If you filed your IRS (US Internal Revenue Service) income tax forms through someone else, and that list gets into the hands of phishers, do you think you could detect it?
A lot of people fall for this. Hard. Gizmodo reports:
A lot of people are falling for them: A study of 150,000 phishing emails by Verizon partners found that 23 percent of recipients open phishing messages, and 11 percent open attachments. Is that not crazy? One in 10 people opens an attachment when they have no idea what they’re opening.
And it happens fast: It takes an average of 82 seconds from the time a phishing campaign is launched, until the first sucker bites. And this isn’t just phishing in people’s Gmail accounts. It’s happening on sensitive business and government accounts where the targets should theoretically know better.
Another article in Wired is reporting:
Typically, it takes months if not years to uncover a breach. In 2012, for example, FireEye reported that the average cyber-espionage attack continued unabated for 458 days before the victim discovered the hack.
[More after the break.]
I have received numerous phishing emails. So far, I have recognized them because I knew the people I am dealing with and when something outlandish comes up, I call 'em. However, these days, who knows anybody at these big, monolithic, and automated tax-collection centers, and who wants to take the risk that an ignored IRS email is indeed fake?
I have been holding out as long as I can against having anything to do with the government on the internet. I flat out do not trust the internet when it comes to email. Any of us can tell if it's some casual friend chitchat, but when mail arrives looking like it's from your bank and money is involved, it gets noticed. With the the advent of things like Electronic Funds Transfer, things can happen behind our back, and we ignore the email at our peril....
Many of us here know just how easy it is to make an extremely legitimate looking business email. It would really bother me to receive demands from compliance from some entity purporting to represent the IRS via email, with no way for me to know for sure it's bogus without taking the bait.
How many of you filed your IRS returns electronically? How do you protect yourself from phishing attacks?
(Score: 3, Interesting) by kaszz on Thursday April 16 2015, @01:15PM
The problem is there's no authentication of important emails. For starters one can assign every contact a unique email address. To know where the contact came from. Another action that can be taken is to read emails on secure systems.
But the most important is that the message itself is authenticated with something like PGP sign etc. As long as this isn't in place. Security can't be had. Because the source is sloppy and can't be distinguished.
(Score: 3, Insightful) by Thexalon on Thursday April 16 2015, @01:30PM
No, the problem is that there's no authentication of nearly all email, but many people act like it's a secure communication method when it isn't. If there were authentication, most spam would never have happened, and most phishing attacks would have been impossible.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 3, Interesting) by kaszz on Thursday April 16 2015, @01:36PM
One could at least require that the IRS sign their emails..
(Score: 1) by kadal on Thursday April 16 2015, @02:00PM
That is a great suggestion. Except that it requires that the government get it's ass together...
(Score: 2) by kaszz on Thursday April 16 2015, @02:54PM
We can't have that happening, can we? :D
Just imagine an email inbox where emails that has the proper digital signature (like S/MIME?) would be marked by the email client as such and thus enable users skip the noise and to read the important stuff right away.
(Which would require a central 2000 GFlops mainframe at the headquarters in 24 carat gold with lots of important people in black cars and of course a salary bonus to match ;-) )
(Score: 0) by Anonymous Coward on Thursday April 16 2015, @04:01PM
Especially not when so many elected officials have a vested interest in proving their party line, that the government can't do anything right.
(Score: 0) by Anonymous Coward on Thursday April 16 2015, @08:15PM
FYI, it appears that you squished together 2 memes:
- get its shit together
- get its ass in gear
You should pick one and go with that.
(Colloquial English can be confusing.)
...and a pronoun never needs an apostrophe to make it possessive.
-- gewg_
(Score: 2) by kaszz on Friday April 17 2015, @10:02AM
Thanks for the heads up on spelling.
(Score: 2) by Thexalon on Thursday April 16 2015, @03:05PM
That is necessary, but insufficient: Because the vast majority of emails are unsigned, citizens will expect that emails from the IRS will be unsigned (just like the ones from their bank, their utilities providers, other government agencies, and everybody they interact with at work), so they will presume that the unsigned phishing email purporting to be from the IRS is legitimate.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by kaszz on Thursday April 16 2015, @03:22PM
So citizens has to get used to that from some time in the future Emails will come in the signed form?
It's not like other shit hasn't succeeded like HTML or UTF8..
(Score: 4, Informative) by DeathMonkey on Thursday April 16 2015, @05:49PM
One could at least require that the IRS sign their emails..
Seriously, who actually communicates with the IRS via email?
IRS phishing info [irs.gov]
The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.
I'm honestly confused about the actual issue is here. Organizations like the IRS already don't communicate via email in general.
(Score: 2) by TheRaven on Thursday April 16 2015, @02:29PM
sudo mod me up
(Score: 2) by kaszz on Thursday April 16 2015, @02:45PM
Makes one really wonder how come that is so............
(Score: 2) by frojack on Thursday April 16 2015, @05:07PM
S/MIME is supported by most mail clients and can tell you the certificate chain. I've not yet seen a single bank that signs the email that they send.
But that is entirely useless. Certificate chains? Really? Who has time to chase those? Who even knows how?
How many of the chains lead to forged certificates, or certs with subtle spelling differences three levels deep that you are sure to miss, but which will pass automated checks?
The only solution is to NOT give any branch of government your email address. Make them use paper.
People can get conned by paper too. But its better than sending your 1040 to some 419 scammer.
No, you are mistaken. I've always had this sig.