back to article Train operator phlunks phishing test by teasing employees with non-existent COVID bonus

UK rail operator West Midlands Trains sent an email to 2,500 employees to thank them for hard work during COVID and promised a one-time bonus as a reward, but that lovely news turned out to be phishing training. Needless to say, it did not go over well. The deliberately inauthentic email first thanked staff for their hard work …

  1. Anonymous Coward
    Anonymous Coward

    they had a cunning original (not) plan...

    https://medium.datadriveninvestor.com/the-lesson-of-godaddys-fake-christmas-bonus-email-phishing-test-ede2d171f266

  2. Allan George Dyer
    Big Brother

    "live feedback form"?

    What's the betting that the link is actually another phishing test? They do say, “never click on a link that looks suspicious.”, what could be more suspicious than a link on a social media site?

  3. 2+2=5 Silver badge
    Joke

    Next test

    Next security test will be an email saying "New staff competition - 10 lucky winners will get the chance to punch one of the management team in the gob. Click here to enter."

    1. Anonymous Coward
      Anonymous Coward

      Re: Next test

      Physical violence is never a joke.

      1. small and stupid

        Re: Next test

        Oh yes it is. And pious self-righteousnes is funny as well.

      2. Throatwarbler Mangrove Silver badge
        Joke

        Re: Next test

        "Physical violence is never a joke"

        ... unless you're punching a clown.

        1. The Oncoming Scorn Silver badge
          Pint

          Re: Next test

          "Physical violence is never a joke"

          Oh yes it is! https://thumbs.gfycat.com/AmusedWellgroomedCobra.webp

        2. Kane Silver badge
          Joke

          Re: Next test

          "... unless you're punching a clown."

          That's not a joke, that's a public service.

  4. Flywheel Silver badge

    But isn't this what (real) criminals would do?

    So are the unions seriously expecting IT Security to send an email out with a disclaimer at the end (in small print of course) so that the potential victims have a clue? That's not what phishing is about, surely, or am I missing the point?

    Conversely, I would have thought that any email alleging to have come from train company management praising employees and offering money was suspicious in itself?

    1. John Robson Silver badge

      Re: But isn't this what (real) criminals would do?

      I've never had to register for a bonus - I would hope that they haven't been asked to register before.

      Exploiting current world events is a common tool, so this seems like a reasonable phish test to me.

      1. Kevin Johnston

        Re: But isn't this what (real) criminals would do?

        You presume there has been a bonus in the past for the low level workers (as opposed to the senior management). If it has never happened before then how would they know if they need to register or not?

        1. Anonymous Coward
          Anonymous Coward

          Re: But isn't this what (real) criminals would do?

          For bonuses in my company, I literally have to register on a website in a different country and a different language, then open a foreign bank account.

        2. Anonymous Coward
          Anonymous Coward

          Re: But isn't this what (real) criminals would do?

          We were reviewing a bit of corporate drivel and came across a section on bonuses for folks like us. As no one present had ever HEARD of anyone getting a bonus, a particularly cynical co-worker asked, "Is 'bonus' a noun or verb?"

      2. Anonymous Coward
        Anonymous Coward

        Re: But isn't this what (real) criminals would do?

        I have. It was some stock options from a company I was working for that did a merger and IPO, and I had to decide if I was going to accept or reject the options, and then decide if I was going to invest since the options had a very short window to purchase or not purchase the stock at the IPO price.

        I'd have lost less money if it was a scammer. I didn't lose the whole investment, only about 3/4 of it. If I'd bought Apple stock with that money instead and held it until now I'd have been a millionaire.

        1. richardcox13

          Re: But isn't this what (real) criminals would do?

          Stock and stock options are a different matter.

          As, you found, the benefit can be limited.

          And, there are potentially a whole load of tax implications that a cash bonus (given PAYE in the UK) does not imply.

    2. chivo243 Silver badge
      Meh

      Re: But isn't this what (real) criminals would do?

      Yes, they would. I'm torn on this one... shitty trick to play, but well played in the theater of security. I'm sure the Lads from Lagos are taking notes...

      1. Anonymous Coward
        Anonymous Coward

        Re: But isn't this what (real) criminals would do?

        Agreed - I think the "right way" to play it would be to use a genuine bonus as an opportunity for a phishing test - as in all staff will get the bonus without needing to register, but then send out an email asking them to register and those that click it get reminded of the importance of not clicking phishing links,

        I have in the past had to register for stock-based bonuses, but you can always tell its a legitimate email/link by the 18 pages of boilerplate terms and conditions that make it look like spam.

        1. Anonymous Coward Silver badge
          Big Brother

          Re: But isn't this what (real) criminals would do?

          And if you follow through and register (with your actual details), that excludes you from the bonus? (Or at least reduces it)

          Basically rewarding good infosec behaviour.

      2. Fred Daggy

        Re: But isn't this what (real) criminals would do?

        I wish I had more thumbs to thumbs up.

        Evil. Watch HR squirm as they then announce that there is in fact, no Covid Bonus after all.

        It's so evil I might start spamming that one myself. I don't need an excuse to get one up on HR. Just an opportunity. (Never saving nor recording passwords of course, I use my evil powers for good).

      3. Imhotep Silver badge

        Re: But isn't this what (real) criminals would do?

        My take is the same as yours. This is exactly the sort of enticement phishing can rely on to get people to click through. Getting them to click is the whole point.

        But I do understand why the employees who fell for it would be less than thrilled.

        1. the spectacularly refined chap

          Re: But isn't this what (real) criminals would do?

          But I do understand why the employees who fell for it would be less than thrilled.

          But they didn't "fall" for anything. There was an email legitimately sent on behalf of the company promising a bonus. It may have been designed to look like a scam but those facts hold. If your employer says "do this and we'll give you money" are you not entitled to expect that money?

          I'm reminded of the episode of Star Trek where a test was designed to see if some robots were alive. They initially appeared to have failed the test up until it was shown they had actually seen past the ruse and ignored it. You don't know the thought processes of the individuals involved so you are left with a simple promise made by whom it purports to be and the consequences of that promise.

          1. richardcox13

            Re: But isn't this what (real) criminals would do?

            From the article,

            > The deliberately inauthentic email first thanked staff[…]

            So they did fall for it, and clicked through because their "too good to be true so it isn't" check failed.

            1. the spectacularly refined chap

              Re: But isn't this what (real) criminals would do?

              But that's the point: it was an authentic email sent on behalf of the company. Making it look a bit "dodgy" does not change that reality.

              1. doublelayer Silver badge

                Re: But isn't this what (real) criminals would do?

                Just because someone did it doesn't make it the company's decision or authentic. If I decided to mess with my colleagues by sending them such an email, my company didn't agree to do what I made up. For the same reasons, the security test can involve things without requiring other parts of the company being obligated to do something that was clearly not intended.

              2. John Robson Silver badge

                Re: But isn't this what (real) criminals would do?

                "it was an authentic email"

                No it wasn't, it was a phishing test, and the email would likely not have been sent by the normal communications methods.

                I have a filter on my work email which automatically sorts all the company phishing tests into a specific directory - makes a fun read every so often

        2. Stuart Castle Silver badge

          Re: But isn't this what (real) criminals would do?

          As above, while I can see this would be extremely annoying to the employees, it *is* the sort of thing criminals might try, so they need to be aware. This kind of test is actually a good way to check if any training you offer is working.

      4. Anonymous Coward
        Anonymous Coward

        Re: But isn't this what (real) criminals would do?

        Yes, it's a valid test. It's also a great way to remind employees that they have been put through a particularly difficult time with no recognition from their employer except for this use of the situation to support an internal security audit. Benefit worth the cost?

    3. IanRS

      Re: But isn't this what (real) criminals would do?

      Exactly. The whole intention of a phishing attack is to make it both believable and tempting. The problem with many unions is that they will automatically consider any change to current conditions 'a bad thing' which needs all details to be communicated, discussed and agreed beforehand.

      I am a security consultant and one of the security education services my company is working on will allow test phishing emails to be sent if the client wants that part of the package. As long as there are clues in the email that it came from outside the organisation I would consider it an acceptable test. On that basis, GoDaddy screwed up by sending it from a legitimate internal address and providing no clues at all that it was meant to be fake, but this one I would consider a valid test.

      1. Naselus

        Re: But isn't this what (real) criminals would do?

