Beware the Tax Scam – Updated


The following was published in today’s Foster’s and Seacoast Sunday.  This is an updated and expanded version of post from earlier this week.

It seems like each year, there are more and more tax scams that kick into high gear right after the New Year. This is because tax season is upon us. As the tax man cometh, so does the tax scam, especially online.

tax_scam_alertYou may recall that last year, the IRS reported an alarming rise in the number of fraudulent tax returns filed, using compromised identities in order to get tax refunds the legitimate taxpayer was entitled to. Unfortunately, the criminals doing this were the recipients of these refunds and the actual taxpayer was often unaware this had happened until they tried to file their actual tax return.

The increased alarm this year is in part due to the massive Equifax data breach that was reported last summer. That data breach was unique as it was the first time that a credit bureau had been breached. Because they are a credit bureau, you may not have realized how much personal data that they have on file for you. The exposure was reported to be nearly half the population of the United States. Literally hundreds of millions of Social Security numbers and other private information related to your personal identity may have been released. To date, the impact is not truly known.

Many security experts are concerned that this year could see a record number of fraudulent tax return filings due to the massive amount of information from the Equifax data breach that may be in the hands of bad actors. We likely will not know for sure until tax season has passed.

Many tax professionals are advising that individuals file their tax returns as early in the tax season as possible. In effect, try to beat the hackers by filing before they do. That is one way to potentially prevent a fraudulent filing in your name. However, you have no way of knowing if you could be a victim, nor will you know until you actually file. As the cliché goes “the best defense is a good offense,” thus the recommendation.

There are several other tax scams to be aware of as well. The most common are phishing email campaigns that try to trick you to open attachments or click links that will compromise your system, allowing the hackers to steal your personal information. Remember the IRS will never send you an email attachment, nor a link to click and then enter private information. Nor will the IRS ask you to make a payment via email or link within an email. If you owe money to the IRS, you will always receive a paper bill, in the mail. Even at that, it’s a best practice to call the IRS and verify the validity of that notice.

If you use a tax preparer, check with them for their guidance before doing anything online. While many are able to e-file, do so at your preparers direction, not from unsolicited email messages. As with just about everything in life and online, common sense is your best defense. If it doesn’t seem right, don’t do it.

You even need to be careful using your social media accounts. I’m sure you’ve seen people posting their responses to what seem like fun lists of information. These are posts you will see from friends that list places they have been, what their first pet was, states they have lived in and more. While these seem like fun and innocent things to do, they expose information that can be used to help compromise your personal identity through social engineering when combined with other information about you. So think twice before participating in these, as tempting as they are.

The IRS maintains a page devoted to communicating tax scams and consumer alerts at I recommend you check that page whenever you have a concern about a potential tax scam. Currently, the page lists the following scams considered to be actively in use: IRS-impersonation telephone scams, scams targeting tax professionals, soliciting W-2 information from payroll and human resources professionals, email, phishing and malware schemes and fraudsters posing as taxpayer advocacy panel.

What is important to recognize from this list is that in addition to the actual taxpayer, tax preparers are a target. Obviously, these firms have access to a wealth of private information that includes everything a hacker would need to impersonate someone. It stands to reason they would be a target and these firms have an obligation to do everything that they can to protect the private information that is in their trust. Similarly, HR departments are a target, for the personal and payroll information that they have access to. They too, just have robust defenses and procedures in place to protect this information and prevent unauthorized release.

I posted about this on my blog, earlier this week. I will continue to monitor for new information as it becomes available. Hopefully, this information will help you maintain the safety of your personal information and ensure that your tax information and hopefully refund, remains yours and yours alone.

Beware the Tax Scam


The good ‘ole cliché is usually “Beware the Tax Man” but in today’s interconnected world, the tax scam is more concerning than the tax person (the cliché is gender specific in its origin), for sure.

