Podcast Transcription


Dr. Christine Izuakor:
Welcome to the Veriato Insider, a biweekly podcast covering some of the latest trends and things to know in cybersecurity. This podcast is sponsored by Veriato, an award-winning employee monitoring and insider threat detection software provider. To learn more about how Veriato can help protect your company, check out veriatoinsider.com.

Dr. Christine Izuakor:
Reporting to you from Chicago, I'm Dr. Christine Izuakor, your host for today. We're in the first quarter of the year, which means that tax season is upon us and for cybersecurity experts we all know that tax season is scheme season. I mentioned this as a trend in the last podcast episode on reducing cyber risk with AI and the user behavior analytics. And if you missed that one, you can check it out on veriatoi.com as well under the resources tab. But I want to expand on that topic for this week's session.

Dr. Christine Izuakor:
So what do I mean by scheme season? Well, this is a longstanding challenge. Attackers are posing as the IRS, as employer W2 distributors or tax filing companies, and they're trying to trick users into basically doing things to put themselves and your company at risk. And these trends are always a good reminder that we have to educate our employees on how to avoid these attacks and also ensure that we as corporations have ways to defend against insider threats within the company, even from the non-malicious unsuspecting employees.

Dr. Christine Izuakor:
Now I'll share a quick story on this tax season scheme season trend. I once had someone come to me super early in my career, absolutely shocked, and this was during tax season, and we'll call her anonymous Ashley, so we don't put her on blast today. Ashley went to file her tax return and got an error from the IRS. Now why is that? Well, it's because according to their records, she had already filed her tax return and she had already received a very hefty refund. Now it was in that moment that Ashley knew she had been pwned and added to the very lengthy tax season scheme season victim list.

Dr. Christine Izuakor:
Now, unfortunately an attacker had stolen her identity and used it to file these fraudulent taxes and battling this took months. The money that she thought she'd have to pay for medical expenses, long gone. Adding salt to the wounds, she needed to provide proof that she had filed her taxes in order to gain access to critical resources she needed. Couldn't do that and instead got penalized for not being able to prove that she did her taxes. And so needless to say it was a mess. Now Ashley is not alone of course. These kinds of attacks happen all the time and they not only target individuals but businesses also can fall victim to tax season schemes in several different ways.

Dr. Christine Izuakor:
And so this week's topic, we're going to cover two important things. The first is common tax schemes you should be aware of and avoid as a business. And the second is what you can do to protect your company from tax season and general schemes that we see today. As always, towards the end of the episode, I'll also wrap up with a summary of three recent cyber happenings and trends that we should all be aware of.

Dr. Christine Izuakor:
First topic: common tax schemes you should be aware of and avoid as a business. Tax season is a time when people feel many mixed emotions. Some look forward to filing quickly and getting their refunds. Others dread paying back taxes. Some are dealing with the stress of realizing that they've been pwned like our friend Ashley. No matter what situation people are in, when there are high emotional stakes involved, these are the ripe opportunities where cyber attackers know that they can quickly benefit from the most unsuspecting users. It's that play on emotions that makes the attack methods so effective.

Dr. Christine Izuakor:
The most common tax season scams usually come in three forms. There is phishing, vishing and smishing. And I'll explain each of these just to quickly level set on the definitions.

Dr. Christine Izuakor:
The first one, phishing schemes, are where a malicious attacker is sending enticing and seemingly urgent emails to your employees with hope that they will provide sensitive information, or get them to click on links and download malware that can give attackers unauthorized access to other accounts or systems. And so during tax season they may send emails that are telling your employees that they can download their W2s or that they'll get access to other important tax documents if they click the links. And so they usually get very targeted around this time of year.

Dr. Christine Izuakor:
The second one, vishing, so like phishing, but spelled with a V is the same thing, just using voice. So people may get calls from fraudsters who are posing as your HR department for example, or maybe posing as the IRS asking for sensitive information. And they often make threats and talk about consequences of not complying with whatever they're asking for just to put more pressure on unsuspecting people.

