IRS Warns About Business Email Compromise
There’s more than 2 billion dollars worth of compromises using this one trick alone. You gotta be aware of it.
Airing date: 02/07/2017
IRS Warns About Business Email Compromise
Craig Peterson: It’s time for another TechSanity Check. And today, we are going to talk about your taxes. We’re gonna talk about the business email compromise and how the IRS is warning businesses about this. Now this is a big deal. I mentioned it on my show before. We have the FBI. I called them, talked to them, when was that, about 3 weeks ago? About some of these stuff. There’s more than 2 billion dollars’ worth of compromises using this one trick alone. You gotta be aware of it. It will cost you money because, wow, I have seen this. I have one of my clients come under this attack just weeks ago. Stick around. A little more TechSanity Check. Craig Peterson here.
You know, I’m not sure how many people are aware of just how important this is to know about. You know I talk about security all of the time. Security is what I’ve done as a business forever here. Since ’91 really, that’s the business I’ve been in. And I’ve been involved in the internet now. Developing code. Developing and implementing protocols since 1981, ok? So I’m kind of a grandpa. So for me I look at it and say, wow. Why haven’t people got their act together yet, right? Coz for me, let me see, 81 to 91 to 2001 to 2011, well that’s 30 years. So we’re talking about 35 years for me, that’s how long this internet security battle has been brewing. And it really hit me in the late 80s, early 90s when the Morris worm first hit my servers, running sendmail, and the security problems I had then because we had a trusted internet. There was a way to get on someone else’s email server and double check the configuration. Maybe even make a change for them, right? We’re all cooperative. We’re all great people. And of course that ended up being a bit of a problem.
So the internet, we’ve known for a long time, has security issues. We have all these machines on the internet now that were never originally designed to be secure on the internet. That includes, of course, every version of Windows ever, except for NT to a degree. And of course, I have to say that because, ok, full disclosure. I helped developed the original version of Windows NT. But at any rate there are security issues. And even before the internet was a big security risk. Back in the 80s. I’ve showed how there were major problems with ATMs. And I was working for the 2nd largest savings and loan in the nation back then. And I was responsible for maintaining and keeping up their ATM network. Everybody in the network department, etcetera, worked for me. And it was kinda interesting back then because the security was pretty good but it wasn’t any near what it is today. We’re using private leased lines and things which are supposed to be more secure. But back then, I showed them, hey listen. This is how you can empty an ATM. And I showed it to them, right? Theoretically and then bring out the practical side too. And I earned myself an FBI background check for that one because they wanted to make sure I wasn’t about to run out and empty all of their ATMs coz those ATMs back in the day held $20,000 worth of cash on a long weekend when the bank wasn’t open.
So that’s a pretty good score there. Empty a 20 grand. And what happens? We have another scam going on. Well not a scam, another theft going on right now where people are emptying ATMs. They still haven’t got it figured out. Ah, so frustrating. So now we’ve got the IRS out there saying we’ve got this major business email compromise attack. And I swear, I’m gonna put together some great information on this. I’m gonna put together some training for your employees because we’ve got to end this. We got to stop these types of scams from happening. They should not be happening.
Well, the newest advisory here, coming out of the Internal Revenue Service talking about compromised W2 records. And they’re getting more and more reports of them being compromised. So they’re warning employers now that this W2 scam has moved beyond corporations and it’s now including schools, tribal organizations, and non-profits. According to the IRS commissioner, these are some of the most dangerous email scams the agency has seen in a long time. Frankly I think that the agency maybe has ever seen. And we’ve seen… I got these calls. Last year I talked about this. Maybe it was 18 months ago. I got phone calls from someone claiming to be from the IRS. And I kept hanging up on them. I really should have recorded them. But my phone at the time didn’t have any software to be able to record the call. So that was unfortunate. But this is bad, ok? According to, again, IRS commissioner, it can result to a large scale theft of sensitive data that criminals can use to commit various crimes including filing fraudulent tax returns.
So they’re getting W2 data from these companies here, ok? And they are using it now to compromise, to file fake tax returns. We’ve heard more and more about that. So the IRS has an interesting response to all of these. We’ll talk about that in just a minute here. They’re going on to say that the National Center for Educational Statistics and employment figures at Glassdoor, these successful attack so far have affected at least 30,000 taxpayers. Ok. So that’s a small percentage of overall taxpayers. But if it hits you, it could hit hard. And this BEC, in one case I’m aware of, it hit hard in the tune of $43 million. And I gotta tell that story too. I’ll put that up my list of things to do.
But the confirmed victims include 10 school systems, software development company, a utility company in Pennsylvania, restaurants now, healthcare, finance, manufacturing, energy businesses. It goes on and on and on. Now these criminals are mostly focused on payroll and tax records. And what they will do is use phishing and spear phishing attacks to go after a specific target. These things are very effective. They exploit the trust relationships that exist within corporate environments. And they will send an email from what looks to be the CEO or CFO, but any high level manager will work. Usually sent to someone in human resources department or someone in their payroll department and these attacks come right out and say it. They say things like, and here’s a direct quote: “Kindly send me the individual W2 PDF and earning summary of all W2 of our company and staff for a quick review.”
Ok? So remember, these are going to the CFO or the payroll people. And they’re coming from a high-level manager. Here’s another one: “Can you send me the updated list of employees with full details. Name, social security number, date of birth, home address, salary.” Here’s another one, this is all documented from the IRS: “I want you to send me the list of W2 copies of employees’ wage and tax statement for 2016. I need them in PDF file format. You can send it as an attachment. Kindly prepare the list and send them to me ASAP.” Wow. Wow.
Now these messages change between the attacks. But these messages that the IRS is using as samples here offer something I think is very clear. Do these sound like your CEO? Ok? Every last one of those, well there are only 3, but every one of those has grammatical errors. Now a native English speaker that’s a CEO is probably not going to make the types of errors this person made. Not at all, ok? And these examples are simply they sound wrong because they were obviously not written by native speakers. Now that’s today, ok? And next week they will realize their mistakes and they will get them corrected, right? Heck, go to Fiverr people. Have someone rewrite it for you who’s a native English speaker.
Oh man. Ok? So this goes on and on. But the bottom line, these business email compromises are not a tech problem. You cannot put a firewall in place to block them. No security product is gonna catch all of these. These are problems with humans being human and poor data control policies, ok? Bottom line. I swear I’m going to put together a little program that you guys can get that explains all of these that you can share with your employees. I think in fact, I’m gonna make a business out of this because it’s been 35 plus years that I’ve been complaining about this on the internet side coz I’ve been on the internet for that long. Maybe this is something. Maybe this is my hole, right? My opening in the market. Something that needs to happen. Or maybe I’m gonna fall flat on my face because nobody cares, right? No, it’s not gonna happen to me. It’ll only happen to 30,000 taxpayers. It’s not gonna happen to me. Believe me it will. It can. It is already happening to one of our clients. Look at what happened to the Democrats. Apparently, we had the head of Hillary’s campaign get a similar type of scam. It’s the same type of spear phishing attack. They got hacked. They lost all of their emails. So, this I think I’m right. This is it. I’m gonna do this no question.
So stick around. We’ll talk more about this in the future. Have a great day. I will be back tomorrow, of course, with another TechSanity Check in my daily podcast. And also of course, we’re airing our As Heard Ons tomorrow. I’ll be on WGAN. Have a great day. Take care. Visit me online, http://CraigPeterson.com.