A company told about 2,500 employees they were getting a bonus during COVID-19 – but it was just a phishing test

cybersecurity
A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris April 15, 2014.

  • UK train operator West Midlands Trains sent an email to about 2,500 employees offering a bonus.
  • The email was actually a phishing test that “used both the promise of thanks and financial reward.”
  • WMT has since been slammed by the Transport Salaried Staffs’ Association for its “cynical and shocking stunt.”
  • See more stories on Insider’s business page.

UK train operator West Midlands Trains is facing backlash for sending its employees a “crass and reprehensible” cybersecurity test disguised as a bonus announcement for working through COVID-19.

On April 12, about 2,500 West Midlands Trains employees received an email from the company thanking them for their work through the “huge strain placed upon a large number of our workforce as a result of COVID-19,” according to the email posted by Transport Salaried Staffs’ Association, a travel and transportation union that represents some of WMT’s staff.

“This has not been easy for any of us and we would like to offer you a one-off payment to say thank you for all of your hard work over the past 12 months or so,” the email said.

Recipients were instructed to click on a link that had a note from Julian Edwards, the WMT’s managing director, and information about the bonus. But after clicking through, employees received a follow-up email from the company notifying them that they had fallen for a phishing test that “used both the promise of thanks and financial reward,” according to a copy of the follow-up note posted by the TSSA.

“This important test was deliberately designed with the sort of language used by real cybercriminals but without the damaging consequences,” a West Midlands Trains spokesperson told Insider in an email. WMT has “regular” trainings and exercises on cybersecurity, the spokesperson continued, noting that “fraud costs the transport industry billions of pounds every year.”

Read more: Investors sunk billions into these 14 cybersecurity startups as the pandemic and massive hacks like SolarWinds made the industry more vital than ever

However, TSSA has since slammed the train operating company and its “crass and reprehensible” phishing test for being a “cynical and shocking stunt.”

“It’s almost beyond belief that they chose to falsely offer a bonus to workers who have done so much in the fight against this virus,” Manuel Cortes, TSSA’s general secretary, said in a press release. “Our members have made real sacrifices these past twelve months and more. Some WMT staff have caught the disease at work, one has tragically died, and others have placed family members at great risk.”

West Midlands Trains isn’t the only company that has received backlash for sending its employees a phishing email disguised as a bonus. In December 2020, GoDaddy also sent its employees a similar phishing test pretending to offer a $650 holiday bonus. Employees who fell for the scam then had to retake the company’s “Security Awareness Social Engineering training.”

Read the original article on Business Insider