Auditors placed phone calls to 100 IRS managers and employees, posing at IT helpdesk personnel needing help to fix a network problem. They were able to convince 35 employees to divulge their user account names and change their passwords.
"Using our test scenario, a hacker or disgruntled employee could obtain user names and passwords to gain unauthorized access to the IRS systems," according to the audit.
The audit was about a 50 percent improvement over a similar test the IG conducted in August 2001, but IRS employees need more security awareness, the IG said.
Daniel Galik, IRS chief of mission assurance and security services, said in a written response that his office agreed with the IG's recommendations that it boost security awareness about social engineering risks.
The IRS has incorporated the topic of social engineering into its mandatory online security awareness training and plans to issue periodic reminders to employees about the issue, he said.