"Worker bonus" announcement email was actually company phishing test; no bonus given

I’ve been looking to do simulated phishing at work, what to do and best practices. One thing EVERYONE agreed on, was not to do this shit.


Well, they might have had a milisecond or so where they thought they were actually appreciated as human beings before having their status as alienated worker drones reinforced and their noses pressed firmly back to the grindstone.


Tell me, how would you like it if your boss pulled you into his office, promised you a raise and a promotion, and then said SIKE and started laughing hysterically?


According to Webroot their website warrants a caution: “This site may contain content that could affect your online security.”

So, not that seriously.


I’m partially responsible for running phishing simulations like these at my company. I have mixed feeling about them. On the one hand, they do reduce response rates if you run them repeatedly and track the change, so presumably they’re doing some real good. On the other, you’re basically spending employee goodwill to do it, and you should be using 2FA anyway.

Regardless, I can’t imagine who thought that this particular theme was a good idea.


I think the employee goodwill part really depends on your company culture. At least at mine, management and leadership all take security pretty seriously and this sort of thing is part of your job. As long as they’re not doing anything particularly shitty (for example: see article :stuck_out_tongue: ) this shouldn’t really be a real goodwill issue.


I’m sure he’s referring to the fallout from the bad press, potential impact on executive bonus, etc. Not that a train operator has to worry much about PR. You can’t likely take “the other train” . Their operating contract will be up some time, though, there’s that


@pesco Got any hyperlinks for the sources in this story?

Also, they may find that some pissed off worker who in planning on leaving the company posts passwords etc… in a public forum, then quits.

We regularly get phishing tested (and they’re very very stupid) at my company, and I can’t imagine it being so shitty as to be related to a non-existent bonus.

1 Like

Damn straight. This company needs a little visit from the Bastard Operator from Hell -.-’ .


Providing another data point for the proposition that there is always an xkcd, this reminded me of the end of the title text on this comic, specifically how the practice “isn’t just lying–it’s like an example you’d make up if you had to illustrate for a child why lying is wrong.”


I guess my auto response to any emails from corporate (that escaped my spam filters) would be to look at the subject line, and delete them immediately.

If someone wants to give me a bonus, they would either contact me via immediate management, or have a meeting established which someone would put on my calendar.

Why are you asking this? It was an email.

I think you’d make a good union rep.

Did you neglect to mark your post /s?

There’s always a “/s” element to everything I say, but in fact negative PR potentially impacts everyone in a company. I think the fact that this story got the coverage it did demonstrates this was widely perceived in a negative way. I know nothing about the nature of the contracts to operate rail systems in the UK, perhaps there is no chance negative perception will affect the profitability or future of West Midlands. If so that in itself is troubling

1 Like

I got this same email where I work, but with a preface instructing me to forward it as an attachment to our abuse email. Which kind of ruins it as a test, if they tell you IN THE EMAIL what you’re supposed to do. I thought it was weird.

That wasn’t the test. The test will arrive in a few days.

Since the company did actually send these out, and they were only fake phishing attempts, the company should be forced to honor the bonuses that were promised. They made a promise, and they should have to live up to it.

This topic was automatically closed after 5 days. New replies are no longer allowed.