UK rail operator West Midlands Trains sent an email to 2,500 employees to thank them for hard work during COVID and promised a one-time bonus as a reward, but that lovely news turned out to be phishing training. Needless to say, it did not go over well.
The deliberately inauthentic email first thanked staff for their hard work, then added: "We realise that a huge strain was placed upon a large number of our workforce as a result of COVID-19 ... and we would like to offer you a one-off payment to say thank you for all of your hard work over the past 12 months or so."
Readers were told to click on a link to register for their bonus, but those who followed instructions were sent news of their infosec failings and offered handy tips for the future like "be vigilant with all links and attachments" and "never click on a link that looks suspicious."
The email to employees from West Midlands Trains rationalised the test with the following text:
This test was purposefully designed to closely mimic the tactics that, sadly, are being used on a daily basis by expert criminal organisations to try to gain access to company data and systems.
The Transport Salaried Staffs' Association (TSSA) issued a statement in which general secretary Manuel Cortes called the cybersecurity-drill-gone-wrong a "cynical and shocking stunt." The union described the behaviour as "totally crass and reprehensible" and cited the many COVID cases and one death among the company's essential workers as evidence of management's insensitivity.
The event may end up costing the UK train operating company as Cortes has demanded the company make good and provide the promised bonuses.
Furthermore, while the "test" may have made it easy for the IT team to find security flaws, it looks likely to make plenty of work for West Midlands Trains' crisis public relations team, although they do not yet seem to have caught on.
Some of the jobs at West Midlands Railway pay half the national average, a fraction of the pay of a senior director.
It's lazy & unethical to exploit low paid staff risking their lives in a pandemic with false promises of a bonus to check if your IT training is up to scratch.
— Iain Collins (@iaincollins) May 10, 2021
West Midlands Railway suggested if you are not happy with their response to date, or lack thereof, you can make a formal complaint online.
Hello. Sorry you are not happy. I can see that you have read our reply as to why the email was sent out, however if you would like to make a formal complaint then please use the live feedback form as above or to receive an official reply, use https://t.co/KzsifNQEtz
— West Midlands Railway (@WestMidRailway) May 10, 2021
The phishing test email claimed to come from the desk of recently appointed West Midlands Trains managing director Julian Edwards.
Which just goes to prove the old saying that the phish rots from the head. ®