By the time your email account is approximately 0.000001 milliseconds old, it receives roughly 3 billion phishing emails. (OK, maybe not literally, but the Scammer Welcoming Committee™ isn’t far behind the “welcome” email you get for creating a web-based email account.) These scams commonly rely on a mix of intimidation and curiosity to trick targets into clicking links and attachments containing malware that is designed to steal personally identifiable information, financial data, or even money.
If scammers steal your information, they have plenty of opportunities to convert that data to cash, like Dark Web auctions, fraudulent credit card and loan applications, and tax-refund fraud. But another way they use the information—especially if the first attempt gets only a little information—is to start building a profile of you. They use that profile to create a more convincing scam, commonly referred to as “spear phishing.”
What is spear phishing?
Spear phishing occurs when a criminal has a little bit of information about a victim that they use to better impersonate a legitimate person, business, or organization. While accountants and tax preparers are subject to the same type of phishing scams as other taxpayers, they also have to contend with scammers who impersonate potential clients, tax software companies, and, of course, the IRS.
You’re not insulated from prying eyes just because you didn’t choose a career in Hollywood or on Capitol Hill. From checking your social media accounts to reviewing your business webpage info, criminals have a number of ways to create a bespoke spear phishing scam.
Scammers might use that info to nibble away at even more of your data through smaller scams, and those scams might not even appear to come from the same source. Once the scammers have a complete profile, they can, as mentioned earlier, more successfully apply for financial services—or they may build a very convincing pretext that results in getting access to your client database. After all, why settle for one victim when they can hit hundreds or thousands at the same time?
How do I know when it’s a scam?
Since scammers love to use threats and urgency to get targets to panic, keep an eye out for emails and phone calls from “clients” that seem extra pushy, and always beware of messages from “the government” that threaten legal action. (I was lucky enough to get the “we’re going to suspend your Social Security Number” phone call last week.) Poor grammar and misspelled words can also point to a potential scam. Remember, many of these attacks originate outside the United States, resulting in mistakes commonly made by non-native speakers.
If the message purports to come from a government agency and sounds credible, be sure to go through your data-security checklist.
If a phone call:
- Request the caller’s official identification—including badge number—and write it down
- Write down the phone number on the caller ID, if available
- Look up the organization’s official phone number, and tell the representative that you will call back
If an email:
- Contact the organization using an official email or phone number pulled from their .gov web address
- NEVER click on any unsolicited attachments or embedded links
Good luck out there!