Skip to content
 
If you can read this, either the style sheet didn't load or you have an older browser that doesn't support style sheets. Try clearing your browser cache and refreshing the page.

(Washington Post)   The Chicago Tribune, which has laid off countless employees, denied raises and promotions, and cut benefits, learns that using a "Click This Link To Learn About Your $10,000 Bonus" email to test staff awareness of online scams isn't the best idea   (washingtonpost.com) divider line
    More: Dumbass, The Washington Post, Personal computer, Fraud, English-language films, Confidence trick, Wednesday evening, Tribune's effort, entire charade  
•       •       •

2861 clicks; posted to Main » and Fandom » on 24 Sep 2020 at 3:05 PM (4 weeks ago)   |   Favorite    |   share:  Share on Twitter share via Email Share on Facebook



65 Comments     (+0 »)
 
View Voting Results: Smartest and Funniest


Oldest | « | 1 | 2 | » | Newest | Show all

 
2020-09-24 2:53:45 PM  
Why is the word cruel in quotation marks, ya dick?
 
2020-09-24 3:12:10 PM  
rollingstone.comView Full Size

"Chicago..."
 
2020-09-24 3:13:26 PM  
They shoulda put it behind a paywall.
 
2020-09-24 3:14:23 PM  
The Chicago Tribune:  You're the Inspiration

... for my Falling Down cosplay.
 
2020-09-24 3:15:22 PM  
That should be illegal. They should be bound to pay any bonus they've expressly promised to employees.
 
2020-09-24 3:15:55 PM  
I'm biased by virtue of being on the other side of these emails (IT, not a Nigerian scammer), but aren't they fairly common?
 
2020-09-24 3:18:33 PM  
They should just go ahead and give every employee $10,000 anyways to make up for it.  A quick search says they have about 500 employees, so $5,000,000 -- a drop in the bucket for their millions in revenue.
 
2020-09-24 3:20:11 PM  
What we have here is a whole office that's setting themselves up for a class action settlement.
 
2020-09-24 3:21:10 PM  
FTFA:

There were spelling errors in the email that were meant to serve as tipoffs of its inauthenticity, including the salutation, "Congradulations Executives!!"
...
"Now @tribpub wants to test me by trying 2 lure me into clicking on a link after promising a bonus. This is NO way to treat employees."


I can now see how the poor grammar wasn't a tipoff
 
2020-09-24 3:22:57 PM  

GregInIndy: That should be illegal. They should be bound to pay any bonus they've expressly promised to employees.


Lol.

You're joking right?
 
2020-09-24 3:25:10 PM  
Any employee complaining about this needs to grow up.

Scammers aren't going to play by the rules. In fact, the better the email sounds, the more likely it's a scam.
 
2020-09-24 3:26:57 PM  
We keep getting these, they just schedule mandatory training for you if you click a link in an email.  I have a ruleset to filter these out.
 
2020-09-24 3:27:20 PM  
My employer 'tests' us with a fake phishing email every couple of month to see if we'll take the bait or report to security and delete. They have never admitted they are testing us. They are hilariously obvious.
 
2020-09-24 3:27:28 PM  
Remember when the Trib owned the Cubs? Good times.

/not really
//it was terrible
 
2020-09-24 3:27:35 PM  
Well, if the goal was to weed out the idiots on the payroll, sounds like they did a good job of it.
 
2020-09-24 3:28:35 PM  

halifaxdatageek: I'm biased by virtue of being on the other side of these emails (IT, not a Nigerian scammer), but aren't they fairly common?


Yes and no.  I get security competency check every few months from IT, but they're typically along the lines of "hey man, it's Todd from the helpdesk.  We're doing some server maintenance after COB, can you send me your password in case the database gets wiped?"

Nothing along the lines of a bonus or raise.
 
2020-09-24 3:29:30 PM  

Opacity: What we have here is a whole office that's setting themselves up for a class action settlement.


I would like to see the email.

