West Midlands Trains (WMR/LNR) send staff an email about a bonus... as a cybersecurity test

Flange Squeal

Established Member
Joined
17 Jul 2012
Messages
1,265
Should be being thanked by the RMT for educating their members with an important life lesson not to click on every link.

This is a fairly standard IT practice in large organisations - typical of railway staff to throw their toys out of the pram about it.
I don't think people are against the principle of the phishing education itself, and indeed on the face of it I don't think it is a bad idea at all. What I think has upset people in this case is that we are still in a pandemic which has caused a lot of people across society to be suffering quite severe anxiety and stress, which may have been heightened for some of the recipients of this email, who may have - if frontline staff - spent even the worst periods of it still having to encounter hundreds of strangers on a daily basis, and/or who have lost friends or loved ones to Covid.

It is of course true that cybercriminals will go for potentially vulnerable targets as that is where they are most likely to get 'results', so a fake bonus scheme is a good example of a potential scam. But for a company to send out an email with not just the mention of money but also a "promise of thanks" to the very people who have kept their operation going on the frontline, only for them to click through and be told it's false, could almost imply to the recipients that the organisation doesn't thank them at all for their efforts, and instead wants to laugh at their expense. It just seems rather insensitive in my opinion, even if the intentions behind the idea were good.

Perhaps a different subject matter, more general to the business, might've been a better, more sensitive option? Something like a fictitious change to the payroll system in line with the new tax year requiring you to confirm your bank account details are up to date, where clicking through gives you the explanation about phishing and the dangers of having entered bank account details, plus perhaps a written example of how scammers could invent a bonus scheme email as a scam, might've been an alternative method of such education?

I would also point out that it is a representative of the TSSA union that features in the article and giving a negative reaction - not the RMT.
 

FGW_DID

Established Member
Joined
23 Jun 2011
Messages
2,729
Location
81E
:lol: Perhaps a clever ploy by the accounts team! Send out the real email, to claim a bonus, next week. Nobody will click on it, thinking it’s the IT team trying to catch them out again. Voila, no bonuses paid, company has saved a fortune!:lol:
 

Hadders

Veteran Member
Associate Staff
Senior Fares Advisor
Joined
27 Apr 2011
Messages
13,197
It would be interesting to see what the text was. If it says "Click here to claim your bonus" or whatever, then it just shows people are not thinking before they're clicking. Who has ever had to click a link for a bonus: normally you get told about it and it appears in your bank account - you don't have to claim it.
Indeed. The subject of the email doesn't exactly sound ideal but we do need to bear in mind that fraudsters do indeed stoop to this type of level to try and get information out of people so it's hardly surprising that organisations will want to try and send realistic type of emails to their colleagues.

Just recently I've had fake emails about:

Bank transactions
Outstanding phone bills
My tax rebate (I wish....)

All of which were false but I could easily have compromised my online security.
 

birchesgreen

Established Member
Joined
16 Jun 2020
Messages
5,156
Location
Birmingham
Sounds a bit like a prank. Some years ago I knew someone who worked in the IT dept of my employer at the time; he sent a fake email to his team in the manager's name saying that there were going to be job losses. All a prank. Though oddly enough he was right, there was one job loss... :lol:
 

Mike395

Forum Staff
Staff Member
Administrator
Joined
23 May 2009
Messages
2,910
Location
Bedford
It'd be interesting to see the message headers for the email that was sent - if it was sent from the mail server that WMT use for legitimate email, I wonder if this could possibly be seen as constituting a contract for offering a bonus.

Regardless, unless staff were advised in advance of this test possibly occurring (either in their contracts or via some other medium - though perhaps not specifying when, a bit like a fire drill) this is ethically problematic. As an employee, I'd be concerned that my response may be recorded somewhere, regardless of whether any official disciplinary action was taken.
 

Energy

Established Member
Joined
29 Dec 2018
Messages
4,477
Regardless, unless staff were advised in advance of this test possibly occurring (either in their contracts or via some other medium - though perhaps not specifying when, a bit like a fire drill) this is ethically problematic.
It should probably be said in their contract that these will happen, although there shouldn't be any indication when; real phishing links do not give warning, so neither should these.
 

Mike395

Forum Staff
Staff Member
Administrator
Joined
23 May 2009
Messages
2,910
Location
Bedford
It should probably be said in their contract that these will happen although there shouldn't be any indication when, real phishing links do not give warning so neither should these.
Oh, for sure - sending out a circular a few weeks before, or even having it displayed as a possibility somewhere on an internal intranet would probably suffice. Not doing anything at all - as I assume has happened here - is still ethically problematic, regardless of the e-mail's content. The mention of a bonus causes additional problems, but even if it was phishing for other details such as company login credentials, I'd be wanting to see some sort of advance warning as to the sort of test that might happen, along with a statement advising exactly how any data collected in the test will be used.
 

172007

Member
Joined
2 Jan 2021
Messages
736
Location
West Mids
Doubt any drivers will have been caught out; none I know use email or the tablets we were given. Rostering is still manual and paper-based, so no point to the tablets.
 

flitwickbeds

Member
Joined
19 Apr 2017
Messages
529
I am a key worker whose job can't be done from home, so have been travelling to Central London 4 times a week during the whole of Covid. I and my colleagues who attended work for more than an (unspecified) percentage of their contracted hours did genuinely receive a £250 gift voucher as thanks for "keeping the show on the road". This arrived in the form of an email which contained a link which had to be clicked to see or spend the voucher.

The difference was we got an individual email from our line managers a few days before saying that a "surprise" would come into our inboxes around midday on a specified day. So we were already aware and on the lookout to see what the surprise would be.

I'd like to see the text and subject of the email, but my thoughts are that the way this was done seems very insensitive and, in some ways, pretty unrealistic in terms of a phishing email anyway. Did the email come from a genuine NWR email address? Was there any personalisation using genuine employee data? If yes, then the scammers wouldn't easily be able to replicate that anyway.
 

Mike395

Forum Staff
Staff Member
Administrator
Joined
23 May 2009
Messages
2,910
Location
Bedford
Did the email come from a genuine NWR email address? Was there any personalisation using genuine employee data? If yes, then the scammers wouldn't easily be able to replicate that anyway.

Just to pick up on this bit, the better phishing emails are getting quite clever on the domains/e-mail addresses used - e.g. I recently had a realistic-looking tracking message from Royal Mail and the email address used was something akin to [email protected] - sure enough, royalmailgroup.co.uk had a very realistic version of the Royal Mail tracking page (with a fee to pay on the item, naturally!), with a tracking number in the correct RM format, and the domain name isn't obviously not legitimate so I can see why people would be caught out.
 

Wolfie

Established Member
Joined
17 Aug 2010
Messages
6,159
It would be interesting to see what the text was. If it says "Click here to claim your bonus" or whatever, then it just shows people are not thinking before they're clicking. Who has ever had to click a link for a bonus: normally you get told about it and it appears in your bank account - you don't have to claim it.
Now that I agree with.
 

Energy

Established Member
Joined
29 Dec 2018
Messages
4,477
Absolute lunacy. No worker would not click on that, particularly if the company, as my employer does, has a tendency to send corporate stuff to all staff.
That's the point. Assuming it looks like a phishing email, the employee should spot that before they click on it.
 

flitwickbeds

Member
Joined
19 Apr 2017
Messages
529
Just to pick up on this bit, the better phishing emails are getting quite clever on the domains/e-mail addresses used - e.g. I recently had a realistic-looking tracking message from Royal Mail and the email address used was something akin to [email protected] - sure enough, royalmailgroup.co.uk had a very realistic version of the Royal Mail tracking page (with a fee to pay on the item, naturally!), with a tracking number in the correct RM format, and the domain name isn't obviously not legitimate so I can see why people would be caught out.
Yes, true. However that was (presumably) totally unsolicited so wouldn't have included your name. Best it would (probably) have said would be something like "To [email protected]", "Dear sir/madam" or some other generic greeting.

Additionally, in order to show the staff a "haha, there's no bonus for you, fool, however you could've just downloaded a virus or submitted personal information to scammers" message that would have had to have been hosted on their Intranet (unless a whole domain name and hosting account was purchased for this, or there was a third party company involved using websites they controlled). Therefore, the link in the email would have pointed to the genuine Intranet domain name, and therefore shouldn't have raised any suspicions.
 

43096

On Moderation
Joined
23 Nov 2015
Messages
15,300
Additionally, in order to show the staff a "haha, there's no bonus for you, fool, however you could've just downloaded a virus or submitted personal information to scammers" message that would have had to have been hosted on their Intranet (unless a whole domain name and hosting account was purchased for this, or there was a third party company involved using websites they controlled). Therefore, the link in the email would have pointed to the genuine Intranet domain name, and therefore shouldn't have raised any suspicions.
Why would you click on a link to get a work-related bonus? Think about it... If they are paying a bonus it goes straight into your pay in the normal way, you don’t have to register for it.
 
Joined
28 Feb 2009
Messages
202
My company sends out test phishing e-mails. It also sends out genuine e-mails which look like phishing due to poor syntax, punctuation, etc. which I have reported on the odd occasion.:rolleyes:
 

Parallel

Established Member
Joined
9 Dec 2013
Messages
3,937
I think it’s inappropriate for an employer to send out this as a cybersecurity test. My employer sends cybersecurity tests out but thankfully some degree of thought goes behind the emails, which won’t result in the majority of their staff being cheesed off.
 

Dave W

Member
Joined
27 Sep 2019
Messages
589
Location
North London
My organisation distributes reward and recognition vouchers using Edenred which, lo and behold, arrive in the form of a not altogether slick email.

I work in IT - I’m a service manager. There are several ways to skin the cyber security awareness cat which don’t involve trying to catch out overworked staff who’ve put themselves on the line for the business (and the public) over the last 15 months, especially regarding pay. Have to say it all feels a little crass to me.
 

popeter45

Member
Joined
7 Dec 2019
Messages
1,108
Location
london
My organisation distributes reward and recognition vouchers using Edenred which, lo and behold, arrive in the form of a not altogether slick email.

I work in IT - I’m a service manager. There are several ways to skin the cyber security awareness cat which don’t involve trying to catch out overworked staff who’ve put themselves on the line for the business (and the public) over the last 15 months, especially regarding pay. Have to say it all feels a little crass to me.
Yeah, if anything, before you send such emails maybe it's a good idea to first check if you're creating an attack vector yourself by using such methods in the first place.
 

flitwickbeds

Member
Joined
19 Apr 2017
Messages
529
Why would you click on a link to get a work-related bonus? Think about it... If they are paying a bonus it goes straight into your pay in the normal way, you don’t have to register for it.
As I explained upthread, and @Dave W also testifies, my organisation this year sent me a "thank-you" voucher for £250 for working for the last 15 months. This was in the form of a "voucher", issued by a third party, and containing a link in the email to (paraphrase) "Click here to view your reward and see spending options".
 

Flange Squeal

Established Member
Joined
17 Jul 2012
Messages
1,265
The TSSA union have published the text of the original email on their website, plus the reply that those who responded got. The two quotes below show each respective message.

Original email:

Dear All,

Thank you for your hard work. We realise that a huge strain was placed upon a large number of our workforce as a result of COVID-19. This has not been easy for any of us and we would like to offer you a one-off payment to say thank you for all of your hard work over the past 12 months or so.

Please visit the following link which has a personal message from Julian Edwards as well as the information of your one-off payment: Message From Julian -

Again, many thanks for your hard work and I hope that this gift will inspire you to keep up the good work.

Regards,

Finance and Payroll.

Company reply:

Dear (redacted)

I am writing to you to update you on the outcome of the recent phishing simulation test performed by IT. In the email, you were invited to click on a link, and on the next page to enter your Microsoft Office 365 login (your work account) details.

I am writing to confirm that this was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward to try and convince you to provide your details. This test was purposefully designed to closely mimic the tactics that, sadly, are being used on a daily basis by expert criminal organisations to try to gain access to company data and systems.

We, along with every organisation, remain susceptible to attempts to access our systems and data. It is crucial that we all play our part as just one error can be enough to result in significant damage.

Below are the main points to remember when using work systems at WMT:

· Be vigilant with all links and attachments.

· Never click on a link that looks suspicious.

· Never enter your work login details into anything other than the first time you log in to your WMT work system or known business provided systems.

· If you are unsure about whether something is suspicious, stop, do not proceed, and contact the WMT IT Service Desk team on 0344 7700 791.

· If you receive an email that suggests you must do something, sometimes quickly, in order to benefit (e.g. ‘click here now to receive this reward’, ‘click this in the next 30 minutes to receive your payment’, ‘if you do not click this, you will miss out’), then it is likely to be a hoax and/or be part of a planned cyber-attack. In these situations, the best advice is to remember that you will not miss anything by not clicking a link in a work setting.
 

TheEdge

Established Member
Joined
29 Nov 2012
Messages
4,489
Location
Norwich
That wording is absolutely awful and crass given it's meant to be a phishing test. At least make it look like a phishing test, I don't think many people would think something written like that is a "scam".

Also I notice the link aims at a (now error) SharePoint address so anyone who took the moment to hover over the link would presumably have seen a legitimate WMR SharePoint address.
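Three checks come up in this thread: whether the link text and the real link target agree (the "hover over the link" test above), whether the target is a lookalike of a genuine brand domain (the royalmailgroup.co.uk example upthread), and whether the body uses the urgency phrases WMT's own reply lists. The script below is an added example, not code from any poster or from WMT; the brand-domain table, the registrable-domain rule and the sample messages are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Urgency cues quoted from the WMT reply in this thread.
URGENCY_PHRASES = ("click here now", "in the next 30 minutes", "you will miss out")
# Known legitimate domain -> brand token to look for in lookalikes (constructed table).
BRAND_DOMAINS = {"royalmail.com": "royalmail"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude approximation (assumption): last two labels, or three for co.uk-style suffixes.
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "gov", "ac"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse(html_body, text_body):
    """Return a list of human-readable findings for one message (empty = nothing flagged)."""
    findings = []
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())  # a domain in the link text?
        if shown and registrable_domain(shown.group(0)) != target:
            findings.append(f"link text shows {shown.group(0)} but points to {host}")
        for legit, brand in BRAND_DOMAINS.items():
            if brand in target and target != legit:
                findings.append(f"lookalike domain {target} (legitimate is {legit})")
    lowered = text_body.lower()
    findings.extend(f"urgency cue: '{p}'" for p in URGENCY_PHRASES if p in lowered)
    return findings


# Constructed sample modelled on the Royal Mail lure described upthread.
SAMPLE_HTML = ('<p>Your parcel is held. '
               '<a href="https://track.royalmailgroup.co.uk/fee">royalmail.com/track</a></p>')
SAMPLE_TEXT = "Your parcel is held. Click here now to pay the fee or you will miss out."

if __name__ == "__main__":
    for finding in analyse(SAMPLE_HTML, SAMPLE_TEXT):
        print(finding)
```

As TheEdge points out, the WMT test linked to a genuine SharePoint address, so the first two checks would have passed it; only the wording check would have had anything to say.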
 

ComUtoR

Established Member
Joined
13 Dec 2013
Messages
9,455
Location
UK
Why would you click on a link to get a work-related bonus? Think about it... If they are paying a bonus it goes straight into your pay in the normal way, you don’t have to register for it.

My TOC paid a bonus recently. It came from an unannounced external source which required you to click a link to a random website to claim. It was paid in vouchers, not into the bank.
 

Hadders

Veteran Member
Associate Staff
Senior Fares Advisor
Joined
27 Apr 2011
Messages
13,197
The TSSA union have published the text of the original email on their website, plus the reply that those who responded got. The two quotes below show each respective message.

Original email:

Company reply:
I'm all for emulating realistic scenarios in test phishing emails but this is pretty insensitive. There would have been better ways of wording it, adding in some obvious spelling errors etc.
 
Joined
29 Sep 2010
Messages
175
This has the stamp of an HR department on manoeuvres. It is entrapment, and about as subtle as having pretty policemen hanging around toilets, waiting to catch out gay men.
 

Fawkes Cat

Established Member
Joined
8 May 2017
Messages
2,990
This has the stamp of an HR department on manoeuvres. It is entrapment, and about as subtle as having pretty policemen hanging around toilets, waiting to catch out gay men.
A little unfair on HR I think. It looks to me much more like IT Security having a cunning plan to put out something that looks real, and not thinking through the implications.

The point that IT Security were trying to make is valid - not all phishing attempts are badly spelt. But this example fails because to use an issue as sensitive as coronavirus is (as someone said upthread) crass.
 

GB

Established Member
Joined
16 Nov 2008
Messages
6,457
Location
Somewhere
But this example fails because to use an issue as sensitive as coronavirus is (as someone said upthread) crass.

I don't think using coronavirus is the main issue. I think it's the fact the email apparently originated from an official internal source. If my MD sent an email from his work email address to my work email address with a link to official work resources, then I would not consider that phishing.
 

pitdiver

Member
Joined
22 Jan 2012
Messages
1,076
Location
Nottinghamshire
Upthread it was mentioned that staff should be given time during the working day to complete an online training exercise. I used to work for a large retailer who EXPECTED their staff to complete this type of training in their own time.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,879
Location
"Marston Vale mafia"
A little unfair on HR I think. It looks to me much more like IT Security having a cunning plan to put out something that looks real, and not thinking through the implications.

The point that IT Security were trying to make is valid - not all phishing attempts are badly spelt. But this example fails because to use an issue as sensitive as coronavirus is (as someone said upthread) crass.

Agreed. They could have picked something else - in the context of people having gone "above the call of duty" and been quite ill for COVID (and potentially lost colleagues, friends and family to it) this is really, really crass.

I'd say WMT should actually pay a bonus to all staff as a way of putting this right. Wouldn't have to be huge, few hundred perhaps. Just to accept that they got this very wrong and that they do agree with the sentiment.
 

172007

Member
Joined
2 Jan 2021
Messages
736
Location
West Mids
I am awaiting the next E-Pay email to say I have a new weekly timeshare or monthly pay slip. Would be easy to spoof that link and get people to click on it automatically.
 