Train firm slammed over 'bonus' phishing test
Security experts suggest businesses use other 'lures' to avoid upsetting workers in the current climate


Bosses at West Midlands Trainline are facing a backlash after they used the promise of a company-wide bonus as a lure in a phishing simulation test.
Julian Edwards, the managing director of the train operator, emailed the company's 2,500 employees with a message saying it wanted to thank them for their hard work during the pandemic, according to the Guardian.
The email promised a one-off payment, but those who clicked the link for the bonus received a message telling them it was a "phishing simulation test" designed by the firm's IT team to entice employees.
The leader of the Transport Salaried Staffs Association, Manuel Cortes, called the email "crass and reprehensible", according to the Guardian, especially considering many of the people who work for West Midlands Trainline have had to do so on the front line throughout the pandemic.
However, while the initiative isn't ideal in the current climate, there's often a balance between upsetting the business and what a malicious attacker would consider, according to Scott Nicholson, the co-CEO of cyber security firm Bridewell Consulting.
"In reality, malicious phishing campaigns will devise the content that is most likely to achieve success," Nicholson told IT Pro. "However, on the other hand, there are many other topics that can be used and techniques to improve user behaviour and phishing defence, detection and response.
"In this instance, employees will understandably feel frustrated and I wonder whether key business stakeholders were aware of the content and topic beforehand. Often, when developing internal phishing awareness campaigns, it is useful to have a small group of key stakeholders agree on phishing content so that an organisation can reduce the risk of phishing attacks but without demotivating or upsetting the workforce."
Nicholson added that phishing simulations are an essential awareness tool but he also warned that they should not be solely relied upon. The content of the attack requires careful consideration, he said, as businesses can achieve the same outcomes without upsetting their employees.
Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.
Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.