If they sent it from CEO.Name@chicagotrbune com then there may be something to it. But usually these company internal phishing tests are blatantly obvious with the return sender address.

"Pam! Have you ever heard of 'totally legit HR dot com?' Do we outsource to them?...
Nevermind..."
 
2020-09-24 3:31:14 PM  

halifaxdatageek: I'm biased by virtue of being on the other side of these emails (IT, not a Nigerian scammer), but aren't they fairly common?


If you mean companies sending test phishing email to staff as part of cyber security awareness, then yes. But if that email was configured to look like a genuine internal email with the envelope address being the only give away that it is a phishing attack then a lot of people would be caught out. This one was really badly thought out and should never have been used.
 
2020-09-24 3:31:22 PM  

halifaxdatageek: I'm biased by virtue of being on the other side of these emails (IT, not a Nigerian scammer), but aren't they fairly common?


I work in automation & controls so I get to spend quite a bit of time with the IT overlords. We had a discussion about this same thing about a year back and I was told there are 2 things that are strictly off-limits. Anything to do with employee compensation/benefits and anything with health/safety. They were told by the corporate lawyers it opens way too many doors for lawsuits if someone takes the info as fact.
 
2020-09-24 3:32:47 PM  
Actually it is a good test. I mean it's unbelievable.
 
2020-09-24 3:32:50 PM  

Cajnik: FTFA:

There were spelling errors in the email that were meant to serve as tipoffs of its inauthenticity, including the salutation, "Congradulations Executives!!"
...
"Now @tribpub wants to test me by trying 2 lure me into clicking on a link after promising a bonus. This is NO way to treat employees."

I can now see how the poor grammar wasn't a tipoff


Sounds like emails that come from certain people in City Hall here...
 
2020-09-24 3:34:17 PM  

S10Calade: We had a discussion about this same thing about a year back and I was told there are 2 things that are strictly off-limits. Anything to do with employee compensation/benefits and anything with health/safety


img.etimg.comView Full Size

Go on...
 
2020-09-24 3:39:00 PM  

freakdiablo: Nothing along the lines of a bonus or raise.


I'm no expert but...: If you mean companies sending test phishing email to staff as part of cyber security awareness, then yes. But if that email was configured to look like a genuine internal email with the envelope address being the only give away that it is a phishing attack then a lot of people would be caught out. This one was really badly thought out and should never have been used.


S10Calade: I work in automation & controls so I get to spend quite a bit of time with the IT overlords. We had a discussion about this same thing about a year back and I was told there are 2 things that are strictly off-limits. Anything to do with employee compensation/benefits and anything with health/safety. They were told by the corporate lawyers it opens way too many doors for lawsuits if someone takes the info as fact.


All fair points. And a hat tip to "I'm not expert but..." for an excellent handle.

My buddies always roll these tests in as part of security training, so if you get caught out, you got caught out in the middle of learning about (among other things) how to spot scam emails.

"You tricked me!"
"We literally told you two days ago how to verify an email really came from us."


Bonus fact: The CIA has gone on record as saying they will never put agents undercover as journalists or religious figures, because they don't want to put those folks under any more foreign scrutiny than they already are. Of course, they would say that, wouldn't they...
 
2020-09-24 3:44:08 PM  

Erebus1954: My employer 'tests' us with a fake phishing email every couple of month to see if we'll take the bait or report to security and delete. They have never admitted they are testing us. They are hilariously obvious.


Mine does too, but they give you an atta girl/boy if you catch it. And yeah, they are pretty obvious.
 
2020-09-24 3:44:13 PM  

I'm no expert but...: halifaxdatageek: I'm biased by virtue of being on the other side of these emails (IT, not a Nigerian scammer), but aren't they fairly common?

If you mean companies sending test phishing email to staff as part of cyber security awareness, then yes. But if that email was configured to look like a genuine internal email with the envelope address being the only give away that it is a phishing attack then a lot of people would be caught out. This one was really badly thought out and should never have been used.


