Train operator phlunks phishing test by teasing employees with non-existent COVID bonus

Someone at West Midlands Trains approved nasty cybersecurity drill


UK rail operator West Midlands Trains sent an email to 2,500 employees to thank them for hard work during COVID and promised a one-time bonus as a reward, but that lovely news turned out to be phishing training. Needless to say, it did not go over well.

The deliberately inauthentic email first thanked staff for their hard work, then added: "We realise that a huge strain was placed upon a large number of our workforce as a result of COVID-19 ... and we would like to offer you a one-off payment to say thank you for all of your hard work over the past 12 months or so."

Readers were told to click on a link to register for their bonus, but those who followed instructions were sent news of their infosec failings and offered handy tips for the future like "be vigilant with all links and attachments" and "never click on a link that looks suspicious."

The email to employees from West Midlands Trains rationalised the test with the following text:

This test was purposefully designed to closely mimic the tactics that, sadly, are being used on a daily basis by expert criminal organisations to try to gain access to company data and systems.

The Transport Salaried Staffs' Association (TSSA) issued a statement in which general secretary Manuel Cortes called the cybersecurity-drill-gone-wrong a "cynical and shocking stunt." The union described the behaviour as "totally crass and reprehensible" and cited the many COVID cases and one death among the company's essential workers as evidence of management's insensitivity.

The event may end up costing the UK train operating company, as Cortes has demanded the company make good and provide the promised bonuses.

Furthermore, while the "test" may have made it easy for the IT team to find security flaws, it looks set to make plenty of work for West Midlands Trains' crisis public relations team, although it appears they have not yet caught on.

West Midlands Railway suggested if you are not happy with their response to date, or lack thereof, you can make a formal complaint online.

The phishing test email claimed to come from the desk of recently appointed West Midlands Trains managing director Julian Edwards.

Which just goes to prove the old saying that the phish rots from the head. ®

Biting the hand that feeds IT © 1998–2021