How a Phishing Awareness Test Went Very Wrong

Tribune Publishing Co. Employees Outraged at Phishing Test Teasing a Bonus
The Chicago Tribune sign remains on Tribune Tower, although the newspaper's staff moved in 2018. (Adam Jones via Flickr/CC)

Training employees to learn how they could be tricked by phishing emails is a key educational component to counter one of the most common attack vectors.

But a simulation run earlier this week by Tribune Publishing Co., the publisher of the Chicago Tribune, the Baltimore Sun, the New York Daily News and other newspapers, shows how an improperly calibrated training exercise can turn into unflattering news.

Employees received an email on Wednesday saying the company was giving bonuses of between $5,000 and $10,000 as a result of successful cost-cutting efforts. It appeared to be a much-needed lifeline to those still left standing at a turbulent company during a turbulent time.

The emails were marked "external sender" despite appearing to come from the company's HR email address, which had been spoofed. Those who clicked the link were informed that they'd failed the test and directed to cybersecurity awareness training. The supposed bonus vanished.

The phishing exercise delivered a fresh, demoralizing blow to staffers who have faced layoffs, furloughs and pay cuts at Tribune Publishing. And that's just this year. For more than a decade, the company has had a revolving door of owners, debt crises and layoffs.

Megan Crepeau, president of the Chicago Tribune Guild, tells ISMG that anxiety levels amongst staff have been high.

"In that context, dangling phony bonuses is beyond insulting," she says.

Tribune Employees Outraged

While journalism is facing enormous challenges due to how the internet has irreparably impaired the financial model for news, Twitter at least provides an outlet to vent - and Tribune employees minced no words.

In another tweet, Justin Fenton, a crime and courts reporter for the Baltimore Sun, highlighted the cruel irony of it all: "Wow worst phishing scam ever, Tribune would never give us bonuses. Would've been better off asking me to wire money to Nigeria."

KnowBe4: Match Company Culture

Tribune Publishing Co. used a platform from the cybersecurity training company KnowBe4. The company's CEO, Stu Sjouwerman, writes in a blog post that the Tribune's exercise was a "custom" one that backfired.

"Simulated phishing tests need to be sensitive to the existing corporate culture and circumstances," he writes.

But Sjouwerman makes an important point: Attackers don't care whether they're violating norms or grazing no-go areas to get people to click on something. As bait, the emails were a perfect lure directed at a vulnerable pool of potential victims - the right combination to bag a click.

He writes that his company has developed 5,000 templates based on real phishing campaigns and sorted them into categories, with one dubbed "controversial" to warn clients that using the template in a test could be sensitive.

Tribune eventually apologized. In a statement given to Washington Post media columnist Erik Wemple, it says: "The company had no intention of offending any of its employees. In retrospect, the topic of the email was misleading and insensitive, and the company apologizes for its use." The statement also noted that phishing attackers use language similar to what was used in the simulation.

Wemple notes in his column that, in another miscalculation, several Tribune employees said they hadn't received an apology directly from the company but, rather, read it in his column first. Later, Tribune apologized directly to employees.

Forrester: Be Sensitive

Analysts with Forrester note Tribune's misstep not only hurt the company but spread collateral damage to KnowBe4.

"Cybersecurity vendors should be wary that the way customers use your products and services can impact you as a provider, no matter how much you might attempt to distance yourself from it," they write in a blog post.

When it comes to phishing simulations, IT security staff also have a greater obligation to employees, they write.

"The counterpoint supporting the use of controversial simulations is that attackers are not above using the very same tactics in question here - and that's true," the analysts write. "The difference is that attackers also have no obligation to treat the employees in your organization with respect and empathy - your security program does."

Earlier in the year, Forrester addressed whether it was ethical to conduct phishing exercises with COVID-19 as a lure.

The Forrester analysts concluded that there are ways around using campaigns that pivot on fear, especially around topics such as the pandemic. IT security staff don't want to have a campaign that actually undermines their own security awareness programs.

"Preying on this [COVID-19] fear is cruel, and just because cybercriminals are utilizing this tactic doesn't justify security practitioners to also stoop to this level," writes researcher Claire O'Malley.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
