West Midlands Trains (WMR/LNR) send staff an email about a bonus... as a cybersecurity test

[flitwickbeds]

Train firm’s ‘worker bonus’ email is actually cybersecurity test

West Midlands Trains workers discover email promising one-off payment is ‘phishing simulation test’

www.theguardian.com

West Midlands Trains emailed about 2,500 employees with a message saying its managing director, Julian Edwards, wanted to thank them for their hard work over the past year under Covid-19. The email said they would get a one-off payment as a thank you after “huge strain was placed upon a large number of our workforce”.

However, those who clicked through on the link to read Edwards’ thank you were instead emailed back with a message telling them it was a company-designed “phishing simulation test” and there was to be no bonus. It warned: “This was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward.”

 

[birchesgreen]

Unbelievable isn't it? On no level does it make any sense, even on an IT level.

 

[Blinkbonny]

Absolutely crass.

 

[telstarbox]

A lack of thinking there.

 

[Fawkes Cat]

I would so like to see the emails between IT Security and HR which I imagine followed this bright idea. I'm guessing that there's going to be 'guidance' issued to the company in general (and IT Security in particular) about getting future test messages cleared by someone who knows what they're talking about before issue.

 

[Nexus]

I doubt a one-off phishing email test would raise staff awareness. You need a continuous educational program and periodic testing so that staff (or anyone) are trained to spot warning signs of a scam email.

 

[ExRes]

Superb, taken directly from the Basil Fawlty guide to Industrial Relations

 

[Ediswan]

I doubt a one-off phishing email test would raise staff awareness. You need a continuous educational program and periodic testing so that staff (or anyone) are trained to spot warning signs of a scam email.

It is not even clear that there were any warning signs in the email.

 

[Islineclear3_1]

Many employees are not IT savvy and are not expected to be.

I can understand the need for cybersecurity awareness training but this is not the right way to go about it

 

[Darandio]

The WMR response is as hilarious as the whole test itself. The fact that someone believed this was a great idea boggles my mind.

 

[Journeyman]

Unbelievably stupid. It wouldn't surprise me if a ballot for strike action follows.

 

[43096]

Unbelievably stupid. It wouldn't surprise me if a ballot for strike action follows.

On the grounds of what? "All our members are dumb enough to click a link to anything"?

 

[Journeyman]

On the grounds of what? "All our members are dumb enough to click a link to anything"?

Promising a non-existent bonus. The RMT have downed tools for less.

 

[43096]

Promising a non-existent bonus. The RMT have downed tools for less.

Should be being thanked by the RMT for educating their members with an important life lesson not to click on every link.

This is a fairly standard IT practice in large organisations - typical of railway staff to throw their toys out of the pram about it.

 

[bcarmicle]

GoDaddy (a web hosting firm) did the same thing last Christmas, and made quite a splash in the news

 

[Fuzzytop]

IT tech here too. I recently noticed Microsoft 365 were promoting an Attack Simulator to do just these kinds of fake campaigns:

Get started using Attack simulation training

Admins can learn how to use Attack simulation training to run simulated phishing and password attacks in their Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations.

docs.microsoft.com

It struck me as a tad insensitive, if I'm honest. These spearphishing attacks are trouble, but running a test on staff - especially in the current circumstances - felt to me like it would break down more trust than anything else.

 

[deltic]

Our company periodically sends out such emails but not as crass as this

 

[Energy]

Should be being thanked by the RMT for educating their members with an important life lesson not to click on every link.

This is a fairly standard IT practice in large organisations - typical of railway staff to throw their toys out of the pram about it.

I personally think its a good idea, sure employees aren't expected to be cybersecurity experts but people are almost always the easiest weak point in cybersecurity so basic training like how to detect phishing links should be happening. Promising a bonus may be seen as insensitive during times when many have lost their jobs so maybe sending one pretending to be Microsoft Office (or other software they use) might be better.

 

[D365]

Our company periodically sends out such emails but not as crass as this

Ditto, it’s a pretend phishing exercise to keep us ”on guard”! But yes I agree this was very insensitive. As you’ll know, there are far better ways of executing this exercise.