The most amusing help desk ticket I got in response to a phishing awareness campaign was someone who said she was careful not to click on the link, but instead copy/pasted it into her web browser to be safe. Felt kinda bad when I told her that was basically no different than if she'd clicked on the link.
 
2020-09-24 3:49:35 PM  

halifaxdatageek: I'm biased by virtue of being on the other side of these emails (IT, not a Nigerian scammer), but aren't they fairly common?


Yes.

Some of them can be quite sophisticated, and will appear to have actually come from HR or whoever.  It wouldn't surprise me if there's a real phishing email out there written in perfect English promising a $10k bonus.

You can't expect everyone to know what they're looking at in an email header, let alone how to find it despite how simple it isn and these tests have a habit of waking users up.  For a week or two, anyhow.

People saying lawsuit...bwahahha someone can file one but they'll never win.
 
2020-09-24 3:51:20 PM  

GregInIndy: That should be illegal. They should be bound to pay any bonus they've expressly promised to employees.


And that would ALSO stop the phish scams as well.
Imagine those dopes having to cough up on their bait.
The world would be better.
It would likely reduce emissions because of the reduced email
 
2020-09-24 3:53:00 PM  

Mouser: Well, if the goal was to weed out the idiots on the payroll, sounds like they did a good job of it.


Keep living up to how I have listed
 
2020-09-24 4:03:30 PM  
Wonder how many credentials have now been collected with "Apology from Tribune management.  Here's $500 to make up for our mistake."
 
2020-09-24 4:13:31 PM  
Last year my employer sent out an email from Wombat Security with a link to open to test our knowledge on cyber security.  Apparently a lot of people, myself included, thought it was a phishing attempt and flagged it as such. Turned out it was legit, and they sent out a follow up email stating it was legit. What made me suspicious was the name Wombat Security.  I mean, come on.
 
2020-09-24 4:14:23 PM  
There were spelling errors in the email that were meant to serve as tipoffs of its inauthenticity, including the salutation, "Congradulations Executives!!"

Upon reading numerous articles in Tribune publications this would not be a tip off.
 
2020-09-24 4:14:25 PM  
My former employer sent random test emails.  I understand why companies do this.  But when people are scared about their own financial well-being and future employment, this was a seriously dick move by this company.
 
2020-09-24 4:29:25 PM  

radiovox: My former employer sent random test emails.  I understand why companies do this.  But when people are scared about their own financial well-being and future employment, this was a seriously dick move by this company.


All 'good lies' are something the sucker wants. Duh. Should be a tell to an adult.

In the real world, no manager would send word of a big bonus by email. Sr Management delivers good news personally, bad news comes from hatchet people.

The people that fell for this need an eight hour unpaid Saturday cyber security class. Give them a 'Certificate suitable for framing'.
 
2020-09-24 4:31:56 PM  
I always do the "hover over the link and see what it looks like" test, and I'm almost never surprised when the address is some weird random link from overseas.
 
2020-09-24 4:44:29 PM  

The knight who says EkiEkiPoontang: radiovox: My former employer sent random test emails.  I understand why companies do this.  But when people are scared about their own financial well-being and future employment, this was a seriously dick move by this company.

All 'good lies' are something the sucker wants. Duh. Should be a tell to an adult.

In the real world, no manager would send word of a big bonus by email. Sr Management delivers good news personally, bad news comes from hatchet people.

The people that fell for this need an eight hour unpaid Saturday cyber security class. Give them a 'Certificate suitable for framing'.


Ummm... AT&T used to send Bonus emails. Granted, that was 24 years ago.

I used to work for a company that routinely sent out fake scammer emails as "tests" of a level so advanced that I would actually call their work exceptional. That was, when I wasn't busy cursing their asses out for making my life a living hell; I supported @ 200 stupid users, and *every damned time* they sent an email I knew that all work had to cease for the day so I could go coddle half the gorram office because they were such complete morons who *always* clicked the links, and then go answer the usual other 50% who insisted on calling, texting, forwarding the email to me and all asking at the exact same time "IS THIS LEGITIMATE EMAIL I IS BUSY" yeah well so was I you dumbasses, so was I.
 
