Executives at Tribune Publishing have apologized to reporters, editors and subordinates working at local newspapers across the country after the company’s information technology department sent an email fraudulently claiming those employees had earned thousands of dollars in bonuses that did not exist.
The email sent on Wednesday was part of a simulated phishing test that was intended to measure the cybersecurity readiness of Tribune Publishing employees.
“We are pleased to inform you that we are providing targeted bonuses between 5,000 and 10,000 dollars this year,” the email said, adding that the company was able to provide the bonuses due to cost-cutting measures.
Employees were then asked to enter their credentials at a website that was linked in the email. Once clicked, employees were re-routed to a webpage absconding them for clicking an unverified link in an email and reminding them of three “rules to stay safe online.”
Naturally, the email did not sit well with reporters, editors and other employees who are survivors of Tribune Publishing’s cost-cutting measures over the years that included the layoffs of veteran journalists, the elimination of certain benefits and a reduction in salaries and bonuses paid.
overworked underpaid journalists living under threat of furlough got this scam email offering bonuses …
… and now it is looking like Tribune Publishing sent it to their own employees just to see who would fall for a phish.
Insulting and cruel. pic.twitter.com/ags9hLzWaK
— Megan Crepeau (@crepeau) September 23, 2020
“After slashing our staff, closing newsrooms, furloughing reporters and cutting pay during a pandemic, [Tribune] thought a neat little way to test our susceptibility to phishing was to send a spoof email announcing large bonuses,” Justin Fenton, a crime reporter for the Tribune-owned Baltimore Sun, wrote in a tweet. “Fire everyone involved.”
No one has been fired, and the move was defended in a pseudo-apology issued by the company on Thursday, though executives noted they could have gauged their cyber readiness differently.
“Based on input provided by the company’s cyber security team and advisors, the content of the test included language regarding employee bonuses. Having fallen victim to attacks of this nature before, the company recognized that bad actors use this type of language regularly, and [so it] decided to use the language to simulate common phishing scams,” a company statement read.
The statement went on to say that the company “had no intention of offending any of its employees.”
“In retrospect, the topic of the email was misleading an insensitive, and the company apologizes for its use,” Tribune said.