35% of IRS employees fell for password social engineering tests

Incident Date: March 15 2005
Incident Location: Washington D.C. USA

Among U.S. Internal Revenue Services (IRS) employees there is still some confusion about with whom they should share their passwords; but they are getting better. This news came from the U.S. Treasury Department who released their findings March 15, 2005 in a report titled "While Progress Has Been Made, Managers and Employees Are Still Susceptible to Social Engineering Techniques".

During a computer security assessment, auditors were able to convince 35 IRS managers and employees to provide them with their username and change their password to a known value. Auditors posed as IRS information technology personnel attempting to correct a network problem. Using this technique, known as social engineering, they mimicked an approach taken by criminals who attempt to con legitimate users out of their authentication credentials. Once these con artists have a valid username and password combination they often access computer systems to steal data or carry out other crimes.

A total of 100 IRS personnel were called during the social engineering exercise in December of 2004. Accordingly, the coerced victims represented 35% of the user sample. The IRS employed around 68,000 employees at the time of the testing.

When asked why they cooperated, IRS personnel cited various reasons. Some didnít suspect a problem with the request, while others complied only after receiving approval from their managers. Employees reported that even failure to find the callerís name in a global IRS personnel directory didnít always discourage them from continuing to cooperate.

A similar test conducted in August of 2001 revealed that 71 employees were willing to cooperate with the security auditors.

Two days after testing the IRS issued an email bulletin to employees warning about social engineering and encouraging them to notify security personnel if they get similar calls. These tips had already been communicated on an internal web site and during a computer security awareness week campaign.


Story Sources

Title: While Progress Has Been Made, Managers and Employees Are Still Susceptible to Social Engineering Techniques
Author: Pamela J. Gardiner
Date: 3/15/2005
Publication: 2005-20-042
Publication Location: Washington D.C. USA
Publication URL: http://www.treas.gov/tigta/auditreports/2005reports/200520042fr.html


Do you have additional information to contribute regarding this story? If so, please email siteupdates@passwordresearch.com with the details and source.

<-- Back to Authentication Story Index





[Home] [About Us] [News] [Research]

Copyright © 2006 Password Research Institute