        Yes, it's a perfectly valid and effecting phishing test. On the other hand, the timing might be considered poor taste.

        1. Doctor Syntax Silver badge

          Re: But isn't this what (real) criminals would do?

          "On the other hand, the timing might be considered poor taste."

          So is all genuine phishing.

      2. Pascal Monett Silver badge

        Re: The whole intention of a phishing attack is to make it both believable and tempting

        I'm sorry, how is it believable that you have to register for a company-wide bonus ?

        Either the company gives the bonus, or it doesn't, but it does not make its employees register for one. I think that would be grounds for a lawsuit.

        Not blaming the people who clicked the link, but I think this whole affair is going in the wrong direction.

        Somebody should have complained about the principle.

        1. Doctor Syntax Silver badge

          Re: The whole intention of a phishing attack is to make it both believable and tempting

          "Not blaming the people who clicked the link"

          Depending on how many clues there were to it looking like a genuine phishing email I might have to disagree with you.

          Unfortunately, these days marketing departments seem incapable of sending out emails that don't look like phishing attempts and it wouldn't surprise me if HR departments weren't far behind so it might be a close call on how much it looked like a phish.

          1. Naselus

            Re: The whole intention of a phishing attack is to make it both believable and tempting

            One of our customers spoofed one of our genuine email addresses to conduct an internal phishing test. And then some of their (blissfully unaware) users contacted us to warn us that someone had spoofed our email address.

            I'm still surprised we didn't sue them for wasting our whole IT department's time for a full morning tbh.

          2. skeptical i
            Paris Hilton

            Re: The whole intention of a phishing attack is to make it both believable and tempting

            re: "marketing departments seem incapable of sending out emails that don't look like phishing attempts"

            My related pet peeve: aside from the breathless hyperbole describing the organization's latest doings, many places also use "customer management" email programs that turn any links in the text of the email into insanely long cloaked trackable things that should be ringing "dodgy link, do not click!" bells in recipients' heads. So I for one wonder how email users are supposed to learn not to click dodgy links when, if my inbox is any representation of "the world", the emailings of many municipalities, non-profits, and basically well-intended organizations contain just those very things as a side-effect of whatever mass-mailing programs they use and most recipients will not take the time to chase down the source to which the link should have led.

        2. Anonymous Coward
          Anonymous Coward

          Re: The whole intention of a phishing attack is to make it both believable and tempting

          There are many situations when you would have to register for a company-wide bonus, particularly if it has tax implications or other potential downsides. Bonuses paid in stock are a good example, you are on the hook for the tax whether or not you make a profit on the stock, so its possible you can lose money. If the stock is floated on an exchange in the US but you are not, then you will have to start filing tax returns in the US. Some people may not want that, especially if its only for a few hundred quid.

      3. Anonymous Coward
        Anonymous Coward

        Re: But isn't this what (real) criminals would do?

        "As long as there are clues in the email that it came from outside the organisation I would consider it an acceptable test."

        My former employer had out-sourced several services which meant that, quite often, "legitimate" emails appeared to come from outside the organization. Still they would not accept that the sensib le policy would be not to have click-through links in emails.

    4. Dabooka Silver badge

      Re: But isn't this what (real) criminals would do?

      Been there, done that.

      We had one a couple of years ago pertaining to offer staff an Amazon voucher, click on the link etc.. Clearly to me (and others) it was a hoax as a) our outfit would never do that and b) our outfit would never do that. Ever. I even forwarded it to my Head of It to let him know these things were out there (he replied and said it was a test).

      However two things worthy of note.

      Firstly some of my colleagues who did click felt they had been 'tricked' into taking the training that 'they don't really need' (yeah I know).

      Secondly the genuine follow up email from the outfit hired to do the testing was the most shambolically written and presented email I have witnessed in ages. Utterly appalling. Courier font, no structure, brightly coloured text. It was like going back 20 years, and screamed spammer. It also included links to the training for everyone else to do should they feel the need to.

    5. Filippo Silver badge

      Re: But isn't this what (real) criminals would do?

      Yeah... there isn't any reliable way to tell a phishing attempt by writing style alone. You also can't trust the sender address; it can be spoofed.

      My main rule is to ask someone I trust for verification, before visiting any URL with a public-usage domain or a domain I don't know (remember to look at the actual link, and not at what the text says), or answering to an address from any such domain (remember to look at the reply-to field, and not at the from field). That should cover most cases.

      Also, I assume anyone who calls me on the phone and tells me he's from my (or any, really) bank/utility company/insurance provider/whatever is a scammer until he can prove otherwise. No, knowing my name, date of birth, or other easily obtainable information, is not proof.

      1. heyrick Silver badge

        Re: But isn't this what (real) criminals would do?

        A quick test I have with suspect emails is to begin to forward the email. They usually makes the nice friendly visible email address show its true nature - a bunch of random characters at a domain in Thailand.

        My standard behaviour is to simply delete anything that looks in any way suspect.

        As I mentioned to my advisor at the bank when she asked why I hadn't replied to her email. I told her that the bank messages are usually handled through the app/website, so a message by regular email claiming to be from the bank (without her name or the location of the bank in the sender or subject, and a generic subject line) was immediately deleted without even being looked at.

        Funny how we're all supposed to be experts at online security, but at the same time willing to accept all these stupid and lazy exceptions.

      2. Robert Carnegie Silver badge

        Re: But isn't this what (real) criminals would do?

        If your CEO's password to the web mail portal is "number1ceo" then it's perfectly possible for e-mail from her actual account to be spam or spearphishing.

        My work e-mail is text only - my choice - and I mousepoint at any URL in it to be shown where it really goes. But that can be disguised, too - funny character sets and do forth. So mainly I let someone else try first...

    6. steviebuk Silver badge

      Re: But isn't this what (real) criminals would do?

      I would of thought they could of worded it different and not related it to covid-19 as if I've read it right, one of their staff died of it.

      The most simple phishing email they could of sent out is one that spoofs a managers address and asks for urgent help with something. Sadly I've seen that work with people replying & actually paying money as they didn't bother telling anyone. It was spotted they'd replied and given out their mobile number, the rest was then done via txt that we can't and don't monitor. I really wanted to know what went on in their head and why they never double checked first!

      I've also witness a director fool for it when the spoof was the chief exec. Nothing better to see a director who is fearful of the CEO, fool for a phishing email all because they want to "please(kiss arse)". Forgetting the phishing issue, they shouldn't have a fear of the CEO, CEOs need to learn not to be cunts like that one was.

  5. Aaiieeee
    Thumb Down

    What a dick move

    Here is some money.. haha just kidding.

    For phishing to be any use it has to look dodgy; contain spelling mistakes, a really obviously bad url. Should staff have known a bonus was beyond reality and that was the clue?

    1. Anonymous Coward
      Anonymous Coward

      Re: What a dick move

      ...and a dodgy but plausible looking domain name.

      E.g. the one my old man received recently...

      vodafone.billing-center.com

      This "phishing test" done by these cretins proved nothing other than their employees are underpaid enough to click a link to a fake bonus.

      1. David Nash

        Re: What a dick move

        You don't have to be underpaid to appreciate a bonus.

    2. Jimmy2Cows Silver badge
      FAIL

      Re: spelling mistakes, a really obviously bad url

      A good phishing email won't contain mistakes, and the link URL will be convincingly plausible.

      1. Aaiieeee

        Re: spelling mistakes, a really obviously bad url

        Then there is nothing for staff to recognise and identify it as phishing. All you will get are lots of people failing the test.

        Remember during phishing training they show a 'bad' email with an obviously bad URL and it came from an obviously fake domain? Well if staff don't see that then why would they suspect it?

        An email that came from the director, from a valid looking domain, with a valid looking url and spelt correctly with legit content - why wouldn't staff click it?

        Are you suggesting staff should report every email from senior management as suspicious?

        1. Neil Barnes Silver badge

          Re: spelling mistakes, a really obviously bad url

          Are you suggesting staff should report every email from senior management as suspicious?

          Sounds reasonable to me!

        2. VirtualHacker

          Re: spelling mistakes, a really obviously bad url

          It's exactly that mindset that makes end users complacent. First rule of phishing attacks, if it sounds too good to be true, then it usually is! One also never enters logon credentials if you do click on a link in an email.

