Educause Security Discussion mailing list archives
Re: Tax-themed phishing exercises
From: Sue McGlashan <sue.mcglashan () UTORONTO CA>
Date: Thu, 19 Apr 2018 20:21:42 +0000
To add to that - be careful of any realistic internal-department-themed phishing exercises, since some people contact the Help Desks of the internal department directly, and depending on the scenario, the discussions can be irate. Please make sure to discuss any scenarios with the relevant department first, to get their agreement to the scenario and that the scenario will not create a bad impression of their service, and to allow them to prepare their Help Desk with standard responses.

--
Sue McGlashan M.Ed. CISSP CCSK ISA
Information Security and Enterprise Architecture
Information and Technology Services
University of Toronto
Phone 416-946-3260

This email communication is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged information. Any use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the email and all copies (electronic or otherwise) immediately.

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Hassler, Karl D." <khassler () UDEL EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thursday, April 19, 2018 at 3:49 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Tax-themed phishing exercises

Just an FYA for those of you engaged in phishing exercises with your communities: The IRS strongly discourages tax-themed phishing exercises because they can end up being reported to phishing () irs gov and divert agency attention and personnel from investigations of actual phishing scams.

They've had incidents where organizations construct payroll-themed lures which make employees/recipients believe they are victims of a stolen identity refund fraud (SIRF) or the business email compromise (BEC) / business email spoofing (BES) W2 scam. Recipients promptly emailed phishing () irs gov, called the IRS, contacted their tax professionals, etc., which generated a lot of confusion.

Remember, you want to get people's attention and reinforce best practices. If you're too convincing, you can set off an Orson Welles-like panic. Tax phishes, especially at this time of year, have the potential to elicit calls to the IRS.

TLP: Amber

Karl Hassler, CISSP
Director, IT Security Policy & Compliance
302-831-3750
302-489-9788
