Train firm slammed over 'bonus' phishing test

Security experts suggest businesses use other 'lures' to avoid upsetting workers in the current climate

A train operated by the West Midlands Trainline parked in a station

Bosses at West Midlands Trainline are facing a backlash after they used the promise of a company-wide bonus as a lure in a phishing simulation test

Julian Edwards, the managing director of the train operator, emailed the company's 2,500 employees with a message saying it wanted to thank them for their hard work during the pandemic, according to the Guardian.

The email promised a one-off payment, but those who clicked the link for the bonus received a message telling them it was a "phishing simulation test" designed by the firm's IT team to entice employees.

The leader of the Transport Salaried Staffs Association, Manuel Cortes, called the email "crass and reprehensible", according to the Guardian, especially considering many of the people who work for West Midlands Trainline have had to do so on the front line throughout the pandemic.

However, while the initiative isn't ideal in the current climate, there's often a balance between upsetting the business vs what a malicious attacker would consider, according to Scott Nicholson, the co-CEO of cyber security firm Bridewell Consulting

"In reality, malicious phishing campaigns will devise the content that is most likely to achieve success," Nicholson told IT Pro. "However, on the other hand, there are many other topics that can be used and techniques to improve user behaviour and phishing defence, detection and response.

Related Resource

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Prevent fraud and phishing attacks with DMARC - whitepaper from MimecastFree download

"In this instance, employees will understandably feel frustrated and I wonder whether key business stakeholders were aware of the content and topic beforehand. Often, when developing internal phishing awareness campaigns, it is useful to have a small group of key stakeholders agree on phishing content so that an organisation can reduce the risk of phishing attacks but without demotivating or upsetting the workforce." 

Nicholson added that phishing simulations are an essential awareness tool but he also warned that they should not be solely relied upon. The content of the attack requires careful consideration, he said, as businesses can achieve the same outcomes without upsetting their employees.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

Education and government most at risk from email threats
phishing

Education and government most at risk from email threats

26 Nov 2021
Attackers use CSS to fool anti-phishing systems
phishing

Attackers use CSS to fool anti-phishing systems

11 Nov 2021
X-rated phishing attacks just keep growing
phishing

X-rated phishing attacks just keep growing

4 Jun 2021
eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020
phishing

eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020

20 Apr 2021

Most Popular

Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
UK businesses urged to join four-day working week trial
Business operations

UK businesses urged to join four-day working week trial

17 Jan 2022