IRS employees fall for faux password scam

As part of a test sample, 60 percent of IRS employees were duped into giving their passwords to IG auditors posing as help-desk representatives.

IRS employees do not follow the most basic computer security practices to protect their passwords, leaving taxpayer data at risk of identity theft, according to the Treasury Inspector General for Tax Administration. In a test sample, nearly 60 percent of 102 IRS employees were duped into handing over their access information, the IG said in a report released today.

TIGTA auditors used social-engineering methods to gauge compliance with data security requirements. Posing as help-desk representatives, they called IRS employees, including managers and contractors, and asked for help correcting a computer problem. They requested that the employee provide a user name and temporarily change his or her password to one the TIGTA caller suggested.

TIGTA test callers convinced 61 of the 102 employees to comply with the requests. Only eight of the 102 employees in the sample contacted the appropriate offices to report or validate the test calls, the report said. The sample employees came from across IRS’ business units and geographic regions.

“We conclude employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work,” said Michael Phillips, TIGTA’s deputy inspector general for audit.

TIGTA had conducted similar tests in 2001 and 2004; in the 2004 test, only 35 percent of the employee sample gave up their log-in information. Since then, IRS has acted to raise employee awareness of password protection requirements and of hackers who exploit the human element to convince employees to share their information.

Employees later told TIGTA that the scenario sounded legitimate and believable. They also did not consider changing their password to a value chosen by the caller to be the same as disclosing it, although it gives the caller the same access. In some cases, they had experienced past computer problems.
“When employees are susceptible to social-engineering attempts, the IRS is at risk of providing unauthorized persons access to computer resources and taxpayer data,” Phillips said. When these attempts go unreported, IRS cannot investigate incidents or act to limit the effects of a security breach. Because agencies now block more attacks at the network perimeter, hackers have turned to alternative methods, such as social engineering, to gain access to an organization’s network.

TIGTA recommended that IRS continue security awareness training and activities, remind employees to report incidents, conduct internal social-engineering tests periodically, and coordinate with business units on the need to discipline employees for security violations resulting from negligence and carelessness.

The IRS continues to emphasize computer security practices, including resistance to social engineering, to its personnel, said Daniel Galik, chief of IRS mission assurance and security services, in a response letter dated June 28. IRS will survey employees to assess their knowledge of hacker methods and use the results to tailor future reminders about such attempts. The agency also will conduct at least one internal social-engineering test during the 2008 fiscal year, incorporating lessons learned from the TIGTA survey.