IG: IRS employees abusing e-mail privileges

IG report on email abuses

Related Links

A recent audit found inappropriate e-mail, including pornography, on more than half of Internal Revenue Service employees’ computers, according to a report from the Treasury Inspector General For Tax Administration. The audit also uncovered security holes in many of the agency’s e-mail servers.

The IG reviewed 96 IRS employees’ electronic mailboxes and found that 71 had messages violating the agency’s personal use policy, according to the July 31report. The inspectors found chain letters, jokes, offensive content and sexually explicit content. The report said 74 percent of employees have such prohibited e-mail messages on their computers.

Such content is often used to lure people into opening e-mail messages that contain viruses and other malicious software.

The risk of computer viruses had earlier prompted the IRS to issue a personal-use policy for e-mail. The agency also gave employees awareness training on the policy’s importance.

“While these efforts established a good foundation for e-mail security, employees are not following the IRS’ personal e-mail use policy,” the IG’s report states.

The IG recommended monitoring e-mail message content, which could lead to more employees being disciplined for abusing their privileges. Systems administrators should be held accountable for ensuring that only authorized computers are allowed to perform as e-mail servers, the report recommends.

Moreover, the IRS’ chief information officer should make sure that technology employees follow existing procedures for installing security updates and patches on all e-mail servers.

The IRS maintains 228 authorized e-mail servers. The IG’s office evaluated security on 28 servers and found 687 vulnerabilities.

“People can exploit security vulnerabilities to shut down the servers and disrupt e-mail service or to use the servers to access or attack other computers in the network, which could disrupt other critical operations in the IRS,” the report states.

The report also recommends that the IRS cut down on the number of e-mail servers. The audit found an additional 4,913 IP addresses linked to devices that had been configured to operate as unauthorized e-mail servers. Messages entering through such servers skirt the security screening that identifies malicious software.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected