
West Midlands Trains (WMR/LNR) send staff an email about a bonus... as a cybersecurity test


Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,519
Location
"Marston Vale mafia"
I am awaiting the next E-Pay email to say I have a new weekly timesheet or monthly pay slip. Would be easy to spoof that link and get people to click on it automatically.

One way to reduce the issue with this would be for the company to entirely stop sending emails with links to click on, instead saying "To complete this task, please log into SAP (or whatever they use) in the normal manner".

Then you take the judgement out - it simply becomes "we will never send you an email with a clickable link". It becomes a hard and fast rule, a bit like "never divulge security information to your bank if they phone you, just tell them you will phone back", ensure the call is disconnected* and call them using the number on your card.

* Some of them are known to hold the call open and play a fake dialtone, but that only works on landlines - with mobiles, if either end ends the call it ends, whereas with landlines the call only drops if the person making it hangs up.
 

Doctor Fegg

Established Member
Joined
9 Nov 2010
Messages
1,814
I don't think using coronavirus is the main issue. I think it's the fact the email apparently originated from an official internal source. If my MD sent an email from his work email address to my work email address with a link to official work resources then I would not consider that phishing.

Yes.

If the email was really sent via WMT mail servers (presumably Office 365), to WMT email accounts, from a WMT email account, then that is 100% on the company and not the recipients. Unless, that is, the message that WMT's IT team is trying to get across is "your default assumption should be that we are a bunch of incompetents who can't configure a mail server correctly", which I guess is a valid message.
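The two security points made above, that a link's visible text can be spoofed and that a message which really left the company's own mail servers from a company address authenticates exactly like a genuine one, can both be checked on a raw message. The following is an added example, not code from the thread or from WMT; it assumes an Office 365-style Authentication-Results header, and the domain "corp.example" and the link hosts in the sample are constructed, since the thread does not reproduce the actual email.

```python
"""Triage a suspected internal phishing message: does it authenticate as the
From domain (SPF/DKIM, DMARC-style alignment), and do its links go where
their visible text says they go?"""
import re
from email import message_from_bytes, policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. "corp.example" and the link hosts are assumptions;
# the header layout mimics what Exchange Online stamps on inbound mail.
SAMPLE = b"""From: "Managing Director" <md@corp.example>
To: staff@corp.example
Subject: Your 2020 bonus
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=corp.example; dkim=pass (signature was verified) header.d=corp.example; dmarc=pass action=none header.from=corp.example
Content-Type: text/html; charset=utf-8

<html><body><p>Click <a href="https://corp-example-bonus.test/claim">https://hr.corp.example/bonus</a> to claim.</p></body></html>
"""

AUTH_RE = {
    "spf": re.compile(r"\bspf=(\w+)"),
    "mailfrom": re.compile(r"\bsmtp\.mailfrom=([^\s;]+)"),
    "dkim": re.compile(r"\bdkim=(\w+)"),
    "dkim_d": re.compile(r"\bheader\.d=([^\s;]+)"),
}


def parse_auth_results(value: str) -> dict:
    """Pull SPF/DKIM verdicts and the domains they were evaluated for."""
    out = {k: (m.group(1).lower() if (m := rx.search(value)) else None)
           for k, rx in AUTH_RE.items()}
    # Some receivers record smtp.mailfrom as a full address; keep the domain.
    if out["mailfrom"] and "@" in out["mailfrom"]:
        out["mailfrom"] = out["mailfrom"].rsplit("@", 1)[1]
    return out


def aligned(domain: str, other: str) -> bool:
    """Relaxed DMARC-style alignment, approximated as a suffix match
    (assumption: no public-suffix list, real DMARC compares org domains)."""
    if not domain or not other:
        return False
    return domain == other or domain.endswith("." + other) or other.endswith("." + domain)


def header_from_domain(msg) -> str:
    addr = utils.parseaddr(str(msg["From"]))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def visible_host(text: str) -> str:
    """Host named by the link text itself, if the text looks like a URL."""
    if "://" in text:
        return host_of(text)
    if text.lower().startswith("www."):
        return host_of("http://" + text)
    return ""


def mismatched_links(html: str) -> list:
    """Links whose displayed URL points at a different host than the href:
    the display-text/target spoof the thread describes."""
    p = LinkCollector()
    p.feed(html)
    return [(text, href) for href, text in p.links
            if visible_host(text) and visible_host(text) != host_of(href)]


def triage(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    fd = header_from_domain(msg)
    spf_ok = ar["spf"] == "pass" and aligned(ar["mailfrom"], fd)
    dkim_ok = ar["dkim"] == "pass" and aligned(ar["dkim_d"], fd)
    body = msg.get_body(preferencelist=("html",))
    links = mismatched_links(body.get_content() if body else "")
    return {
        "from_domain": fd,
        "authenticated_as_from_domain": spf_ok or dkim_ok,
        "mismatched_links": links,
    }


if __name__ == "__main__":
    # An internal simulation passes authentication yet still spoofs its link,
    # so only the link check separates it from a genuine HR message.
    print(triage(SAMPLE))
```

On the sample the message authenticates as corp.example, so nothing in the headers distinguishes it from real internal mail; the only tell is the link whose text names hr.corp.example while the href goes elsewhere. A company that genuinely "never sends clickable links" makes that second check the whole rule.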
 

Fawkes Cat

Established Member
Joined
8 May 2017
Messages
2,942
It's perhaps worth noting that anti-phishing training can be too effective: my employer has maybe 50,000 employees so from time to time there are sections who have bright ideas which happen without being run past very top management. Which means that from time to time there are emails asking us to complete online surveys. And from time to time these are followed up with messages on the intranet telling us that the email in question (and the survey with it) are legitimate, and would we please stop forwarding the email to IT Security as potential phishing...
 

WelshBluebird

Established Member
Joined
14 Jan 2010
Messages
4,923
This feels pretty callous to me!
Yes, security training is important and bonuses and the like are topics that phishing emails could use to get people to click.
But to specifically target staff in this way after this year is just a bit "eugh" if you get what I mean!
One way to reduce the issue with this would be for the company to entirely stop sending emails with links to click on, instead saying "To complete this task, please log into SAP (or whatever they use) in the normal manner".
My company (in the tech industry so you'd hope we are all clued up on it) recently did a mandatory security training session for us all and one of the things they tried to say was don't trust any link in any email, regardless of where it came from. And whilst yes, from a security standpoint that would be the safest option, it took a lot for me to bite my tongue and not ask (mainly because I know it just isn't worth getting involved!) about the numerous real internal emails we get where we do have to click links to get through to things. I'm sure if I stopped doing those things I would very quickly end up being asked by my line manager, my team and HR why I wasn't doing any work!

It's perhaps worth noting that anti-phishing training can be too effective: my employer has maybe 50,000 employees so from time to time there are sections who have bright ideas which happen without being run past very top management. Which means that from time to time there are emails asking us to complete online surveys. And from time to time these are followed up with messages on the intranet telling us that the email in question (and the survey with it) are legitimate, and would we please stop forwarding the email to IT Security as potential phishing...
Which is partly what I mean above!
 

Wolfie

Established Member
Joined
17 Aug 2010
Messages
6,046
Up thread it was mentioned that staff should be given time during the working day to complete an online training exercise. I used to work for a large retailer who EXPECTED their staff to complete this type of training in their own time.
That is legally on highly dubious grounds.
 

LancasterRed

Member
Joined
21 May 2018
Messages
291
Until we know the exact contents of the email, including the 'email' it was sent from, we won't know what legal grounds this stands on. I'm inclined to back WMT here suspecting a subtle giveaway to the email's fraudulence. If this is the case, then tough on the employees but scam email detection is a core life skill nowadays.

However if evidence shows that the email was fully legitimate then WMT have legally bound themselves to giving their employees a bonus which they will have to pay out.

Should WMT have sent out this kind of email? No. But were they right in sending out a phishing email in the first place to keep employees on their toes? For sure.
 

Wolfie

Established Member
Joined
17 Aug 2010
Messages
6,046
Depends on their contract.
Agreed except a lot of retail jobs are minimum wage. Other industries (e.g. care) have come a serious cropper in ETs/Courts by demanding that some activities are undertaken unpaid and therefore breaching minimum wage levels.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,519
Location
"Marston Vale mafia"
Agreed except a lot of retail jobs are minimum wage. Other industries (e.g. care) have come a serious cropper in ETs/Courts by demanding that some activities are undertaken unpaid and therefore breaching minimum wage levels.

Yes, true, if the person is on or close to minimum wage it can be a potential issue, and at least require very careful tracking of the time spent.
 

kristiang85

Established Member
Joined
23 Jan 2018
Messages
2,650
I have sympathies with both sides to be honest.

Yes, it's pretty crass on the outside, and in an industry where people have had a tough year and might well be uncertain of their jobs in the long run given the drop in rail travel, it is a tad insensitive.

Yet scammers are not ethical and this is exactly the kind of message they would use; we get these tests all the time too (as many have commented). It's proven that the prospect of money clouds sensible judgement more than anything else, so that is what is exploited most (hence why bookmakers are booming businesses).
 

AlterEgo

Veteran Member
Joined
30 Dec 2008
Messages
20,025
Location
No longer here
Agree with many previous posters. Poor choice of example, especially if there is no actual bonus at the end of it for staff. For some people it’s been a tough year.
 
Joined
9 Dec 2012
Messages
577
The thing that sticks out for me is the use of the MD's name, as this is official someone must have surely asked him if that was ok as it's his name that will be dragged through the dirt. I certainly wouldn't have sanctioned it if I was him. Obviously he has agreed, which in itself shows shocking judgement.
 

peri

Member
Joined
23 Dec 2016
Messages
152
All of the staff should be e-mailing the MD asking when the bonus will be paid, for the next six months at least.
 
Joined
9 Dec 2012
Messages
577
Is it obvious, though? It's a touch of realism that a genuine phisher would include if they knew it, so it's not unreasonable that it might be used in testing without express permission.
Of course it's obvious it's company generated after all, but who on earth would want their name attached to this (it didn't say our MD Dennis The Menace did it) given the subject content knowing it could leak to the press. If he genuinely didn't know then I would hope he is livid, it's not the IT workers name out there but his.
 

XAM2175

Established Member
Joined
8 Jun 2016
Messages
3,469
Location
Glasgow
Of course it's obvious it's company generated after all, but who on earth would want their name attached to this given the subject content knowing it could leak to the press. If he genuinely didn't know then I would hope he is livid, it's not the IT workers name out there but his.
Yeah it's obvious that it was generated by the company, but you were saying it was obvious that the MD had given consent for his name to be used. That is what I dispute.
 
Joined
9 Dec 2012
Messages
577
Yeah it's obvious that it was generated by the company, but you were saying it was obvious that the MD had given consent for his name to be used. That is what I dispute.
Well if he didn't then someone's getting or should be getting a P45. If I owned a company all use of my name on a mass email under these circumstances would need clearance from me personally.
 

birchesgreen

Established Member
Joined
16 Jun 2020
Messages
5,040
Location
Birmingham
He probably did give his consent but the reason why they wanted it was either given to him rather sketchily or he wasn't paying much attention.
 

bb21

Emeritus Moderator
Joined
4 Feb 2010
Messages
24,151
My TOC paid a bonus recently. It came from an unannounced external source which required you to click a link to a random website to claim. It was paid in vouchers, not into the bank.
I think more companies are doing it these days. There is a more beneficial tax implication for everyone and it keeps the money in the economy.
 

Fawkes Cat

Established Member
Joined
8 May 2017
Messages
2,942
I think more companies are doing it these days. There is a more beneficial tax implication for everyone and it keeps the money in the economy.
It could be nothing to do with tax: I strongly suspect that if you (an employer) buy enough gift vouchers then you'll get a discount, as the voucher company will (a) expect a fraction of them never to be redeemed and (b) have the money upfront now but not need to pay out until redemption, and so will be able to make a profit even with a discount.
 

Typhoon

Established Member
Joined
2 Nov 2017
Messages
3,486
Location
Kent
It could be nothing to do with tax: I strongly suspect that if you (an employer) buy enough gift vouchers then you'll get a discount, as the voucher company will (a) expect a fraction of them never to be redeemed and (b) have the money upfront now but not need to pay out until redemption, and so will be able to make a profit even with a discount.
I've been trying to find up-to-date figures - £300 million in the UK in 2014 is the best I can come up with. It will be higher now. Employers will definitely get them at a discount. Even if they are redeemed, it is difficult to redeem them for the exact amount on the card so either a fraction will be left unspent or the employee will have to put their hand in their pocket.
Hopefully, employers will not have been giving out Debenhams, Top Shop, Burtons, Jessops or Paperchase gift vouchers.
 

peters

On Moderation
Joined
28 Jul 2020
Messages
916
Location
Cheshire
Unbelievable isn't it? On no level does it make any sense, even on an IT level.

My former employer sent out fake phishing emails to check whether employees were adequately trained on spotting which emails weren't genuine and potentially preventing people downloading viruses and malware on to work computers.

It would be interesting to see what the text was. If it says "Click here to claim your bonus" or whatever, then it just shows people are not thinking before they're clicking. Who has ever had to click a link for a bonus: normally you get told about it and it appears in your bank account - you don't have to claim it.

Indeed. Your employer has your bank account details so if you were getting a cash bonus you'd likely get an email from HR or your line manager saying the bonus will appear on your next payslip. If the bonus was a gift voucher and you could choose which retailer then if it was via a form it would just need your work email and choice of retailer, as HR would have your other personal details already.

Also be interesting to know if there were any red flags with the emails that should have had recipients questioning it before they got excited e.g. a reference to London Midland or Govia in the text.

That said, the fake phishing email could have been better thought out.

It could be nothing to do with tax: I strongly suspect that if you (an employer) buy enough gift vouchers then you'll get a discount, as the voucher company will (a) expect a fraction of them never to be redeemed and (b) have the money upfront now but not need to pay out until redemption, and so will be able to make a profit even with a discount.

A lot of big companies sign up to schemes like Reward Gateway which allow employees to buy vouchers for retailers at a discount. Reward Gateway say there's no cost to the employer for these vouchers. So if the bonus is a £100 voucher and the selected retailers are offering 5% discount and you have 250 employees then that's a £1250 saving for the business over a cash bonus.

That is legally on highly dubious grounds.

Depends on their contract.

When the government announced the furlough scheme they said furloughed employees may continue to take part in training while on furlough but they must receive at least minimum wage for any hours training. So someone earning £15/hour could get the government funded payment paying 80% of their normal wages and undertake training while on furlough but someone on minimum wage needed the furlough payment topped up by the employer to be able to undertake training. The reason behind it being those on furlough generally aren't working so don't need to earn at least the minimum wage for the number of hours they would work but those undertaking training are working.
 