The UK’s HMRC and the US IRS are organisations built on tradition, tried and tested processes, and both internal and external trust. Public bodies of this nature have been moving conscientiously towards web 2.0 driven electronic interaction with the public and the business community for some years now. At the same time, their methods and models have not radically changed, and that gives us an advantage in terms of predictability when it comes to data security.
Public sector predictability
If public sector predictability does exist to some degree, then shouldn’t we be able to use this basic home truth to our advantage when it comes to information security? The truth is that governments don’t change their tax or other revenue payment/billing systems very often and this, in and of itself, should provide us with certain pointers with regard to data safety.
If the tax authorities suddenly send you three emails saying that their payment account details have changed, shouldn’t the “predictability factor” cause you to stop and question the authenticity of this information? The answer is yes it should, of course.
There are some basic operational rules that can help us stay safe with regard to payment services to government. In the UK, for example, HMRC (or to give it its full title, Her Majesty’s Revenue and Customs) makes it very clear that it will “not charge individuals or companies to provide a service”. So you may have to pay tax or be due a tax refund, but you never have to pay a fee to make the payment or to receive the refund.
HMRC does in fact provide a help page detailing the types of bogus calls and phishing scams that do sometimes occur here: http://www.hmrc.gov.uk/security/examples.htm. It is worth reading this information before you set up your initial electronic payment services with your bank, particularly if you are starting a new small or medium sized business and/or operating as a sole trader or partnership at some level.
National news analysis
Simple truth: governmental revenue and tax services are about as likely to change their contact telephone numbers and bank account details as they are to change their name. So if you haven’t heard about a nationwide re-branding or re-positioning of public services on the national evening news, there is a very good chance that a message telling you otherwise is malicious spam or a scam. It is not hard to check either: turn on the television, check CNN/BBC and so on, and compare the new details against the ones you already hold by going to the authority’s own website at the address you already know, rather than following any link in the message.
Just like your bank, the tax and revenue authorities are not likely to ask you for passwords of any sort; nor will they ask you for your bank details, as these are generally submitted at the point of registration. So be aware of the need for ongoing vigilance once you do have your public authority systems established.
Perhaps even more telling is a supposed official who willingly engages in back-and-forth email discussion with you. Public bodies are rarely able to operate at this level and generally prefer not to anyway.
The US IRS (Internal Revenue Service) lists warnings similar to HMRC’s, such as:
- fraudulent use of the IRS name or logo by scamsters
- phony e-mails which claim to come from the IRS and which lure the victims into the scam by telling them that they are due a tax refund
- web site clones, where a complete duplicate of the IRS web site “appears” to present users with an authenticated service when in fact the entire framework is fraudulent
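The “predictability factor” can be turned into a mechanical screen: you already know the handful of domains the authority uses, and you already know it never asks for passwords, bank details or a fee to release money. The script below is an added example written for this article, not code from HMRC, the IRS or the original author. It checks an incoming message against a fixed allowlist of authority domains and flags the warning signs listed above (a sender or link outside those domains, a look-alike “clone” host that merely mentions the authority, a link whose visible text differs from where it really points, and refund/fee/credential lures). The domain list, the lure phrases and both sample messages are constructed assumptions for the demonstration; substitute the contact details you actually hold for the authorities you deal with.

```python
"""Heuristic screen for e-mails that claim to come from a tax authority.

Added example, not from the original article. KNOWN_DOMAINS, LURE_PATTERNS
and the two sample messages are constructed for this demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the only domains the authorities you deal with send mail from
# or host links on. Fill this from details you already hold, never from a message.
KNOWN_DOMAINS = ("hmrc.gov.uk", "gov.uk", "irs.gov")

# Constructed phrases matching the warning categories on the page: refund lures,
# "our details have changed", a fee to release money, credential/bank requests.
LURE_PATTERNS = {
    "refund lure": r"\b(tax )?refund\b",
    "changed payment details": r"\b(bank|account) details have changed\b",
    "fee to receive money": r"\b(processing|release|handling) fee\b",
    "credential request": r"\b(password|pin|security code)\b",
    "bank details request": r"\b(confirm|verify|enter) your (bank|card) details\b",
}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def trusted_host(host):
    """True if host is one of the known authority domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def lookalike(host):
    """The 'web site clone' pattern: mentions the authority, not under its real domain."""
    return any(tok in host.lower() for tok in ("hmrc", "irs")) and not trusted_host(host)


def screen(raw_message):
    """Return a list of (severity, reason) findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Who is it really from? Authorities don't mail from new domains.
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2]
    if not trusted_host(sender_domain):
        findings.append(("high", f"sender domain {sender_domain!r} is not a known authority domain"))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2] != sender_domain:
        findings.append(("high", f"Reply-To {reply_to!r} diverts replies away from the sender"))

    # Collect every text part (works for single-part and multipart messages).
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    body = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                   for p in parts)

    # 2. Links: visible text pointing somewhere else, clone hosts, unknown hosts.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and (urlparse(shown.group()).hostname or "") != (urlparse(href).hostname or ""):
            findings.append(("high", f"link text shows {shown.group()} but points at {href}"))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if lookalike(host):
            findings.append(("high", f"look-alike domain in link: {host}"))
        elif not trusted_host(host):
            findings.append(("medium", f"link to non-authority host: {host}"))

    # 3. Lures: the things a real authority never asks for by e-mail.
    plain = re.sub(r"<[^>]+>", " ", body)
    for label, pattern in LURE_PATTERNS.items():
        if re.search(pattern, plain, re.I):
            findings.append(("medium", f"{label}: matches {pattern!r}"))
    return findings


def verdict(raw_message):
    """'suspicious' on any high finding or two or more medium ones, else 'no indicators'."""
    findings = screen(raw_message)
    high = sum(1 for sev, _ in findings if sev == "high")
    return "suspicious" if high or len(findings) - high >= 2 else "no indicators"


# Constructed sample messages (not real mail).
PHISH = """From: HMRC Refunds <refunds@hmrc-online-secure.com>
Reply-To: claims@mail-refund.net
Subject: Your tax refund is ready
Content-Type: text/html

<p>You are due a tax refund of GBP 412.80. To release it, confirm your bank details
and pay the processing fee here:
<a href="http://hmrc.gov.uk.refund-portal.net/claim">http://www.hmrc.gov.uk/refund</a></p>
"""

LEGIT = """From: HMRC <noreply@hmrc.gov.uk>
Subject: Your VAT return is due
Content-Type: text/plain

Your VAT return for the period is due. Sign in to your account at
https://www.gov.uk/log-in-register-hmrc-online-services to submit it.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, verdict(raw))
        for sev, reason in screen(raw):
            print("  ", sev, reason)
```

The point of the allowlist is that it is populated from the contact details you already hold, exactly as the article advises, so a message announcing “new” details can never add itself to the trusted set. The script is a first-pass filter, not a verdict: a message it passes still deserves the same scrutiny as any other request for money.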
Whether you prefer to talk about spam, scams or the more Americanized “scamsters”, we are dealing with the same problem here. Businesses need to treat the above information as a foundational information security building block on which they then build their own secure systems and processes, with an appropriate level of anti-virus protection software.
Just remember, if it’s tax, it’s money — and if it’s money, it’s a risk situation. So please stay aware and stay protected.