Bosses at West Midlands Trainline are facing a backlash after they used the promise of a company-wide bonus as a lure in a phishing simulation test.
Julian Edwards, the managing director of the train operator, emailed the company's 2,500 employees with a message saying it wanted to thank them for their hard work during the pandemic, according to the Guardian.
The email promised a one-off payment, but those who clicked the link for the bonus received a message telling them it was a "phishing simulation test" designed by the firm's IT team to entice employees.
The leader of the Transport Salaried Staffs Association, Manuel Cortes, called the email "crass and reprehensible", according to the Guardian, especially considering many of the people who work for West Midlands Trainline have had to do so on the front line throughout the pandemic.
However, while the initiative isn't ideal in the current climate, there's often a balance between upsetting the business vs what a malicious attacker would consider, according to Scott Nicholson, the co-CEO of cyber security firm Bridewell Consulting
"In reality, malicious phishing campaigns will devise the content that is most likely to achieve success," Nicholson told IT Pro. "However, on the other hand, there are many other topics that can be used and techniques to improve user behaviour and phishing defence, detection and response.
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email security
"In this instance, employees will understandably feel frustrated and I wonder whether key business stakeholders were aware of the content and topic beforehand. Often, when developing internal phishing awareness campaigns, it is useful to have a small group of key stakeholders agree on phishing content so that an organisation can reduce the risk of phishing attacks but without demotivating or upsetting the workforce."
Nicholson added that phishing simulations are an essential awareness tool but he also warned that they should not be solely relied upon. The content of the attack requires careful consideration, he said, as businesses can achieve the same outcomes without upsetting their employees.
