IRS employees fall for faux password scam

Employees continue to be susceptible to social engineering attempts that could be used by hackers

Related Links

IRS employees do not follow the most basic computer security practices to protect their passwords, leaving taxpayer data at risk of identity theft, according to the Treasury Inspector General for Tax Administration.

In a test sample, nearly 60 percent of 102 IRS employees were duped into handing over their access information, the IG said in a report released today.

TIGTA auditors used social-engineering methods to survey the degree of compliance with data security. Posing as help-desk representatives, they called IRS line employees, including managers and contractors, and asked for their assistance to correct a computer problem. They requested that the employee provide a user name and temporarily change his or her password to one TIGTA callers suggested.

TIGTA test callers convinced 61 of the 102 employees to comply with the requests. Only eight of the 102 employees in the sample contacted the appropriate offices to report or validate the test calls, the report said. The sample employees were from across IRS’ business units and geographic regions.

“We conclude employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work,” said Michael Phillips, TIGTA’s deputy inspector general for audit.

TIGTA had conducted similar tests in 2001 and 2004, during the latter in which only 35 percent of the employee sample delivered their log-in information. Since then, IRS acted to raise the awareness of employees to password protection requirements and to beware of hackers taking advantage of the human element to find ways to convince employees to share their information.

Employees later told TIGTA that the scenario sounded legitimate and believable. They also did not think changing their password was the same as disclosing their passwords. In some cases, they had experienced past computer problems.

“When employees are susceptible to social-engineering attempts, the IRS is at risk of providing unauthorized persons access to computer resources and taxpayer data,” he said. When these attempts are not reported, IRS cannot investigate incidents and take action to minimize the effects of a security breach.

Hackers have turned to alternative methods to gain access to an organization’s network since agencies are able to block more attacks at the network perimeters.

TIGTA recommended that IRS continue security awareness training and activities, remind them to report incidents, conduct internal social-engineering tests periodically and coordinate with business units about the need to discipline employees for security violations resulting from negligence and carelessness.

The IRS continues to emphasize computer security practices to its personnel, including social engineering, said Daniel Galik, chief of IRS mission assurance and security services, in a response letter dated June 28.

IRS will survey employees to assess their knowledge of hacker methods. The agency will use the results to tailor future efforts to remind employees of those types of attempts. The agency also will conduct at least one internal social-engineering test during the 2008 fiscal year, incorporating lessons learned from the TIGTA survey.


  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

    sensor network (agsandrew/

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.