News: the Great Western Coffee Shop ... keeping you up to date with travel around the South West
Author Topic: Bonus promise turns out to be security test  (Read 1845 times)
grahame (Administrator)
« on: May 11, 2021, 07:10:14 »

From https://www.bbc.co.uk/news/uk-england-birmingham-57065311

Quote
A train company has been criticised for a "cynical and shocking stunt" after it promised staff a bonus in what was actually a cyber-security test.
West Midlands Trains (WMT) emailed staff to tell them they would get a financial reward for their "hard work" during the Covid pandemic.

But if staff clicked the link for more information they received a second email explaining "this was a test".

A union described it as "crass and reprehensible behaviour".

[snip]

"This important test was deliberately designed with the sort of language used by real cyber criminals but without the damaging consequences," a spokesman added.

I would disagree with the spokesman.  I think it has highly damaging consequences in terms of staff relationships.

Coffee Shop Admin, Acting Chair of Melksham Rail User Group, Option 24/7 Melksham Rep
broadgage
« Reply #1 on: May 11, 2021, 11:13:31 »

And it also gives a good reason to ignore future company emails on the grounds that "I thought it might be a scam or a test so I deleted it"

A proper intercity train has a minimum of 8 coaches, gangwayed throughout, with first at one end, and a full sized buffet car between first and standard.
It has space for cycles, surfboards, luggage etc.
A 5 car DMU (Diesel Multiple Unit) is not a proper inter-city train. The 5+5 and 9 car DMUs are almost as bad.
eXPassenger
« Reply #2 on: May 11, 2021, 12:46:20 »

Speaking as a retired IT Director where my responsibilities included IT security in Financial Services I can see both sides.

There are an increasing number of IT security failures where the initial access is via a user who opens an inappropriate link or web site. A third party can then access internal systems using the initial user ID. They can then explore internal systems and at worst they can extract data and/or encrypt it and charge a ransom to decrypt the data or not to publish the data, which can include highly confidential data such as strategic plans. The latest example of this has disabled the pipelines that supply 45% of fuel to the East coast of the US and listed strategic data that will potentially be published. It has also been used to block data in the NHS.

There are various ways to provide appropriate security, but there is a trade-off between security and ease of use, and many organizations concentrate on preventing initial access rather than internal security. Dummy emails are a good way of determining individuals who may need additional security training.

I do not believe that an email about a potential bonus is appropriate for testing but I can see why someone who did not think of the wider picture could have done it.

One of these days a third party will use a well disguised email of this sort and 80% of the recipients may fall for it.
Bmblbzzz
« Reply #3 on: May 11, 2021, 18:09:59 »

Part of the problem is that many companies' genuine emails do contain clickable links. The same goes for text messages. Banks are some of the worst offenders, ironically: phone calls from their staff asking customers to identify themselves by giving date of birth, "memorable question" and similar. I've no idea if emails from West Midlands Trains ever contain genuine clickable links, or did so in the recent past, but it's such a common practice that it's no wonder people fall for fakes.

Waiting at Pilning for the midnight sleeper to Prague.
eXPassenger
« Reply #4 on: May 11, 2021, 18:26:00 »

Quote
Part of the problem is that many companies' genuine emails do contain clickable links. The same goes for text messages. Banks are some of the worst offenders, ironically: phone calls from their staff asking customers to identify themselves by giving date of birth, "memorable question" and similar. I've no idea if emails from West Midlands Trains ever contain genuine clickable links, or did so in the recent past, but it's such a common practice that it's no wonder people fall for fakes.

I once received a phone call from 'Barclaycard fraud department' and said I would ring them back.  When I did so (after checking the line was clear) and was transferred to the fraud department they were delighted with my approach.
Electric train
« Reply #5 on: May 11, 2021, 20:59:00 »

If the email was to internal business email addresses then I can see no reason to criticise the company doing this, the business is after all trying to protect its systems.

If the email was sent to staff personal email addresses then I would find that questionable, whilst I can understand the intent.

“Starship just experienced what we call a rapid unscheduled disassembly, or a RUD, during ascent.”
PrestburyRoad
« Reply #6 on: May 12, 2021, 05:45:55 »

Quote
Quote
Part of the problem is that many companies' genuine emails do contain clickable links. The same goes for text messages. Banks are some of the worst offenders, ironically: phone calls from their staff asking customers to identify themselves by giving date of birth, "memorable question" and similar. I've no idea if emails from West Midlands Trains ever contain genuine clickable links, or did so in the recent past, but it's such a common practice that it's no wonder people fall for fakes.

