Study Finds IRS Very Susceptible To Social Engineering
from the change-this-password-now dept
The IRS has had problems modernizing their computer system in the past, but no matter how modern your computer system is, security is weak if your employees are easily duped through social engineering techniques. A new study found that 60% of the employees they tested were willing to hand over sensitive info to a person calling and posing as IRS tech support. This type of social engineering happens all the time, but it seems especially worrisome that so many IRS employees would be so willingly giving out info when they have access to so much confidential info and should be especially aware of the threat. In fact, the report notes that similar tests were done in 2001 and 2004 and the IRS promised to put in place measures to prevent these types of tricks from working. Apparently, that hasn't really happened.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: security, social engineering
Companies: irs
Reader Comments
Subscribe: RSS
View by: Time | Thread
DUHHHH
[ link to this | view in thread ]
uhhhhh
First, I give them kudos for testing and being aware of the threat of social engineering. My company performs pen testing for fortune 500 and many still want to ignore this and provide very little training to their employees to avoid and report it. Many compromises we investigate can be sourced to this attack vector but many still focus on the “technical” solution. Well, no form of technology will help you here.
You may be surprised to find just how helpful people are willing to be given the right circumstances and you are just as vulnerable as they. Don’t forget Sally at your credit card company, your school admin office, former employer, old girlfriend, mother …
[ link to this | view in thread ]
[ link to this | view in thread ]
It's a Confidence Scam
[ link to this | view in thread ]
Re: It's a Confidence Scam
If you're willing to say that the current name it has is going to have some significant impact on how widespread it becomes or why it isn't dying out, well, thats just ignoring the problem and giving it a different name.
It's called social engineering because the terms used actually make sense. Something shouldn't have its name changed just because you think it makes it sound too good.
[ link to this | view in thread ]
Re: It's a Confidence Scam
For instance, what they now euphemistically call "ethnic cleansing" (sounds antiseptic doesn't it?) is actually genocide.
Maybe if people would read a little, they'd recognize it.
[ link to this | view in thread ]
Re: It's a Confidence Scam
Monday
08:05 AM
User called to say they forgot password. Told them to use password retrieval utility
called FDISK. Blissfully ignorant, they thank me and hang up. God, we let the people
vote and drive, too?
[ link to this | view in thread ]
Re: It's a Confidence Scam
[ link to this | view in thread ]
Idiots in the government
Two, the government only hires the most mediocre of personnel. Because they use and outdated system to hire those individuals (special preferences). I know this, because I have 17 years experience with government hiring practices, or the lack thereof.
Three, we live in a data driven society. If you don't understand the basics of computing, you need to go to school and learn it. It is not an employers responsibility to teach you computing, you should know it (before being hired). However, it is the employer's responsibility to recognize that a prospective hire is totally computer illiterate. To solve this problem you need to have employers that are not computer illiterate, in order to be able to tell if the hire is computer illiterate. There are to many people in middle/upper management that know very little about technology, and wouldn't know if someone is computer illiterate or not, because most of them are.
Four, when it comes to my personal data, I want only the most skilled technologists in the field working on and protecting my data. That costs money, and lots of it, to hire that type of talent. Employers don't want to spend that type of money, because it cuts into the bottom line. They don't consider law suites, penalties or lose of customer good will, until after the fact. It costs them more in law suites, fines and consumer trust than it would ever cost them in salaries, but their willing to take the chance to increase profits.
Five, until there is a complete change in the focus of government and business, from profits and special interests, to securing our personal data. Things will only get worse. The burden will be ours to handle, in the form of cleaning up our credit etc...
[ link to this | view in thread ]
Hysterical
Ahh i'm in thanks and btw youve been ROOTED!
Good to know - thanks from AskTheAdmin
[ link to this | view in thread ]
Re: Re: It's a Confidence Scam
[ link to this | view in thread ]
IRS social engineering comic
[ link to this | view in thread ]
Temps
[ link to this | view in thread ]
Social Engineering...
You guys are developing split ends over this phrase and it really doesn't matter. The truth is, its an accurate description of what is happening.
I'll bet good money inbound call agents are at least, advised about these techniques and to be a little more sensitive when conversing with someone about sensitive data.
[ link to this | view in thread ]