          Cyber security is everyone's responsibility.

          1. Doctor Syntax Silver badge

            Re: spelling mistakes, a really obviously bad url

            "Cyber security is everyone's responsibility."

            There's a saying that if something's everyone's responsibility it ends up as nobody's responsibility. Sadly, that seems to be true.

        3. mmccul

          Re: spelling mistakes, a really obviously bad url

          The standard is any email from outside the corporate email system that is legitimate needs to have at least three business days in advance, a warning from the appropriate group inside the company, warning that the outside email will occur, including a description or mockup of the email to be received. If the emails are going to be regular/common, then state that in the warning email. If there is a response required, then that will be highlighted in the mail system, often with a second path warning of the coming emails that doesn't go through email, such as a notice through the supervisor.

          If the email came from the corporate email system, then it was a bad test.

          Modern phishing training that is any good does not talk about spelling mistakes or "obviously fake domains". They instead emphasize external sources, artificial sense of urgency and lack of corroborating emails from the official corporate email system.

          Yes, I've worked at shops that implemented that rule, and it significantly cut down on the phishing damage.

        4. David Nash

          Re: spelling mistakes, a really obviously bad url

          Tricky one but this teaches them that it could happen. Those who clicked should shrug and accept they've learned they should verify offers of free money before clicking. Rather than complaining they were tricked (that was the point).

        5. John Robson Silver badge

          Re: spelling mistakes, a really obviously bad url

          “ Are you suggesting staff should report every email from senior management as suspicious?”

          We do...

          That’s one advantage of a non email central chat system being available. For us that’s slack, other options available.

          Anything that is remotely dodgy gets checked.

      2. Anonymous Coward
        Anonymous Coward

        Re: spelling mistakes, a really obviously bad url

        A good phishing email balances on a knife edge. It needs to be sufficiently crap that someone trained to pick them out will automatically discard it without a second thought (perhaps not even open it) but plausible enough that an untrained individual will think it is legit.

        This is why phishing emails always have typos or grammatical errors. It's a way of filtering down the targets without having to specifically target anyone.

        Someone that can't easily spot the typos or grammatical mistakes is unlikely to spot that an email is a phishing attempt.

        1. mmccul

          Re: spelling mistakes, a really obviously bad url

          Actual phish emails I analyze haven't been typo riddled in a year or more. I get more typos and grammatical mistakes I see in the legitimate emails.

          Also, spearphishes are very often crafted quite well, including personal references.

          Don't train people on the exact wrong indicators.

          1. Anonymous Coward
            Anonymous Coward

            Re: spelling mistakes, a really obviously bad url

            A few years back my former employer ran a "better than usual" phishing test which caught out many. My annoyance with the whole matter of phishing was that by regularly sending out corporate emails that wanted the employee to click on a link, the company was setting up employees to fail.

            Having a full intranet service the company had other ways of communicating with employees which would not have been co-mingled with external communications (and genuine phishing attempts).

            But that seemed too much trouble. Ho hum!

          2. Anonymous Coward
            Anonymous Coward

            Re: spelling mistakes, a really obviously bad url

            I haven't ever gotten a well-written phishing email. Every single one has had bad grammar, etc. Usually with laughably-inauthentic website addresses.

            My company does these phishing tests. Theirs are always WAY more convincing than the real thing. The first time, I researched the destination of the link and confirmed it was a phishing test company. Having verified that it was actually from my company, I clicked the link - and they claimed I "fell for it" and automatically signed me up for remedial infosec training. Never mind that I *knew* it was from the company, and didn't provide any personal details, etc - apparently all it takes to compromise their entire corporate network is for a lowly employee to click a single link, so the employee must be at fault, right?

            1. doublelayer Silver badge

              Re: spelling mistakes, a really obviously bad url

              "Having verified that it was actually from my company, I clicked the link - and they claimed I "fell for it" and automatically signed me up for remedial infosec training. Never mind that I *knew* it was from the company, and didn't provide any personal details, etc - apparently all it takes to compromise their entire corporate network is for a lowly employee to click a single link, so the employee must be at fault, right?"

              Here's some more training. Don't click suspicious links. Clicking links and entering information is certainly worse, but just clicking the link can be a problem. It exposes you to whatever the page might have, including an attempt to steal an SSO token or even a possible (though very unlikely) zero-day in the browser. They were right to treat clicking the link as a partial failure.

            2. MachDiamond Silver badge

              Re: spelling mistakes, a really obviously bad url

              "apparently all it takes to compromise their entire corporate network is for a lowly employee to click a single link, so the employee must be at fault, right?"

              Unfortunately, yes. And that's the problem. Some low level employee in the housekeeping department of the hospital clicks on a link that triggers a ransomware lock down of the whole place. The problem is two-fold. The employee that clicks on links and the hospital's IT system that exposes the whole datacenter to attacks from something like a phishing email sent to a staff member.

        2. MachDiamond Silver badge

          Re: spelling mistakes, a really obviously bad url

          "This is why phishing emails always have typos or grammatical errors."

          I see loads of tripe generated by HR departments with horrendous spelling and grammatical errors. Even on the made up Biz-Speak carp they insist on using instead of proper words.

          I agree that most phishing emails rat themselves out, but not all. I've been impressed with a few that were very close to being perfect outside of that one fatal mistake. I sanitize and send those around to the family so they are on the look out. I worry about my mom losing her retirement savings from something like this. We just went to the bank and set up another disconnected account she can use to pay bills so her other accounts are shielded a bit. The banking lady wanted to push overdraft protection but saw what we were doing and agreed. A large number of accounts at that branch are held by pensioners that live in the local senior community. Now she nows. My mom is pretty sharp but we have a plan to put more oversight on her money if she "dulls" a bit. She'll be in charge, but transactions over a certain amount will be held until I or my sisters review them.

      3. fattybacon

        Re: spelling mistakes, a really obviously bad url

        No, successful phishing emails deliberately contain spelling mistakes, terrible urls and general weirdness which puts 99% of people off. They only want the 1% who fall for it

        1. Yet Another Anonymous coward Silver badge

          Re: spelling mistakes, a really obviously bad url

          For Nigerian Prince scams yes.

          If they want the logins and passwords of users at a bank then no, they will make them as official looking as possible.

        2. doublelayer Silver badge

          Re: spelling mistakes, a really obviously bad url

          You are being simplistic to the point of incorrectness. The attacks where spam is sent to massive lists use that tactic to try to filter out people at the first stage--if they're going to balk after interacting with the scammer, they've just wasted the scammer's time. When the list of targets is shorter, like the employees of a company, or when the goal is faster to attain, like just getting credentials, they want more people clicking right now. They can write well to get that to happen. They do this frequently and it works on occasion. Training must include this.

        3. Anonymous Coward
          Anonymous Coward

          Re: spelling mistakes, a really obviously bad url

          My last manager's emails were littered with spelling mistakes, grammatical howlers and 'general weirdness' (eg signed off 'thanks you')

          While I agree that it's a good idea to test the response to phishing, they have promised a bonus and they should be made to honour it. OK, so make the failures pay by giving them less, but a bonus has been promised

          1. jtaylor Bronze badge

            Re: spelling mistakes, a really obviously bad url

            they have promised a bonus and they should be made to honour it.

            Who has promised a bonus? The head of IT security? Was that person authorized to award bonuses? Does every inauthentic email oblige the purported sender to fulfill the promises made in the email?

      4. This post has been deleted by its author

    3. doublelayer Silver badge

      Re: What a dick move

      "For phishing to be any use it has to look dodgy; contain spelling mistakes, a really obviously bad url. Should staff have known a bonus was beyond reality and that was the clue?"

      Have you ever seen phishing? Not the kind that gets sent to billions of addresses, but the more tailored kind? If they're sending it to a small number of people, they'll work on that. They'll figure out your name. They will figure out where you work and what their emails look like. They'll copy pages exactly. They'll identify who your boss is and impersonate them before sending instructions about where to redirect the payment. You have to figure this out by certain less obvious details. I have received such messages. I haven't fallen for them. There are people who need training that such messages can happen and that vigilance is necessary. You might be one of those people.

      The method used in this case was regrettable, and people who fell for it and had expectations are understandably unhappy. Unfortunately, it's exactly the kind of phishing that people might try. I've seen COVID-themed phishing and it didn't do me the courtesy of being badly written.

