A British trade union is demanding an apology from the West Midlands Trains rail company for running a phishing readiness test disguised as a bonus payment reward for staff that worked through the Covid-19 pandemic.
The Transport Salaried Staffs' Association (TSSA) published the text of the phishing email, which was made to look like it was sent from West Midlands Trains' (WMT's) "Finance and Payroll department."
Staff were told they would be offered a one-off payment "to say thank you for all of your hard work over the past 12 months or so" and encouraged to click on an Microsoft Office 365 link that would lead to a personal message from WMT managing director Julian Edwards.
Instead, the link went to a Sharepoint website which contained a simulated phishing exercise set up by Microsoft for WMT.
Employees who clicked on the link in the phishing message then received an email from WMT human resources telling them to be aware of communications that asked staff for login credentials.
A furious general secretary of the TSSA, Manuel Cortes, issued a strongly worded statement, accusing West Midlands Trains of "deliberately tricking their employees" using the pandemic, to test IT security.
Slamming the test as totally crass and reprehensible behaviour, Cortes pointed out that one railway worker has died of Covid-19, with many others falling ill.
Cortes called on WMT to apologise for the test, and make good on the promise in the phishing email and "stump up a bonus to each and every worker".
Simulated phishing attacks are meant to raise IT security awareness with staff.
They are controversial, and have backfired on numerous occasions, like in December last year when domain name seller GoDaddy sent out an email promising a US$650 holiday bonus for staff.
The phishing test exercise sparked a social media backlash against GoDaddy, and drew attention to the company's data breaches in recent times.