Surprise! Staff don’t like receiving phishing tests from their firms that pose as salary increases

UK law firm Knights certainly has an interesting way of keeping its staff happy.


After disappointing its staff in a recent round of pay reviews that either granted zero rises or “tiny percentages on already way-below-market rates”, workers were delighted to receive an email entitled “Important notice: Salary increase.”

Hi <REDACTED>

After assessing the current salary structure as provided under the terms of your employment, it was discovered that you are due for a <DOUBLE DIGIT> annual salary increase beginning in the upcoming fiscal quarter.

The details of your salary increase are enclosed in the attached document.

***Please ensure all details are correct to avoid any problem with this adjustment***

Cordially,
HR Team

Knights

Perhaps predictably, some workers opened the attachment.

The good news is that it hadn’t been sent by cybercriminals.

The bad news was that the email was a lie. The staff weren’t getting a rise to their salary.

Instead, when they opened the attachment workers were informed… that they had failed a phishing test.

You perhaps won’t be surprised to hear that this didn’t go down terribly well with staff.

Who would have guessed that, eh?

According to law site RollOnFriday, the test “went down like a lead balloon” with some partners responding with incredulity or even threatening to leave.

And yes, the fact that the email arrived from an external email address ([email protected]) should have rung alarm bells.

And yes, recipients should have noticed that the email was prefaced by an actual warning that the message originated from outside the company.

Part of phishing test email sent to Knights employees, including warning that email had been sent from outside Knights.

But for any company to piss off its staff in this way is utterly boneheaded and shortsighted.

The phishing test could just as easily have been a message saying the company was offering free pizza on Fridays to the first 20 people who responded, rather than choosing a topic (salary reviews) that was bound to leave a bad taste in workers’ mouths.

Of course, there’s no reason why fraudsters can’t use this tactic to trick unsuspecting users into clicking on a dangerous link or opening a malicious attachment.

Hey, I’ve received just such a phishing email myself claiming that my salary was going to be increased. I wasn’t certainly surprised to get the news from my business’s HR department, as I was the only person who worked at the company.

Keep your staff on-side when fighting hackers. Test their cybersecurity awareness in a positive constructive way, rather than give them another reason to resent working for you.



Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Bluesky, or drop him an email.
