My encounter with an IRS scammer

For those of you that don’t know, phishing is the activity of defrauding an online account holder of financial information by posing as a legitimate company. Last year, I almost fell for a phishing attempt by someone claiming to be an IRS employee.

I’ve held a variety of roles in Information Security and you’d think I would try to hide the fact that I almost fell for a phone-based scam. However, I think my story can help others so I’ve decided to share it on my blog. Also, it’s not like I’m the only IT Security professional to almost fall for a phishing attempt. Chris Hadnagy literally wrote the book on Social Engineering/Phishing and has been tricked by an Amazon phish.

 

At the time I first was contacted by a fake IRS employee, I was in the middle of a legitimate dispute with the IRS over a tuition deduction from a few years prior. I was working from home and randomly received a call from a number in Cincinnati from someone claiming to be an IRS employee. I knew that the IRS had an office in Cincinnati and despite the fact that all of my prior correspondence related to my aforementioned dispute had been written, I didn’t think it was out of the realm of possibility that someone from the IRS would call me.

The “employee” began the call by stating that I was going to be taken to court over unpaid taxes. The caller gave me a case number and knew enough about the inner workings of the IRS to sound legitimate. It didn’t make any sense to me why I would suddenly be taken to court when my last document submission was mailed several months before the stated deadline. This should have been my first clue that the call was not legitimate. Unfortunately, due to the fact I was actually worried about my legitimate issue with the IRS, my guard was down.

I was obviously distraught at this point. If my dispute went to court, I would possibly spend more on legal fees and accountants than I actually owed to the IRS. Even though I knew I did nothing wrong, the idea of a settlement went through my head while the caller discussed the issues. However, I wanted to make sure that my accountant was involved in the final decision.

The “employee” let me know that I could avoid court and the associated fees by simply settling over the phone. It was as if they could read my mind. I let them know that I wanted to consult my accountant and a few family members with deeper knowledge of tax law before making a final decision. The caller started to get very impatient at this point.

I started to get more of a sense that this call was fake. I eventually asked the “employee” to provide me with a publicly posted phone number for their office. I wanted to call a validated phone number to confirm that I was speaking with an actual IRS employee. I felt that this was a completely reasonable request.

The scammer became enraged; they told me that if I hung up the phone they would issue an arrest warrant. They demanded that I drive straight to the bank while leaving them on speaker phone. They wanted me to wire them money to a specific account. I was now 100% confident that I was being phished.

If this ever happens to you, this is the point where you should just hang up and report the incident. However, I decided to have a little fun. I decided to keep the scammer on the phone for around 30 minutes while I “drove” to the bank to wire them the money. In reality, I was just sitting at my desk listening to music and catching up on email. I asked them for the account number and routing number so I could “wire” them the money. Armed with that information, I placed the scammer on hold and called the Ohio Attorney General’s office. I filled out a form to inform the IRS as well.

After providing the Ohio Attorney General’s Office and IRS with the details, I hung up on the scammer. They called me back about a dozen times in rapid succession before moving on to their next attempted victim. I’m now almost certain this fraud attempt originated from India where dozens of people were arrested for operating entire call centers filled with fake IRS agents. A few weeks later, I received a letter from the IRS stating that my dispute had been resolved based on the documentation that I provided and I no longer owed any money.

Lessons Learned:

  • The IRS has an entire webpage devoted to validating communications received by their employees. The page also has information for reporting phishing attempts.
  • The IRS will never:
    • Call to demand immediate payment, nor will they call about taxes owed without first having mailed a bill.
    • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
    • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
    • Ask for credit or debit card numbers over the phone.
    • Threaten to bring in local police or other law-enforcement groups to have you arrested for not paying.

My Thoughts On IT Certifications

A few days ago, a former colleague asked me about IT certifications. They’re at a bit of a career crossroads and wanted to know whether or not I thought obtaining a certificate was worth the investment of time and money. Given their circumstances, I told them that I thought it would be worthwhile for them to learn about a specific piece of technology and take an exam. However, I was sure to specify that obtaining an IT certification won’t necessarily guarantee that they’ll get that big promotion or secure their dream job.

It’s important to note that every hiring manager is different. As a hiring manager myself, I personally don’t hold a whole lot of stock in certifications. I’ve had coworkers with a half-dozen certifications that were very unreliable when it came to implementation and troubleshooting. I have also worked with some extremely talented individuals that don’t hold a single certification. There isn’t necessarily a correlation between a cert and success.

Don’t get me wrong, there are definitely benefits to obtaining IT certifications. In fact, some organizations won’t consider candidates without relevant certs. During my most recent job search, I ended up getting more questions about my certs from VMware and Microsoft than I did about my Master’s degree. I’m positive that those little vendor logos went a long way to get my resume past HR and to the hiring manager. However, that’s only half of the battle when attempting to secure a position.

Certifications aren’t ever going to be a silver bullet. At some point, you’ll need to rely on your reputation and industry experience to advance your career. That being said, certifications won’t hurt you. They can expose you to technology that you may not get a chance to interact with on a daily basis. Every circumstance is different but if you’re looking to gain exposure to a new area of technology or feeling a bit stale, obtaining a vendor certification is the way to go.

 

Lessons Learned During My First Term As An Adjunct Professor

This fall, I taught my first undergraduate course. The class was an overview of Network Engineering and covered everything from the OSI model to DNS best practices. Despite a few hurdles, the students all passed the course and I really got a sense that a majority of them learned a lot in the process. As someone who struggled academically in high school, the successful completion of my first college course as an Adjunct Professor felt like quite an accomplishment. My confidence was through the roof until a student informed me that they decided against a career in Network Engineering after taking my course.

At first, I was crushed. This student received an A and was very engaged throughout the course. I assumed this meant that I failed my first attempt at teaching. I suddenly began second-guessing the lecture material and lab content. I eventually asked the student more about their decision and was pleasantly surprised by their answer.

It turns out, I actually did the student a service. They stated that they really learned a lot throughout the course. They gained enough information about Network Engineering to decide that it wasn’t something that they wanted to pursue. It didn’t have anything to do with the content of the lectures or the structure of the labs. They simply didn’t feel passionate about this aspect of technology.

Looking back, I’m really glad this student found out what they weren’t passionate about without endangering their career. I will keep this experience in mind as I teach additional courses. As I help students embark on their careers in IT, I will encourage them to seek internships or job shadowing opportunities. This will help them identify if they are truly following their passion or just attempting to earn a paycheck.

Overall, I loved my first experience as an Adjunct Professor and I can’t wait to teach future courses.