It’s tax season again and with it comes lots of tax fraud using stolen identities. Whether you are a tax preparer or a law abiding citizen filing taxes, you are a target to cybercriminals. Data breaches are occurring in increased numbers as cybercriminals target tax professionals to steal identities of innocent individuals to file fraudulent returns. What are some ways you can prevent data breaches? I listed 10 things below that you can do as a tax professional or individual filer, but also refer to my previous blog post: You’ve been hacked and probably might not even know it – How to identify hacks, prevent them, and protect yourself.

10 things you can do to prevent data breach and identity theft:

• Think twice and confirm you are opening safe links in emails.
• Always verify the senders email address for requests for private information.
• In addition, using a verified phone number not listed on the email, contact the sender to verify if they requested for the information.
• To make it even safer, make all communication verbal or in person so you can always verify who you are speaking to.
• Always secure client data or your own data by ensuring it is not left visibly on hardware or media devices.
• Logout and close out of all tax software after use.
• Use strong passwords that include passphrases, a combination of letters, numbers, and symbols on all computers and tax software programs.
• Use caution when granting remote access to your systems and verify access is being granted to trusted and authorized users with a business need to know.
• Use reputable and trusted tax software from your local retail store or the software company’s valid website.
• Safeguard your Electronic Filing Identification Number (EFIN).

Generated evil twins from data breaches are one of the worst cybercrimes. Taking simple steps can take you a long way when it comes to protecting data and identity. If a data breach has occurred to you or your firm, alert the Internal Revenue Service and state agencies in every state you prepare or file returns. Since I’m a Minnesotan, this article includes resources for the State of Minnesota’s tax website, but should you find yourself in a similar experience, please refer to your state governments website to report breaches and tax fraud.

Resources:
Identity Theft and Tax Fraud – State of Minnesota
Identity Protection: Prevention, Detection, and Victim Assitance – IRS

Millions of people around the globe today use social media everyday such as Facebook. What happens to the trust of those users whose private information and/or credentials have been compromised? Such failure to protect users data makes it vulnerable during cyber attacks. Whether it be Facebook, another social media, or any organization who holds private user information and credentials, that information could be yours.

On March 21, 2019, it was reported that 600 millions passwords of Facebook users were not protected and accessible to 20,000 Facebook employees. These passwords were also stored in plain text, which means it was plainly visible and unencrypted. Facebook reported that there were no signs of misuse and it was due to security failures. The issue was discovered in January 2019, Facebook reported.

The target here isn’t Facebook. It could happen to any other social media or organization. The importance is that organizations need to:

• Review security of private user data
• Timely notify users of their exposed credentials
• Prevent similar occurrences in the future (since this has occurred a few times in the past for Facebook)

Recall from my third blog entry about Credential Re-use. If poor security continues and users credentials and private data are not secured, this is a vulnerability. If a cyber attack were to occur and this information was compromised, the plain text passwords could be re-used across multiple sites that users may use the same exact credentials for. Let’s face it, many people only use one password.

It is important for organizations that store private information to remember that they must enforce strict security measures and review of applications developed to log user information. Such occurrences will surely hinder the trust of customers. Would you continue to trust and support an organization that has you sign a privacy agreement, but not actually keep your data private?

Source:
Millions of Facebook passwords exposed internally

With tons of mitigation strategies out there, organizations often wonder which strategies to implement. A good baseline to follow are the Essential Eight as recommended by the Australian Cyber Security Centre, an Australian Government. It should be implemented not only because it makes it harder for cyber attackers, but it can save time, money, and efforts spent on large-scale cyber vectors, making the Essential Eight a cost-effective choice.

The Essential Eight:

1. Application Whitelisting – to control and only allow authorized software to execute, blocking all other unauthorized applications.
2. Patching Applications – ensures applications are up-to-date to remediate new security vulnerabilities.
3. Configuring Microsoft Office Macro Settings – to block un-trusted macros in documents from installing malware.
4. Application Hardening – blocking flash player, ads, and java on web browsers to protect against vulnerable application functionality
5. Restricting Administrative Privileges – limit administrative access to systems to only authorized individuals.
6. Patching Operating Systems – ensures operating systems are up-to-date to remediate new security vulnerabilities.
7. Multi-factor Authentication – authenticates user identity and provides strong access controls through tokens, biometrics, and dual passwords.
8. Daily Backups – critical piece as it maintains the availability of critical data and provides a disaster recovery strategy.

