Asaf Cidon, Barracuda: Watch Out for BEC Attacks During Tax Season

By Gabriela Vatu / February 15, 2019

Tax season is upon us and filing your documents may prove to be quite dangerous for you and your family if hackers get a hold of them. We decided to have a chat with Asaf Cidon, Vice President of Email Security at Barracuda Networks, to discuss the issue, as the threat of Business Email Compromise (BEC) attacks is on the rise and comes with a new level of sensitivity due to the nature of the documents at risk.

TechNadu: How prevalent are BEC attacks compared to other types of threats targeting companies and their employees?

Asaf Cidon: As a whole, W-2 are much less common than other BEC attacks, like wire transfer requests or gift card scams. However, they are quite prevalent in certain organizations that have a large number of employees, and around the tax season when it is common to send all employees their W-2s.

TechNadu: What percentage of BEC Attacks would you say is successful?

Asaf Cidon: We do not have clear data on what percentage are successful, because we often only see the initial attacks. The IRS actually keeps up-to-date statistics. Last year, for instance, more than 200 companies fell prey to this scam, which translated to 100,000s of employees whose SSNs were compromised.

TechNadu: The most popular BEC objectives according to one of Barracuda's studies are wire transfers and clicking on malicious links. Which of these is the most successful among unsuspecting employees?

Asaf Cidon: Malicious links are the most successful, but wire transfers obviously have a much higher payoff. Oftentimes, the malicious link BEC attacks are a means to successfully execute a wire transfer attack.

TechNadu: How do you believe the BEC attack industry will evolve in 2019?

Asaf Cidon: There are several trends we noticed in BEC attacks. One of these is that more attacks are originated in compromised accounts, where the attacker either uses the compromised account to launch the BEC or uses it to conduct reconnaissance on an impending transaction or data transfer. Another thing we are seeing is a new "creative" BEC attacks. For example, attackers impersonate the CEO to try to steal gift cards that the company is supposed to purchase for the employees. We are also seeing more and more attacks that target lower level employees.

TechNadu: Tax season is upon us all, in the US and other parts of the world too. Are companies and employees at a bigger risk now? What type of data are attackers after in this situation?

Asaf Cidon: Absolutely. W-2s and any information that contains SSNs (social security numbers) or other PII (Personally identifiable information) are a top target and are highly monetizable for the attackers.

TechNadu: Let's assume the attackers were successful and got their hands on a large number of tax documents and other sensitive information. What is the best course of action for employees and companies?

Asaf Cidon: There are several steps companies need to take. First, they need to notify all affected employees and contractors. Then, they should notify the relevant government agencies, like the FBI and the IRS. Further on, the company needs to get employees covered in an identity protection program.

It is a good idea to conduct a forensic investigation to understand where the attack came from and how it succeeded. Then, based on the findings, they have to shore up the company's email security posture. Plus, they should conduct phishing training that explicitly simulates W-2 attacks.

TechNadu: What are the consequences of such attacks being successful? Are we talking about identity theft? What are the biggest risks?

Asaf Cidon: There are several major consequences. Obviously identity theft for the employees. Equally important, such attacks can severely harm the organization's brand and the morale of employees and customers. Finally, the organization might face potential fines, depending on how their security and regulatory posture and on the attack itself.

TechNadu: What type of companies are most commonly hit by BEC attacks?

Asaf Cidon: All companies (and non-profit organizations) get hit with BEC. This is an absolute horizontal attack: we see organizations of all sizes, all sectors, across all geographies. Two or three years ago it used to be only large public companies or financial firms, but that is absolutely not the case anymore.

TechNadu: What steps should everyone take to protect themselves?

Asaf Cidon: They need to use email security that can automatically stop BEC attacks, ideally using AI that does not rely on fixed rules. They also have to set up and measure an internal security awareness training program. They should also implement internal policies that require wire transfers and PII to only be sent out following, ideally, an in-person confirmation, or at a minimum a phone call with the recipient. Lastly, companies should implement a forensics and incident response process in case of an attack.

How careful are you with your financial filings and what steps do you take to make sure the emails you get when at work are genuine? Let us know in the comments section below, and please share the article online so others can read it too. Follow TechNadu on Facebook and Twitter for more details.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari