"Worker bonus" announcement email was actually company phishing test; no bonus given

Originally published at: "Worker bonus" announcement email was actually company phishing test; no bonus given | Boing Boing


Needlessly alienating all your workers during a stressful time as part of a test: late-stage capitalist business management in action. As with the owners of fast food restaurants, the genius MBAs at this company will likely be very puzzled when they find that responses to their help-wanted ads start falling


I’d like to see what the phishing mail was like.
Had they used a ‘questionable’ URL or a company one, for instance, or a shortened URL?

Otherwise, whoever thought this up is going to have to receive some LART. (In the photo: a train engineer with the LART looking under the train.) :slight_smile: https://cdn.prod.www.spiegel.de/images/0bef8a60-0001-0004-0000-000000746747_w998_r1_fpx68.47_fpy54.91.jpg


Without the consequences to West Midlands Trains, that is. All their workers who thought they were getting bonuses, well, fuck them.


This is a good idea, incredibly poorly executed.

It’s a common phishing tactic to use people’s goodwill against them - for example, to send an email that says ‘Your required training is due, compliance is important, etc’. For big companies, this is a big tactic. Then you include some good looking template and a few legitimate links and a big fat fake one.

Basically: you send an email that looks banal but important. My company uses this tactic a lot in our screening campaigns; but you also should understand the context of the email you’re sending out. When you send out a phishing test that says ‘You have training to do RIGHT NOW’ and it turns out that you don’t…nobody loses.

When you send one out that says HEY YOU’RE GETTING A BONUS and you don’t, that generates incredibly poor results. This is a good learning opportunity for everyone else in IT.


The design of the email was just the sort of thing a criminal organisation would use

Well, they got that part right.


Management: “you actually thought we were just going to GIVE you money? Not only are we reprimanding you for undermining cybersecurity we are going to have to have a talk about your place at this company and what you’re entitled to. Spoiler: it’s NOTHING”


You can always tell phishing when the email portrays behavior that is completely out of character for the sender.

Like a company promising bonuses, for example.


Seriously, big companies will fuck you over, not offer bonuses. The only places I’ve worked that would offer their workers bonuses when times are tough are places where I’ve at least met the CEO. And even those places would certainly fuck over anyone not in a position to meet the CEO.


The testing we do via Knowbe4.com allows us to dial up or down how phishy a test email is, anywhere from grammar and spelling, to which domains it’s using, to how much it mimics a legit email from something like Netflix or Disney+ (that last one caught more people than we expected).

Our testing comes from sketchy, but similar email addresses (@google-mail.com or something like it), the links are always off our network, and super-long and sketchy, and ours do go to a login page to test who puts in information. It’s helped us identify some weaknesses in training with specific staff, and offer extra training. We never use it as punishment, nor embarrass anyone publicly.
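A defender-side illustration of the traits that post describes (a lookalike sender domain, links that leave the company network, very long URLs, and a link that lands on a login page), written as a heuristic scorer over a raw e-mail. This is an added example for this page, not code from KnowBe4 or from any of the posters; the company domain, the brand list, the thresholds and both sample messages are constructed placeholders.

```python
"""Heuristic scoring of an inbound e-mail for the phishing-test traits the
thread describes: lookalike sender domain, off-network links, very long URLs,
and links that lead to a credential page. Added example; all values are
constructed placeholders."""

from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed placeholders: the company's own domain and brands whose mail is
# commonly imitated in simulations (the post mentions Netflix and Disney+).
COMPANY_DOMAINS = {"example-rail.co.uk"}
BRAND_DOMAINS = {"google.com", "gmail.com", "netflix.com", "disneyplus.com"}
MAX_URL_LEN = 80                      # assumed threshold for "super-long" links
CREDENTIAL_WORDS = ("login", "signin", "verify", "password")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch single-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str | None:
    """Return the trusted or brand domain that `domain` imitates, or None if
    it genuinely is one of them (or a subdomain of one)."""
    domain = domain.lower()
    known_set = COMPANY_DOMAINS | BRAND_DOMAINS
    for known in known_set:
        if domain == known or domain.endswith("." + known):
            return None
    for known in known_set:
        label = known.split(".")[0]
        # "google-mail.com" embeds the brand label; "gmail.co" is one edit away
        if label in domain.split(".")[0] or levenshtein(domain, known) <= 2:
            return known
    return None


def link_findings(html: str) -> list[str]:
    """Inspect every anchor in an HTML body for the link traits listed above."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        target = urlparse(href)
        host = (target.hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip()
        on_network = any(host == d or host.endswith("." + d) for d in COMPANY_DOMAINS)
        if not on_network:
            findings.append(f"link leaves company network: {host}")
        shown_host = urlparse(shown).hostname if shown.startswith(("http://", "https://")) else None
        if shown_host and shown_host.lower() != host:
            findings.append(f"link text shows {shown_host} but points to {host}")
        if len(href) > MAX_URL_LEN:
            findings.append(f"unusually long URL ({len(href)} chars)")
        if any(w in target.path.lower() for w in CREDENTIAL_WORDS):
            findings.append(f"link leads to a credential page: {target.path}")
    return findings


def score_message(raw: str) -> dict:
    """Parse a raw RFC 822 message; return sender domain, findings and a score."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} resembles {imitated}")
    body = msg.get_payload(decode=True) or b""
    findings += link_findings(body.decode(msg.get_content_charset() or "utf-8", "replace"))
    return {"sender_domain": domain, "findings": findings, "score": len(findings)}


# Constructed sample imitating the "bonus" e-mail the thread discusses.
PHISHY_SAMPLE = """From: HR Team <hr@example-rail-mail.com>
To: staff@example-rail.co.uk
Subject: Thank you - your bonus is confirmed
Content-Type: text/html; charset=utf-8

<p>Click to confirm your bonus:</p>
<a href="https://example-rail.co.uk.bonus-portal.net/staff/login?tok=a9f3c7e1b2d4f6a8c0e2d4f6a8b0c2d4e6f8a0b2">https://hr.example-rail.co.uk/bonus</a>
"""

# Constructed benign sample: internal sender, internal link, no credential page.
CLEAN_SAMPLE = """From: HR Team <hr@example-rail.co.uk>
To: staff@example-rail.co.uk
Subject: Training portal
Content-Type: text/html; charset=utf-8

<p>Your annual training is available:</p>
<a href="https://hr.example-rail.co.uk/training">Training portal</a>
"""

if __name__ == "__main__":
    for name, sample in (("phishy", PHISHY_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, score_message(sample))
```

The score is a simple count of independent findings so that each trait is visible on its own; a real gateway would weight them and combine them with authentication results (SPF, DKIM, DMARC) rather than rely on the body alone.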


Similarly, employees should be encouraged to test the resilience of West Midlands Trains executives, and send them similar emails. Suggested subject headlines: “Boss, I just clicked on a dodgy link, and now my computer is acting funny, is that bad?”, “Mr. Strothmire, this is Jen from accounting. Todd and I just broke up, and I was wondering if we could meet for drinks…”, “I have the pictures of you and Jen from accounting fucking, and will send them to your wife”. “Tom, I just got pictures you meant to send to “Jen”. After 23 years of marriage, how could you, Tom, how could you?”. Similar emails could also be sent to the spouses, parents and clergy of executives, as social engineering is sometimes how hackers find their way in.


Add to this, did it come from a company address?


Somehow I envision this being used as a tool to pare down worker headcounts.

  1. Get phished (by IT)
  2. Disciplinary write-up
  3. Termination.

Note: There never was an attempt to make this a teachable moment. The worst offender was that the IT helpdesk wasn’t made aware of such an audit, and didn’t inform the users of the risk when a call comes in indicating that the email “looked sketchy” and what to do with it?

When this phishing test is used as a pre- and post-training assessment for vulnerability testing and training of the human element, that is a good thing. When it is used as a “political bludgeon” to weed out undesirables, without improving the underlying vulnerability, that company deserves a shakeup.


I have had a vendor send me unsolicited porn. I said “dafuq is this” and never heard from that vendor again :laughing:

That one’s actually super easy.

  1. “Hey Mr Strothmire, it’s Jen from accounting. I’m using a personal email you’ve never seen before, but y’know, gotta keep it off the servers…” etc etc. And Mr Strothmire gives you his personal email. Because if it’s off the servers it’s discreet, amirite?
  2. You can easily imitate Jen, because you know Jen and know her communication style. And because you know Mr Strothmire and you know he just ain’t that smart.
  3. Wait for dick pics
  4. Anything you want.

I once had to complete extra phishing training because I’d forwarded an obvious fake phishing email from our corporate IT to some co-workers, knowing they’d also know it was fake, because of the supposed sender’s name: “Santos L. Halper.” (Obvious Simpsons reference is obvious.)

I have never completed extra training so begrudgingly in my life.


A friend on an email chain (or was it FB?), a decade or so ago, accidentally sent a tender private PG related love note to “reply all” instead of just to her husband as she intended, and we all said “awwww”. That sort of incorrect address seems much more the exception rather than the rule.

Nothing like incentivizing your employees to throw a monkey wrench into the works, daily. Wish I was there to guide them along the way; I have a back catalog of mutinous doings.


The union rep had to sensationalize this “…a wrong which has needlessly caused so much hurt.”

So… Did people alter their lives b4 clicking the freaking button? Did they???

Article neglected to link to its source: https://www.theguardian.com/uk-news/2021/may/10/train-firms-worker-bonus-email-is-actually-cyber-security-test