Dr. Christine Izuakor:
Now vishing is an interesting area that's evolving rapidly, especially as deep fake audio vishing grows. If you aren't familiar, deep fakes are where technology can leverage artificial intelligence to mimic people in ways that look super realistic. Now you may have heard of deep fake videos and images. If not, you can do a quick Google search and you'll find some very realistic, sometimes scary looking videos, so much so that it's getting very difficult to distinguish what's real versus what is deeply fake. It's not just video anymore; deep fake audio is the computer generated synthesis of a real voice that can be manipulated to say literally anything. It's being used to mimic the voice tone and even speaking patterns of people you trust.

Dr. Christine Izuakor:
And so this changes the game for phishing attacks because what happens when someone uses this to replicate the speech of your CEO or your HR leader or your boss in order to make requests that seem realistic but they're fraudulent? And so during tax season, this could be an attacker who is posing as your HR team and asking for sensitive information to quote unquote process your W2. Or it could be a fraud voicemail from an attacker who is impersonating the voice of your CEO, sending it to your head of HR requesting that all of the W2s, for example, be exported to some mysterious file share for backup. Some of these may sound like obvious bogus requests, but when your employees are under pressure and the voice sounds so real, you'd be surprised how many people actually fall for it.

Dr. Christine Izuakor:
I mean, think about it, the Nigerian Prince scams that have been around for what seems like forever, definitely over a decade, and I'm a proud Nigerian and I know a few legitimate Nigerian princes, so I always get a kick out of these stories, but in all seriousness, I was reading an article by CNBC in 2019 that disclosed Americans still lose a total of about $700,000 a year from Nigerian Prince email scams. $700,000. Who are these people? I can't make this stuff up. And so people are still falling for these attacks and it's definitely still something we have to pay attention to.

Dr. Christine Izuakor:
The third type I mentioned is smishing. This is like phishing, like vishing, only spelled with an S. Again, same concept trying to trick people, only this time using SMS or a text message.

Dr. Christine Izuakor:
The bottom line is that if there is an enticing scam out there that hits close to home and touches people emotionally, someone will fall for it. That's why attackers love these attacks so much. Taxes impact everyone and so they can cast a very wide net and know that someone somewhere is going to fall for it.

Dr. Christine Izuakor:
Now, what can you do to protect your company from tax season schemes? Now, we already know that tax season schemes often play on human emotion, and require some kind of human action to make the attacks successful. This is where a focus on people becomes extremely important. Employees who are oblivious to and falling for these attacks are essentially an insider threat to your company. These are employees who have legitimate access to your resources and by clicking on risky links or sharing sensitive data with scammers, they might unintentionally expose your company to external risks and threats.

Dr. Christine Izuakor:
Now remember that, like I said, not all insider threats are malicious and so the question then becomes how do you protect your company from insiders, from your own employees and contractors who have legitimate access to your systems? Well, there's a lot of ways to approach this, but there's two critical ones that I want to touch on for this specific tax season scheme season topic.

Dr. Christine Izuakor:
The first is prevention and detection technology. Of course you know you want to deploy strong email security controls that can intelligently block bad emails, scan links and attachments for viruses and protect email in other ways. Of course you want to implement standard cybersecurity functions like network firewalls, strong identity and access management to make sure that employees don't have unauthorized access to sensitive information. That way even if someone's password gets compromised, at least what they can do is limited.

Dr. Christine Izuakor:
But this is also where insider threat detection technology can make a huge difference. Because for example, if someone's password does get stolen as a result of a tax season fraud scheme, with advanced insider threat detection technology, especially those that leverage artificial intelligence, user behavior analytics and all of those to evaluate risk, you can still use that technology to look at the activity that's going on to evaluate often difficult to analyze user activities and alert on things that are suspicious and then enable your team to respond quickly to those threats, like an HR leader exporting all of your employee W2s to a sketchy backup location because it's what they think your deep fake CEO asked for.

Dr. Christine Izuakor:
The second important area is around cybersecurity culture and training. Make sure that you implement a training and awareness program that educates employees on security best practices of course. That's table stakes, but even more important, cultivate a culture that embraces and prioritizes cybersecurity.

