Rail operator branded 'crass' after worker bonus email is 'phishing' test

West Midlands Railway had sent the email as a 'phishing' exercise to test their employees' cyber security proficiency

A railway union has branded a train company “crass” after it sent an email to thousands of its employees promising a pay bonus, when the message was actually a “phishing test” to check its cyber security.

West Midlands Trains emailed 2,500 of its workers with a message offering a one-off payment as a “gift” to “inspire” them to keep up the “good work” during the pandemic.

But those who clicked through on the email, sent on behalf of the company’s director Julian Edwards, received a second email informing them it was a “phishing simulation test” designed by the company.

“This was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward,” the email read.

Manuel Cortes, general secretary of the Transport Salaried Staffs’ Association (TSSA), lambasted the exercise as “crass and reprehensible”.

Mr Cortes said: “This was a cynical and shocking stunt by West Midlands Trains, designed to trick employees who have been on the frontline throughout this terrible pandemic – ensuring essential workers were able to travel.

“It’s almost beyond belief that they chose to falsely offer a bonus to workers who have done so much in the fight against this virus.

“Our members have made real sacrifices these past 12 months and more. Some WMT staff have caught the disease at work, one has tragically died, and others have placed family members at great risk.”

The TSSA has demanded that West Midlands “stump up” a real bonus for its employees in recompense for the “needless wrong which has caused so much hurt”.

A spokesman for West Midlands Trains confirmed that their employees had not received a bonus.

He said: “We take cyber security very seriously, providing regular training on the subject and we run exercises to test our resilience.

“Fraud costs the transport industry billions of pounds every year. This important test was deliberately designed with the sort of language used by real cyber criminals but without the damaging consequences.”

In December last year, GoDaddy, the world’s largest domain registrar and web-hosting company, had also duped its employees with an emailed phishing test disguised as a bonus.

The recipients had been promised a $650 one-off payment if they submitted their personal information in response to the email.

Days later, those who had responded were emailed by the company’s chief security officer informing them they had “failed” the phishing test and would have to retake the company’s Security Awareness Social Engineering training.