2020-09-24 4:45:26 PM  
It's a shame nobody got a screenshot of the email.
 
2020-09-24 4:46:18 PM  

GregInIndy: That should be illegal. They should be bound to pay any bonus they've expressly promised to employees.


Why?  It's their email system, they can run whatever tests on it they please to see how their employees react in a test.  Company secrets do exist, and sometimes you need to make sure they won't get leaked.
 
2020-09-24 4:48:06 PM  

S10Calade: halifaxdatageek: I'm biased by virtue of being on the other side of these emails (IT, not a Nigerian scammer), but aren't they fairly common?

I work in automation & controls so I get to spend quite a bit of time with the IT overlords. We had a discussion about this same thing about a year back and I was told there are 2 things that are strictly off-limits. Anything to do with employee compensation/benefits and anything with health/safety. They were told by the corporate lawyers it opens way too many doors for lawsuits if someone takes the info as fact.


I think there should be no boundaries for the test. If it was a real phish attack they were collectively farked.
 
2020-09-24 4:50:05 PM  

gar1013: Any employee complaining about this needs to grow up.

Scammers aren't going to play by the rules. In fact, the better the email sounds, the more likely it's a scam.


When I was employed by the Army, we were semi-regularly tested for whether we'd fall for such scams. I was never (and I emphasize NEVER) sent a test email stating that I'd been awarded a huge bonus and I needed to go to this page to see how much money I was getting in my bonus. I'm positive every single person in my chain of command recognized that that kind of a test would crush morale.
 
2020-09-24 4:50:17 PM  

thespindrifter: Ummm... AT&T used to send Bonus emails. Granted, that was 24 years ago.


Routine bonus emails or unexpected ones?

Makes all the difference. One is just routine HR paperwork, the other is legit good news.
 
2020-09-24 4:55:31 PM  

freakdiablo: halifaxdatageek: I'm biased by virtue of being on the other side of these emails (IT, not a Nigerian scammer), but aren't they fairly common?

Yes and no.  I get security competency check every few months from IT, but they're typically along the lines of "hey man, it's Todd from the helpdesk.  We're doing some server maintenance after COB, can you send me your password in case the database gets wiped?"

Nothing along the lines of a bonus or raise.


Weak sauce.

The best are the tests that suggest there are going to be shortened holiday hours, or an office pool to bet on the Super Bowl.
 
2020-09-24 4:56:09 PM  

NotThatGuyAgain: halifaxdatageek: I'm biased by virtue of being on the other side of these emails (IT, not a Nigerian scammer), but aren't they fairly common?

Yes.

Some of them can be quite sophisticated, and will appear to have actually come from HR or whoever.  It wouldn't surprise me if there's a real phishing email out there written in perfect English promising a $10k bonus.

You can't expect everyone to know what they're looking at in an email header, let alone how to find it despite how simple it isn and these tests have a habit of waking users up.  For a week or two, anyhow.

People saying lawsuit...bwahahha someone can file one but they'll never win.


My understanding is that a lot of these scams use poor grammar and the like on purpose, to filter out more sophisticated users who would likely be quicker to catch on that this is a scam.
 
2020-09-24 5:09:50 PM  

stringbad: S10Calade: halifaxdatageek: I'm biased by virtue of being on the other side of these emails (IT, not a Nigerian scammer), but aren't they fairly common?

I work in automation & controls so I get to spend quite a bit of time with the IT overlords. We had a discussion about this same thing about a year back and I was told there are 2 things that are strictly off-limits. Anything to do with employee compensation/benefits and anything with health/safety. They were told by the corporate lawyers it opens way too many doors for lawsuits if someone takes the info as fact.

I think there should be no boundaries for the test. If it was a real phish attack they were collectively farked.


Haha, that would be maximally effective, but in real life the legal department normally gets a say.

