
they had a cunning original (not) plan...
https://medium.datadriveninvestor.com/the-lesson-of-godaddys-fake-christmas-bonus-email-phishing-test-ede2d171f266
UK rail operator West Midlands Trains sent an email to 2,500 employees to thank them for hard work during COVID and promised a one-time bonus as a reward, but that lovely news turned out to be phishing training. Needless to say, it did not go over well. The deliberately inauthentic email first thanked staff for their hard work …
So are the unions seriously expecting IT Security to send an email out with a disclaimer at the end (in small print of course) so that the potential victims have a clue? That's not what phishing is about, surely, or am I missing the point?
Conversely, I would have thought that any email alleging to have come from train company management praising employees and offering money was suspicious in itself?
I have. It was some stock options from a company I was working for that did a merger and IPO, and I had to decide if I was going to accept or reject the options, and then decide if I was going to invest since the options had a very short window to purchase or not purchase the stock at the IPO price.
I'd have lost less money if it was a scammer. I didn't lose the whole investment, only about 3/4 of it. If I'd bought Apple stock with that money instead and held it until now I'd have been a millionaire.
Agreed - I think the "right way" to play it would be to use a genuine bonus as an opportunity for a phishing test - as in all staff will get the bonus without needing to register, but then send out an email asking them to register and those that click it get reminded of the importance of not clicking phishing links.
I have in the past had to register for stock-based bonuses, but you can always tell it's a legitimate email/link by the 18 pages of boilerplate terms and conditions that make it look like spam.
I wish I had more thumbs to thumbs up.
Evil. Watch HR squirm as they then announce that there is in fact, no Covid Bonus after all.
It's so evil I might start spamming that one myself. I don't need an excuse to get one up on HR. Just an opportunity. (Never saving nor recording passwords of course, I use my evil powers for good).
My take is the same as yours. This is exactly the sort of enticement phishing can rely on to get people to click through. Getting them to click is the whole point.
But I do understand why the employees who fell for it would be less than thrilled.
But they didn't "fall" for anything. There was an email legitimately sent on behalf of the company promising a bonus. It may have been designed to look like a scam but those facts hold. If your employer says "do this and we'll give you money" are you not entitled to expect that money?
I'm reminded of the episode of Star Trek where a test was designed to see if some robots were alive. They initially appeared to have failed the test up until it was shown they had actually seen past the ruse and ignored it. You don't know the thought processes of the individuals involved so you are left with a simple promise made by whom it purports to be and the consequences of that promise.
Just because someone did it doesn't make it the company's decision or authentic. If I decided to mess with my colleagues by sending them such an email, my company didn't agree to do what I made up. For the same reasons, the security test can involve things without requiring other parts of the company being obligated to do something that was clearly not intended.
"it was an authentic email"
No it wasn't, it was a phishing test, and the email would likely not have been sent by the normal communications methods.
I have a filter on my work email which automatically sorts all the company phishing tests into a specific directory - makes a fun read every so often
Yes, it's a valid test. It's also a great way to remind employees that they have been put through a particularly difficult time with no recognition from their employer except for this use of the situation to support an internal security audit. Benefit worth the cost?
Exactly. The whole intention of a phishing attack is to make it both believable and tempting. The problem with many unions is that they will automatically consider any change to current conditions 'a bad thing' which needs all details to be communicated, discussed and agreed beforehand.
I am a security consultant and one of the security education services my company is working on will allow test phishing emails to be sent if the client wants that part of the package. As long as there are clues in the email that it came from outside the organisation I would consider it an acceptable test. On that basis, GoDaddy screwed up by sending it from a legitimate internal address and providing no clues at all that it was meant to be fake, but this one I would consider a valid test.
I'm sorry, how is it believable that you have to register for a company-wide bonus ?
Either the company gives the bonus, or it doesn't, but it does not make its employees register for one. I think that would be grounds for a lawsuit.
Not blaming the people who clicked the link, but I think this whole affair is going in the wrong direction.
Somebody should have complained about the principle.
"Not blaming the people who clicked the link"
Depending on how many clues there were to it looking like a genuine phishing email I might have to disagree with you.
Unfortunately, these days marketing departments seem incapable of sending out emails that don't look like phishing attempts and it wouldn't surprise me if HR departments weren't far behind so it might be a close call on how much it looked like a phish.
One of our customers spoofed one of our genuine email addresses to conduct an internal phishing test. And then some of their (blissfully unaware) users contacted us to warn us that someone had spoofed our email address.
I'm still surprised we didn't sue them for wasting our whole IT department's time for a full morning tbh.
re: "marketing departments seem incapable of sending out emails that don't look like phishing attempts"
My related pet peeve: aside from the breathless hyperbole describing the organization's latest doings, many places also use "customer management" email programs that turn any links in the text of the email into insanely long cloaked trackable things that should be ringing "dodgy link, do not click!" bells in recipients' heads. So I for one wonder how email users are supposed to learn not to click dodgy links when, if my inbox is any representation of "the world", the emailings of many municipalities, non-profits, and basically well-intended organizations contain just those very things as a side-effect of whatever mass-mailing programs they use and most recipients will not take the time to chase down the source to which the link should have led.
There are many situations when you would have to register for a company-wide bonus, particularly if it has tax implications or other potential downsides. Bonuses paid in stock are a good example: you are on the hook for the tax whether or not you make a profit on the stock, so it's possible you can lose money. If the stock is floated on an exchange in the US but you are not, then you will have to start filing tax returns in the US. Some people may not want that, especially if it's only for a few hundred quid.
"As long as there are clues in the email that it came from outside the organisation I would consider it an acceptable test."
My former employer had out-sourced several services which meant that, quite often, "legitimate" emails appeared to come from outside the organization. Still they would not accept that the sensible policy would be not to have click-through links in emails.
Been there, done that.
We had one a couple of years ago pertaining to offer staff an Amazon voucher, click on the link etc. Clearly to me (and others) it was a hoax as a) our outfit would never do that and b) our outfit would never do that. Ever. I even forwarded it to my Head of IT to let him know these things were out there (he replied and said it was a test).
However two things worthy of note.
Firstly some of my colleagues who did click felt they had been 'tricked' into taking the training that 'they don't really need' (yeah I know).
Secondly the genuine follow up email from the outfit hired to do the testing was the most shambolically written and presented email I have witnessed in ages. Utterly appalling. Courier font, no structure, brightly coloured text. It was like going back 20 years, and screamed spammer. It also included links to the training for everyone else to do should they feel the need to.
Yeah... there isn't any reliable way to tell a phishing attempt by writing style alone. You also can't trust the sender address; it can be spoofed.
My main rule is to ask someone I trust for verification, before visiting any URL with a public-usage domain or a domain I don't know (remember to look at the actual link, and not at what the text says), or answering to an address from any such domain (remember to look at the reply-to field, and not at the from field). That should cover most cases.
Also, I assume anyone who calls me on the phone and tells me he's from my (or any, really) bank/utility company/insurance provider/whatever is a scammer until he can prove otherwise. No, knowing my name, date of birth, or other easily obtainable information, is not proof.
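The checks the commenter above describes (look at the real link target rather than the anchor text, look at Reply-To rather than From) can be automated for a quick triage. The script below is an added example, not code from the original thread or from any of the companies discussed; the message, the organisation domain `example-rail.test` and the other hostnames are constructed for illustration. It flags a Reply-To domain that differs from the From domain, anchor text that shows one URL while the href goes to another host, punycode (`xn--`) hosts that may be homograph lookalikes, and any link host outside the organisation's own domain.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organisation's own mail/intranet domain.
INTERNAL_DOMAINS = {"example-rail.test"}

# Constructed sample message; the addresses and hosts are made up for this example.
SAMPLE_EML = b"""\
From: HR Team <hr@example-rail.test>
Reply-To: HR Team <hr-bonus@example-rail-rewards.test>
To: staff@example-rail.test
Subject: Your thank-you bonus - register by Friday
Content-Type: text/html; charset=utf-8

<html><body>
<p>Thank you for your hard work. Register here:
<a href="https://xn--80ak6aa92e.test/register">https://intranet.example-rail.test/bonus</a></p>
<p>Latest news: <a href="https://intranet.example-rail.test/news">Intranet news</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def is_internal(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def domain_of(addr_header) -> str:
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # Replies go to Reply-To, so a mismatch with From is the first thing to look at.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch: From={from_dom} Reply-To={reply_dom}")
    if from_dom and not is_internal(from_dom):
        findings.append(f"external-sender: {from_dom}")

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for text, href in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        # Anchor text that looks like a URL but whose host differs from the real target.
        shown_host = ""
        if text.startswith(("http://", "https://")):
            shown_host = (urlparse(text).hostname or "").lower()
        if shown_host and shown_host != host:
            findings.append(f"link-text-mismatch: shows {shown_host} goes to {host}")
        # Punycode labels hide non-ASCII characters that can mimic a familiar domain.
        if any(label.startswith("xn--") for label in host.split(".")):
            try:
                decoded = host.encode("ascii").decode("idna")
            except UnicodeError:
                decoded = "?"
            findings.append(f"punycode-host: {host} ({decoded})")
        if host and not is_internal(host):
            findings.append(f"external-host: {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print(finding)
```

On the constructed message this reports the Reply-To mismatch, the anchor text pointing at the intranet while the href goes to the punycode host, the punycode host itself, and that host being external; the genuine intranet link produces no finding. None of this proves a message is a phish, but every one of these tells is a reason to verify out of band before clicking, which is the rule the comment above lays out.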
A quick test I have with suspect emails is to begin to forward the email. That usually makes the nice friendly visible email address show its true nature - a bunch of random characters at a domain in Thailand.
My standard behaviour is to simply delete anything that looks in any way suspect.
As I mentioned to my advisor at the bank when she asked why I hadn't replied to her email. I told her that the bank messages are usually handled through the app/website, so a message by regular email claiming to be from the bank (without her name or the location of the bank in the sender or subject, and a generic subject line) was immediately deleted without even being looked at.
Funny how we're all supposed to be experts at online security, but at the same time willing to accept all these stupid and lazy exceptions.
If your CEO's password to the web mail portal is "number1ceo" then it's perfectly possible for e-mail from her actual account to be spam or spearphishing.
My work e-mail is text only - my choice - and I mousepoint at any URL in it to be shown where it really goes. But that can be disguised, too - funny character sets and so forth. So mainly I let someone else try first...
I would have thought they could have worded it differently and not related it to covid-19 as, if I've read it right, one of their staff died of it.
The simplest phishing email they could have sent out is one that spoofs a manager's address and asks for urgent help with something. Sadly I've seen that work with people replying & actually paying money as they didn't bother telling anyone. It was spotted they'd replied and given out their mobile number; the rest was then done via txt that we can't and don't monitor. I really wanted to know what went on in their head and why they never double checked first!
I've also witnessed a director fall for it when the spoof was the chief exec. Nothing better than seeing a director who is fearful of the CEO fall for a phishing email all because they want to "please (kiss arse)". Forgetting the phishing issue, they shouldn't have a fear of the CEO; CEOs need to learn not to be cunts like that one was.
Then there is nothing for staff to recognise and identify it as phishing. All you will get are lots of people failing the test.
Remember during phishing training they show a 'bad' email with an obviously bad URL and it came from an obviously fake domain? Well if staff don't see that then why would they suspect it?
An email that came from the director, from a valid looking domain, with a valid looking url and spelt correctly with legit content - why wouldn't staff click it?
Are you suggesting staff should report every email from senior management as suspicious?
It's exactly that mindset that makes end users complacent. First rule of phishing attacks, if it sounds too good to be true, then it usually is! One also never enters logon credentials if you do click on a link in an email.
Cyber security is everyone's responsibility.
The standard is that any legitimate email from outside the corporate email system needs a warning at least three business days in advance from the appropriate group inside the company, warning that the outside email will occur, including a description or mockup of the email to be received. If the emails are going to be regular/common, then state that in the warning email. If there is a response required, then that will be highlighted in the mail system, often with a second path warning of the coming emails that doesn't go through email, such as a notice through the supervisor.
If the email came from the corporate email system, then it was a bad test.
Modern phishing training that is any good does not talk about spelling mistakes or "obviously fake domains". They instead emphasize external sources, artificial sense of urgency and lack of corroborating emails from the official corporate email system.
Yes, I've worked at shops that implemented that rule, and it significantly cut down on the phishing damage.
“ Are you suggesting staff should report every email from senior management as suspicious?”
We do...
That’s one advantage of a non email central chat system being available. For us that’s slack, other options available.
Anything that is remotely dodgy gets checked.
A good phishing email balances on a knife edge. It needs to be sufficiently crap that someone trained to pick them out will automatically discard it without a second thought (perhaps not even open it) but plausible enough that an untrained individual will think it is legit.
This is why phishing emails always have typos or grammatical errors. It's a way of filtering down the targets without having to specifically target anyone.
Someone that can't easily spot the typos or grammatical mistakes is unlikely to spot that an email is a phishing attempt.
Actual phish emails I analyze haven't been typo riddled in a year or more. I see more typos and grammatical mistakes in the legitimate emails.
Also, spearphishes are very often crafted quite well, including personal references.
Don't train people on the exact wrong indicators.
A few years back my former employer ran a "better than usual" phishing test which caught out many. My annoyance with the whole matter of phishing was that by regularly sending out corporate emails that wanted the employee to click on a link, the company was setting up employees to fail.
Having a full intranet service the company had other ways of communicating with employees which would not have been co-mingled with external communications (and genuine phishing attempts).
But that seemed too much trouble. Ho hum!
I haven't ever gotten a well-written phishing email. Every single one has had bad grammar, etc. Usually with laughably-inauthentic website addresses.
My company does these phishing tests. Theirs are always WAY more convincing than the real thing. The first time, I researched the destination of the link and confirmed it was a phishing test company. Having verified that it was actually from my company, I clicked the link - and they claimed I "fell for it" and automatically signed me up for remedial infosec training. Never mind that I *knew* it was from the company, and didn't provide any personal details, etc - apparently all it takes to compromise their entire corporate network is for a lowly employee to click a single link, so the employee must be at fault, right?
"Having verified that it was actually from my company, I clicked the link - and they claimed I "fell for it" and automatically signed me up for remedial infosec training. Never mind that I *knew* it was from the company, and didn't provide any personal details, etc - apparently all it takes to compromise their entire corporate network is for a lowly employee to click a single link, so the employee must be at fault, right?"
Here's some more training. Don't click suspicious links. Clicking links and entering information is certainly worse, but just clicking the link can be a problem. It exposes you to whatever the page might have, including an attempt to steal an SSO token or even a possible (though very unlikely) zero-day in the browser. They were right to treat clicking the link as a partial failure.
"apparently all it takes to compromise their entire corporate network is for a lowly employee to click a single link, so the employee must be at fault, right?"
Unfortunately, yes. And that's the problem. Some low level employee in the housekeeping department of the hospital clicks on a link that triggers a ransomware lock down of the whole place. The problem is two-fold. The employee that clicks on links and the hospital's IT system that exposes the whole datacenter to attacks from something like a phishing email sent to a staff member.
"This is why phishing emails always have typos or grammatical errors."
I see loads of tripe generated by HR departments with horrendous spelling and grammatical errors. Even on the made up Biz-Speak carp they insist on using instead of proper words.
I agree that most phishing emails rat themselves out, but not all. I've been impressed with a few that were very close to being perfect outside of that one fatal mistake. I sanitize and send those around to the family so they are on the look out. I worry about my mom losing her retirement savings from something like this. We just went to the bank and set up another disconnected account she can use to pay bills so her other accounts are shielded a bit. The banking lady wanted to push overdraft protection but saw what we were doing and agreed. A large number of accounts at that branch are held by pensioners that live in the local senior community. Now she knows. My mom is pretty sharp but we have a plan to put more oversight on her money if she "dulls" a bit. She'll be in charge, but transactions over a certain amount will be held until I or my sisters review them.
You are being simplistic to the point of incorrectness. The attacks where spam is sent to massive lists use that tactic to try to filter out people at the first stage--if they're going to balk after interacting with the scammer, they've just wasted the scammer's time. When the list of targets is shorter, like the employees of a company, or when the goal is faster to attain, like just getting credentials, they want more people clicking right now. They can write well to get that to happen. They do this frequently and it works on occasion. Training must include this.
My last manager's emails were littered with spelling mistakes, grammatical howlers and 'general weirdness' (eg signed off 'thanks you')
While I agree that it's a good idea to test the response to phishing, they have promised a bonus and they should be made to honour it. OK, so make the failures pay by giving them less, but a bonus has been promised
they have promised a bonus and they should be made to honour it.
Who has promised a bonus? The head of IT security? Was that person authorized to award bonuses? Does every inauthentic email oblige the purported sender to fulfill the promises made in the email?
"For phishing to be any use it has to look dodgy; contain spelling mistakes, a really obviously bad url. Should staff have known a bonus was beyond reality and that was the clue?"
Have you ever seen phishing? Not the kind that gets sent to billions of addresses, but the more tailored kind? If they're sending it to a small number of people, they'll work on that. They'll figure out your name. They will figure out where you work and what their emails look like. They'll copy pages exactly. They'll identify who your boss is and impersonate them before sending instructions about where to redirect the payment. You have to figure this out by certain less obvious details. I have received such messages. I haven't fallen for them. There are people who need training that such messages can happen and that vigilance is necessary. You might be one of those people.
The method used in this case was regrettable, and people who fell for it and had expectations are understandably unhappy. Unfortunately, it's exactly the kind of phishing that people might try. I've seen COVID-themed phishing and it didn't do me the courtesy of being badly written.
"I've seen COVID-themed phishing and it didn't do me the courtesy of being badly written."
Before long there will be a major storm and that will be used as a pretext in a phishing email. Or a big fire. An international incident. The phishers use whatever they think might be a good lever to get people to do what they want.
I'd be very suspicious of the promise of a bonus. I'd expect that supervisors would make a mention of it first to the people under them. A note in the current pay packet. A prep email from the company that announces the bonus but requires no immediate action. If employee input is required, they are to contact their supervisor.
C-level and HR need to be expert in phishing tactics as well. They should never send regular communications out that in themselves look like phishing emails. They should also remind employees how they might request password changes or submission of personal/company info including what will never be done. The Social Security Administration in the US has to tell people constantly that they will never call people about fines and require payment immediately with gift cards. All communication is done via (indecipherable) snail mail notices. The same goes for pretty much every US government agency unless you call them first and are expecting a call back (good luck).
Our IT Security guys recently decided it would be a good idea to implement a new external domain to put all the security training on. They announced this by sending an email from said unknown external domain, inviting us to click on a link to register using our internal domain credentials before taking part in the training. Many people reported it as a phishing attack, cue stroppy mail from IT Security berating us for being so stupid as to not believe their email that ticked all the boxes of being a phishing attack....
Phish them back. Nothing too malicious, just direct them to a web site that plays the Monty Python music at top volume and can't be closed. Explain this specifically in the boring bit of the e-mail that they won't read, so they were given notice.
Email arrives in inboxes : "Dear team, please prepare full progress report of your work on big important railway project for meeting next week, The Boss"
Meeting starts.
"OK, let's start with progress reports - how is the track maintenance going?"
"Oh, I haven't done the report because I assumed it was a phishing email".
"Safety audit team?"
"Nope, we ignored the email too...."
"Everyone got the encouraging email about their mental health?"
Hello. West Midlands Trains does care about its employees' mental health, yes. We have delegated colleagues inside (and recommended people outside) the business that we can speak to. We also receive encouraging emails reminding us how we can improve our mental health. 1/2
Management have de-trained their employees. In pre-email times, you would not have expected to get any direct messages from the management, now they are spamming you every day, asking you to welcome new managers etc (don't think new managers appreciate getting their brand spanking new mailbox stuffed with 10,000 'welcome' messages from the grunts, so I've never seen the point of these).
Like the banks - "Oh, do be careful of spammers, you silly people" when most of them spent most of the last two decades (and some of them haven't stopped) phoning you up and asking you to "go through security", exactly normalising the behaviour they want you to avoid when anyone but them phones you up. All the time with the vast majority never coming up with any mechanism for proving that it's actually them ...
If I get an email from management, and it exhorts me to click a link, and the email's not auto-flagged by our mail system, and the link is internal, I'm not going to click it. Not because I suspect it's a phish, and not because I suspect it's a trick, but because I'm already bored out of my mind doing my own job and don't want to be even more bored doing something that doesn't even help me get my job done.
I use Rules in my corporate mailbox. Every time someone sends out something that has absolutely no bearing on my daily job, I set up a rule to shove it into a folder labelled "Ignored".
Given that I am a freelance consultant, and only log in when I am asked to by the customer, such rules are pretty easy to set up. If it doesn't concern the project I'm on, it's ignored.
"banks ...spent most of the last two decades (and some of them haven't stopped) phoning you up"
Some banks still do that by phone? Can you give an example - I might move my account there. All those I've dealt with have moved onto email.
I used to explain to the HSBC business bankers (sp?) that I'd told my bank that I wouldn't answer questions like that and, without confirming or denying that they were impersonating the right bank, they couldn't be my bank. This was routinely followed up a few days afterwards by a plaintive letter saying that they couldn't sell me anything help me.
Your bank calls YOU to ask for information???
My bank has a very strict "we will never call you and ask for information" policy. If they do need information they ask you to call the main number and then navigate a phone menu or something (or log into their online environment and navigate to XYZ). They always make the customer take the initiative and initiate contact through a method the customer should know to be safe. To the point where at one point when I had someone on the line from a bank (they called me back about something) when it came to verifying something they had to ask me to hang up, call the main number, press 9 repeatedly until I got a human on the line and ask to be connected to mister xxx at extension yyy of department zzz. Even though I knew I was talking to the right person about the right thing.
Calling me up and then demanding I pass 'security' is one of my pet hates.
The lucky ones get away with a polite 'No, I don't give personal information to random callers'. The unlucky (or those who persevere) get the full on lecture/rant about just how stupid they are being.
I've even had one insist that because the caller ID was from their published number (they will remain nameless to spare the blushes of their IT/security team who I'm certain know better) that I had to give them my details. I don't think my offer to call them back from their own CLI was particularly well received....
"Calling me up and then demanding I pass 'security' is one of my pet hates."
Yeah, the NatWest tried that one on me a few years ago.
I told them that if they really are who they claimed to be, they will have my account information so tell me any two direct debits and how much they are for.
Person began with excuses. I think they were trying to tell me they were sales and didn't have that information. I don't know, I just spoke over them to say "authentication failed" and hung up.
If you call ME then it is YOU that must pass "security", not the other way around.
"Calling me up and then demanding I pass 'security' is one of my pet hates."
The line I get in the US is to "confirm" certain bits of information. By that they mean they want me to give them that information. I always refuse telling them that they have that info and "confirm" means they give it to me and I am supposed to "confirm" that it is correct or false.
What really drives me nuts is when they want to have me jump through all of the hoops to "confirm" I am who I am when all I have is a simple, non-account related question about something. That and verifying my identity by the number I am calling from. It's too easy to spoof numbers and if somebody nicks your mobile and calls your bank, they might be given access to your accounts or let them order up another debit card. Your phone is then "found" and turned in to the business you were visiting when it went missing and you drop your guard. In the mean time, a shiny new plastic debit card is on its way to "your new address".
Yeah, I had that recently with $PENSION_COMPANY
Earlier this year I'd had an arranged online meeting to discuss pension arrangements with $COMPANY_PERSON1 which all went ok. She didn't indicate that I would be getting a follow-up call regarding how the meeting went.
Then, a few days later, I had a call on my mobile phone with the number withheld (alarm bell 1 goes off) from someone (let's call her $COMPANY_PERSON2) who claimed to be from $PENSION_COMPANY. She wanted to talk to me about my "recent contact" (very vague - alarm bell 2 goes off) with the company. She then asked me to provide answers to security questions. I refused and asked her to prove that she really was from $PENSION_COMPANY and why was she calling from a withheld number when this is now extremely frowned upon (though, I believe, not actually illegal). I thought it reasonable to ask her to provide me with either one of my policy numbers or some digits (and their positions) from one of those numbers. She refused saying it was personal information and, after getting in a bit of a strop about my refusal to do what SHE wanted, in the end hung up on me.
I immediately contacted $COMPANY_PERSON1 and told her about my experience. She agreed that it sounded very suspicious and asked if I wanted to officially report it, which I agreed to. She took the full details and said I would be hearing from someone in a few days.
A few days later I received a call from $COMPANY_PERSON3 from a number that was associated with $PENSION_COMPANY and, as he had details about the "rogue" call and other things that only someone from the $PENSION_COMPANY should have possessed, I was happy to talk to him. He apologised as it turned out that the "rogue" call HAD come from someone employed by $PENSION_COMPANY who was working from home but hadn't done as she should have and routed the call via $PENSION_COMPANY's normal phone network. We spent some time discussing ways in which $PENSION_COMPANY could improve their ability to prove their own identity when asked for it (mainly the same as I'd asked $COMPANY_PERSON2 to do, which he thought was a reasonable way of going about things).
Then he asked, "Is £75 compensation for all the hassle ok?" Having not expected anything of the sort, I readily agreed. This was duly paid into my bank account a few days later and, also around the same time, I received a package containing a written apology along with 2 bottles of wine and a box of chocolates!
So, I think the lesson there is, if you complain properly, you can actually get good results and a proper company will learn from its mistakes. I do wonder, though, what sort of reprimand $COMPANY_PERSON2 got!
"But what if you are a vegan recovering alcoholic? That's got to be grounds for further compensation."
and everybody you know is the same? There isn't anybody you'd like to have it off with that might be plied with wine and chocolates?
I was taught to always smile and thank people for their kind gifts. When I got older I was taken aside and quietly told that if the gift sucks/inappropriate/ugly, fob it off on somebody else. Even if the gift doesn't fit the new recipient, you have done your duty in the gift giving department and can wipe that social debt off of the ledger.
Cf. my HSA company (selected by my employer, probably based on "they're the cheapest"), who has a known issue with their website not showing the correct account balance, which often requires clearing cache and cookies... logging me out of every website everywhere in the process. And their only 2FA option is sending me an SMS, whose insecurity El Reg has written about multiple times. And the website help chat (or via email) can't do tech support, so I have to call them. And if THEY call ME, they expect me to authenticate using personal info...
My local police department has a blocked number. I knew it was them calling back late one night and mentioned that the ID was blocked and got a snippy "I know". I advised her that she shouldn't call back as I normally don't answer blocked ID calls.
What do they expect, phishers to send a nice header that says "THIS IS A PHISH!!!"
If they were using this as a screen to take disciplinary action against staff then it might be a bit rich but to identify areas for education tough, suck it up buttercup.
I've done the same exercises internally and had the same kickback, unions insisting that we were "entrapping staff" despite there being nothing at the end of a failed test except awareness training. Interestingly, those who pushed back hardest against training were usually the worst at spotting them.
I'm aware of one organisation that was forced to alert staff that a test was being carried out.
So, if the email and/or the link was obviously external I have less sympathy for the recipients. Well, I have sympathy on a personal level, obviously, but I don't think they have been treated unfairly. That is even more the case if the email was flagged by the mail system as a possible phish and they still persisted ... then even my personal sympathy starts to wane.
However, if the link is on the intranet that is, IMHO, a completely different story. You don't know the thought process the user goes through. "Hah, hah, this can't be true! *hovers link* Wow, what do you know? Maybe my company is following the example of Aldi, etc! *clicks*"
In the latter case, I think the recipient is completely justified in considering themself to have been mistreated by management. I think management would have to prove they had never, ever sent an email with a link to even have a chance of getting away with this, and I'll eat my riding hat if they can do that.
Also, any sensible management would have paid a small bonus anyway. "You're all getting an extra 20 quid, but you should have realised you wouldn't have to register for it - we know who's on the payroll ;-) Be careful not to click links! Love, management xx" - PR success instead of disaster and a phishing test that might actually get remembered.
I fell for a phishing test from my employer, an Indian IT services provider. My lame excuse (to myself) was that I was under pressure at the time doing several things at once and I confess that I did wonder about that particular e-mail at the time, but it _really_ did look similar to other e-mails that I had received. The outcome was an electronic rap on the knuckles and a requirement to retake my cyber security training.
They have since repeated the exercise at least three times, but the old adage of "once bitten, twice shy" is good in my case. Yes, I was embarrassed and yes, I was kicking myself, but lesson learnt.
In my case it was a bog-standard admin-style of e-mail; if it had been promising me a bonus, I wouldn't have clicked. However, as others have correctly pointed out, a real-life phisher would possibly mention money or some other vast riches.
Yeah it's very easy to just be on autopilot once and before you know it you've clicked on a link you'd avoid and report the other 99/100 times. Been there done that.
Fortunately most of the test phishy emails we get all use the same display email domain. And they all have the same domains (be it email or URL) in the headers. So mostly easy to spot and act accordingly. Every now and again they'll have a good attempt. But a lot of the work is undone when they've hired a US-based company to do all this and so you get some real Americanisms in emails purportedly coming from UK HR...
The vast majority of phishing emails that we receive (maybe most others get eaten by other spam defences first before they ever reach users, I don't know) seem to be either "Your account is about to expire, login here to reactivate your account", or "Your mailbox quota is full, login here to manage your account". Sadly, both of these are very good at sending some people into a panic, rather than thinking "Stop, and ask for help through normal channels" (which is what genuine automated emails about either scenario do).
Although they are getting better at spoofing the From: address, at least one of the From: or Reply-To: addresses is usually something like dodgygeezer@crappy-webmail.example.com, and the phishy link something like https://www.badly-secured-site.some-other-country.example.com/haxx0red-site/phishyphishy/eatme.html (the sort of thing that anyone can check without having to look at the message source/headers), but some people still get caught out.
But some of the fault has to belong to idiotic mail programs which don't show the email address along with the name in the From: line (which, although no guarantee that it hasn't been spoofed, at least rules out the obviously incorrect), or which don't make web link destinations clear when you hover over them.
My company recently introduced, but didn't announce, email protection of links in emails, which means the links are modified and now hundreds of characters long rather than a simple URL. The security team must have been mightily fed up replying to all of us forwarding them legit emails as 'spam'!
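The two checks described in the comment above (a From:/Reply-To: address outside the corporate domain, and a link whose visible text does not match where it really points), as an added Python illustration that is not the commenter's code. The sample messages and the `corp.example` domain are constructed placeholders.

```python
"""Score a raw email for the indicators discussed above: sender headers
outside the expected domain and hover-target mismatches in HTML links.
Added example; SAMPLE_MSG / CLEAN_MSG are constructed, not real mail."""
import email
from email import policy
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "corp.example"  # assumed corporate mail domain (placeholder)

# Constructed message mirroring the pattern the comment describes.
SAMPLE_MSG = b"""\
From: "IT Helpdesk" <dodgygeezer@crappy-webmail.example.net>
Reply-To: helpdesk@corp.example
To: staff@corp.example
Subject: Your mailbox quota is full
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox quota is full, login here to manage your account:
<a href="https://www.badly-secured-site.example.org/phishyphishy/eatme.html">https://mail.corp.example/quota</a></p>
<p><a href="https://intranet.corp.example/help">Help desk</a></p>
</body></html>
"""

# Constructed genuine-looking internal notice for comparison.
CLEAN_MSG = b"""\
From: "IT Helpdesk" <helpdesk@corp.example>
To: staff@corp.example
Subject: Maintenance window
Content-Type: text/html; charset="utf-8"

<html><body><p>Details on the <a href="https://intranet.corp.example/news">intranet</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def address_domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    """Hostname of a URL or bare host string, lower-cased ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def header_indicators(msg, expected_domain=EXPECTED_DOMAIN):
    """Flag From:/Reply-To: addresses whose domain is not the corporate one."""
    findings = []
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if value is None:
            continue
        for _name, addr in getaddresses([str(value)]):
            dom = address_domain(addr)
            if dom and not in_domain(dom, expected_domain):
                findings.append(f"{header}: {addr} is outside {expected_domain}")
    return findings


def link_indicators(html_body, expected_domain=EXPECTED_DOMAIN):
    """Flag external link targets and link text that shows a different host."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if not target:
            continue
        if not in_domain(target, expected_domain):
            findings.append(f"link to external host {target}")
        # Visible text that looks like a URL/host but resolves elsewhere.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but goes to {target}")
    return findings


def analyse(raw_bytes, expected_domain=EXPECTED_DOMAIN):
    """Return the list of indicator strings found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = header_indicators(msg, expected_domain)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += link_indicators(body.get_content(), expected_domain)
    return findings
```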
"seem to be either "Your account is about to expire, login here to reactivate your account", or "Your mailbox quota is full, login here to manage your account"."
The one I get a lot is about my visiting "adult" web sites and they have video of me "doing things". Uhhhhh, my desktop doesn't have a video camera/microphone and both are physically disabled on my infrequently used laptop. They did do a good job spoofing the email address to make it look like it came from my own account. At least until I look at the raw source.
"I confess that I did wonder about that particular e-mail at the time, but it _really_ did look similar to other e-mails that I had received. "
There have been some TV shows on people buying homes that were scammed after getting a message that they needed to send the final payment to the solicitor's new payment account. The email was faked with the graphics and format of the solicitor's office and looked identical to all of the notices they had been receiving during the whole transaction. I can't recall if they explained how the criminals knew about the transaction, but it was suspected that it was either through things put in the rubbish or some clever social engineering. There are so many people and so much paperwork involved in property purchases and sales, that it can be hard to keep track of who's who.
High value phishing will look very good. It's also getting worse as people abandon every form of communication outside of text and email. I'd want to place a call with the number I have and talk to somebody about a change in arrangements if there were a lot of money involved. Things like that are often spelled out in contracts and can't be changed through email.
What I found out was when your neighbour wants to carry out work on their property which involves "party walls" I got a whole load of surveyors vying for the business, writing (yes: through the post, no less!) to tell me what needed to be done and how they could assist. There must be some company that scours the planning applications at the town hall for submissions that mean money for anyone subscribing to their list.
For house purchases there will be conveyancing search requests made of the council asking questions about planned development work, etc. The flat I once owned had plans submitted for demolishing the houses either side of mine, plus the church at the back, which were a massive red flag to any potential buyer. Presumably these requests for searches are supposedly confidential, but could be picked up by anyone working in that department - and everything required to successfully scam the seller would be in there: solicitor's details, solicitor's reference, property address. Owner name would come from the electoral roll or elsewhere, hardly rocket science.
This is why people like myself and all cyber security professionals roll our eyes when end users out there say that they could never get caught by spear-phishing attacks. They all still think that the attacks have poor grammar and spelling and are glaringly obvious. This is NOT TRUE! Hackers and cyber criminals use semi sophisticated attacks such as these to gain access to sensitive corporate systems.
This is exactly the attack vector that has breached numerous countries' governments, health authorities, police networks, companies and yes, pipeline control systems, Colonial Oil in the States.
I use this type of attack on a regular basis and have caught hundreds of people out, just by dangling the right carrot in front of their noses. The head of the union, in this story, who complained that the test was "cynical and shocking stunt." and "totally crass and reprehensible" wants to wake up and smell what it is he's shovelling. This will hopefully educate end users that this is exactly what they can expect and that they need to think before they click!
Stop passing the cyber security buck to other people.... the buck stops with you!
They most often do, and that is a major factor in sorting the wheat from the chaff, but the truth is in the link.
If the link you're asked to click on does not obviously belong to the corporate address the mail is supposed to be from, then good bye, nice try.
But if the link is to a verifiable corporate domain and you come tell me that it was a phishing exercise, I will rip you a new one.
It depends on who the target is. If it's a matter of inveigling someone into sending money to qualify for a payment then, yes, they want to filter out those who'll suss it out and not waste their time on them. But for someone wanting to gain a foothold in a corporate network they have to look corporate themselves. They want someone who'll be fooled by good grammar and spelling.
Yes, if the complainants can prove that IT used an internal domain, then the complaints are more justifiable. I haven't seen that, but I'm doubting that was the case. This sounds like some people got annoyed that they were caught and now want to punish those who caught them.
You'd be all right with us. We get our "internal" invite to security training sent from companyname@penetration-education.co.uk and our regular staff satisfaction census from Pollcat.com. Absolutely no effort to make them look like genuine communications from management, which apparently they are.
Meanwhile, an online retailer's third party hosted customer survey received my impressions of the service, positive until that point, but did not receive my name and address for an alleged chance to win a substantial shopping voucher.
"But if the link is to a verifiable corporate domain and you come tell me that it was a phishing exercise, I will rip you a new one."
The easiest solution is to never send links in an email. I know the domain of my bank and can type it in with nary a breeze. I do not want them to ever send me a link since I will never click on it. I will click on a link once I have logged in and find a message in my messages for the account. Paypal has been doing stupid things like "verifying" me through my computer and simplifying my online experience by making it rare that I'll have to type in my user name and password. To reverse this, the only way to get to the F-off page is to click the link in the email they send... Grrrrrrrr. I call and bitch when this happens, but there is no way to keep them from NOT doing this. They don't get it that I don't EVER want it possible to NOT have to type in my user name and password to access my account. Since eBay is insisting they handle all monies now, I'll be packing up the PayPal account.
I was working for a large multinational, who should have REALLY known better.
An email circular arrived, completely unannounced, from an outside company.
The email was poorly written and stated that said company was looking after licence information for anyone driving a car on company business. We were asked to complete a form (downloaded from a URL that didn't seem to be applicable to either my employer or this outside company) and send a scan of my licence to a URL that was again apparently nothing to do with my employer or this outside company.
In short, ALL the hallmarks of a phishing scam.
I flagged the issue with HR, asking if the email was genuine - it was - and pointing out the glaring issues.
A year came and went and it was time for another round of driver verification.
EXACTLY the same happened.
They never learn, yet this was a billion pound international company.
"The email was poorly written and stated that said company was looking after licence information for anyone driving a car on company business."
I would respond with "none of your business". I wouldn't send anybody a copy of my DL or other documents just for the asking. If I were working for a company that provided vehicles for my use, I'd be ok with giving them a copy, but only on receipt of a privacy statement I approved of. Approval being based mainly on the information not being "shared" or made public or used for anything outside of verification of driving privileges/insurance. A third party agreement would be beyond the pale. I see it as just more useless outsourcing for some vague indemnification.
I created a spurious email account that had the real company name in it then sent a random selection of staff an email saying we were upgrading their computer to make it faster and asked them to send me their passwords.
25% did. One even admitted they thought it was a scam, but still sent it.
These were generally highly educated, well paid individuals, but obviously idiots.
On another occasion I went round and inserted key loggers into some machines to see what rubbish passwords they were using and to test their eyesight - some were left in plain sight. No one noticed, many were using stupid passwords.
I recall at least one very long day back on the helldesk twenty years ago wasting several hours trying to explain to a customer's CEO that no, I could not get the money he'd sent over to the Nigerian Prince two weeks earlier back. All while trying desperately not to use the term 'your own stupid fault'.
Often, more highly educated people are more vulnerable, since they're more likely to be in position where they get used to receiving legitimate emails asking for them to send money around. This idiot thought it was a genuine business opportunity because he got real business emails every day which weren't particularly different from this - emails sent from blackberries with awful spelling asking him to transfer 20 grand over.
There was a case here in the US where the scammers hooked the dean of a university and played him for multiple payments.
Yes, a Nigerian Prince kind of scheme and he kept paying hoping it would come true.
And one of my reports, an IT Manager, sold some cheap furniture on Craigslist here in Tennessee. He told me someone in California had bought it, accidentally sent a cashier's check for a couple thousand - and he was just supposed to send back the extra cash after shipping.
He didn't think it odd that someone would buy cheap, used furniture, and pay more than it was worth to ship it. And he was convinced that a Cashier's check was guaranteed to be good.
"And one of my reports IT Manager, sold some cheap furniture on Craigs List here in Tennessee"
I get that scam attempt all of the time when I post things on Craigslist worth a few bob. Even when I list that I'll accept cash only and won't ship. The reason I post things on CL is they are too heavy, fragile or awkward to ship and it would be easier to meet up with somebody face to face and exchange goods for cash.
I mostly see "Nigerian Prince" e-mails where my contribution is to be used to bribe people to divert money our way - in other words, to commit a crime myself apparently. I suspect this is to discourage me from going public when I realise I was the sucker.
Of course when you've been warned or you have seen more than a couple of these messages where you are the one person from a million that they chose to invite, then you don't fall for it anyway.
"No one noticed, many were using stupid passwords."
Good passwords are more of a chore to remember so when companies make it mandatory to change passwords every month or so, you get stupid, easy to remember passwords. People will also write them down on Post-It notes and stick them to their monitor.
Is there any chance of seeing the original phishing e-mail? How many clues does it contain to suggest it is not genuine? The parts quoted in the article would seem to be reasonable English, grammatically correct etc. Were any of the 'clues' that the e-mail was not genuine detailed in any recent anti-phishing training provided to the staff?
Legally, if it was sent by 'an officer of the company' then it might just be legally binding on the employer to honour the offer of a bonus - what do el Reg's lawyers think?
It would be 'interesting' to hear whether the company does indeed think their staff have worked hard during the Covid crisis and deserve thanks. If they don't think that, their public explanation is going to be one hum-dinger of a PR exercise.
A children's book series that I enjoyed was the adventures of Agaton Sax, a Swedish genius who often assisted British police. One story ultimately involved luring criminals to steal a large consignment of cash, which actually was fake banknotes but printed by the Bank of England so that the criminals would not know they were fakes. When the criminals were foiled, Agaton Sax claimed that it was a narrow escape after all, because notes from the Bank of England would actually be genuine money. It's possible that he was joking.
This time it's not very funny.
Then management could theoretically argue their point of view.
However, if it was from the official email server of the company then, if I were the union shop steward, I would be recommending to members that they should not open any email whatsoever from their company, as it could also be a scam. There is no way to segregate what is genuine from what is fake so, therefore blanket ban everything until management come to their senses.
Without the details of the message it's impossible to say whether it should or shouldn't have been spotted.
Doing (as I have to do on occasion) phishing training/testing for companies is a very fine line. You need to make the message as realistic as possible but not so realistic it genuinely cannot be spotted. You also need to consider the target audience - for example a message I'd send to a bunch of trained IT support people would likely only have one, hard to identify, indicator as I'd expect them to have a much higher level of awareness and skills than most. A message going out to a group of office workers/managers would have more and easier to identify indicators in it.
There is a lot of truth in the maxim 'Train hard, fight easy'
Begin \SARCASM ALERT
Maybe the solution is to refer all emails purporting to emanate from your employer's official email address to the company's official 'phishing reporting' team. And wait to see what response they make*.
End \SARCASM ALERT
* Ohh, hang on, the company's phishing reporting team will have an official company email address. But then, no one would fake that would they?
"a message I'd send to a bunch of trained IT support people would likely only have one, hard to identify, indicator as I'd expect them to have a much higher level of awareness and skills than most. A message going out to a group of office workers/managers would have more and easier to identify indicators in it."
I'm not sure of the logic of this. You seem to think that genuine phishing emails to IT support would only have one hard to find identifier whilst those to managers or office workers would have several. I'd have thought that genuine phishing emails to anyone would have been made as hard to identify as possible irrespective of the target.
Later on Monday, the Twitter account of their London Northwestern Railway brand tweeted
Hello. West Midlands Trains does care about its employees' mental health, yes. We have delegated colleagues inside (and recommended people outside) the business that we can speak to. We also receive encouraging emails reminding us how we can improve our mental health. 1/2
Those encouraging emails can now go in the bin along with the lies about bonuses that have done so much for their mental health.
I work in IT and have been for 25 years. We routinely (monthly) send out phishing email tests and our biggest fails are always HR related phishing emails. Our first ever test for a baseline was one to update your employee information for payroll purposes it was a dismal 48% failure rate. It contained all the hallmarks for a typical phishing email, misspelled words, dodgy email spoofed to look internal, bizarre link to a .io domain...
Needless to say after training users we are now hitting 6-10% failures when we send them out but HR related tests always bump the percentage up. My favorite is sending out emails with lists of employee's slated for termination that look like it is meant for directors. It has a bogus spreadsheet attached and when it is opened it throws a fake BSOD... Don't get many calls from that one from users though and it's usually a call that starts with you got me.
We do get far more reports of suspicious emails even if they are not, but it is worth it to me. Also what we use automatically put failed user in a high risk users and generates training requirements for them to complete.
All that being said I bet the headline would be far different and more critical of IT practices if it read West Midlands Trains operator crippled by Ransomware attack due to Lax IT training....
"My favorite is sending out emails with lists of employee's slated for termination* that look like it is meant for directors."
I worked for an IT Security consultancy (long since taken over by a major IT/engineering company). Anyway, we provided consultancy in things like Information Security ISO27001**, how to secure your network including installation of the latest firewalls and ISO27001, and Business Continuity and Disaster Recovery Planning and ISO 27001 (did I mention we also did ISO27001?) Oh and were certified to ISO 27001 :o)
So I was somewhat surprised that the WHOLE COMPANY got sent a spreadsheet to check that our holiday and sick leave was recorded correctly, as the spreadsheet listed not only EVERYONE'S sick leave but also the medical reasons provided (I did mention we provided ISO27001 consultancy, didn't I). Did I and everyone else really need to know that the senior company gasbag had taken 3 weeks off with stress?
*I'm hoping that the poster means 'termination of employment', but then it has the USAfolk spelling of "favorite", so I'm not sure, we've all seen 'Goodfellas' after all ...
**ISO27001 Standard for Information Security Management Systems, including data protection which includes protection of personal and sensitive personal data, like, e.g. medical data of identifiable individuals...
(Am I overdoing the ellipsis?)
We once got an email from <senior manager> with an attachment that was swiftly recalled.
This was followed by an email from on high saying to delete any copies, including ones in the deleted folder... followed by the office manager coming round to check everybody's PCs to confirm.
Turns out the idiot had managed to email a copy of his remuneration to a large chunk of the company at some ungodly hour (so most of us never got to see it, shame!)
(for some reason he swiftly moved on to pastures new...)
The last company I worked for - an SME with R&D and manufacturing in the UK and big sales in the US:
1) Signed all employees up to PerkBox (a legitimate enterprise) but the invite emails came from Perkbox before the briefing from the company ......
2) Signed all UK employees up to an online training portal but the invite emails came out before the company briefing....
3) Changed the financial institution supplying the UK pension scheme but again failed to brief employees, not only before the invite emails came out but also before the switch had actually been made
4) On at least 3 occasions the CFO (US based) sent out warnings to the whole company of fake invoice emails ... by forwarding the fake invoice emails with the live link .....
5) We had to go through a mass password reset after the CEO (US based) fell for a phishing email (possibly off the LinkedIn leak) and gave away her domain login credentials ....
"1) Signed all employees up to PerkBox (a legitimate enterprise) but the invite emails came from Perkbox before the briefing from the company ......"
I worked for a large UK comms company (guess which!) which did the same thing with Amex. I'd already cut up the obviously fake Amex card before the briefing came round.
We routinely (monthly) send out phishing email tests
If it's that routine surely they're easily spotted - "Last Friday of the month. The Phishing test should be along shortly."
It contained all the hallmarks for a typical phishing email, misspelled words
Depending on the quality of your HR staff this might be a strong indicator that it was genuine.
Having worked in parts of the railway with over reliance on shared computers AND shared log-ins, I have seen:
People's utility bills,
People's Internet banking usernames,
People's logins to social media,
People's Netflix accounts
..... and a credit agreement PDF for the purchase of an air rifle.
So the fact that WMT managed to pull this off does not surprise me.
We as a company went through a spate of receiving emails once or twice a month regarding our pay rise; nobody was, to my recall, taken in by it.
The classic was the female who gave away her credentials to view an invoice, after she had queried it with the phisher & was told it was safe to proceed.
The invoice said "Thank You". At this point she stated back to the phisher that she was suspicious that it was a (successful) attempt to gain her credentials (penny still hadn't dropped).
Three weeks later, she doesn't receive any emails for about 36 hours, receives phone calls & heads around office doors querying e-mails she's "sent out" & decides after she's gone home for the weekend to log a ticket regarding the non-receipt of e-mails. Eventually when pressed she finally confesses that she "may have" given away her credentials into a OneDrive portal.
That's insensitive, but efficient. But insensitive. A good manager has to take into account he/she's dealing with human beings, and has to take care of their feelings.
If that company had a little clever management, it would have given the bonus afterwards to everybody, explaining to the people that registering to get one is not a standard policy, and educating on phishing. Giving an extra bonus to the ones who didn't fall into the trap could be a good idea, but I guess the ones who missed the test would have protested anyway.
This is an interesting one. We have run exercises with deliberate "signatures" of phishing mails to see what proportions a) just deleted it, b) reported it, or c) clicked on the link. But the lure was not quite so "tasty" as one promising a COVID thank-you bonus; a not implausible lure, I have to say.
It raises the question whether "important" corporate messages be sent by email at all?
At one point we were considering a USB dead drop exercise of a similar nature; to see who is daft enough to plug in any random stick they find in the car park... Though this was kiboshed by precisely the sort of concerns flagged here.
The needs of the businesses have evolved beyond the technologies and ideas of 1980s email; it is surely time for a more suitable replacement to be developed?
If I were working in IT for West Midlands Trains and I was pissed off that management hadn't given us a bonus, but I didn't want to stick my neck out, what else might I do?
I mean I could do something like this. I might hope that other people would have a strop on my behalf and the press would have a field day. As we can see people couldn't really blame me for a successful security check. Not and have it stick.
The only missing step would be to persuade someone else in IT to actually send the emails. To be bofh level there should be no verifiable trail.
"The only missing step would be to persuade someone else in IT to actually send the emails."
Not in IT. In HR (two birds, one stone). You send them a phishing email as from the CEO telling them to do it. Being a BOFH it would, of course, genuinely be from the CEO's email account.
This does not seem classy behavior.
What would really be funny would be if someone took them to court & the beak applied the logic that, since it was indeed sent by the organisation or their agents, it was actually a legally enforceable contract. The thing is, you can only take the "just a joke" get-out-of-contract card so far.... Sure you can claim later that you didn't mean it, it was just a test, just a joke or a mistake - but clearly at some point that becomes unreasonable & they clearly already have a contractual relationship of some sort with their staff. Of course life doesn't work like that, but it's a happy little thought on a Friday.