Wednesday, August 8, 2007

Social Engineering at the IRS

Information Week published an article outlining a security test in which 60% of the IRS users tested were willing to take a phone call from an unknown caller and change their password to a value the caller suggested.

First off, kudos to the IRS for actually testing their security. And double kudos for actually being willing to release the (admittedly bad) results publicly. But I am not surprised at all that 60% of the users tested were fooled into helping the person on the other end of the line.

With my amateur psychologist hat on, I assert that users just don't feel the same way about digital information as they do about physical information. How often would you see someone accidentally misaddress a FedEx envelope containing financial data? That happens all the time with email (oops! I meant to send it to Mike Smith, not Mike Jones!).

Welcome to the war on human nature-- and we're losing.

