That phishing test…

News and information from the Advent IM team.

You cannot fail to have noticed the coverage of a recent security awareness training event that has polarised opinions. (If you want to read about it in full, I will post a link at the end)

Briefly, West Midlands Trains, in a responsible bid to increase the security awareness of its employees, tested their resistance to phishing with an email. The email invited them to click a link in order to secure a thank-you bonus, which, it stated, was to thank them for their hard work during Covid. There was no bonus; it was a test to see who would click the link, run as a training exercise within a security awareness programme. It has been widely condemned by unions and workers alike.

If you work in security then you will be painfully aware that this is exactly the kind of email that a cynical and hardened criminal would send. Phishing campaigns are commonly run by organised crime gangs that have no regard whatsoever for people and are happy to pull every lever and press every button to get what they want. An immediate response is key to the success of any phishing campaign: the top priority is to stop the brain/mouse interface from working and get the recipient to click without thinking. Email is a very successful and effective delivery system for malware, so you can understand the need for West Midlands Trains to get some control over how their employees behave with it. From a security perspective, the content is about the level we would expect; criminals have embraced Covid and all the opportunities it has afforded them.

But the problem here is that this was a training exercise, carried out on people who had indeed worked very hard through some incredibly trying circumstances. They are real people who may have dealt with death and sickness, alongside the fear of infection, every day of the pandemic. Choosing a Covid bonus as the subject for this exercise feels, at best, tone-deaf. Security awareness training needs to be embraced and adopted by all organisations, and the negative coverage this has attracted is really counterproductive.

Playing Devil's Advocate, I would suggest the intent was good. Very good, in fact, because this is precisely the kind of trick that users need to understand. But we must always consider the welfare of the people we are trying to support. This is not the way to win the hearts and minds of users and employees, which is what all organisations need to do with their security awareness programmes.

Read about this incident.
