Educause Security Discussion mailing list archives

Re: Tax-themed phishing exercises


From: Sue McGlashan <sue.mcglashan () UTORONTO CA>
Date: Thu, 19 Apr 2018 20:21:42 +0000

To add to that - be careful of any realistic internal-department-themed phishing exercises, since some people contact 
the Help Desks of the internal department directly, and depending on the scenario, the discussions can be irate. Please 
make sure to discuss any scenarios with the relevant department first, to get their agreement to the scenario and that 
the scenario will not create a bad impression of their service, and to allow them to prepare their Help Desk with 
standard responses.

--
Sue McGlashan M.Ed. CISSP CCSK
ISA, Information Security and Enterprise Architecture
Information and Technology Services
University of Toronto
Phone 416-946-3260

This email communication is intended only for the person or entity to which it is addressed and may contain 
confidential and/or privileged information. Any use of this information by persons or entities other than the intended 
recipient is prohibited. If you received this in error, please contact the sender and delete the email and all copies 
(electronic or otherwise) immediately.


From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Hassler, Karl 
D." <khassler () UDEL EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, April 19, 2018 at 3:49 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Tax-themed phishing exercises


Just an FYA for those of you engaged in phishing exercises with your communities: The IRS strongly discourages 
tax-themed phishing exercises because they can end up being reported to phishing () irs gov 
and divert agency attention and personnel from investigations of actual phishing scams.  They've had incidents where 
organizations construct payroll-themed lures which make employees/recipients believe they are victims of a stolen 
identity refund fraud (SIRF) or the business email compromise (BEC) / business email spoofing (BES) W2 scam.  
Recipients promptly emailed phishing () irs gov, called the IRS, contacted their tax 
professionals, etc., which generated a lot of confusion.



Remember, you want to get people's attention and reinforce best practices.  If you're too convincing, you can set off 
an Orson Welles-like panic. Tax phishes, especially at this time of year, have the potential to elicit calls to the IRS.



TLP: Amber


Karl Hassler, CISSP
Director,  IT Security Policy & Compliance
302-831-3750
302-489-9788


