Train firm slammed over 'bonus' phishing test

A train operated by the West Midlands Trainline parked in a station

Bosses at West Midlands Trainline are facing a backlash after they used the promise of a company-wide bonus as a lure in a phishing simulation test.

Julian Edwards, the managing director of the train operator, emailed the company's 2,500 employees with a message saying it wanted to thank them for their hard work during the pandemic, according to the Guardian.

The email promised a one-off payment, but those who clicked the link for the bonus received a message telling them it was a "phishing simulation test" designed by the firm's IT team to entice employees.

The leader of the Transport Salaried Staffs Association, Manuel Cortes, called the email "crass and reprehensible", according to the Guardian, especially considering many of the people who work for West Midlands Trainline have had to do so on the front line throughout the pandemic.

However, while the initiative isn't ideal in the current climate, there's often a balance between upsetting the business vs what a malicious attacker would consider, according to Scott Nicholson, the co-CEO of cyber security firm Bridewell Consulting

"In reality, malicious phishing campaigns will devise the content that is most likely to achieve success," Nicholson told IT Pro. "However, on the other hand, there are many other topics that can be used and techniques to improve user behaviour and phishing defence, detection and response.


Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security


"In this instance, employees will understandably feel frustrated and I wonder whether key business stakeholders were aware of the content and topic beforehand. Often, when developing internal phishing awareness campaigns, it is useful to have a small group of key stakeholders agree on phishing content so that an organisation can reduce the risk of phishing attacks but without demotivating or upsetting the workforce."

Nicholson added that phishing simulations are an essential awareness tool but he also warned that they should not be solely relied upon. The content of the attack requires careful consideration, he said, as businesses can achieve the same outcomes without upsetting their employees.

Bobby Hellard

Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.

Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.