
West Midlands Trains (WMR/LNR) send staff an email about a bonus... as a cybersecurity test

Status
Not open for further replies.

flitwickbeds

Member
Joined
19 Apr 2017
Messages
515

West Midlands Trains emailed about 2,500 employees with a message saying its managing director, Julian Edwards, wanted to thank them for their hard work over the past year under Covid-19. The email said they would get a one-off payment as a thank you after “huge strain was placed upon a large number of our workforce”.

However, those who clicked through on the link to read Edwards’ thank you were instead emailed back with a message telling them it was a company-designed “phishing simulation test” and there was to be no bonus. It warned: “This was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward.”
 
Fawkes Cat

Established Member
Joined
8 May 2017
Messages
2,943
I would so like to see the emails between IT Security and HR which I imagine followed this bright idea. I'm guessing that there's going to be 'guidance' issued to the company in general (and IT Security in particular) about getting future test messages cleared by someone who knows what they're talking about before issue.
 

Nexus

New Member
Joined
15 Mar 2018
Messages
4
I doubt a one-off phishing email test would raise staff awareness. You need a continuous educational program and periodic testing so that staff (or anyone) are trained to spot warning signs of a scam email.
 

Ediswan

Established Member
Joined
15 Nov 2012
Messages
2,842
Location
Stevenage
I doubt a one-off phishing email test would raise staff awareness. You need a continuous educational program and periodic testing so that staff (or anyone) are trained to spot warning signs of a scam email.
It is not even clear that there were any warning signs in the email.
 

Darandio

Established Member
Joined
24 Feb 2007
Messages
10,674
Location
Redcar
The WMR response is as hilarious as the whole test itself. The fact that someone believed this was a great idea boggles my mind.
 

Journeyman

Established Member
Joined
16 Apr 2014
Messages
6,295
Unbelievably stupid. It wouldn't surprise me if a ballot for strike action follows.
 

43096

On Moderation
Joined
23 Nov 2015
Messages
15,162
Promising a non-existent bonus. The RMT have downed tools for less.
They should be thanked by the RMT for educating their members with an important life lesson: not to click on every link.

This is a fairly standard IT practice in large organisations - typical of railway staff to throw their toys out of the pram about it.
 

bcarmicle

Member
Joined
11 May 2018
Messages
164
GoDaddy (a web hosting firm) did the same thing last Christmas, and made quite a splash in the news.
 

Fuzzytop

Member
Joined
4 Jan 2017
Messages
293
IT tech here too. I recently noticed Microsoft 365 were promoting an Attack Simulator to do just these kinds of fake campaigns:


It struck me as a tad insensitive, if I'm honest. These spearphishing attacks are trouble, but running a test on staff - especially in the current circumstances - felt to me like it would break down more trust than anything else.
 

deltic

Established Member
Joined
8 Feb 2010
Messages
3,201
Our company periodically sends out such emails, but not as crass as this.
 

Energy

Established Member
Joined
29 Dec 2018
Messages
4,421
They should be thanked by the RMT for educating their members with an important life lesson: not to click on every link.

This is a fairly standard IT practice in large organisations - typical of railway staff to throw their toys out of the pram about it.
I personally think it's a good idea. Sure, employees aren't expected to be cybersecurity experts, but people are almost always the easiest weak point in cybersecurity, so basic training like how to detect phishing links should be happening. Promising a bonus may be seen as insensitive during times when many have lost their jobs, so maybe sending one pretending to be Microsoft Office (or other software they use) might be better.
 

D365

Veteran Member
Joined
29 Jun 2012
Messages
11,396
Our company periodically sends out such emails, but not as crass as this.
Ditto, it's a pretend phishing exercise to keep us "on guard"! But yes, I agree this was very insensitive. As you'll know, there are far better ways of executing this exercise.
 

DelayRepay

Established Member
Joined
21 May 2011
Messages
2,929
Our company periodically sends out such emails, but not as crass as this.
My (not railway) employer sends this type of message on a regular basis but they have never promised a bonus!

They typically say things like 'your parcel could not be delivered, click here to re-arrange delivery'.
 

LowLevel

Established Member
Joined
26 Oct 2013
Messages
7,543
I personally think it's a good idea. Sure, employees aren't expected to be cybersecurity experts, but people are almost always the easiest weak point in cybersecurity, so basic training like how to detect phishing links should be happening. Promising a bonus may be seen as insensitive during times when many have lost their jobs, so maybe sending one pretending to be Microsoft Office (or other software they use) might be better.