      1. MachDiamond Silver badge

        Re: What a dick move

        "I've seen COVID-themed phishing and it didn't do me the courtesy of being badly written."

        Before long there will be a major storm and that will be used as a pretext in a phishing email. Or a big fire. An international incident. The phishers use whatever they think might be a good lever to get people to do what they want.

        I'd be very suspicious of the promise of a bonus. I'd expect that supervisors would make a mention of it first to the people under them. A note in the current pay packet. A prep email from the company that announces the bonus but requires no immediate action. If employee input is required, they are to contact their supervisor.

        C-level and HR need to be expert in phishing tactics as well. They should never send regular communications out that in themselves look like phishing emails. They should also remind employees how they might request password changes or submission of personal/company info including what will never be done. The Social Security Administration in the US has to tell people constantly that they will never call people about fines and require payment immediately with gift cards. All communication is done via (indecipherable) snail mail notices. The same goes for pretty much every US government agency unless you call them first and are expecting a call back (good luck).

  6. Anonymous Coward
    Anonymous Coward

    Lessons learned

    If you're a phisher, offer anything that's related to Covid.

    1. monty75

      Re: Lessons learned

      If you're a phisher, offer anything that's related to money.

      FTFY

  7. Anonymous Coward
    Anonymous Coward

    Don't click external links...unless they're ours

    Our IT Security guys recently decided it would be a good idea to implement a new external domain to put all the security training on. They anounced this by sending an email from said unknown external domain, inviting us to click on a link to register using our internal domain credentials before taking part in the training. Many people reported it as a phishing attack, cue stroppy mail from IT Security berating us for being so stupid as to not believe their email that ticked all the boxes of being a phishing attack....

    1. Doctor Syntax Silver badge

      Re: Don't click external links...unless they're ours

      IOW your users were already ahead of IT security. Good for them.

      1. Yet Another Anonymous coward Silver badge

        Re: Don't click external links...unless they're ours

        Ours send out genuine training courses that are a bit.ly link to something like sap.succesfactors.leveraging.synergy.dynamics.eu which then makes you enter your password and RSA key

    2. Robert Carnegie Silver badge

      Re: Don't click external links...unless they're ours

      Phish them back. Nothing too malicious, just direct them to a web site that plays the Monty Python music at top volume and can't be closed. Explain this specifically in the boring bit of the e-mail that they won't read, so they were given notice.

  8. Howard Sway
    FAIL

    And the result of this test will be........

    Email arrives in inboxes : "Dear team, please prepare full progress report of your work on big important railway project for meeting next week, The Boss"

    Meeting starts.

    "OK, let's start with progress reports - how is the track maintenance going?"

    "Oh, I haven't done the report because I assumed it was a phishing email".

    "Safety audit team?"

    "Nope, we ignored the email too...."

    1. General Purpose Bronze badge

      Re: And the result of this test will be........

      "Everyone got the encouraging email about their mental health?"

      Hello. West Midlands Trains does care about its employees mental health, yes. We have delegated colleagues inside (and recommended people outside) the business that we can speak to. We also receive encouraging emails reminding us how we can improve our mental health. 1/2

      --tweeted on Monday

  9. Anonymous Coward
    Anonymous Coward

    Unfortunately,

    Management have de-trained their employees. In pre-email times, you would not have expected to get any direct messages from the management, now they are spamming you every day, asking you to welcome new managers etc (don't think new managers appreciate getting their brand spanking new mailbox stuffed with 10,000 'welcome' messages from the grunts, so I've never seen the point of these).

    Like the banks - "Oh, do be careful of spammers, you silly people" when most of them spent most of the last two decades (and some of them haven't stopped) phoning you up and asking you to "go through security" exactly normalising the behaviour they want you to avoid when anyone but them phones you up. All the time with the vast majority never coming up with any mechanism for proving that its actually them ...

    If I get an email from management, and it exhorts me to click a link, and the email's not auto-flagged by our mail system, and the link is internal, I'm not going to click it. Not because I suspect it's a phish, and not because I suspect it's a trick, but because I'm already bored out of my mind doing my own job and don't want to be even more bored doing something that doesn't even help me get my job done.

    1. Pascal Monett Silver badge

      Re: Unfortunately,

      I use Rules in my corporate mailbox. Every time someone sends out something that has absolutely no bearing on my daily job, I set up a rule to shove it into a folder labelled "Ignored".

      Given that I am a freelance consultant, and only log in when I am asked to by the customer, such rules are pretty easy to set up. If it doesn't concern the project I'm on, it's ignored.

    2. Doctor Syntax Silver badge

      Re: Unfortunately,

      "banks ...spent most of the last two decades (and some of them haven't stopped) phoning you up"

      Some banks still do that by phone? Can you give an example - I might move my account there. All those I've dealt with have moved onto email.

      I used to explain to the HSBC business bankers (sp?) that I'd told my bank that I wouldn't answer questions like that and, without confirming or denying that they were impersonating the right bank, they couldn't be my bank. This was routinely followed up a few days afterwards by a plaintive letter saying that they couldn't sell me anything help me.

      1. Anonymous Coward
        Anonymous Coward

        Re: Unfortunately,

        Handelsbanken. Not only do they call, they call from the branch our account is in so we usually know who it is anyway. Very highly recommended.

    3. imanidiot Silver badge

      Re: Unfortunately,

      Your bank calls YOU to ask for information???

      My bank has a very strict "we will never call you and ask for information" policy. If they do need information they ask you to call the main number and then navigate a phone menu or something (or log into their online environment and navigate to XYZ). They always make the customer take the initiative and initiate contact through a method the customer should know to be safe. To the point where at one point when I had someone on the line from a bank (they called me back about something) when it came to verifying something they had to ask me to hang up, call the main number, press 9 repeatedly until I got a human on the line and ask to be connected to mister xxx at extension yyy of department zzz. Even though I knew I was talking to the right person about the right thing.

    4. ChipsforBreakfast

      Re: Unfortunately,

      Calling me up and then demanding I pass 'security' is one of my pet hates.

      The lucky ones get away with a polite 'No, I don't give personal information to random callers'. The unlucky (or those who persevere) get the full on lecture/rant about just how stupid they are being.

      I've even had one insist that because the caller ID was from their published number (they will remain nameless to spare the blushes of their IT/security team who I'm certain know better) that I had to give them my details. I don't think my offer to call them back from their own CLI was particularly well received....

      1. heyrick Silver badge

        Re: Unfortunately,

        "Calling me up and then demanding I pass 'security' is one of my pet hates."

        Yeah, the NatWest tried that one on me a few years ago.

        I told them that if they really are who they claimed to be, they will have my account information so tell me any two direct debits and how much they are for.

        Person began with excuses. I think they were trying to tell me they were sales and didn't have that information. I don't know, I just spoke over them to say "authentication failed" and hung up.

        If you call ME then it is YOU that must pass "security", not the other way around.

      2. Robert Carnegie Silver badge

        Re: Unfortunately,

        BBC's "Moneybox" has been covering recently that fraudsters can fake the caller ID number. As most of us knew already.

      3. MachDiamond Silver badge

        Re: Unfortunately,

        "Calling me up and then demanding I pass 'security' is one of my pet hates."

        The line I get in the US is to "confirm" certain bits of information. By that they mean they want me to give them that information. I always refuse telling them that they have that info and "confirm" means they give it to me and I am supposed to "confirm" that it is correct or false.

        What really drives me nuts is when they want to have me jump through all of the hoops to "confirm" I am who I am when all I have is a simple, non-account related question about something. That and verifying my identity by the number I am calling from. It's too easy to spoof numbers and if somebody nicks your mobile and calls your bank, they might be given access to your accounts or let them order up another debit card. Your phone is then "found" and turned in to the business you were visiting when it went missing and you drop your guard. In the mean time, a shiny new plastic debit card is on it's way to "your new address".

    5. DJV Silver badge

      Re: phoning you up and asking you to "go through security"

      Yeah, I had that recently with $PENSION_COMPANY

      Earlier this year I'd had an arranged online meeting to discuss pension arrangements with $COMPANY_PERSON1 which all went ok. She didn't indicate that I would be getting a follow-up call regarding how the meeting went.

