West Midlands Trains (WMR/LNR) send staff an email about a bonus... as a cybersecurity test

flitwickbeds (Member, joined 19 Apr 2017, 384 messages)

West Midlands Trains emailed about 2,500 employees with a message saying its managing director, Julian Edwards, wanted to thank them for their hard work over the past year under Covid-19. The email said they would get a one-off payment as a thank you after “huge strain was placed upon a large number of our workforce”.

However, those who clicked through on the link to read Edwards’ thank you were instead emailed back with a message telling them it was a company-designed “phishing simulation test” and there was to be no bonus. It warned: “This was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward.”
 

Fawkes Cat (Established Member, joined 8 May 2017, 1,409 messages)

I would so like to see the emails between IT Security and HR which I imagine followed this bright idea. I'm guessing that there's going to be 'guidance' issued to the company in general (and IT Security in particular) about getting future test messages cleared by someone who knows what they're talking about before issue.
 

Nexus (New Member, joined 15 Mar 2018, 4 messages)

I doubt a one-off phishing email test would raise staff awareness. You need a continuous educational program and periodic testing so that staff (or anyone) are trained to spot warning signs of a scam email.
 

Ediswan (Member, joined 15 Nov 2012, 1,091 messages, Stevenage)

> I doubt a one-off phishing email test would raise staff awareness. You need a continuous educational program and periodic testing so that staff (or anyone) are trained to spot warning signs of a scam email.
It is not even clear that there were any warning signs in the email.
 

Darandio (Established Member, joined 24 Feb 2007, 9,860 messages, Redcar)

The WMR response is as hilarious as the whole test itself. The fact that someone believed this was a great idea boggles my mind.
 

Journeyman (Established Member, joined 16 Apr 2014, 6,278 messages)

Unbelievably stupid. It wouldn't surprise me if a ballot for strike action follows.
 

43096 (On Moderation, joined 23 Nov 2015, 10,838 messages)

> Promising a non-existent bonus. The RMT have downed tools for less.
Should be being thanked by the RMT for educating their members with an important life lesson not to click on every link.

This is a fairly standard IT practice in large organisations - typical of railway staff to throw their toys out of the pram about it.
 

bcarmicle (Member, joined 11 May 2018, 37 messages)

GoDaddy (a web hosting firm) did the same thing last Christmas, and made quite a splash in the news.
 

Fuzzytop (Member, joined 4 Jan 2017, 203 messages)

IT tech here too. I recently noticed Microsoft 365 were promoting an Attack Simulator to do just these kinds of fake campaigns:

It struck me as a tad insensitive, if I'm honest. These spearphishing attacks are trouble, but running a test on staff - especially in the current circumstances - felt to me like it would break down more trust than anything else.
 

deltic (Established Member, joined 8 Feb 2010, 2,506 messages)

Our company periodically sends out such emails, but not as crass as this.
 

Energy (Established Member, joined 29 Dec 2018, 2,576 messages)

> Should be being thanked by the RMT for educating their members with an important life lesson not to click on every link.
>
> This is a fairly standard IT practice in large organisations - typical of railway staff to throw their toys out of the pram about it.

I personally think it's a good idea. Sure, employees aren't expected to be cybersecurity experts, but people are almost always the easiest weak point in cybersecurity, so basic training like how to detect phishing links should be happening. Promising a bonus may be seen as insensitive during times when many have lost their jobs, so maybe sending one pretending to be Microsoft Office (or other software they use) might be better.
 

D365 (Established Member, joined 29 Jun 2012, 8,768 messages)

> Our company periodically sends out such emails but not as crass as this

Ditto, it's a pretend phishing exercise to keep us "on guard"! But yes, I agree this was very insensitive. As you'll know, there are far better ways of executing this exercise.
 

DelayRepay (Established Member, joined 21 May 2011, 1,641 messages)

> Our company periodically sends out such emails but not as crass as this

My (not railway) employer sends this type of message on a regular basis but they have never promised a bonus!

They typically say things like 'your parcel could not be delivered, click here to re-arrange delivery'.
 

