Train firm slammed over 'bonus' phishing test

Security experts suggest businesses use other 'lures' to avoid upsetting workers in the current climate

A train operated by the West Midlands Trainline parked in a station

Bosses at West Midlands Trainline are facing a backlash after they used the promise of a company-wide bonus as a lure in a phishing simulation test

Julian Edwards, the managing director of the train operator, emailed the company's 2,500 employees with a message saying it wanted to thank them for their hard work during the pandemic, according to the Guardian.

The email promised a one-off payment, but those who clicked the link for the bonus received a message telling them it was a "phishing simulation test" designed by the firm's IT team to entice employees.

The leader of the Transport Salaried Staffs Association, Manuel Cortes, called the email "crass and reprehensible", according to the Guardian, especially considering many of the people who work for West Midlands Trainline have had to do so on the front line throughout the pandemic.

However, while the initiative isn't ideal in the current climate, there's often a balance between upsetting the business vs what a malicious attacker would consider, according to Scott Nicholson, the co-CEO of cyber security firm Bridewell Consulting

"In reality, malicious phishing campaigns will devise the content that is most likely to achieve success," Nicholson told IT Pro. "However, on the other hand, there are many other topics that can be used and techniques to improve user behaviour and phishing defence, detection and response.

Related Resource

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Prevent fraud and phishing attacks with DMARC - whitepaper from MimecastDownload now

"In this instance, employees will understandably feel frustrated and I wonder whether key business stakeholders were aware of the content and topic beforehand. Often, when developing internal phishing awareness campaigns, it is useful to have a small group of key stakeholders agree on phishing content so that an organisation can reduce the risk of phishing attacks but without demotivating or upsetting the workforce." 

Nicholson added that phishing simulations are an essential awareness tool but he also warned that they should not be solely relied upon. The content of the attack requires careful consideration, he said, as businesses can achieve the same outcomes without upsetting their employees.

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Recommended

X-rated phishing attacks just keep growing
phishing

X-rated phishing attacks just keep growing

4 Jun 2021
eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020
phishing

eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020

20 Apr 2021

Most Popular

Zoom: From pandemic upstart to hybrid work giant
video conferencing

Zoom: From pandemic upstart to hybrid work giant

14 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021