A company told about 2,500 employees they were getting a bonus during COVID-19 – but it was just a phishing test


  • UK train operator West Midlands Trains sent an email to about 2,500 employees offering a bonus.
  • The email was actually a phishing test that “used both the promise of thanks and financial reward.”
  • WMT has since been slammed by the Transport Salaried Staffs’ Association for its “cynical and shocking stunt.”

UK train operator West Midlands Trains is facing backlash for sending its employees a “crass and reprehensible” cybersecurity test disguised as a bonus announcement for working through COVID-19.

On April 12, about 2,500 West Midlands Trains employees received an email from the company thanking them for their work through the “huge strain placed upon a large number of our workforce as a result of COVID-19,” according to the email posted by Transport Salaried Staffs’ Association, a travel and transportation union that represents some of WMT’s staff.

“This has not been easy for any of us and we would like to offer you a one-off payment to say thank you for all of your hard work over the past 12 months or so,” the email said.

Recipients were instructed to click on a link that had a note from Julian Edwards, WMT’s managing director, and information about the bonus. But after clicking through, employees received a follow-up email from the company notifying them that they had fallen for a phishing test that “used both the promise of thanks and financial reward,” according to a copy of the follow-up note posted by the TSSA.

“This important test was deliberately designed with the sort of language used by real cybercriminals but without the damaging consequences,” a West Midlands Trains spokesperson told Insider in an email. WMT has “regular” trainings and exercises on cybersecurity, the spokesperson continued, noting that “fraud costs the transport industry billions of pounds every year.”


However, TSSA has since slammed the train operating company and its “crass and reprehensible” phishing test for being a “cynical and shocking stunt.”

“It’s almost beyond belief that they chose to falsely offer a bonus to workers who have done so much in the fight against this virus,” Manuel Cortes, TSSA’s general secretary, said in a press release. “Our members have made real sacrifices these past twelve months and more. Some WMT staff have caught the disease at work, one has tragically died, and others have placed family members at great risk.”

West Midlands Trains isn’t the only company that has received backlash for sending its employees a phishing email disguised as a bonus. In December 2020, GoDaddy also sent its employees a similar phishing test pretending to offer a $650 holiday bonus. Employees who fell for the scam then had to retake the company’s “Security Awareness Social Engineering training.”

Read the original article on Business Insider

What is cybersecurity? A guide to the methods used to protect computer systems and data

Cybersecurity is the protection of computer systems from cyberattacks and is a rapidly growing industry.

  • Cybersecurity is the practice that protects computer technology and data systems from attack.
  • It’s a huge, multi-billion dollar industry and consists of many kinds of security practices.
  • The threat landscape is always evolving, but current threats to cybersecurity include malware, phishing, and denial-of-service attacks.

Cybersecurity is the practice of protecting all forms of computer technology from malicious attacks. It includes the preservation of computers, servers, mobile devices, networks, applications, and data in the event of damage, destruction, and unauthorized access. As an industry, cybersecurity is enormous and growing to help protect everyone from new and evolving threats.



Sequoia Capital, one of Silicon Valley’s most notable VC firms, told investors it was hacked


One of Silicon Valley’s oldest and most venerable VC firms was hacked.

Sequoia Capital told its investors on Friday that some personal and financial information may have been accessed by a third party after one of its employees fell victim to a successful phishing attack, according to a report in Axios Friday. 

Sequoia told investors that it has not yet seen any indication that compromised information is being traded or otherwise exploited on the dark web, Axios reported.

A Sequoia spokesperson confirmed to Insider Saturday that it had “recently experienced a cybersecurity incident” that its security team was investigating. It had also notified law enforcement and was working with outside cybersecurity experts, the firm said.

“We regret that this incident has occurred and have notified affected individuals,” a Sequoia spokesperson told Insider. “We have made considerable investments in security and will continue to do so as we work to address constantly evolving cyber threats.”

Sequoia’s investors are called limited partners, and typically include large financial institutions such as university endowments, private family wealth offices, or sovereign wealth funds, but rarely do firms share information about their investors publicly.

Sequoia Capital is one of Silicon Valley’s oldest and most successful venture capital firms with more than $38 billion in assets under management, according to Pitchbook data. The 49-year-old venture capital firm has invested in companies such as Airbnb, DoorDash, and 23andMe. It has also invested in cybersecurity companies like FireEye and Carbon Black, according to its website. 

It does not appear that the hack was connected to the SolarWinds attacks, which included a larger breach of FireEye and have impacted government agencies and large technology companies like Microsoft.


GoDaddy sent an email to employees announcing a surprise holiday bonus. It was really a phishing email test, and those who failed were invited to get more security training


  • GoDaddy is under fire for sending employees an email announcing $650 holiday bonuses.
  • The email was actually a phishing test.
  • “To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th,” the email read.
  • Employees who failed the phishing email test were invited to retake the company’s security training instead.

The world’s largest domain registrar and web hosting company, GoDaddy, is facing backlash for duping employees with a phishing test disguised as a holiday bonus announcement.

On December 14, GoDaddy employees received an email from the sender happyholiday@Godaddy.com, titled “GoDaddy Holiday Party,” according to The Copper Courier.

“2020 has been a record year for GoDaddy, thanks to you!” the email continued, “though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!”

Recipients were asked to submit personal information by December 18. Phishing emails typically prompt unwitting people to reveal personal or financial information which could then be used with malicious intent.

A Dec. 14 email sent to hundreds of GoDaddy employees offering a holiday bonus, which was actually a phishing test.

Multiple GoDaddy employees shared the email with The Copper Courier; the email included a snowflake banner in the theme of a holiday party invite.

Two days after the announcement was sent, at least 500 employees received an email from the company’s chief security officer, according to The Copper Courier. 

“You’re getting this email because you failed our recent phishing test,” the company’s chief security officer Demetrius Comes wrote in the email. “You will need to retake the Security Awareness Social Engineering training.”

Companies regularly use methods to teach employees about computer safety. Security breaches can have a disruptive effect on businesses and expose people to identity theft.

GoDaddy did not immediately respond to a request for comment.

In 2020, GoDaddy reported “record customer growth” and said it had surpassed 20 million customers, but the company has not escaped hardship. The company has had to lay off or reassign hundreds of employees throughout the pandemic.