As tax season is now in full swing, you will surely be the target of a hacker, phone scammer, phishing campaign or other attempt to get you release private information that could be used for fraudulent purposes.

tax-scamCommon scams include email phishing with links to malicious sites that will install malware on your systems in an effort to obtain private information like social security numbers, account numbers, address verification, confirmation of responses to secret questions and more.  Even answering those fun lists on social media sites like Facebook that as you to list out things only you know about yourself are a risk.  Social engineering will scrape this information and put it together with other information to gain a more complete picture of you which may be used to open accounts, file tax returns or more.

Experts advise filing your returns as early as possible as a proactive defensive measure.  Last year, many fraudulent tax returns were filed and hackers received refunds from the fraudulent filings.  The actual taxpayer did not learn this had happened until they filed their return, often in April.  Then they learned a return had already been filed in their name.  Filing early can prevent that from happening.

With the massive Equifax hack that occurred this past year, experts are expecting that this tax season may see a sharp increase in the filing of fraudulent tax returns.  That hack exposed millions of social security numbers to unknown bad actors.  Tax season could present the conditions for these leaked identities to be taken advantage of.

Remember that the IRS will never call you or email you asking for payment via phone or by responding to an email or clicking a link to enter payment information.  The IRS is very specific in how it communicates with taxpayers.  Asking for payment via obscure payment methods or through email will never happen.  If you owe the IRS money, they will send you a bill via the US Postal Service.  Call the IRS and verify the legitimacy of the bill.  Don’t pay it until you confirm it.

If you use a tax preparer, be sure they are informed of any contact you receive as they can help you validate whether or not the contact is legitimate.  If you don’t use a tax preparer, practice extreme caution when providing information over the phone or electronically.

Huawei & ZTE, the New Lenovo and Kaspersky?


You may recall reading about US government concerns regarding Kaspersky Lab‘s alleged ties to the Russian government and Lenovo‘s ties to the Chinese government.  Both of these brands are banned in most US government agencies out of a concern that their presence could present security risks.  Specific concerns were related to software and hardware components that could be used to spy on users with hardware and software from those companies.

hzYou may not yet recognize the names Huawei and ZTE, but they are Chinese manufacturers of technology devices.  Both have manufactured devices for other manufacturers, but both are also introducing devices into the US market under their own brand names.  Huawei has started an aggressive advertising campaign to drive demand ahead of entering the market.  The US government has similar concerns about these companies.  They have long been rumored to have ties to the Chinese government.

In response to these concerns, Texas Representative Mike Conaway has introduced a bill called the Defending U.S. Government Communications Act.  It’s intent is to ban US government agencies from using products from these manufacturer’s.  It follows a growing concern within many governments about adversaries using technology to try to infiltrate secure systems or influence society.

It is unclear if this new legislation will become US law, but it does underscore the concern of the intelligence communities around the world about this evolving threat.

Update on Meltdown & Spectre


meltdown-spectre-cpu-security-vulnerabilities-logos-610x318Here is the latest regarding the Meltdown & Spectre threats that have been widely reported on since last Thursday.  If you are not aware of what these risks are, please review my prior post; Meltdown & Spectre, What You Should Know.

Here’s what we know as of this moment:

  1. The bug is real and affects just about every microprocessor released since 1995.  This includes server, PC’s, Mac’s, Smartphones, Tablets and even Internet of Things devices like smart thermostats and other smarthome and commercial technologies.
  2. The flaw was discovered by Google security researchers this past summer and reported it to the appropriate manufacturers.  While the threat was taken seriously and work has been underway to fix the flaw, the information was released to the public out of concern that details were beginning to leak out before the patches were ready for distribution.
  3. Microsoft, Intel and others have already released patches to begin fixing this issue.  Your internal IT department or trusted IT partner is likely already in the process of deploying these patches to safeguard your systems.  For home, personal, devices, only install patches that you are certain are from the actual manufacturer.
  4. Never apply a patch from a link in an email message.  Bad actors are taking advantage of phishing and other social engineering techniques, to try to trick users into installing a patch that is actually malware from a hacker.  Only install patches you can verify!
  5. Most reports suggest that you will see a performance slowdown as a result of these patches.  Maybe.  For most users, you will not notice a performance impact.  For some intensive applications, a performance slowdown may be unavoidable, but for most average users, you will not notice a difference once the patches are installed.
  6. Intel has stated that they will have patches for 90 percent of the affected chips within a week.
  7. Some users with AMD chips are reporting issues after applying patches, so be sure to read up on the manufacturers web sites for the latest information before applying a patch.
  8. Just last night, during the keynote address at the Consumer Electronics Show, chip maker Intel announced the formation of a new internal security group to focus on improving the overall security of Intel technologies.  “Security is Job No. 1 for Intel and the industry,” said Intel CEO Brian Krzanich.  This type of focus will only help mitigate future issues and I applaud the response.

