The Internal Revenue Service has continued to issue warnings about a prevalent phishing scam that has been circulating this tax season. The attack comes in the form of an email requesting W-2 forms or other tax information, seemingly from a valid employer or employee email address.
This same attack was used around this time last year, and now attackers are coupling it with another attack, one that requests banking information for a wire transfer – again, seemingly from an employee or employer.
“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,’’ said IRS Commissioner John Koskinen.
The attack is what is known formally as a BEC (business email compromise) or BES (business email spoofing) attack, and it typically aims to obtain tax or banking information from small and medium-sized businesses by exploiting ordinary human error among their employees. Any business whose employees use email or online resources should provide thorough security training, which drastically decreases the likelihood of being compromised.
A Closer Look at the Attacks
The W-2 scam is not new; it first appeared last year. Cyber-criminals tricked payroll and human resources officials into disclosing employee names, Social Security numbers and income information. The attackers then attempted to file fraudulent tax returns to steal tax refunds.
The spoofed emails will contain, for example, the actual name of the company chief executive officer. In this variation, the “CEO” sends an email to a company payroll office or human resource employee and requests a list of employees and information including Social Security numbers.
The following are some of the details that may be contained in the emails:
- Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?
- I want you to send me the list of W-2 copy of employee’s wages and tax statements for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
New Attack: The Money Wire Request
In the latest addition to the W-2 scam, the cyber-criminal follows up with an “executive” email to the payroll or HR staff and asks that a wire transfer also be made to a certain account. Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers.
While the money wire request is not a new attack, seeing it coupled with the W-2 attack is what makes it even more important that both employers and employees remain vigilant. The wire request may not come for weeks or even months after the W-2 attack.
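The two lures described above share a small set of signals a payroll or HR mailbox can screen for before anyone replies: an executive's display name sitting on an address outside the company domain, a Reply-To that quietly redirects the conversation elsewhere, and a request for W-2 data or a wire transfer. The following triage check is an added example written for this page, not code from the IRS or SolidTrust Pay; the company domain, the executive name and the three sample messages are constructed, and the lure text is taken from the examples quoted above.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical company data: its mail domain and the executives attackers impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}
# Lure phrases drawn from the W-2 and wire-request variants described above.
W2_TERMS = ("w-2", "social security", "earnings summary", "wages and tax statement")
WIRE_TERMS = ("wire transfer", "wire the", "routing number")

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw_message: str) -> dict:
    """Rate how urgently a payroll/HR mailbox should verify this request out of band."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    part = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (part.get_content() if part else "")).lower()
    sender_anomaly, data_request = [], []
    if name.lower() in EXECUTIVE_NAMES and _domain(addr) != COMPANY_DOMAIN:
        sender_anomaly.append("executive display name on an external address")
    if reply_to and _domain(reply_to) != COMPANY_DOMAIN:   # replies silently redirected
        sender_anomaly.append("Reply-To points outside the company domain")
    if any(t in text for t in W2_TERMS):
        data_request.append("requests W-2 / Social Security data")
    if any(t in text for t in WIRE_TERMS):
        data_request.append("requests a wire transfer")

    if data_request and sender_anomaly:
        priority = "high"
    elif data_request:      # a compromised real account looks clean in its headers
        priority = "medium"
    else:
        priority = "none"
    return {"priority": priority, "reasons": sender_anomaly + data_request}

# Constructed samples: a W-2 lure from a look-alike address, a wire follow-up that
# redirects replies to an outside mailbox, and a benign note from the real executive.
W2_LURE = ("From: Jane Doe <jane.doe@example-mail.net>\nTo: payroll@example.com\n"
           "Subject: Quick review\n\nKindly send me the individual 2016 W-2 (PDF) and "
           "earnings summary of all W-2 of our company staff for a quick review.\n")
WIRE_LURE = ("From: Jane Doe <jane.doe@example.com>\nReply-To: ceo.jane@webmail-example.org\n"
             "To: payroll@example.com\nSubject: Urgent\n\nPlease arrange a wire transfer "
             "of $18,500 to the account below before close of business today.\n")
BENIGN = ("From: Jane Doe <jane.doe@example.com>\nTo: payroll@example.com\n"
          "Subject: Team lunch\n\nAre we still on for Friday's team lunch?\n")
```

A "medium" result still deserves a phone call to the named executive, since a genuinely compromised account passes every header check; the code only decides how loudly to ask.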
What You Can Do
As mentioned above, the single most important thing you can do if you’re an employer is to ensure that all your employees have adequate online security training. In addition, if your company stores any data or conducts any business online, you need to ensure that your building and network are both physically and digitally secure.
If you aren’t an employer, you should at least read our 10 tips on making the internet a safer place!
The internet allows you access to the world at large, but it also allows the world at large access to you. If you’re not careful, you could easily be the victim of any number of various online attacks. In fact, depending on where in the world you live, many people are as likely or more so to be attacked online than in real life. Yet we rarely take cyber security as seriously as real-life security.
Luckily there is a day, February 7th, on which awareness is raised about internet security, and the hashtag #SaferInternetDay is currently trending! So we’ve compiled a list of 10 tips that we could all implement in our daily internet usage which would go a long way in making the internet safer for everybody.
- Never use the same password twice. Many people use a clever set of rules to create unique passwords for each website. We suggest using a password manager such as KeePass, which can create and store high entropy passwords for you without ever having to type them in, leaving you impervious to key-logging attacks and simple password-cracking tools.
- Always use 2-factor authentication when available. Not only does 2FA prevent users from accessing your accounts/information without your cellphone, but it also acts as an alert that somebody has attempted to access your accounts/information.
- Never use free/public WiFi. Most people know very little about the security risks posed by free/public WiFi. For a work-around, if you really value your free WiFi, at least use a free VPN.
- Always read terms & conditions/privacy agreements. In many cases, you may be agreeing to have your information used in a way that you wouldn’t approve if you had only read the privacy agreement! Always remember to read what you’re agreeing to before agreeing to it!
- Never open an unexpected attachment from a stranger. This is a form of phishing, in which attackers send out thousands or even millions of random emails with attachments or links that, if opened or followed, will in some way attempt to steal your information or infect your computer.
- Always lock your phone/tablet/computer! These devices all have built-in security features which, in most cases, can be tightened or loosened in the settings. Make sure you keep your security tight and your devices locked when you’re away from them.
- Never check the “save password” box. Your devices may be secured, but if anybody does somehow gain access to them, they will have access to any account which you have the password saved in your browser for. Avoid this again by using a password manager — we recommend KeePass.
- Always use additional security for online banking. Most banking apps and mobile sites are pretty secure, and offer plenty of increased security options to their users. We suggest that you use as many of them as possible.
- Never use a default password. This is far less common today than it used to be, but one good example of a default password is your router. Always make sure to set your router password to something unique.
- Do not share personal information online. This goes mostly for social media, where many people often feel comfortable sharing information that they don’t realize could compromise their security. One simple example is the answers to common recovery questions, such as your mother’s maiden name or the name of your first pet.
We hope you will use some of these tips for a safer internet in your daily internet usage, and maybe we can see a future where hackers and cyber criminals are disincentivized based on the knowledge and security of average internet users!
For those who don’t know what bitcoin is, this excellent and highly simplified analogy from coindesk should answer every question you have about it — except how to actually get your hands on some! No worries, we’re going to tell you how you can easily buy bitcoin, exchange bitcoin to USD, withdraw bitcoin to your bank, or accept it as a merchant with seamless exchanges directly into your SolidTrust Pay account!
Buying Bitcoin with SolidTrust Pay
Once you’ve set up an account and a bitcoin wallet, buying bitcoin with SolidTrust Pay is fast, easy, and highly secure. We’ve been around for over 10 years, and our dedicated support staff is always ready to lend a helping hand with any transaction or account issues, as well as to clarify anything you don’t quite understand. In order to buy bitcoin with a SolidTrust Pay account, simply follow these steps:
- Create an account at SolidTrustPay.com.
- Verify your account to the Standard Verified level.
- Set up two-factor authentication using your mobile device or desktop/laptop.
- Create a bitcoin wallet of your choice and connect it to your STP account.
- Deposit the amount you want to spend on bitcoin into your account via Bank, Credit Card, or transfer from another user.
- Go to the My Money –> Withdraw Funds section of your account and choose the Bitcoin option.
- Withdraw your desired amount and wait up to 24 hours for it to appear in your bitcoin wallet.
Steps 1 – 4 will only need to be completed once, of course, and then you will be able to easily buy bitcoin with steps 5 – 7. Once your account is Standard Verified and connected to a wallet, you may withdraw up to $2500 per 24 hours from your STP account to your BTC wallet (the Bank Verified limit is $5000 per 24 hours).
Selling Bitcoin with SolidTrust Pay
Selling bitcoin is even easier with SolidTrust Pay than buying it! You only need to have your account Card Verified in order to deposit up to $250 (automatically converted to USD) from your bitcoin wallet to your SolidTrust Pay account per 24 hours. This will allow you to spend or transfer your funds online as you see fit, or make a withdrawal to your credit card in USD. The deposit limit for a Standard Verified Account is $500 per 24 hours, and Bank Verified accounts are limited to $1000 per 24 hours.
Getting Bitcoin from your Wallet to your Bank
One of the biggest challenges people often have is how to withdraw bitcoin from your wallet to your bank. Using the same steps above to connect your wallet to your SolidTrust Pay account, you simply need to go a step further and connect your Bank account to your SolidTrust Pay account. From here, all you need to do is go to the My Money –> Deposit Funds area of your account and choose the Bitcoin option (bitcoin will be automatically converted into USD). Your funds may take up to 24 hours to appear in your account, at which time you will have the option to withdraw them directly into your bank.
Accepting Bitcoin as an Online Merchant
As an online merchant, likely chest-deep in all the responsibilities that come with running a business online, it can be hard to predict and adapt to trends in the market that aren’t currently affecting your business. Luckily, adding the bitcoin option to your SolidTrust Pay button will give your customers the option to pay with bitcoin, which is then automatically converted into USD and placed in your merchant account — no bitcoin wallet required!
We want nothing but the best for our members, especially when it comes to security! Please use the following guide to help you safely store and remember your passwords.
The image to the left should be pretty familiar to anyone who has ever had to login to anything. Most of us are used to seeing some form of this sign-in box for most of the websites we visit. But did you know that you are actually taking a fairly large risk each time you enter your password online? There are plenty of different ways an attacker could intercept your login details, such as decryption tools or key-loggers, and if you have a universal password (same password for everything), the attacker will instantly have access to all of your accounts! This could cost you time or money, or at the very least a headache! Prepared, diligent and proactive is the only way to be. That is why we are urging our users to start storing their passwords in a password management utility.
“KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).”
– Description from KeePass’ official website
KeePass is free and open source, but it’s far from the only password management utility. Click here to see a list of PC Mag’s top 10 paid password managers of 2017, and click here to see the top 10 free password managers. Below are a few reasons to choose the program that best suits your needs and start using it right away.
- Not only will using a program such as KeePass keep your passwords and login details safe from potential attackers, it will help you remember them for yourself as well!
- You should NEVER use the same password for two different websites/accounts. KeePass can generate and store a brand new, entirely random password for you at the click of a button!
- If you use the random password generator, you will never have to type your password on your keyboard, making a key-logging attack completely useless.
- Many password management tools can store additional information, such as full names and addresses, for automatic form-filling.
- Secure credit card and banking information the same way you would a password and avoid typing them out into your browser.
When it comes to the eWallet/payment processing industry, it’s easy to see why we put so much emphasis on the security of our members. Wherever there is money, extra security will follow. We hope that you will take a few short minutes out of your day today to make sure that you are doing everything in your power to avoid the worst possible thing that could happen to you online! See below for instructions on downloading and using KeePass, as well as some additional resources for your security.
–> Go to http://www.keepass.info
–> Click on the latest release (found under ‘latest news’)
–> Click “download KeePass 1.32” (or whichever the current version is)
–> Click Classic Edition and then run the setup (this version is for Windows only. If you are using a different OS, please scroll down for other download options)