Educause Security Discussion mailing list archives

Tax-themed phishing exercises


From: "Hassler, Karl D." <khassler () UDEL EDU>
Date: Thu, 19 Apr 2018 19:49:06 +0000

Just an FYA for those of you engaged in phishing exercises with your communities: The IRS strongly discourages 
tax-themed phishing exercises because they can end up being reported to phishing () irs gov 
and divert agency attention and personnel from investigations of actual phishing scams.  They've had incidents where 
organizations construct payroll-themed lures which make employees/recipients believe they are victims of 
stolen identity refund fraud (SIRF) or the business email compromise (BEC) / business email spoofing (BES) W-2 scam.  
Recipients promptly emailed phishing () irs gov, called the IRS, contacted their tax 
professionals, etc., which generated a lot of confusion.
Remember, you want to get people's attention and reinforce best practices.  If you're too convincing, you can set off 
an Orson Welles-like panic. Tax phishes, especially at this time of year, have the potential to elicit calls to the IRS.
TLP: Amber
Karl Hassler, CISSP
Director,  IT Security Policy & Compliance
302-831-3750
302-489-9788