Organizations not adequately protected against tax phishing scams
With phisherfolk ever keen to cash in at the end of the tax year, a new study has analyzed the public DNS records for 200 domains likely to be impersonated for tax fraud and finds that 78 percent are not adequately protected.
The research from email security company Valimail looked at Fortune 100 businesses, US states' departments of revenue, federal tax agencies and well-known tax preparation services.
The analysis focused on the presence and validity of Domain-based Message Authentication, Reporting and Conformance (DMARC) and Sender Policy Framework (SPF) records. Across all domains analyzed, 78 percent of the organizations either lack DMARC records or their DMARC policy is not enforced.
On a positive note, 91 percent of the domains do have SPF records, which indicates a willingness to implement email authentication -- although SPF does not protect domains from phishers spoofing the 'From:' field. Without DMARC at enforcement, attackers are able to spoof these organizations' domains and initiate convincing tax-related phishing attacks.
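As an added illustration, not code or methodology from the Valimail study, the Python below classifies a domain's DMARC posture from its public TXT records into the three categories the report uses: missing, not at enforcement, or enforced. DNS answers are constructed inline so it runs offline; treating a `pct` below 100 as not fully enforced is this example's own assumption.

```python
"""Classify a domain's DMARC/SPF posture from TXT records (added example)."""

# Constructed sample DNS answers standing in for live TXT lookups.
SAMPLE_DNS = {
    "_dmarc.revenue.example": ["v=DMARC1; p=none; rua=mailto:dmarc@revenue.example"],
    "revenue.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.taxprep.example": ["v=DMARC1; p=reject; pct=100; sp=quarantine"],
    "taxprep.example": ["v=spf1 mx -all"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=20"],
    "partial.example": ["v=spf1 a ~all"],
    "nothing.example": ["v=spf1 -all"],  # SPF present, no _dmarc record at all
}

def txt_lookup(name):
    """Simulated TXT query against the constructed zone data above."""
    return SAMPLE_DNS.get(name, [])

def parse_dmarc(record):
    """Return DMARC tag/value pairs, or None if the TXT is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def dmarc_status(domain):
    """'missing', 'not enforced' (p=none or partial pct) or 'enforced'."""
    found = [t for t in (parse_dmarc(r) for r in txt_lookup(f"_dmarc.{domain}")) if t]
    if len(found) != 1:
        # RFC 7489: zero records, or more than one, means DMARC is not applied.
        return "missing"
    tags = found[0]
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # malformed pct: treat as not reliably enforced (assumption)
    if policy in ("quarantine", "reject") and pct == 100:
        return "enforced"
    return "not enforced"

def has_spf(domain):
    """True if the domain publishes an SPF record (any policy strength)."""
    return any(r.lower().startswith("v=spf1") for r in txt_lookup(domain))

def assess(domain):
    """Summarize the two signals the study measured for one domain."""
    return {"dmarc": dmarc_status(domain), "spf": has_spf(domain)}
```

Like the study's own finding, `revenue.example` shows the common pattern of SPF present but DMARC only at `p=none`, which does nothing to stop a spoofed From: address.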
"Threat actors have historically used major events to enhance their phishing attacks, and tax season is no exception," says Alexander García-Tobar, CEO and co-founder, Valimail. "However, we are in a unique position today: Not only is it tax season, but the COVID-19 pandemic has forced US legislators to take aggressive actions to limit social interactions, and as a result many recently out-of-work individuals are facing lost wages. These individuals may be counting on a quick tax return, or they may be confused about the recently changed tax filing deadline. This makes people all the more susceptible to convincing tax scams, and cybercriminals are always willing to take advantage of uncertainty. Unfortunately, organizations that do not have DMARC records at enforcement are an easy target for criminals who use spoofing to launch highly convincing tax-related scams aimed at consumers or these companies' own employees."
Among the detailed findings, state tax agencies are the most vulnerable to domain spoofing: 49 of the 55 agencies analyzed are either missing DMARC records or do not have DMARC policies at enforcement.
Five of the six federal agencies analyzed are protected with DMARC at enforcement, underscoring the effectiveness of practices outlined in the 2018 Homeland Security Binding Operational Directive 18-01.
Of the 16 tax preparation services analyzed, only seven (44 percent) were protected with DMARC at enforcement. Also, 77 of the 2019 Fortune 100 companies are not protected with DMARC at enforcement.
The full report can be found on the Valimail site.