      Then, a few days later, I had a call on my mobile phone with the number withheld (alarm bell 1 goes off) from someone (let's call her $COMPANY_PERSON2) who claimed to be from $PENSION_COMPANY. She wanted to talk to me about my "recent contact" (very vague - alarm bell 2 goes off) with the company. She then asked me to provide answers to security questions. I refused and asked her to prove that she really was from $PENSION_COMPANY and why was she calling from a withheld number when this is now extremely frowned upon (though, I believe, not actually illegal). I thought it reasonable to ask her to provide me with either one of my policy numbers or some digits (and their positions) from one of those numbers. She refused saying it was personal information and, after getting in a bit of a strop about my refusal to do what SHE wanted, in the end hung up on me.

      I immediately contacted $COMPANY_PERSON1 and told her about my experience. She agreed that it sounded very suspicious and asked if I wanted to officially report it, which I agreed to. She took the full details and said I would be hearing from someone in a few days.

      A few days later I received a call from $COMPANY_PERSON3 from a number that was associated with $PENSION_COMPANY and, as he had details about the "rogue" call and other things that only someone from the $PENSION_COMPANY should have possessed, I was happy to talk to him. He apologised as it turned out that the "rogue" call HAD come from someone employed by $PENSION_COMPANY who was working from home but hadn't done as she should have and routed the call via $PENSION_COMPANY's normal phone network. We spent some time discussing ways in which $PENSION_COMPANY could improve their ability to prove their own identity when asked for it (mainly the same as I'd asked $COMPANY_PERSON2 to do, which he thought was a reasonable way of going about things).

      Then he asked, "Is £75 compensation for all the hassle ok?" Having not expected anything of the sort, I readily agreed. This was duly paid into my bank account a few days later and, also around the same time, I received a package containing a written apology along with 2 bottles of wine and a box of chocolates!

      So, I think the lesson there is, if you complain properly, you can actually get good results and a proper company will learn from its mistakes. I do wonder, though, what sort of reprimand $COMPANY_PERSON2 got!

      1. Anonymous Coward
        Anonymous Coward

        Re: phoning you up and asking you to "go through security"

        " I received a package containing a written apology along with 2 bottles of wine and a box of chocolates!"

        But what if you are a vegan recovering alcoholic? That's got to be grounds for further compensation.

        1. MachDiamond Silver badge

          Re: phoning you up and asking you to "go through security"

          "But what if you are a vegan recovering alcoholic? That's got to be grounds for further compensation."

          and everybody you known is the same? There isn't anybody you'd like to have it off with that might be plied with wine and chocolates?

          I was taught to always smile and thank people for their kind gifts. When I got older I was taken aside and quietly told that if the gift sucks/inappropriate/ugly, fob it off on somebody else. Even if the gift doesn't fit the new recipient, you have done your duty in the gift giving department and can wipe that social debt off of the ledger.

      2. Anonymous Coward
        Anonymous Coward

        Re: phoning you up and asking you to "go through security"

        C.f. my HSA company (selected by my employer, probably based on "they're the cheapest"), who has a known issue with their website not showing the correct account balance, which often requires clearing cache and cookies... logging me out of every website everywhere in the process. And their only 2FA option is sending me an SMS, which El Reg has written about its insecurity multiple times. And the website help chat (or via email) can't do tech support, so I have to call them. And if THEY call ME, they expect me to authenticate using personal info...

      3. MachDiamond Silver badge

        Re: phoning you up and asking you to "go through security"

        My local police department has a blocked number. I knew it was them calling back late one night and mentioned that the ID was blocked and got a snippy "I know". I advised her that she shouldn't call back as I normally don't answer blocked ID calls.

  10. 0laf Silver badge
    FAIL

    What do they expect, phishers to send a nice header that says "THIS IS A PHISH!!!"

    If they were using this as a screen to take disciplinary action against staff then it might be a bit rich but to identify areas for education tough, suck it up buttercup.

    I've done the same exercises internally and had the same kickback, Unions insisting that we were "entrapping staff" despite there being nothing at the end of failed test except awareness training. Interestingly those who pushed back hardest against training were usually the worst at spotting them.

    I'm aware of one organisation that was forced to alert staff that a test was being carried out.

    1. John H Woods Silver badge

      Context missing

      So, if the email and/or the link was obviously external I have less sympathy for the recipients. Well, I have sympathy on a personal level, obviously, but I don't think they have been treated unfairly. That is even more the case if the email was flagged by the mail system as a possible phish and they still persisted ... then even my personal sympathy starts to wane.

      However, if the link is on the intranet that is, IMHO, a completely different story. You don't know the thought process the user goes through. "Hah, hah, this can't be true! *hovers link* Wow, what do you know? Maybe my company is following the example of Aldi, etc! *clicks*"

      In the latter case, I think the recipient is completely justified in considering themself to have been mistreated by management. I think management would have to prove they had never, ever sent an email with a link to even have a chance of getting away with this, and I'll eat my riding hat if they can do that.

      Also, any sensible management would have paid a small bonus anyway. "You're all getting an extra 20 quid, but you should have realised you wouldn't have to register for it - we know who's on the payroll ;-) Be careful not to click links! Love, management xx" - PR success instead of disaster and a phishing test that might actually get remembered.

      1. Doctor Syntax Silver badge

        Re: Context missing

        "Also, any sensible management would have paid a small bonus anyway."

        It takes management to do the right thing in the wrong way. But make that a big bonus because I'm sure their staff would deserve every penny of it.

        1. quxinot Silver badge

          Re: Context missing

          Any management would have paid a large bonus anyway.

          To themselves.

          They're management.

  11. JimmyPage
    Stop

    More a test of critical thinking skills

    I leave it to other commentards as to what it proved.

  12. Sodditall

    About par for the quality of management.

    They must be so proud.

  13. Anonymous Coward
    Anonymous Coward

    Easily Done

    I fell for a phising test from my employer, an Indian IT services provider. My lame excuse (to myself) was that I was under pressure at the time doing several things at once and I confess that I did wonder about that particular e-mail at the time, but it _really_ did look similar to other e-mails that I had received. The outcome was an electronic rap on the knuckles and a requirement to retake my cyber security training.

    They have since repeated the exercise at least three times, but the old adage of "once bitten, twice shy" is good in my case. Yes, I was embarrassed and yes, I was kicking myself, but lesson learnt.

    In my case it was a bog-standard admin-style of e-mail; if it had been promising me a bonus, I wouldn't have clicked. However, as others have correctly pointed out, a real-life phisher would possibly mention money or some other vast riches.

    1. Anonymous Coward
      Anonymous Coward

      Re: Easily Done

      Yeah it's very easy to just be on autopilot once and before you know it you've clicked on a link you'd avoid and report the other 99/100 times. Been there done that.

      Fortunately most of the test phishy emails we get all use the same display email domain. And they all have the same domains (be it email or URL) in the headers. So mostly easy to spot and act accordingly. Every now and again they'll have a good attempt. But a lot of the work is undone when they've hired a US-based company to do all this and so you get some real Americanisms in emails purportedly coming from UK HR...

      1. MachDiamond Silver badge

        Re: Easily Done

        " But a lot of the work is undone when they've hired a US-based company to do all this and so you get some real Americanisms in emails purportedly coming from UK HR..."

        and vice versa. It's even worse when biz-speak is being used and acronyms employed.

    2. Anonymous Coward
      Anonymous Coward

      Re: Easily Done

      The vast majority of phishing emails that we receive (maybe most others get eaten by other spam defences first before they ever reach users, I don't know) seem to be either "Your account is about to expire, login here to reactivate your account", or "Your mailbox quota is full, login here to manage your account". Sadly, both of these are very good at sending some people into a panic, rather than thinking "Stop, and ask for help through normal channels" (which is what genuine automated emails about either scenario do).

      Although they are getting better at spoofing the From: address, at least one of the From: or Reply-To: addresses is usually something like dodgygeezer@crappy-webmail.example.com, and the phishy link something like https://www.badly-secured-site.some-other-country.example.com/haxx0red-site/phishyphishy/eatme.html (the sort of thing that anyone can check without having to look at the message source/headers), but some people still get caught out.

      But some of the fault has to belong to idiotic mail programs which don't show the email address along with the name in the From: line (which, although no guarantee that it hasn't been spoofed, at least rules out the obviously incorrect), or which don't make web link destinations clear when you hover over them.

