‘They risk damaging confidence’: A Canadian health board outraged staff with phishing tests offering paid leave – experts say it shows why you need to be careful with cyber awareness campaigns

Phishing tests require a delicate touch, emulating realism while not “exploiting goodwill”


Security experts have urged organizations to take a more considerate approach to cyber awareness training after a Canadian health board sent emails to staff offering paid leave as part of a phishing test.

Ron Johnson, interim chief executive at Newfoundland and Labrador Health Services, apologized for the phishing test last week, admitting the emails were sent in poor taste.

“We acknowledge the approach taken in this particular exercise was not appropriate, and we sincerely apologize to employees, physicians, and union representatives,” he wrote.

The phishing simulation sparked a backlash after being circulated to hundreds of employees, and has since led to a review of future activities, Johnson added.


“We value the feedback and are reviewing how future awareness exercises are developed and communicated,” he said.

“It is important they reflect employee and physician perspectives, as well as our organizational values to foster a respectful and supportive workplace culture.”

This isn’t the first time an organization has been forced into a U-turn after a controversial phishing test campaign.

As ITPro reported in late 2024, the University of California Santa Cruz (UCSC) was heavily criticized for a “tone deaf” campaign which used a fake Ebola virus track and trace alert.

The campaign caused a panic on campus and was highly convincing, even employing links to a fake webpage set up to support those affected by the “outbreak”.

Phishing tests are a vital part of cyber hygiene

While this particular incident sparked ire among employees, phishing tests are common practice among cybersecurity professionals as a way to ensure staff remain vigilant to potential security threats.

Phishing attacks, in particular, are a leading cause of breaches at organizations across a range of industries – and the healthcare sector specifically is a prime target for cyber criminals.

Add AI into the equation, and the threat landscape faced by enterprises today is becoming increasingly perilous, with threat actors using the technology to refine their techniques and craft highly convincing emails.

Rob Anderson, head of reactive consulting services at Reliance Cyber, told ITPro that the “best phishing exercises are realistic” – after all, they are intended to emulate the tactics used by cyber criminals.

"They should use the same sneaky tactics that threat actors may use, hopefully triggering the trained, instinctive suspicion we want staff to develop when handling unexpected emails,” he said.

“However, there is a fine line. Nobody likes to be made a fool of, especially at sensitive times.”

Anderson pointed to a phishing exercise by one UK police force’s Information Protection Unit, which circulated emails targeting staff in a typical fashion. Those who fell foul were met with a message stating: “whoops, you’ve failed this training”.

In this instance, Anderson said the Information Protection Unit had “failed to read the room”.

“A week earlier, the force had announced a restructure, with likely compulsory redundancies and transfers,” he said. “Police officers can be a vocal and cynical bunch, and they made their feelings known.”

A delicate balancing act

It’s here that phishing tests often become a delicate balancing act, according to Simon McNally, identity and access management (IAM) technical director at Thales.

Ultimately, cybersecurity professionals need to ensure that simulations are “realistic enough to reflect the tactics attackers use” without “exploiting goodwill”.

“Scenarios involving pay, bonuses, annual leave, personal hardship, or other highly sensitive employment matters should be approached with caution, as they risk damaging confidence in legitimate internal communications,” he told ITPro.

Anderson echoed McNally’s comments, adding that human resources (HR), communications, and senior leadership should be consulted before campaigns go live.

Ultimately, McNally said the NL Health Services incident should serve as an example to other organizations hoping to keep staff on their guard in light of rising threats.

“There is a place for phishing simulations as part of building cyber awareness, especially as attackers routinely use such techniques. However, it’s vital that these exercises do not come at the expense of trust between employer and employee. Trust is a critical component of security culture,” he said.

“If awareness programs leave employees feeling misled, embarrassed or manipulated, organizations risk undermining the very behaviors they are trying to encourage.”


Ross Kelly
News and Analysis Editor