I will continue to monitor events for any new developments.  For now, it still seems that these threats have not actually be exploited, but nonetheless, I absolutely recommend remaining diligent and patching your systems without delay.

How Did You Weather The Bomb Cyclone?


The following article was published in todays Foster’s and Seacoast Sunday.

BombCyclone2By the time you read this, you will have hopefully survived the “Bomb Cyclone” that rolled through on Thursday. I got a kick out of all the reports in various media about the storm’s “wicked cold” and “polar vortex.” It’s winter in New England. You never know what’s coming and when.

Storms like this provide a stark reminder that businesses don’t stop due to weather. Successful companies need to be able to operate through storms like this and ensure their staffs are able to work wherever and whenever they need to.

Successful companies today, employ a range of strategies to remain functional throughout any event that could impact their offices or staff. This is mostly done by leveraging Cloud or data center services to disperse the organization’s business systems across geographies in order to insulate the business from a catastrophic event in any one geography.

To put this in layman’s terms, this means not relying on a computing infrastructure that is solely located in the company’s sole office location. That’s how it used to be done, but not today. In the past, especially for smaller businesses, but for much medium- and larger-sized organization as well, a single location would be where you would find one or more servers that run all of the business systems. Email servers, file systems, printing, databases, accounting applications, any proprietary software would all be on these servers. If the office was not accessible, neither were the systems unless the business invested in power infrastructure, like generators, to keep the servers running the event of a power outage. This would also require robust remote access infrastructures, so that employees would be able to access these resources.

Today, this is accomplished very differently and quite cost effectively. Smart businesses have servers and systems offsite, in the Cloud, a private or public data center or a combination of these. Many companies have moved to Office 365 or Google G Suite, mostly for email, but potentially other productivity applications and services as well. With email moved offsite and into a data center infrastructure managed by industry giants Microsoft and Google, you can be assured you will not lose your ability to electronically communicate when a storm runs through your local regions. Email has become a primary form of communication for both internal and external contacts. Ensuring this capability is “always on” is more critical than it has ever been.

Having critical business systems offsite also ensures availability. When your applications are running in the Cloud or a data center, your systems will be more accessible than they would be if they were only located within your office. Hardly any business that considers itself a small- or medium-sized could afford to maintain the highly available and redundant infrastructure that exists in the Cloud and other data centers. The power and connectivity capabilities within these sites are truly impressive. They are all designed to ensure uptime and availability, regardless what may be happening.

While the above addresses the systems your teams use every day to accomplish their goals, telecommunication requirements are often overlooked. It’s equally important to make sure callers are able to call your organization and get through to someone throughout an extreme event, be it weather, natural disaster or other. Having a redundant telecommunications infrastructure will further ensure your customer experience is consistent through any event that might otherwise negatively impact the business.

If you or your teams experienced any issues during this last storm that should be a clear sign you need to review how your company is structured to ensure employees, customers and business partners are able to continue to work together and support one another, regardless of environmental or other events that would otherwise interrupt this. Make 2018 the year that your business embraces truly high availability and redundancy.