      1. Anonymous Coward
        Anonymous Coward

        Re: Easily Done

        My company recently introduced, but didn't announce, email protection of links in emails, which means the links are modified and now hundreds of characters long rather than a simple URL. The security team must have been mightily fed up replying to all of us forwarding them legit emails as 'spam'!

        1. Anonymous Coward
          Anonymous Coward

          Re: Easily Done

          Mine does that too, making it much more difficult to determine if a link is legitimate!

      2. MachDiamond Silver badge

        Re: Easily Done

        "seem to be either "Your account is about to expire, login here to reactivate your account", or "Your mailbox quota is full, login here to manage your account"."

        The one I get a lot is about my visiting "adult" web sites and they have video of me "doing things". Uhhhhh, my desktop doesn't have a video camera/microphone and both are physically disabled on my infrequently used laptop. They did do a good job spoofing the email address to make it look like it came from my own account. At least until I look at the raw source.

    3. MachDiamond Silver badge

      Re: Easily Done

      "I confess that I did wonder about that particular e-mail at the time, but it _really_ did look similar to other e-mails that I had received. "

      There have been some TV shows on people buying homes that were scammed after getting a message that they needed to send the final payment to the solicitor's new payment account. The email was faked with the graphics and format of the solicitor's office and looked identical to all of the notices they had been receiving during the whole transaction. I can't recall if they explained how the criminals knew about the transaction, but it was suspected that it was either through things put in the rubbish or some clever social engineering. There are so many people and so much paperwork involved in property purchases and sales, that it can be hard to keep track of who's who.

      High value phishing will look very good. It's also getting worse as people abandon every form of communication outside of text and email. I'd want to place a call with the number I have and talk to somebody about a change in arrangements if there were a lot of money involved. Things like that are often spelled out in contracts and can't be changed through email.

      1. Ken Moorhouse Silver badge

        Re: I can't recall if they explained how the criminals knew about the transaction

        What I found out was when your neighbour wants to carry out work on their property which involves "party walls" I got a whole load of surveyors vying for the business, writing (yes: through the post, no less!) to tell me what needed to be done and how they could assist. There must be some company that scours the planning applications at the town hall for submissions that mean money for anyone subscribing to their list.

        For house purchases there will be conveyancing search requests made of the council asking questions about planned development work, etc. The flat I once owned had plans submitted for demolishing the houses either side of mine, plus the church at the back, which were a massive red flag to any potential buyer. Presumably these requests for searches are supposedly confidential, but could be picked up by anyone working in that department - and everything required to successfully scam the seller would be in there: solicitor's details, solicitor's reference, property address. Owner name would come from the electoral roll or elsewhere, hardly rocket science.

  14. Anonymous Coward
    Anonymous Coward

    HR

    IT recently sent around a very plausibly worded email related to our 2FA security system.

    We all spotted it was a phish, some of us even reported it. The only person caught in the UK was the European HR Manager.

    She was invited to a security refresher course!

    1. Doctor Syntax Silver badge

      Re: HR

      The only person? The only explanation I can think of is that you don't have a UK marketing team. Judging by the crap sent out by every marketing department I've encountered they assume that everyone will click on any link in any unsolicited email.

  15. VirtualHacker

    This is why people like myself and all cyber security professionals roll our eyes when end users out there say that they could never get caught by spear-phishing attacks. They all still think that the attacks have poor grammar and spelling and are glaringly obvious. This is NOT TRUE! Hackers and cyber criminals use semi sophisticated attacks such as these to gain access to sensitive corporate systems.

    This is exactly the attack vector that have breached numerous countries governments, health authorities, police networks, companies and yes Pipeline control systems, Colonial Oil in the states.

    I use this type of attack on a regular basis and have caught hundreds of people out, just by dangling the right carrot in front of their noses. The head of the union, in this story, who complained that the test was "cynical and shocking stunt." and "totally crass and reprehensible" wants to wake up and smell what it is he's shovelling. This will hopefully educate end users that this is exactly what they can expect and that they need to think before they click!

    Stop passing the cyber security buck to other people.... the buck stops with you!

    1. Pascal Monett Silver badge

      Re: "They all still think that the attacks have poor grammar and spelling"

      They most often do, and that is a major factor in sorting the wheat from the chaff, but the truth is in the link.

      If the link you're asked to click on does not obviously belong to the corporate address the mail is supposed to be from, then good bye, nice try.

      But if the link is to a verifiable corporate domain and you come tell me that it was a phishing exercise, I will rip you a new one.

      1. Doctor Syntax Silver badge

        Re: "They all still think that the attacks have poor grammar and spelling"

        It depends on who the target is. If it's a matter on inveigling someone into sending money to qualify for a payment then, yes, they want to filter out those who'll sus it out and not waste their time on them. But for someone wanting to gain a foothold in a corporate network they have to look corporate themselves. They want someone who'll be fooled by good grammar and spelling.

      2. doublelayer Silver badge

        Re: "They all still think that the attacks have poor grammar and spelling"

        Yes, if the complainants can prove that IT used an internal domain, then the complaints are more justifiable. I haven't seen that, but I'm doubting that was the case. This sounds like some people got annoyed that they were caught and now want to punish those who caught them.

      3. Robert Carnegie Silver badge

        Re: "They all still think that the attacks have poor grammar and spelling"

        You'd be all right with us. We get our "internal" invite to security training sent from companyname@penetration-education.co.uk and our regular staff satisfaction census from Pollcat.com. Absolutely no effort to make them look like genuine communications from management, which apparently they are.

        Meanwhile, an online retailer's third party hosted customer survey received my impressions of the service, positive until that point, but did not receive my name and address for an alleged chance to win a substantial shopping voucher.

      4. MachDiamond Silver badge

        Re: "They all still think that the attacks have poor grammar and spelling"

        "But if the link is to a verifiable corporate domain and you come tell me that it was a phishing exercise, I will rip you a new one."

        The easiest solution is to never send links in an email. I know the domain of my bank and can type it in with nary a breeze. I do not want them to ever send me a link since I will never click on it. I will click on a link once I have logged in and find a message in my messages for the account. Paypal has been doing stupid things like "verifying" me through my computer and simplifying my online experience by making it rare that I'll have to type in my user name and password. To reverse this, the only way to get to the F-off page is to click the link in the email they send... Grrrrrrrr. I call and bitch when this happens, but there is no way to keep them from NOT doing this. They don't get it that I don't EVER want it possible to NOT have to type in my user name and password to access my account. Since eBay is insisting they handle all monies now, I'll be packing up the PayPal account.

    2. imanidiot Silver badge

      Sounds like a gray-hat should spearfish him and stuff his nose in the smelly heap this union person left on the carpet

  16. Inventor of the Marmite Laser
    Facepalm

    Boot, other phoot

    I was working for a large multinational, who should have REALLY known better.

    An email circular arrived, completely unannounced, from an outside company.

    The email was poorly written and stated that said company was looking after licence information for anyone driving a car on company business. We were asked to complete a form (downloaded from a URL that didn't seem to be applicable to either my employer nor this outside company) and send send a scan of my licence to a URL that was again apparently nothing to do with my employer nor this outside company's.

    In short, ALL the hallmarks of a phishing scam.

    I flagged the issue with HR, asking if the email was genuine - it was - and pointing out the glaring issues.

    A year came and went and it was time for another round of driver verification.

    EXACTLY the same happened.

    They never learn, yet this was a billion pound international company.

    1. Doctor Syntax Silver badge

      Re: Boot, other phoot

      You don't get to be a billion pound company by not being cheap.

    2. MachDiamond Silver badge

      Re: Boot, other phoot

      "The email was poorly written and stated that said company was looking after licence information for anyone driving a car on company business."

      I would respond with "none of your business". I wouldn't send anybody a copy of my DL or other documents just for the asking. If I were working for a company that provided vehicles for my use, I'd be ok with giving them a copy, but only on receipt of a privacy statement I approved of. Approval being based mainly on the information not being "shared" or made public or used for anything outside of verification of driving privileges/insurance. A third party agreement would be beyond the pale. I see it as just more useless outsourcing for some vague indemnification.

  17. Evil Scot

    But what if you spot it is an HR phishing trip.

    Received a "sandwich" treat email from my boss who I knew was undergoing Chemotherapy. Hence knew link was safe.