Dr. Christine Izuakor:
This is my favorite topic. I could go on and on about this, but I know I only have a few minutes left for this podcast, so if that's something that anybody wants to learn more about or chat about just in terms of culture and the human element of security, please feel free to find me online, christineizuakor.com.

Dr. Christine Izuakor:
The great thing about all of this though is that making your employees aware of this doesn't just benefit your company; it benefits the employee personally. If they are getting these tax season scams on business email, they're probably getting it on their personal email as well. They're getting the calls on their personal phones and so on. And you're teaching them to avoid the attacks on all fronts. That's a win-win.

Dr. Christine Izuakor:
Now of course this isn't a definitive guide to handling tax schemes or the bigger issue of insider threats, but it's a great start. Check out more detailed content on this topic and more at veriato.com.

Dr. Christine Izuakor:
Now it's cyber trending time. So here are three recent cyber happenings and trends that we should all be aware of.

Dr. Christine Izuakor:
First up we have some financial news. The Securities and Exchange Commission, also known as the SEC, is weighing in on cybersecurity best practices that financial services companies should implement. This came after a recent audit they conducted. According to the Wall Street Journal, these are the latest in a string of moves from regulators and government agencies highlighting the heightened concerns around cybersecurity and corporations. An interesting and all too relevant point from a chief innovation officer at a New York based compliance group noted that although the SEC recommendations are valuable, they're often out of reach for smaller companies. I think that's important to note because cybersecurity risk applies to every company no matter what size, yet small and medium-sized businesses especially need solutions that are accessible and affordable.

Dr. Christine Izuakor:
Next, a topic near and dear to me, aviation. I love to travel and worked in the industry for quite a while and so this one hits home. Summarized by online publisher TechRadar, it's been reported that 97 of the world's 100 largest airports have massive cybersecurity risks. A Swiss web security company called ImmuniWeb released an in-depth report on the cybersecurity posture of these airports and found that almost all of them had an alarming lack of systems in place to protect their websites, mobile applications and public clouds.

Dr. Christine Izuakor:
The researchers found, for example, that 97% of the websites are deploying outdated web software, 24% have known and exploitable vulnerabilities, while another 76% are not compliant with GDPR. Nearly 25% have no SSL encryption or use now obsolete SSL version 3. Amongst the airports evaluated, 59 of them were identified to have code leakages of critical level risk and nearly 90% of the airports had data leaks on public code repositories. The list of issues is long and goes on and on.

Dr. Christine Izuakor:
Again, it's quite concerning and you might be wondering at this point which three airports passed this seemingly impossible to pass test with an A+? Well, maybe we can learn a thing or two from Europe: the three airports that passed out of the hundred were located in the Netherlands, Finland and Ireland.

Dr. Christine Izuakor:
And last but not least, coronavirus meets cyber virus. Officials with the Kaspersky cybersecurity firm reported that they've found malicious infected files disguised as normal files like PDFs, MP4s, Word documents and so on, and they've been sent to unsuspecting users with these labels that say that the files contain information on how to protect yourself from the coronavirus, updates on the threats and virus detection procedures and so on, when in reality they are dangerous files meant to help cyber criminals exploit user fear and get paid. Right in line with today's topic and my points earlier, attackers seek to capitalize on highly emotional and highly stressful situations to get people to click on things, which is very unfortunate given the severity of this very real problem.

Dr. Christine Izuakor:
That concludes the Veriato Insider podcast for this week. Again, this podcast is brought to you by Veriato, an award-winning cybersecurity company, recently recognized by Gartner. Their solutions are anchored around four core pillars of cybersecurity protection and those include employee monitoring and web filtering, insider threat detection, employee investigations, and ransomware support.

Dr. Christine Izuakor:
To learn more about how Veriato can help protect your company, or if there are questions you want answered during the next podcast, visit veriato.com and send the team a quick note.

Dr. Christine Izuakor:
Thanks for tuning in. I'm Dr. Christine Izuakor, the CEO of Cyber Pop-up, and it's been my pleasure to share these insights with you. Until next time, stay safe and secure insiders.