Meltdown & Spectre, What You Should Know



Over the last few days, mainstream media has been sounding the alarm over two security vulnerabilities named Meltdown and Spectre.  What is unique about this latest security threat is that the flaws are within the design architecture of the processors that run virtually every computer and mobile device on the planet.  Yes, you read that right, you are almost certainly impacted by these flaws.

So, now that you are concerned, what should you do?  In a nutshell, watch for operating system and software updates and apply them as soon as you can.  Not your anti-virus or anti-malware software.  These won’t help.  Watch for operating system and firmware updates, as well as application updates and apply them.

If your company works with an MSP, like the company I work for, you can likely breathe a little easier.  Companies like Onepath were aware of these threats before the news hit and have been actively monitoring for patches from the hardware and software manufacturers, testing them and pushing them out to managed computers and mobile devices to patch them against the threat.  We sent out an advisory to all of our managed clients on Thursday, which may review at this link.  There is some good information in this advisory, including links to more detailed articles on the matter.

As of now, it is unclear if any malicious actors have actually used these threats to steal information.  It is thought not to be the case, but this is a rapidly developing story.  The good news is that to exploit these threats on a computer or mobile device, a hacker would need to get their malicious software installed on your computer or mobile device in order to take advantage of the exploits.  If you are practicing safe computing, you are likely safe for now, just as you should be against any malicious threat.

Cloud server infrastructures are thought to possibly be at greater risk.  Cloud providers are working diligently to patch their infrastructures to protect their customers, but most of us have less control over those resources as they are managed by the Cloud providers. We have to rely on them to tell us what they are doing to safeguard their systems.

For those that are interested in the technical side of this issue, Meltdown allows access to information running in memory on the affected computer or mobile device.  By allowing a hacker to gain access to what’s in memory, a bad actor could potentially steal passwords and other sensitive information, including what’s stored in password managers and browser sessions.  Spectre, on the other hand, allows a hacker to jump between applications, penetrating a security isolation long thought to be impenetrable.

As I stated earlier, the real risk to the average business and consumer is really not yet known.  The best defense is a strong offense, so making sure your computers and mobile devices are updated when manufacturers release their updates is the best thing you can do.  Some updates have already been released.  Others are thought to take days, weeks or even months to get to users.  I will continue to monitor developments related to these threats and posts updates as new and actionable information becomes available.  In the meantime, stay safe online and keep your defenses up.

Are You Weathering the “Bomb Cyclone”


The entire East Coast of the United States is being hit with what’s being called a “Bomb Cyclone” this week.  This refers to a snow event coupled with hurricane like winds and record low pressure.BombCyclone

Here in New England, the media has been pretty funny about this.  The “Bomb Cyclone” is complete with “wicked” (a very Boston term) cold temperatures pushed in the region by the Polar Vortex.  Sounds epic!

To be sure, the conditions in New England are rapidly deteriorating this morning.  White Out conditions are already present in much of the region.  How is your business weathering the storm?  Yes, the pun is intended.

For my own company, we are operating mostly remotely today.  We provide IT services to small and medium sized clients around the country, with a heavy concentration up and down the East Coast, so most of our clients are impacted.  We have to be fully operational through an event like this, in order to support our clients, whether they are impacted or not.

The primary issues that a storm like this present are power outage and travel limitations.  If your staff is unable to get to your office, are they still able to work and interact with others who may not be impacted by the weather and are operating business as usual?  Do you have all of your business systems in the Cloud or a private data center so that these system remain online and available, regardless of whether your office has power and connectivity or not?  Does your staff know how to securely connect to these systems from home or any location where they may be working today?  Is your phone system setup with remote phones that staff may use from remote locations or from their smartphone, so that callers to your company don’t need to think about a different number to call to reach your team?  Do you have contingencies in place for alternate power or alternate work locations if your office is inaccessible for an extended period of time?

These and other questions are important things to know before you find yourself in the midst of the next “Bomb Cyclone” should we experience another or similar extreme weather event.

Stay safe today and hopefully, wherever you are working from today, you’re as productive as you would be if you were sitting at your desk in your office.  I am.