A rail union has criticised West Midlands Trains for a ‘cynical and shocking stunt’ that involved sending out an email to employees that falsely promised bonuses, in an attempt to test their cyber security awareness.
On 21 April, the train operator sent 2,500 staff an email from ‘Finance and Payroll’ which thanked them for their hard work during the pandemic. It suggested they could expect a financial reward and a message of thanks from managing director Julian Edwards if they clicked on a link.
However, West Midlands Trains later revealed that it was a “phishing simulation test” which was designed by its IT team to test staff awareness of common email scam techniques.
Those who opened the email link later received an email from HR that read: “I am writing to confirm that this was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward to try and convince you to provide your details. This test was purposefully designed to closely mimic the tactics that, sadly, are being used on a daily basis by expert criminal organisations to try to gain access to company data and systems.”
The activity was described by the Transport Salaried Staffs’ Association (TSSA) as “totally crass and reprehensible behaviour”, given that employees had worked hard throughout the pandemic and the fact that one worker at the company has died and many others have fallen ill with Covid-19.
TSSA general secretary Manuel Cortes said: “This was a cynical and shocking stunt by West Midlands Trains, designed to trick employees who have been on the frontline throughout this terrible pandemic.
“They could and should have used any other pretext to test their internet security. It’s almost beyond belief that they chose to falsely offer a bonus to workers who have done so much in the fight against this virus.
“We need to know who sanctioned this email and we need an apology. Moreover, having fraudulently held out the prospect of a payment to staff, WMT must now be as good as their word and stump up a bonus to each and every worker.”
A West Midlands Trains spokesperson said: “We take cyber security very seriously, providing regular training on the subject and we run exercises to test our resilience.
“Fraud cost the transport industry billions of pounds every year. This important test was deliberately designed with the sort of language used by real cyber criminals but without the damaging consequences.”