Tax season is well underway, and Her Majesty’s Revenue & Customs (HMRC) is once again seeing a massive spike in tax fraud and corresponding attempts at stealing taxpayers’ personal information.
Last month, HMRC revealed that in 2015 it had identified over 17,000 fraudulent tax returns, attempting to claim back nearly £100 million in false tax repayments. In many of these instances, criminals harvested legitimate HMRC login details from shared computers used by taxpayers to complete their tax returns online. Once they gained access to an account, they altered details on tax returns and changed the nominated bank account in an attempt to get their hands on the fraudulent the tax refunds.
The HMRC stated that its IT systems have thus far never been breached directly by cyber criminals, yet third party security breaches such as those described above are becoming an increasing concern. As such, steps need to be urgently taken to make these systems more resistant to imposters.
Indeed, the government is now stepping up security via its Gov.UK Verify portal that uses multi factor authentication to provide a much higher level of security to both consumers and the HMRC itself.
However, this trend isn’t new by any means. Recent years have seen many examples of data breaches and other cybercrime being carried out via third-party compromises. High profile examples in 2015 included the Experian breach that impacted more than 15 million T-Mobile customers in the UK, and the PNI Photo hack in the US that led to compromises of online photo services at CVS, Costco, Sam’s Club and more.
Unfortunately, data loss and compromise via third parties is a growing problem that’s sure to plague businesses for some time to come. While most companies are still grappling with securing their own networks, data, and users, preventing against attacks that initially target business partners or incorporate previously stolen information adds a new layer of complexity to the equation.
Many times enterprises will have vast supplier and partner networks made up of many smaller partners; these can be easier targets for attackers when the target enterprise itself has already implemented a security program in-house.
So what can be done to defend against these attacks? For one, companies must change the way they view security. As evidenced by many of these attacks, information security is no longer an internal effort, but instead must be accounted for throughout a company’s entire business network – up and down the supply chain.
Any entity that a company does business with can make them vulnerable, and as a result companies must make security a top criteria when choosing the partners and suppliers with which they’ll do business.
Where business relationships exist, security should be a collaborative effort between all stakeholders as much as possible. Rather than each member of your supply chain have disparate security programs that could lead to gaps in protection, businesses should collaborate to develop a coordinated security effort across all of their individual environments.
And finally, as more breaches take place and more stolen information becomes available on the black market, companies must update their existing security measures to defend against attacks that use previously stolen user information to spoof systems or carry out social engineering schemes.
As a result, defences must be built assuming that some customer information has already been exposed and make it harder for criminals that have obtained that information to further compromise systems or individuals.
Solutions like the multi-factor authentication being adopted by Gov.UK Verify can prevent account takeovers and spoofing attempts that rely on stolen credentials or PII.
Furthermore, on-going employee security training and solutions like data loss prevention can prevent employees from falling victim to targeted social engineering attacks that used previously stolen information to seem more authentic.
Sourced from Luke Brown, VP & GM EMEA, India and Latam, Digital Guardian