It is a standard thing within Abellio companies, but it usually takes the form of something less offensive and irritating, albeit enticing, like "click this link for a free voucher for StarBocks".
 

Fawkes Cat

Established Member
Joined
8 May 2017
Messages
2,943
It's not the anti-phishing education which is a problem - lots of employers do that, however annoying it might be. It's the purporting to make a commitment on behalf of another part of management that's likely to cause trouble.
 

satisnek

Member
Joined
5 Sep 2014
Messages
886
Location
Kidderminster/Mercia Marina
Wow... My own employer's IT department has teamed up with this outfit (read all about it and make up your own mind) which sends out simulated phishing emails. Since I use my work email solely for internal use and one-to-one correspondence with customers, these things stick out like a sore thumb and as far as I'm concerned it constitutes harassment. But this takes things to a whole new level...
 

Solent&Wessex

Established Member
Joined
9 Jul 2009
Messages
2,683
Something very similar (but not offering rewards or bonuses!) happened at another TOC (with a different owning group) a few years ago. The phishing email went to some but not all staff, including front line staff who only have email access on their phone and some who aren't very IT literate at all. If you were unfortunate enough to click through on the link in the email, then you got ordered to complete an online course and end-of-course test about IT security.

There was a big hullabaloo about it with the union as a) the union were not aware of it and, most importantly, b) the company initially refused to release front line staff from their duties to complete the online course and said they would have to do it either during their working day (not that easy when you are frontline staff without company computer access and working on a train all day apart from break periods in messrooms) or in their own time, and if they didn't complete it by a set date disciplinary action may be taken.
 

RPM

Established Member
Joined
24 Sep 2009
Messages
1,466
Location
Buckinghamshire
No honourable way out of this other than paying some sort of bonus. It won't happen though, obviously.
 

JaJaWa

Established Member
Joined
14 Feb 2013
Messages
1,704
These emails are standard at many companies, I have received them before.
 

Energy

Established Member
Joined
29 Dec 2018
Messages
4,421
and as far as I'm concerned it constitutes harassment.
However irritating they are, they serve an important purpose: phishing emails are common, and it only takes one person to fall for it for quite a lot of damage to be done.
a) the union were not aware of it
That's a bit of a stupid reason; the scammers who send them don't warn people.
b) the company, initially, refused to release front line staff from their duties to complete the online course and said they would have to do it either during their working day (not that easy when you are frontline staff without company computer access and working on a train all day apart from break periods in messrooms) or in their own time and if they didn't complete it by a set date disciplinary action may be taken.
That is a fair reason; the training is important and is still training, so they should be given 10-20 minutes to complete it.
 

popeter45

Member
Joined
7 Dec 2019
Messages
1,105
Location
london
As somebody who works in IT security I can see both sides of this.
On one hand, yes, this was crass, but cyber-criminals won't dumb down their attack because the end user isn't an IT wiz.
No honourable way out of this other than paying some sort of bonus. It won't happen though, obviously.
The issue there is it sort of rewards people for failing a security test and potentially creates a culture where such attacks are way more likely to succeed.
 

Hadders

Veteran Member
Associate Staff
Senior Fares Advisor
Joined
27 Apr 2011
Messages
12,980
The company I work for sends out test phishing emails.

To be fair to WMR, it would be good to see the actual text of the email. For example, many phishing emails have spelling mistakes, would ask you to click links that don't look legitimate, etc., in a similar fashion to the sort of phishing emails you get claiming to be from HMRC etc.

I suspect this is what has happened here.
 

43096

On Moderation
Joined
23 Nov 2015
Messages
15,162
The company I work for sends out test phishing emails.

To be fair to WMR, it would be good to see the actual text of the email. For example, many phishing emails have spelling mistakes, would ask you to click links that don't look legitimate, etc., in a similar fashion to the sort of phishing emails you get claiming to be from HMRC etc.

I suspect this is what has happened here.
It would be interesting to see what the text was. If it says "Click here to claim your bonus" or whatever, then it just shows people are not thinking before they're clicking. Who has ever had to click a link for a bonus? Normally you get told about it and it appears in your bank account; you don't have to claim it.
 