Simulated Phishing Attack Goes Embarrassingly Wrong

27

A recent simulated phishing attack organised by a California state department had some embarrassing repercussions:

The department emailed a fake phishing scam to its employees that manipulated the logo of Golden 1 Credit Union and played on anticipation for $2,500 contract bonuses that many state workers are receiving this week. 

The phishing email asked workers to click a link that would “validate their employment status.” Then, the message said, workers would immediately receive their bonuses through a direct deposit. 

The message to employees in the Department of Housing and Community Development was effective enough that Golden 1 received a call about it, and the State Controller’s Office sent an email to thousands of state workers warning them not to click on it. 

It was intended to be a cybersecurity test for the housing department, according to an email that employees received about 90 minutes after the phishing message was sent. The department did not notify Golden 1 that it planned to distribute the test, according to the credit union. 

The department also did not inform state government’s largest union, Service Employees International Union Local 1000, that it had created a fake phishing scam using the bonuses its members are receiving as bait. The $2,500 bonuses were a feature of the 42-month contract SEIU negotiated in December after calling off an announced one-day strike. 

The original message blended the logos of Golden 1 and SEIU 1000 to announce a partnership between the credit union and state government. It included an image of SEIU 1000 President Yvonne Walker with the text “We have a contract!”While we appreciate the importance of cybersecurity, in the future we’d ask for better coordination by the state,” said SEIU 1000 spokesman Jerry Jimenez. “The state used President Walker’s image in their test without giving us advance notice, and using bonus checks as click-bait on the week state workers actually received their long-awaited checks caused unnecessary confusion.” 

In addition to Walker’s image, the email included a signature of Golden 1 President Donna Bland.

 The credit union first learned about it when one of its members called to report a phishing scam. The credit union read the message and believed it was a malicious phishing attempt. The credit union reported it to the State Controller’s Office, which then broadcast its warning. 

“The safety and security of our members, and the community, are top priorities for Golden 1. We appreciate the quick action by the State Controller’s Office to notify employees about this scam,” said Golden 1 Vice President for Account Services Kathy Flynn.

 The warning from the State Controller’s Office stressed that the message was fake.  

“There is no such partnership or online portal,” the warning says. “SEIU members should be advised not to click any links and immediately delete the email.” 

At 12:15 p.m., employees at Housing and Community Development received another email that said their own information technology team created the phishing message.