    If I got called in by HR I would have talked about Observer Bias.

  18. TRT Silver badge

    Sent out using a script from their IT Security team leader...

    Ruby. On rails.

  19. TVC

    I did something similar

    I created a spurious email account that had the real company name in it then sent a random selection of staff an email saying we were upgrading their computer to make it faster and asked them to send me their passwords.

    25% did. One even admitted they thought it was a scam, but still sent it.

    These were generally highly educated, well paid individuals, but obviously idiots.

    On another occasion I went round and inserted key loggers into some machines to see what rubbish passwords they were using and to test their eyesight - some were left in plain sight. No one noticed, many were using stupid passwords.

    1. Naselus

      Re: I did something similar

      I recall at least one very long day back on the helldesk twenty years ago wasting several hours trying to explain to a customer's CEO that no, I could not get the money he'd sent over to the Nigerian Prince two weeks earlier back. All while trying desperately not to use the term 'your own stupid fault'.

      Often, more highly educated people are more vulnerable, since they're more likely to be in position where they get used to receiving legitimate emails asking for them to send money around. This idiot thought it was a genuine business opportunity because he got real business emails every day which weren't particularly different from this - emails sent from blackberries with awful spelling asking him to transfer 20 grand over.

      1. Imhotep Silver badge

        Re: I did something similar

        There was a case here in the US where the scammers hooked the dean of a university and played him for multiple payments.

        Yes, a Nigerian Prince kind of scheme and he kept paying hoping it would come true.

        And one of my reports IT Manager, sold some cheap furniture on Craigs List here in Tennessee. He told me someone in California had bought it, accidentally send a cashiers check for acouple thousand - and he was just supposed to send back the extra cas after shipping.

        He didn't think it odd that someone would buy cheap, used furniture, and pay more than it was worth to ship it. And he was convinced that a Cashier's check was guaranteed to be good.

        1. Ken Moorhouse Silver badge

          Re: Nigerian Prince

          I used to support a criminal law solicitor who defended a "Nigerian Prince". Interesting to hear the way money is prised from the unenlightened.

          ===

          Craigslist: A warning for those that haven't seen this:-

          https://www.theregister.com/2016/06/06/printer_craigslist/

        2. MachDiamond Silver badge

          Re: I did something similar

          "And one of my reports IT Manager, sold some cheap furniture on Craigs List here in Tennessee"

          I get that scam attempt all of the time when I post things on Craigslist worth a few bob. Even when I list that I'll accept cash only and won't ship. The reason I post things on CL is they are too heavy, fragile or awkward to ship and it would be easier to meet up with somebody face to face and exchange goods for cash.

      2. Robert Carnegie Silver badge

        Re: I did something similar

        I mostly see "Nigerian Prince" e-mails where my contribution is to be used to bribe people to divert money our way - in other words, to commit a crime myself apparently. I suspect this is to discourage me from going public when I realise I was the sucker.

        Of course when you've been warned or you have seen more than a couple of these messages where you are the one person from a million that they chose to invite, then you don't fall for it anyway.

    2. MachDiamond Silver badge

      Re: I did something similar

      "No one noticed, many were using stupid passwords."

      Good passwords are more of a chore to remember so when companies make it mandatory to change passwords every month or so, you get stupid, easy to remember passwords. People will also write them down on Post-It notes and stick them to their monitor.

  20. WonkoTheSane
    Facepalm

    Some are too easy to spot

    I get "Phake Phish" emails too, but as I work for a UK subsidiary of a 'Merkin MegaCorp, any mention of 401K, IRS or Medicare is a dead giveaway.

  21. Eclectic Man Silver badge
    Facepalm

    Evidence

    Is there any chance of seeing the original phishing e-mail? How many clues does it contain to suggest it is not genuine? The parts quoted in the article would seem to be reasonable English, grammatically correct etc. Were any of the 'clues' that the e-mail was not genuine detailed in any recent anti-phishing training provided to the staff?

    Legally, if it was sent by 'an officer of the company' then it might just be legally binding on the employer to honour the offer of a bonus - what do el Reg's lawyers think?

    It would be 'interesting' to hear whether the company does indeed think their staff have worked hard during the Covid crisis and deserve thanks. If they don't think that, their public explanation is going to be one hum-dinger of a PR exercise.

    1. Robert Carnegie Silver badge

      Re: Evidence

      A children's book series that I enjoyed was adventures of Agaton Sax, a Swedish genius who often assisted British police. One story ultimately involved luring criminals to steal a large consignment of cash, which actually was fake banknotes but printed by the Bank of England so that the criminals would not know they were fakes. When the criminsls were foiled, Agaton Sax claimed that it was a narrow escape after all, because notes from the Bank of England would actually be genuine money. It's possible that he was joking,

      This time it's not very funny.

  22. Ken Moorhouse Silver badge

    If the email was from e.g., a gmail account...

    Then management could theoretically argue their point of view.

    However, if it was from the official email server of the company then, if I were the union shop steward, I would be recommending to members that they should not open any email whatsoever from their company, as it could also be a scam. There is no way to segregate what is genuine from what is fake so, therefore blanket ban everything until management come to their senses.

    1. ChipsforBreakfast

      Re: If the email was from e.g., a gmail account...

      Without the details of the message it's impossible to say whether it should or shouldn't have been spotted.

      Doing (as I have to do on occasion) phishing training/testing for companies is a very fine line. You need to make the message as realistic as possible but not so realistic it genuinely cannot be spotted. You also need to consider the target audience - for example a message I'd send to a bunch of trained IT support people would likely only have one, hard to identify, indicator as I'd expect them to have a much higher level of awareness and skills than most. A message going out to a group of office workers/managers would have more and easier to identify indicators in it.

      There is a lot of truth in the maxim 'Train hard, fight easy'

      1. Eclectic Man Silver badge

        Re: If the email was from e.g., a gmail account...

        Begin \SARCASM ALERT

        Maybe the solution is to refer all emails purporting to emanate from your employer's official email address to the company's official 'phishing reporting' team. And wait to see what response they make*.

        End \SARCASM ALERT

        *

        Ohh, hang on, the company's phishing reporting team will have an official company email address. But then, no one would fake that would they?

      2. Doctor Syntax Silver badge

        Re: If the email was from e.g., a gmail account...

        "a message I'd send to a bunch of trained IT support people would likely only have one, hard to identify, indicator as I'd expect them to have a much higher level of awareness and skills than most. A message going out to a group of office workers/managers would have more and easier to identify indicators in it."

        I'm not sure of the logic of this. You seem to think that genuine phishing emails to IT support would only have one hard to find identifier whilst those to managers or office workers would have several. I'd have thought that genuine phishing emails to anyone would have been made as hard to identify as possible irrespective of the target.

  23. General Purpose Bronze badge

    They do care

    Later on Monday, the Twitter account of their London Northwestern Railway brand tweeted

    Hello. West Midlands Trains does care about its employees mental health, yes. We have delegated colleagues inside (and recommended people outside) the business that we can speak to. We also receive encouraging emails reminding us how we can improve our mental health. 1/2

    Those encouraging emails can now go in the bin along with the lies about bonuses that have done so much for their mental health.

  24. L1st3r23

    IT Security always gets a bad rap.

    I work in IT and have been for 25 years. We routinely (monthly) send out phishing email tests and our biggest fails are always HR related phishing emails. Our first ever test for a baseline was one to update your employee information for payroll purposes it was a dismal 48% failure rate. It contained all the hallmarks for a typical phishing email, misspelled words, dodgy email spoofed to look internal, bizarre link to a .io domain...

    Needless to say after training users we are now hitting 6-10% failures when we send them out but HR related tests always bump the percentage up. My favorite is sending out emails with lists of employee's slated for termination that look like it is meant for directors. It has a bogus spreadsheet attached and when it is opened it throws a fake BSOD... Don't get many calls from that one from users though and it's usually a call that starts with you got me.

    We do get far more reports of suspicious emails even if they are not, but it is worth it to me. Also what we use automatically put failed user in a high risk users and generates training requirements for them to complete.

    All that being said I bet the headline would be far different and more critical of IT practices if it read West Midlands Trains operator crippled by Ransomware attack due to Lax IT training....

    1. Eclectic Man Silver badge
      Facepalm

      Re: IT Security always gets a bad rap.

