After working through the pandemic, employees of a UK railway company were excited to see an email in their inboxes indicating gratitude from management. Per CNBC, the message from higher-ups at West Midlands Trains indicated to 2,500 staff members they'd soon be receiving a bonus. "We realize that a huge strain was placed upon a large number of our workforce as a result of COVID-19," the email read, per the Transport Salaried Staffs’ Association, a union representing rail workers. "This has not been easy for any of us and we would like to offer you a one-off payment to say thank you." The email then instructed staff to click on a link to read a message from managing director Julian Edwards. When they clicked on the link, however, employees found it was instead a "cynical and shocking stunt," says TSSA General Secretary Manuel Cortes.
Instead of info about their bonuses, workers found a message informing them they'd been part of a "phishing simulation test," meant to "entice" staff to click on the link and provide personal information. The message then warned staff against clicking on suspicious-looking links and to remain "vigilant." Cortes, who deems the move a "crass and reprehensible" one that's "almost beyond belief," is now demanding not only an apology, but an actual bonus to be paid to staffers, to "begin to right a wrong which has needlessly caused so much hurt," per the Guardian. West Midlands Trains doesn't seem particularly apologetic. "We take cybersecurity very seriously," a rep says. "The design of the email was just the sort of thing a criminal organization would use—and thankfully it was an exercise without the consequences of a real attack." (Read more phishing stories.)