Surprise! Staff don’t like receiving phishing tests from their firms that pose as salary increases

Surprise! Staff don't like receiving phishing tests from their firms that pose as salary increases

UK law firm Knights certainly has an interesting way of keeping its staff happy.

After disappointing its staff in a recent round of pay reviews that either granted zero rises or “tiny percentages on already way-below-market rates”, workers were delighted to receive an email entitled “Important notice: Salary increase.”

Hi <REDACTED>

After assessing the current salary structure as provided under the terms of your employment, it was discovered that you are due for a <DOUBLE DIGIT> annual salary increase beginning in the upcoming fiscal quarter.

The details of your salary increase are enclosed in the attached document.

***Please ensure all details are correct to avoid any problem with this adjustment***

Cordially,
HR Team

Knights

Perhaps predictably, some workers opened the attachment.

The good news is that it hadn’t been sent by cybercriminals.

The bad news was that the email was a lie. The staff weren’t getting a rise to their salary.

Instead, when they opened the attachment workers were informed… that they had failed a phishing test.

You perhaps won’t be surprised to hear that this didn’t go down terribly well with staff.

Who would have guessed that, eh?

Sign up to our free newsletter.
Security news, advice, and tips.

According to law site RollOnFriday, the test “went down like a lead balloon” with some partners responding with incredulity or even threatening to leave.

And yes, the fact that the email arrived from an external email address ([email protected]) should have rung alarm bells.

And yes, recipients should have noticed that the email was prefaced by an actual warning that the message originated from outside the company.

Part of Knights phishing email
Part of phishing test email sent to Knights employees, including warning that email had been sent from outside Knights.

But for any company to piss off its staff in this way is utterly boneheaded and shortsighted.

The phishing test could just have easily been a message saying the company was offering free pizza on Fridays to the first 20 people who responded, rather than choose a topic (salary reviews) that was bound to leave a bad taste in worker’s mouths.

Of course, there’s no reason why fraudsters can’t use this tactic to trick usnuspecting users into clicking on a dangerous link or opening a malicious attachment.

Hey, I’ve received just such a phishing email myself – claiming that my salary was going to be increased. I wasn’t certainly surprised to get the news from my business’s HR department, as I was the only person who worked at the company.

Keep your staff on-side when fighting hackers. Test their cybersecurity awareness in a positive constructive way, rather than give them another reason to resent working for you.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Surprise! Staff don’t like receiving phishing tests from their firms that pose as salary increases”

  1. David Heath

    My employer uses similar trickery, but the messages are easily recognised as they're is structured such that they should almost certainly be quarantined, but they're not.
    So, I click on it, just to annoy them, and when asked to respond, I tell them exactly why their test failed!

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.