      "My favorite is sending out emails with lists of employee's slated for termination* that look like it is meant for directors."

      I worked for an IT Security consultancy (long since taken over by a major IT/engineering company). Anyway, we provided consultancy in things like Information Security ISO27001**, how to secure your network including installation of the latest firewalls and ISO27001, and Business Continuity and Disaster Recovery Planning and ISO 27001 (did I mention we also did ISO27001?) Oh and were certified to ISO 27001 :o)

      So I was somewhat surprised that the WHOLE COMPANY got sent a spreadsheet to check that our holiday and sick leave was recorded correctly as the spreadsheet included listed not only EVERYONE'S sick leave but also the medical reasons provided (I did mention we provided ISO27001 consultancy, didn't I). Did I and everyone else really need to know that the senior company gasbag had taken 3 weeks off with stress?

      *I'm hoping that the poster means 'termination of employment', but then it has the USAfolk spelling of "favorite", so I'm not sure, we've all seen 'Goodfellas' after all ...

      **ISO27001 Standard for Information Security Management Systems, including data protection which includes protection of personal and sensitive personal data, like, e.g. medical data of identifiable individuals...

      (Am I overdoing the ellipsis?)

      1. Ken Moorhouse Silver badge

        Re: ISO27001

        The cobbler always wears the worst shoes.

      2. Anonymous Coward
        Anonymous Coward

        Re: IT Security always gets a bad rap.

        We once got an email from <senior manager> with an attachment that was swiftly recalled.

        This was followed by an email from on high saying to delete any copies, including ones in the deleted folder... followed by the office manager coming round to check everybody's PCs to confirm.

        Turns out the idiot had managed to email a copy of his remuneration to a large chunk of the company at some ungodly hour (so most of us never got to see it, shame!)

        (for some reason he swiftly moved on to pastures new...)

    2. grumpyoldeyore
      FAIL

      Re: IT Security always gets a bad rap.

      The last company I worked for - an SME with R&D and manufacturing in the UK and big sales in the US:

      1) Signed all employees up to PerkBox ( a ligitimate enterprise) but the invite emails came from Perkbox before the briefing from the company ......

      2) Signed all UK employees up to an online training portal but the invite emails came out before the company briefing....

      3) Changed the financial institution supplying the UK pension scheme but again failed to brief employees, not only before the invite emails came out but also before the switch had actually been made

      4) On at least 3 occasions the CFO (US based) sent out warnings to the whole company of fake invoice emails ... by forwarding the fake invoice emails with the live link .....

      5) We had to go through a mass password reset after the CEO (US based) fell for a phising email (possibly off the LinkedIn leak) and gave away her domain login credentials ....

      1. Doctor Syntax Silver badge

        Re: IT Security always gets a bad rap.

        "1) Signed all employees up to PerkBox ( a ligitimate enterprise) but the invite emails came from Perkbox before the briefing from the company ......"

        I worked for a large UK comms company (guess which!) which did the same thing with Amex. I'd already cut up the obviously fake Amex card before the briefing came round.

    3. Doctor Syntax Silver badge

      Re: IT Security always gets a bad rap.

      We routinely (monthly) send out phishing email tests

      If it's that routine surely they're easily spotted - "Last Friday of the month. The Phishing test should be along shortly."

      It contained all the hallmarks for a typical phishing email, misspelled words

      Depending on the quality of your HR staff this might be a strong indicator that it was genuine.

  25. Anonymous Coward
    Anonymous Coward

    Having worked in parts of the railway with over reliance on shared computers AND shared log-ins, I have seen:

    Peoples utility bills,

    Peoples Internet banking usernames,

    Peoples logins to social media,

    Peoples Netflix Accounts

    ..... and a credit agreement PDF for the purchase of an air rifle.

    So the fact that WMT managed to pull this off does not surprise me.

  26. Bryan Hall

    Brilliant

    I don't see anything wrong with it, that IS how people worm into a company with email. Great training for the gullible snowflakes out there.

  27. AndrueC Silver badge
    Meh

    They got phished...

    ...and fell for it.

    Unions can bleat all they want as can the staff but that's the bottom line here. Yes, using Covid is a dick move. Unfortunately dick moves are a speciality of phishers.

  28. Claptrap314 Silver badge

    Use a contractor

    Seriously, there are some things that you should not do yourself. Some newly-highered training manager is NOT part of the IT department. Any bets that this clown did not even have a proper sitdown with the security team before sending out this email?

  29. The Oncoming Scorn Silver badge
    FAIL

    Not Only But Also

    We as a company went through a spate of receiving emails once\twice a month regarding our pay rise, nobody was to my recall taken in by it.

    The classic was the female who gave away her credentials to view a invoice, after she had queried it with the phisher & told it was safe to proceed.

    The invoice said "Thank You" at this point she stated back to the phisher that she was suspicious that it was a (successful) attempt to gain her credentials (Penny still hadn't dropped).

    Three weeks later, she doesn't receive any emails for about 36 hours, receives phone calls & heads around office doors querying e-mails shes "sent out" & decides after shes gone home for the weekend to log a ticket regarding the non receipt of e-mails. Eventually when pressed she finally confesses that she "may have" given away her credentials into a One Drive portal.

  30. Winkypop Silver badge
    Facepalm

    If you’re going to tout a bonus via such a scheme

    Make sure there’s a genuine bonus for all at the end.

  31. Potemkine! Silver badge

    That's insensitive, but efficient. But insensitive. A good manager has to take into account he/she's dealing with human beings, and has to take care of their feelings.

    If that company had a little clever management, it would have given the bonus afterwards to everybody, explaining the people that registering to get one is not a standard policy, and educating on phishing. Giving a extra-bonus for the ones who didn't fell in the trap could be a good idea, but i guess the ones who missed the test would have protested anyway.

  32. Goitery

    Big blue did this as well, and was treated as a typical insensitive thing that they do (with RAs around).

    But the sort of front line work done by train workers means their job is far more risky, and I share their anger.

  33. rskurat
    Facepalm

    This isn't a crisis of PR, this is a crisis of employee stupidity. I think for the first time in my life I'm on the side of manglement.

  34. Binraider Bronze badge

    This is an interesting one. We have ran exercises with deliberate "signatures" of phishing mails to see what proportions a) just deleted it, b) reported it, or c) clicked on the link. But the lure was not quite so "tasty" as one promising a COVID thankyou bonus; a not implausible lure I have to say.

    It raises the question whether "important" corporate messages be sent by email at all?

    At one point we were considering a USB dead drop exercise of a similar nature; to see who is daft enough to plug in any random stick they find in the car park in... Though this was kyboshed by precisely the sort of concerns flagged here.

    The needs of the businesses have evolved beyond the technologies and ideas of 1980's email; it is surely time for a more suitable replacement to be developed?

  35. Ordinary Donkey

    Just putting my bofh hat on for a moment...

    If I were working in IT for West Midlands Trains and I was pissed off that management hadn't given us a bonus, but I didn't want to stick my neck out, what else might I do?

    I mean I could do something like this. I might hope that other people would have a strop on my behalf and the press would have a field day. As we can see people couldn't really blame me for a successful security check. Not and have it stick.

    The only missing step would be to persuade someone else in IT to actually send the emails. To be bofh level there should be no verifiable trail.

    1. Doctor Syntax Silver badge

      Re: Just putting my bofh hat on for a moment...

      "The only missing step would be to persuade someone else in IT to actually send the emails."

      Not in IT. In HR (two birds, one stone). You send them a phishing email as from the CEO telling them to do it. Being a BOFH it would, of course, genuinely be from the CEO's email account.

  36. 2Fat2Bald

    This does not seem classy behavior.

    What would really be funny would be if someone took them to court & the beak applied the logic that, since it was indeed sent by the organisation or their agents, it was actually a legally enforceable contract. The thing is, you can only take the "just a joke" get-out-of-contract card so far.... Sure you can claim later that you didn't mean it, it was just a test, just a joke or a mistake - but clearly at some point that becomes unreasonable & they clearly already have a contractual relationship of some sort with their staff. Of course life doesn't work like that, but it's a happy little thought on a Friday.

    1. jtaylor Bronze badge

      Completely agree. Phishing or other attacks are just not on.

      If it would be funny for the courts to disallow such training, would it be funny for them to disallow other safety training?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021