Educause Security Discussion mailing list archives

Re: Tax-themed phishing exercises


From: "McClenon, Brady" <Brady.McClenon () ONEONTA EDU>
Date: Mon, 23 Apr 2018 19:02:54 +0000

So the IRS strongly discourages tax-themed phishing exercises because it can create more work for them. Ok... well... It can also help educate people and reduce instances of fraud, thereby lessening their workload. To me it just illustrates what we already know. The IRS wasn’t meant to be, and isn’t, a customer service oriented organization.

The U.K.’s NCSC blog post makes some decent points, but seems to make a lot of incorrect assumptions about phishing simulations.


  1.  It seems to imply that vendors or institutions that use phishing simulations use them, or bill them, as an alternative to a defense-in-depth approach. I’ve never seen this to be the case. It is only used as a layer in a defense-in-depth approach.
  2.  The metrics they provide can’t be trusted. If the percentages are too low, then maybe the test was too easy. Well, maybe, but that is possible with any test or assessment. It’s not a reason to stop assessing.
  3.  It’s about blaming the user.... Well, it could be, but it can also be about blaming yourself too. It can be used to assess your phishing education program to see if your methods are working.

Maybe the post just struck me wrong today as I sit stuck in a basement office on the first beautiful day of spring, but it seemed like another article suggesting we over-analyze our methods, which usually leads to “analysis paralysis” and ultimately just accepting the status quo.

Ok, I’m going to go outside and stand in the sun for a few minutes now. 😊


Brady McClenon
IT Security Administrator
ITS – IT Security
SUNY Oneonta

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dixon, Cameron
Sent: Friday, April 20, 2018 12:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Tax-themed phishing exercises

Two statutes worth being aware of with regard to tax-themed phishing:

* https://www.law.cornell.edu/uscode/text/31/333
* https://www.law.cornell.edu/uscode/text/18/709

One is Treasury-specific, but IRS takes these very seriously!

The U.K.’s NCSC has great commentary on phishing your users, which really resonates with me: https://www.ncsc.gov.uk/blog-post/trouble-phishing



- - - -
Cameron

________________________________
From: The EDUCAUSE Security Constituent Group Listserv on behalf of Boyce, Rori
Sent: Friday, April 20, 2018 8:51:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Tax-themed phishing exercises
This makes perfect sense, thanks for the heads up!

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hassler, Karl D.
Sent: Thursday, April 19, 2018 3:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Tax-themed phishing exercises


Just an FYA for those of you engaged in phishing exercises with your communities: The IRS strongly discourages tax-themed phishing exercises because they can end up being reported to phishing () irs gov and divert agency attention and personnel from investigations of actual phishing scams. They’ve had incidents where organizations construct payroll-themed lures which make employees/recipients believe they are victims of stolen identity refund fraud (SIRF) or the business email compromise (BEC) / business email spoofing (BES) W2 scam. Recipients promptly emailed phishing () irs gov, called the IRS, contacted their tax professionals, etc., which generated a lot of confusion.



Remember, you want to get people’s attention and reinforce best practices. If you’re too convincing, you can set off an Orson Welles-like panic. Tax phishes, especially at this time of year, have the potential to elicit calls to the IRS.



TLP: Amber


Karl Hassler, CISSP
Director, IT Security Policy & Compliance
302-831-3750
302-489-9788
