Phishing simulations are an important way to test resilience to phishing attacks, but a British train company has discovered these campaigns can easily backfire if care is not taken when selecting suitable lures for the phishing simulation emails.
West Midland Trains recently sent a phishing simulation email to staff that had all the hallmarks of a real-world phishing attack. The emails looked realistic, they appeared to have been sent by the train company’s managing director, and recipients of the email were offered a financial reward to entice them into taking an action which, in a normal phishing email, could have installed malware or resulted in the theft of credentials.
The subject of the emails? Employees were told that in response to their hard work as key workers during the COVID-19 pandemic, they were eligible for a one-off payment as a reward for their efforts. The payment was being offered because a “huge strain was placed on a large number of our workforce,” which warranted a bonus.
The phishing simulation emails were sent to approximately 2,500 employees. The emails included a link that employees were encouraged to click for further information. If that link was clicked, the employees were directed to a web page where they were informed, “This was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward.”
Understandably, there has been a backlash from employees and unions over the phishing simulation. The Transport Salaried Staffs’ Association (TSSA) union called the ill-thought-out campaign “crass and reprehensible.”
A spokesperson for West Midland Trains issued a statement explaining, “The design of the email was just the sort of thing a criminal organization would use—and thankfully it was an exercise without the consequences of a real attack.”
TSSA general secretary Manuel Cortes said, “Our members have made real sacrifices these past 12 months and more. Some WMT staff have caught the disease at work, one has tragically died, and others have placed family members at great risk.” Cortes is seeking an apology from West Midland Trains and has suggested an actual bonus should now be paid to staff.
This is of course not the first time that a company has chosen a bonus or pay rise as a theme for their phishing simulations, only for the messages to cause outrage amongst staff. In September 2020, Tribune Publishing similarly conducted a phishing simulation in which its employees were offered a $10,000 bonus. Employees were outraged, with the Sentinel Guild, a union of employees at the Orlando Sentinel, calling the phishing simulation “a slap in the face and tone-deaf.”
Tribune Publishing later issued a statement apologizing for the phishing simulation, “In retrospect, the topic of the email was misleading and insensitive, and the company apologizes for its use.”
Phishing simulations are important for testing the effectiveness of security awareness training courses and resilience to phishing attacks. They allow companies to identify individuals who are susceptible to phishing attacks so they can receive further training. While it is important to make sure the phishing emails are realistic and mirror real-world phishing lures, care should be taken when selecting lures in simulated phishing campaigns to keep the staff on side.