IRS employees fall for faux password scam

Employees continue to be susceptible to social engineering attempts that could be used by hackers

IRS employees do not follow the most basic computer security practices to protect their passwords, leaving taxpayer data at risk of identity theft, according to the Treasury Inspector General for Tax Administration.

In a test sample, nearly 60 percent of 102 IRS employees were duped into handing over their access information, the IG said in a report released today.

TIGTA auditors used social-engineering methods to survey the degree of compliance with data security. Posing as help-desk representatives, they called IRS line employees, including managers and contractors, and asked for their assistance to correct a computer problem. They requested that the employee provide a user name and temporarily change his or her password to one TIGTA callers suggested.

TIGTA test callers convinced 61 of the 102 employees to comply with the requests. Only eight of the 102 employees in the sample contacted the appropriate offices to report or validate the test calls, the report said. The sample employees were from across IRS’ business units and geographic regions.

“We conclude employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work,” said Michael Phillips, TIGTA’s deputy inspector general for audit.

TIGTA had conducted similar tests in 2001 and 2004; in the 2004 test, only 35 percent of the employee sample handed over their log-in information. Since then, IRS has acted to raise employees' awareness of password protection requirements and to warn them that hackers exploit the human element to convince employees to share their information.

Employees later told TIGTA that the scenario sounded legitimate and believable. They also did not think changing their password was the same as disclosing their passwords. In some cases, they had experienced past computer problems.

“When employees are susceptible to social-engineering attempts, the IRS is at risk of providing unauthorized persons access to computer resources and taxpayer data,” he said. When these attempts are not reported, IRS cannot investigate incidents and take action to minimize the effects of a security breach.

Hackers have turned to alternative methods to gain access to an organization’s network since agencies are able to block more attacks at the network perimeters.

TIGTA recommended that IRS continue security awareness training and activities, remind employees to report incidents, conduct internal social-engineering tests periodically and coordinate with business units about the need to discipline employees for security violations resulting from negligence and carelessness.

The IRS continues to emphasize computer security practices to its personnel, including social engineering, said Daniel Galik, chief of IRS mission assurance and security services, in a response letter dated June 28.

IRS will survey employees to assess their knowledge of hacker methods. The agency will use the results to tailor future efforts to remind employees of those types of attempts. The agency also will conduct at least one internal social-engineering test during the 2008 fiscal year, incorporating lessons learned from the TIGTA survey.