For instance, am I allowed to storm the data centre with a gun and take hostages? A criminal might :P
 
2020-09-24 5:26:25 PM  

HeartBurnKid: NotThatGuyAgain: halifaxdatageek: I'm biased by virtue of being on the other side of these emails (IT, not a Nigerian scammer), but aren't they fairly common?

Yes.

Some of them can be quite sophisticated, and will appear to have actually come from HR or whoever.  It wouldn't surprise me if there's a real phishing email out there written in perfect English promising a $10k bonus.

You can't expect everyone to know what they're looking at in an email header, let alone how to find it despite how simple it isn and these tests have a habit of waking users up.  For a week or two, anyhow.

People saying lawsuit...bwahahha someone can file one but they'll never win.

My understanding is that a lot of these scams use poor grammar and the like on purpose, to filter out more sophisticated users who would likely be quicker to catch on that this is a scam.


This

If you saw through it easily, you're not the target.
 
2020-09-24 5:33:21 PM  

halifaxdatageek: freakdiablo: Nothing along the lines of a bonus or raise.

I'm no expert but...: If you mean companies sending test phishing email to staff as part of cyber security awareness, then yes. But if that email was configured to look like a genuine internal email with the envelope address being the only give away that it is a phishing attack then a lot of people would be caught out. This one was really badly thought out and should never have been used.

S10Calade: I work in automation & controls so I get to spend quite a bit of time with the IT overlords. We had a discussion about this same thing about a year back and I was told there are 2 things that are strictly off-limits. Anything to do with employee compensation/benefits and anything with health/safety. They were told by the corporate lawyers it opens way too many doors for lawsuits if someone takes the info as fact.

All fair points. And a hat tip to "I'm not expert but..." for an excellent handle.

My buddies always roll these tests in as part of security training, so if you get caught out, you got caught out in the middle of learning about (among other things) how to spot scam emails.

"You tricked me!"
"We literally told you two days ago how to verify an email really came from us."

Bonus fact: The CIA has gone on record as saying they will never put agents undercover as journalists or religious figures, because they don't want to put those folks under any more foreign scrutiny than they already are. Of course, they would say that, wouldn't they...


The CIA faked vaccines in order to get to Bin Laden, leading to enormous distrust of doctors and vaccines. There's nothing remotely ethical about the CIA.
 
2020-09-24 5:36:04 PM  

Scorpitron is reduced to a thin red paste: The CIA faked vaccines in order to get to Bin Laden, leading to enormous distrust of doctors and vaccines. There's nothing remotely ethical about the CIA.


They said journalists and religious figures, not doctors :P

But yes, I agree, the CIA is 31 flavours of farked up.
 
2020-09-24 5:38:13 PM  
I get the concept of "red-team" tests, but this one was spectacularly badly done.

First, it came out from an internal source and went to everyone. That's not how an external attack shows up. If they already have access to your internal admin's computer they don't need more.
Second, the purported subject was bound to upset people when they find out it's not true. This isn't a test of IT security, it's a test of whether the employees trust their company.
 
2020-09-24 5:51:48 PM  
It occurs to me that if you're really pissed at your employer, and you have a typical office job, you can take it out on them by clicking every phishing link you get in your e-mail. I think in general people rarely get actually disciplined for failing these tests.
 
2020-09-24 5:57:29 PM  
Fark user imageView Full Size
 
2020-09-24 6:07:24 PM  
Man it sucks when something like that happens.  You click the link, expecting, to be rewarded, and...bang, you get hit with

i.imgur.comView Full Size
 
Displayed 50 of 65 comments


Oldest | « | 1 | 2 | » | Newest | Show all


View Voting Results: Smartest and Funniest

This thread is closed to new comments.

Continue Farking





On Twitter



  1. Links are submitted by members of the Fark community.

  2. When community members submit a link, they also write a custom headline for the story.

  3. Other Farkers comment on the links. This is the number of comments. Click here to read them.

  4. Click here to submit a link.