An email that arrived last week in the staff inbox of FGU Vestegnen, an educational institution in Denmark, came as a pleasant surprise, writes Version 2.
The wealthy AP Møller and his wife Chastine Mc-Kinney Møller General Purpose Fund, a large charitable foundation and the country’s largest private fund, had deemed them worthy recipients of NOK 25 million.
Each employee was to receive NOK 8,500 from the kind gift. The only requirement before payment was that they had to fill out a form with personal information. There was only one problem.
The salary bonus turned out to be fake bait in a penetration test, ordered by management to test the company’s ability to withstand cyber threats.
The expectation of having more to do before Christmas has been replaced by a bad mood among employees, who feel completely cheated by the phishing scam. The administration’s initiative is described as “the height of arrogance”, according to the Danish Version 2.
Credible and attractive
FGU is responsible for Basic Preparatory Education, which in Denmark is a preparatory education programme for young people under the age of 25 who do not have academic qualifications.
Hanne Fischer is the Director of FGU Vestegnen, one of the largest school agency areas. She is the one who approved the controversial phishing email. It was intended to appear realistic and attractive, as part of enhancing internal efficiency in light of the EU Privacy Regulation (GDPR) and the need for increased cybersecurity.
The lure of extra pay, as a thank you for important work, is ethically questionable, or on the edge of what can be tolerated, says Jacob Herbst, technical director at security firm Dubex.
Radio Dansk interviewed him on the issue in an article on Tuesday of this week, where he discusses the ethical guidelines that several Danish players in the industry developed in collaboration.
“There are some items in the email which are a bit on the edge. In two areas in particular, it goes far. One is that you are entering into a conflict that you may have in the workplace, which relates to wages and working conditions, by promising some money to the employees. The second is the reference to an external box. According to the ethical guidelines, this should be avoided,” Herbst tells the public radio programme P1 Morgen.
Happened before
This isn’t the first time a company has used a Christmas bonus as bait in a phishing test. American web hosting giant GoDaddy did exactly the same in December 2020.
Deceiving its employees with false promises of rewards, just before the Christmas holidays and in the midst of a pandemic that has claimed many lives, was described in a number of US media as severely tone-deaf. The tech publication The Verge at the time called the episode the worst joke of the year.
Embarrassed digitization manager
It is not uncommon for employees to be sent fake scam messages to teach them to avoid real online scams.
On the contrary, many have experience with such controlled stunts, which are often performed by a professional computer security company on behalf of the business owner.
Digi.no previously wrote about the municipality of Kristiansand, which a year ago sent a phishing email to 9,500 employees, with a message asking them to fill in a username and password.
More than 1,330 employees fell into the trap. They included the municipality's director of digitization, who thought it was embarrassing, but she had to mention that she’s gone five times.