Fake computer technicians who asked Internal Revenue Service employees to provide login and password information were able to persuade 35 workers to cooperate, according to a new government report.
Treasury Department inspectors, posing as staffers from the information technology help desk, called 100 IRS employees and managers and said they were trying to fix a network problem, the Associated Press reported. The callers asked the employees for their login names and asked them to temporarily change their passwords to one the callers provided. Those who complied with the request violated IRS rules, which bar employees from giving out their passwords.
"With an employee's user account name and password, a hacker could gain access to that employee's access privileges," said the report by the Treasury Department's inspector general for tax administration. "Even more significant, a disgruntled employee could use the same social engineering tactics and obtain another employee's username and password," auditors said.
The test was done to find the human flaws in the security system that protects taxpayers' data. When the test was done in 2001, 71 employees out of 100 cooperated, versus 35 this time.
The employees gave various reasons for complying with the request. Some said they did not suspect foul play since they were having network problems at the time; some said they wanted to be helpful to the tech staff; still others said they couldn't find the caller's name in the global IRS directory, but complied anyway. Some got approval from their managers before they would cooperate.
IRS employees have since been instructed to notify security officials if they get calls seeking password or login information.