No mitigation strategy is guaranteed to prevent all cyber security attacks due to many factors. But these simple and basic strategies will definitely help to mitigate cyber vectors. If you can ensure good practice of these strategies, you’ve already thicken the first layer of security for your business. Upon implementing the baseline, you can then pursue other business continuity plans to better secure your business’s assets in the case that this first layer is breached.

Sources:
https://acsc.gov.au/infosec/mitigationstrategies.htm
https://www.fortinet.com/blog/industry-trends/the-essential-8-asd-s-strategies-to-mitigate-cyber-security-incidents.html

Remember that one time you left your phone at the coffee shop or maybe you almost did? Remember visiting that website on your mobile phone and randomly received a pop-up informing that “You’ve been infected! Please click here to remove the virus!”? These examples and many others have happened to most of us, but when they happened did you secure your phone immediately after or ensure it was still secured?

Mobile Phones are literally a mobile personal handheld computer and a high population of the world owns mobile phones making mobile security a must. We use our phones conveniently for almost everything from browsing, payment, bills, emails, messaging, social media, e-shopping, navigation, home automation, you name it…it’s probably on the list. Our phones probably contain the most private data about us than our wallet, purse, or your mother. How do you ensure the security of all this information?

7 Basic Tips To Secure Your Mobile Phone/Device:

Set a Password – If you don’t already have a password set on your phone, set it now. That one time you left your phone at the coffee shop and your phone wasn’t locked with a password. Someone could have sniffed through all your private information and if you stored your payment information or use your phone to make payments at cash registers, someone could have made multiple charges without your consent. Setting a password ensures that no one can physically or virtually access your mobile device without first unlocking it with a password, PIN, or pattern that only you know.

Anti-Malware Protection – Whether you are using an iPhone or Android device, both are at risk to malware. That’s right iPhone users…even you. Purchase and install an accredited Anti-Malware application from your phones official app store. This can protect your mobile device from many types of malware attacks, attachments, and prevent infection.

VPN – If you browse a lot, consider purchasing an accredited VPN app from your phones official app store. This will ensure that any e-shopping you do, data you enter and send, or sites you visit are encrypted protecting your private information and the privacy of your browsing.

Use Official App Stores – Official App Stores have very strict policies as to what can get published on to the app store. Very rarely will they pass an app that is malicious. When using a third party app store, this security is not guaranteed as malicious apps could be published on these non-official app stores. This is a high risk to you as you could install a fake app posing as an official app or installing an app that isn’t verified through security policies before being published.

Keep Your Phone Up-To-Date – To ensure that your phone has received all it’s security updates, you should always keep your phone up to date and install updates as soon as possible. These updates could include patches to vulnerabilities found in your mobile devices operating system or hardware.

Disable “Unknown Sources” For Android Devices – This should always be disabled as you should not install applications from Unknown Sources. The exception is if you trust the source and know what you are downloading and what the risks are, but to be safe disable this option.

Don’t Jailbreak Your iPhone – Jailbreaking can opening cool features to your phone, but at the same time it also exposes your phone to vulnerabilities. Security protocols could be bypassed which is not intended by the manufacturer and in turn weakening the security of your device.

Next time when you forget your phone at the coffee shop, most you’ll lose is the device as your phones information should be secured now if you followed the basic tips above. If you visited a malicious website unintentionally, you’ll be protected by your Anti-Malware application. You don’t have to take drastic measures to ensure the security of your mobile phone or device. These basic tips will surely do you more good and save you quite a few headaches.

Sources:
PCWorld – How to prevent mobile malware in 3 easy steps
Malwareytes LABS – Top 10 ways to secure your mobile phone
Webroot – Bad Apps: Protect Your Smartphone from Mobile Malware