LowLevel (Established Member, joined 26 Oct 2013, 5,515 messages)

> I personally think it's a good idea. Sure, employees aren't expected to be cybersecurity experts, but people are almost always the easiest weak point in cybersecurity, so basic training like how to detect phishing links should be happening. Promising a bonus may be seen as insensitive during times when many have lost their jobs, so maybe sending one pretending to be Microsoft Office (or other software they use) might be better.

It is a standard thing within Abellio companies, but it usually takes the form of something less offensive and irritating, albeit enticing, like "click this link for a free voucher for StarBocks".
 

Fawkes Cat (Established Member, joined 8 May 2017, 1,409 messages)

It's not the anti-phishing education which is a problem - lots of employers do that, however annoying it might be. It's the purporting to make a commitment on behalf of another part of management that's likely to cause trouble.
 

satisnek (Member, joined 5 Sep 2014, 643 messages, Kidderminster/Mercia Marina)

Wow... My own employer's IT department has teamed up with this outfit (read all about it and make up your own mind) which sends out simulated phishing emails. Since I use my work email solely for internal use and one-to-one correspondence with customers, these things stick out like a sore thumb and as far as I'm concerned it constitutes harassment. But this takes things to a whole new level...
 

Solent&Wessex (Established Member, joined 9 Jul 2009, 2,504 messages)

Something very similar (but not offering rewards or bonuses!) happened at another TOC (with a different owning group) a few years ago. The phishing email went to some but not all staff, including front line staff who only have email access on their phone and some who aren't very IT literate at all. If you were unfortunate enough to click through on the link in the email, then you got ordered to complete an online course and end-of-course test about IT security.

There was a big hullabaloo about it with the union as a) the union were not aware of it and most importantly b) the company, initially, refused to release front line staff from their duties to complete the online course and said they would have to do it either during their working day (not that easy when you are frontline staff without company computer access and working on a train all day apart from break periods in messrooms) or in their own time and if they didn't complete it by a set date disciplinary action may be taken.
 

RPM (Established Member, joined 24 Sep 2009, 1,418 messages, Buckinghamshire)

No honourable way out of this other than paying some sort of bonus. It won't happen though, obviously.
 

Energy (Established Member, joined 29 Dec 2018, 2,576 messages)

> and as far as I'm concerned it constitutes harassment.

However irritating they are, they serve an important purpose: phishing emails are common, and it only takes one person to fall for one for quite a lot of damage to be done.

> a) the union were not aware of it

That's a bit of a stupid reason; the scammers who send them don't warn people.

> b) the company, initially, refused to release front line staff from their duties to complete the online course and said they would have to do it either during their working day (not that easy when you are frontline staff without company computer access and working on a train all day apart from break periods in messrooms) or in their own time and if they didn't complete it by a set date disciplinary action may be taken.

That is a fair reason: the training is important and is still training, so they should be given 10-20 minutes to complete it.
 

popeter45 (Member, joined 7 Dec 2019, 547 messages, London)

As somebody who works in IT security, I can see both sides of this.
On one hand, yes, this was crass, but cyber-criminals won't dumb down their attack because the end user isn't an IT wiz.

> No honourable way out of this other than paying some sort of bonus. It won't happen though, obviously.

The issue there is it sort of rewards people for failing a security test and potentially creates a culture where such attacks are way more likely to succeed.
 

Hadders (Established Member, Senior Fares Advisor, joined 27 Apr 2011, 9,033 messages)

The company I work for sends out test phishing emails.

To be fair to WMR, it would be good to see the actual text of the email. For example, many phishing emails have spelling mistakes, would ask you to click links that don't look legitimate, etc., in a similar fashion to the sort of phishing emails you get claiming to be from HMRC etc.

I suspect this is what has happened here.
 

43096 (On Moderation, joined 23 Nov 2015, 10,838 messages)

> The company I work for sends out test phishing emails.
>
> To be fair to WMR, it would be good to see the actual text of the email. For example, many phishing emails have spelling mistakes, would ask you to click links that don't look legitimate, etc., in a similar fashion to the sort of phishing emails you get claiming to be from HMRC etc.
>
> I suspect this is what has happened here.

It would be interesting to see what the text was. If it says "Click here to claim your bonus" or whatever, then it just shows people are not thinking before they're clicking. Who has ever had to click a link for a bonus: normally you get told about it and it appears in your bank account - you don't have to claim it.