All of which provides context for the email that Tribune Publishing employees received on Wednesday. “Congradulations Executives!!” started the email — and yes, the typo is in the original. It explained that the company is “pleased to inform you that we are providing targeted bonuses between 5,000 and 10,000 dollars this year. Tribune Publishing is able to provide this bonus as a direct result of the success created by the ongoing efforts to cut our costs!”
The email then instructs employees to “login” to “view your end of year bonuses.”
Orlando Sentinel reporter Annie Martin, co-chair of the newspaper’s guild unit, told the Erik Wemple Blog that a colleague clicked on the link and received a notification of enrollment in a computer security training program. Meaning that the email was just an exercise, or what’s known in the computer security industry as a simulated phishing attack — a test email that mimics the appeals of bad actors who send emails laced with links that assist them in penetrating corporate computer systems. Such simulated phishing exercises may use a wide range of appeals to test the sophistication of employees in sussing out the scam.
Examples include password reset come-ons, notifications for holiday shipping as well as all manner of phony requests from HR regarding tax forms and benefits — not to mention “here’s that file you asked for.” A constructive phishing simulation needn’t demoralize a workforce already fed up with corporate cutbacks.
“It just seemed rather disrespectful for the company to use this as a lure, like the promise of a bonus as a lure to get people to fall for something that was fake to identify people who they thought needed cybersecurity training — especially having to take pay cuts and the way things are going in our industry,” says Martin, who had moved into an expensive area of Orlando because of its proximity to a newsroom that Tribune recently closed. “It kind of felt like a slap in the face and tone-deaf.”
The Sentinel’s guild sent out this statement:
Max Reinsdorf, a spokesman for Tribune Publishing, says the company regrets the ploy:
Today the company conducted a regular, internal test to assess and reduce its current phishing and malware risk level. Based on input provided by the company’s cybersecurity team and advisers, the content of that test included language regarding employee bonuses. Having fallen victim to attacks of this nature before, the company recognized that bad actors use this type of language regularly, and decided to use the language to simulate common phishing scams. The company had no intention of offending any of its employees. In retrospect, the topic of the email was misleading and insensitive, and the company apologizes for its use.
When the Erik Wemple Blog posted that statement on Twitter on Wednesday afternoon, several Tribune Publishing journalists noted that they hadn’t yet received the apology:
By early evening, the apology arrived in employees’ inboxes.
Tribune Publishing used the platform of computer-security awareness outfit KnowBe4 for its phishing simulation. Stu Sjouwerman, CEO of KnowBe4, told this blog via email: “It’s up to the customer to decide which campaigns they want to run, and if they want to use system templates that are known to work, or create their own.” He added: “The latter happened here. They took a community-submitted template and significantly modified it. That backfired. We talked to the Trib and we understand they have sent an apology to their staff.”