Staff Bonus was “Crass” Phishing Simulation

A British train company has been criticized for running a cybersecurity test that made employees think they would receive a bonus for working hard during the pandemic.

West Midlands Trains sent an email purporting to be from the company’s managing director, Julian Edwards, out to its approximately 2,500 employees. The missive thanked staff for toiling through 2020 and told them that they would receive a one-off payment as a reward for their efforts.

But what appeared to be a welcome bonus during difficult times was actually a phishing simulation. When workers clicked on a link that appeared to connect to a personal thank you from Edwards, they were greeted with a message stating that the email was a cybersecurity test.

“This was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward,” read the message, reported by The Guardian.

The leader of the trade union the Transport Salaried Staffs’ Association (TSSA) slammed the simulation as “crass and reprehensible” because many West Midlands Trains workers had been ill with the coronavirus and one had died after contracting COVID-19.

Manuel Cortes, general secretary of the TSSA, said: “This was a cynical and shocking stunt by West Midlands Trains, designed to trick employees who have been on the frontline throughout this terrible pandemic—ensuring essential workers were able to travel.

“The company must now account for their totally crass and reprehensible behavior. They could and should have used any other pretext to test their internet security. It’s almost beyond belief that they chose to falsely offer a bonus to workers who have done so much in the fight against this virus.”

A spokesperson for West Midlands Trains said that the simulation was an accurate representation of threat actors’ attack methods.

“We take cybersecurity very seriously. We run regular training and it’s important to test your resilience,” said the spokesperson.

“The design of the email was just the sort of thing a criminal organization would use—and thankfully it was an exercise without the consequences of a real attack.”

About the Author
Manuel W. Lloyd, ITIL®
Just a dude that loves technology
