Educause Security Discussion mailing list archives
Re: Tax-themed phishing exercises
From: "McClenon, Brady" <Brady.McClenon () ONEONTA EDU>
Date: Mon, 23 Apr 2018 19:02:54 +0000
So the IRS strongly discourages tax-themed phishing exercises because it can create more work for them. Ok.. well... It can also help educate people and reduce instances of fraud, thereby lessening their workload. To me it just illustrates what we already know. The IRS wasn't meant to be, and isn't, a customer service oriented organization.

The U.K.'s NCSC blog post makes some decent points, but seems to make a lot of incorrect assumptions about phishing simulations.

1. It seems to imply that vendors or institutions that use phishing simulations use them, or bill them, as an alternative to a defense-in-depth approach. I've never seen this to be the case. It is only used as a layer in a defense-in-depth approach.

2. The metrics they provide can't be trusted. If the percentages are too low, then maybe the test was too easy. Well, maybe, but that is possible of any test or assessment. It's not a reason to stop assessing.

3. It's about blaming the user.... Well, it could be, but it can also be about blaming yourself too. It can be used to assess your phishing education program to see if your methods are working.

Maybe the post just struck me wrong today as I sit stuck in a basement office on the first beautiful day of spring, but it seemed like another article suggesting we over-analyze our methods, which usually leads to "analysis paralysis" and ultimately just accepting the status quo. Ok, I'm going to go outside and stand in the sun for a few minutes now. 😊

Brady McClenon
IT Security Administrator
ITS – IT Security
SUNY Oneonta

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dixon, Cameron
Sent: Friday, April 20, 2018 12:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Tax-themed phishing exercises

Two statutes worth being aware of with regard to tax-themed phishing:

* https://www.law.cornell.edu/uscode/text/31/333
* https://www.law.cornell.edu/uscode/text/18/709

One is Treasury-specific, but IRS takes these very seriously!

The U.K.'s NCSC has great commentary on phishing your users, which really resonates with me: https://www.ncsc.gov.uk/blog-post/trouble-phishing

- - - -
Cameron

________________________________
From: The EDUCAUSE Security Constituent Group Listserv on behalf of Boyce, Rori
Sent: Friday, April 20, 2018 8:51:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Tax-themed phishing exercises

This makes perfect sense, thanks for the heads up!

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hassler, Karl D.
Sent: Thursday, April 19, 2018 3:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Tax-themed phishing exercises

Caution - External Email
________________________________

Just an FYA for those of you engaged in phishing exercises with your communities: The IRS strongly discourages tax-themed phishing exercises because they can end up being reported to phishing () irs gov and divert agency attention and personnel from investigations of actual phishing scams.

They've had incidents where organizations construct payroll-themed lures which make employees/recipients believe they are victims of a stolen identity refund fraud (SIRF) or the business email compromise (BEC) / business email spoofing (BES) W-2 scam. Recipients promptly emailed phishing () irs gov, called the IRS, contacted their tax professionals, etc., which generated a lot of confusion.

Remember, you want to get people's attention and reinforce best practices. If you're too convincing, you can set off an Orson Welles-like panic. Tax phishes, especially at this time of year, have the potential to elicit calls to the IRS.

TLP: Amber

Karl Hassler, CISSP
Director, IT Security Policy & Compliance
302-831-3750
302-489-9788
Current thread:
- Tax-themed phishing exercises Hassler, Karl D. (Apr 19)
- Re: Tax-themed phishing exercises Boyce, Rori (Apr 20)
- <Possible follow-ups>
- Re: Tax-themed phishing exercises Sue McGlashan (Apr 19)
- Re: Tax-themed phishing exercises Dixon, Cameron (Apr 20)
- Re: Tax-themed phishing exercises McClenon, Brady (Apr 23)