 

[DelayRepay]

Our company periodically sends out such emails but not as crass as this

My (not railway) employer sends this type of message on a regular basis but they have never promised a bonus!

They typically say things like 'your parcel could not be delivered, click here to re-arrange delivery'.

 

[LowLevel]

I personally think its a good idea, sure employees aren't expected to be cybersecurity experts but people are almost always the easiest weak point in cybersecurity so basic training like how to detect phishing links should be happening. Promising a bonus may be seen as insensitive during times when many have lost their jobs so maybe sending one pretending to be Microsoft Office (or other software they use) might be better.

It is a standard thing within Abellio companies, but it usually takes the form of something less offensive and irritating, albeit enticing, like "click this link for a free voucher for StarBocks"

 

[Fawkes Cat]

It's not the anti-phishing education which is a problem - lots of employers do that, however annoying it might be. It's the purporting to make a commitment on behalf of another part of management that's likely to cause trouble.

 

[satisnek]

Wow... My own employer's IT department has teamed up with this outfit (read all about it and make up your own mind) which sends out simulated phishing emails. Since I use my work email solely for internal use and one-to-one correspondence with customers, these things stick out like a sore thumb and as far as I'm concerned it constitutes harassment. But this takes things to a whole new level...

 

[Solent&Wessex]

Something very similar (but not offering rewards of bonuses!) happened at another TOC (with a different owning group) a few years ago. The phishing email went to some but not all staff including front line staff who only have email access on their phone and some who aren't very IT literate at all. If you were unfortunate enough to click through on the link in the email then you got ordered to complete an online course and end of course test about IT security.

There was a big hullabaloo about it with the union as a) the union were not aware of it and most importantly b) the company, initially, refused to release front line staff from their duties to complete the online course and said they would have to do it either during their working day (not that easy when you are frontline staff without company computer access and working on a train all day apart from break periods in messrooms) or in their own time and if they didn't complete it by a set date disciplinary action may be taken.

 

[RPM]

No honourable way out of this other than paying some sort of bonus. It won't happen though, obviously.

 

[JaJaWa]

These emails are standard at many companies, I have received them before.

 

[Energy]

and as far as I'm concerned it constitutes harassment.

However irritating they are they serve an important purpose, phishing emails are common and it only takes one person to fall for it for quite a lot of damage to be done.

a) the union were not aware of it

Thats a bit of a stupid reason, the scammers who send them don't warn people.

b) the company, initially, refused to release front line staff from their duties to complete the online course and said they would have to do it either during their working day (not that easy when you are frontline staff without company computer access and working on a train all day apart from break periods in messrooms) or in their own time and if they didn't complete it by a set date disciplinary action may be taken.

That is a fair reason, the training is important and is still training so they should be given 10-20 minutes to complete it.

 

[popeter45]

as somebody who works in IT security i can see both sides of this
on one hand yes this was crass but also cyber-criminals wont dumb down there attack becuase the end user isnt a IT wiz

No honourable way out of this other than paying some sort of bonus. It won't happen though, obviously.

issue there is it sort of rewards people for failing a security test and potentally creates a culture where such attacks are way more likly to succeed

 

[Hadders]

The company I work for sends out test phishing emails.

To be fair to WMR it would be good to see the actual text of the email. For example many phishing emails have spelling mistakes, would ask you to click links that don't looks legitimate etc in a similar fashion to the sort of phishing emails you get claiming to be from HMRC etc.

I suspect this is what has happened here.

 

[43096]

The company I work for sends out test phishing emails.

To be fair to WMR it would be good to see the actual text of the email. For example many phishing emails have spelling mistakes, would ask you to click links that don't looks legitimate etc in a similar fashion to the sort of phishing emails you get claiming to be from HMRC etc.

I suspect this is what has happened here.

It would be interesting to see what the text was. If it says "Click here to claim your bonus" or whatever, then it just shows people are not thinking before they're clicking. Who has ever had to click a link for a bonus: normally you get told about it and it appears in your bank account - you don't have to claim it.