I once received a phone call from 'Barclaycard fraud department' and said I would ring them back.  When I did so (after checking the line was clear) and was transferred to the fraud department they were delighted with my approach.

Earlier this year I received a phone call from 'Barclays Bank' about 'the signature on a cheque'.  They began by quoting my full name accurately and then asked me to confirm my date of birth.  My mental scam sensor went off and I told them they were a scam and terminated the call.  In fact the call was probably genuine, because a couple of days later I had a call from the payee of a cheque I had recently written, saying that the bank had refused to pay the cheque.  The amount of the cheque was larger than usual so I can see that the bank might well have wanted to check it over with me.  Next time I'll be more patient and interrogate them on how I'm supposed to know that they are genuine.

A bank calling out of the blue without also using a two-way security protocol, so that the customer can believe the alleged bank's identity, is bad security practice on the part of the bank. Especially nowadays when we are all urged to be on the lookout for phone scams and phishing emails.
Marlburian
« Reply #7 on: May 12, 2021, 07:30:18 »

A minor coincidence in that yesterday I received a cheque - a rare occurrence - made out to my abbreviated surname. (I have a double-barrelled surname and normally use only the second barrel.) Time was when my bank would accept such cheques without question, but several years ago a cashier warned me that for any sizeable amount it would want my full surname as payee.

I shall try presenting the cheque at my local branch (I still have one, for the time being), but on Monday the sole cashier was a bit miffed when I declined to agree to a phone call to give me an insurance quote for house & contents.

There's a further minor coincidence in that yesterday I dusted off my cheque-book (used about three times a year) to make a donation to the Kennet & Avon Canal Trust; nowhere on its website could I see how to make one electronically.

With apologies for wavering from the original posts and for waffling.
Bmblbzzz
« Reply #8 on: May 12, 2021, 11:20:16 »

Quote
I have a double-barrelled surname and normally use only the second barrel.

Does this mean you have a sawn-off surname?

Waiting at Pilning for the midnight sleeper to Prague.
Bmblbzzz
« Reply #9 on: May 12, 2021, 11:25:40 »

Quote
Next time I'll be more patient and interrogate them on how I'm supposed to know that they are genuine.

It would be interesting to know how the customer could do this. There ought to be a way, but I don't know what this would be without duplicating the type of procedure already in place.

Waiting at Pilning for the midnight sleeper to Prague.
stuving
« Reply #10 on: May 12, 2021, 13:20:48 »

Quote
Next time I'll be more patient and interrogate them on how I'm supposed to know that they are genuine.
It would be interesting to know how the customer could do this. There ought to be a way, but I don't know what this would be without duplicating the type of procedure already in place.

I have, at least once, pointed out to a caller from a bank (not security-related) that as they called me they should be providing me with ID. Not that it did me any good, obviously.

Equally obvious is that we can't all invent our own ID system and get the banks (et al) to register with us. But they might allow for us to define a codeword for them to give - though its use would need to be quite restricted to stop it being easy for someone else to capture.

PrestburyRoad did say this:
Quote
A bank calling out of the blue without also using two-way security protocol so that the customer can believe the alleged bank's identity is bad security practice on the part of the bank.

That implies that two-way security protocols are in use somewhere - is that right? Where?
Witham Bobby
« Reply #11 on: May 12, 2021, 15:51:50 »

Quote
I have, at least once, pointed out to a caller from a bank (not security-related) that as they called me they should be providing me with ID. Not that it did me any good, obviously.

I had a British Gas engineer here the other day to service our boiler. He asked if they could quote for a replacement. I said yes. An hour later, I got a phone call from British Gas, asking me to answer security questions. I said "you've called me, and it's not exactly a confidential matter, so if you want to offer me a price for a boiler, go ahead." In the absence of me supplying date of birth and inside leg measurement, the telesales operator declined to speak further. Their loss.
Surrey 455
« Reply #12 on: May 12, 2021, 19:55:18 »

Quote
A minor coincidence in that yesterday I received a cheque - a rare occurrence -

I've just dug out my cheque book. The last cheque I wrote was in 2009! The cheque book was printed in 2000. I have since received two unused cheque books that will probably never be finished.

Prior to 2005 most cheques I wrote were payable to Truprint.
johnneyw
« Reply #13 on: May 12, 2021, 21:18:58 »

I write two £3.50 cheques a year to pay ground rent. Other than that there may be the odd miscellaneous cheque or two written for memberships to whatever canal or heritage railway restoration group has currently turned my head.
This forum is provided by customers of Great Western Railway (formerly First Great Western), and the views expressed are those of the individual posters concerned. Visit www.gwr.com for the official Great Western Railway website. Forum hosted by Well House Consultants.