Educause Security Discussion mailing list archives

Re: Tax-themed phishing exercises


From: "Boyce, Rori" <Rori.Boyce () UNH EDU>
Date: Fri, 20 Apr 2018 12:51:54 +0000

This makes perfect sense, thanks for the heads up!

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Hassler, Karl D.
Sent: Thursday, April 19, 2018 3:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Tax-themed phishing exercises


Just an FYA for those of you engaged in phishing exercises with your communities: The IRS strongly discourages
tax-themed phishing exercises because they can end up being reported to phishing () irs gov
and divert agency attention and personnel from investigations of actual phishing scams. They've had incidents where
organizations construct payroll-themed lures which make employees/recipients believe they are victims of a stolen
identity refund fraud (SIRF) or the business email compromise (BEC) / business email spoofing (BES) W2 scam.
Recipients promptly emailed phishing () irs gov, called the IRS, contacted their tax
professionals, etc., which generated a lot of confusion.



Remember, you want to get people's attention and reinforce best practices. If you're too convincing, you can set off
an Orson Welles-like panic. Tax phishes, especially at this time of year, have the potential to elicit calls to the IRS.



TLP: Amber


Karl Hassler, CISSP
Director,  IT Security Policy & Compliance
302-831-3750
302-489-9788


