Surprise! Staff don’t like receiving phishing tests from their firms that pose as salary increases – Source: grahamcluley.com

Source: grahamcluley.com – Author: Graham Cluley

UK law firm Knights certainly has an interesting way of keeping its staff happy.

After disappointing its staff in a recent round of pay reviews that either granted zero rises or “tiny percentages on already way-below-market rates”, workers were delighted to receive an email entitled “Important notice: Salary increase.”

Hi

After assessing the current salary structure as provided under the terms of your employment, it was discovered that you are due for a annual salary increase beginning in the upcoming fiscal quarter.

The details of your salary increase are enclosed in the attached document.

***Please ensure all details are correct to avoid any problem with this adjustment***

Cordially,


HR Team

Knights

Perhaps predictably, some workers opened the attachment.

The good news is that it hadn’t been sent by cybercriminals.

The bad news was that the email was a lie. The staff weren’t getting a rise to their salary.

Instead, when they opened the attachment workers were informed… that they had failed a phishing test.

You perhaps won’t be surprised to hear that this didn’t go down terribly well with staff.

Who would have guessed that, eh?

According to law site RollOnFriday, the test “went down like a lead balloon” with some partners responding with incredulity or even threatening to leave.

And yes, the fact that the email arrived from an external email address ([email protected]) should have rung alarm bells.

And yes, recipients should have noticed that the email was prefaced by an actual warning that the message originated from outside the company.

Part of phishing test email sent to Knights employees, including warning that email had been sent from outside Knights.

But for any company to piss off its staff in this way is utterly boneheaded and shortsighted.

The phishing test could just as easily have been a message saying the company was offering free pizza on Fridays to the first 20 people who responded, rather than choose a topic (salary reviews) that was bound to leave a bad taste in workers’ mouths.

Of course, there’s no reason why fraudsters can’t use this tactic to trick unsuspecting users into clicking on a dangerous link or opening a malicious attachment.

Hey, I’ve received just such a phishing email myself – claiming that my salary was going to be increased. I wasn’t certainly surprised to get the news from my business’s HR department, as I was the only person who worked at the company.

Keep your staff on-side when fighting hackers. Test their cybersecurity awareness in a positive constructive way, rather than give them another reason to resent working for you.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy.

Original Post URL: https://grahamcluley.com/staff-salary-phishing-test-backfire/

Category & Tags: Phishing
