Marketing Company Dangles Vaccine to Test Employees on Phishing

Decades ago, those who worked in travel booked flight reservations in large, nondescript offices. Customers called, asked about flight schedules, prices, availability, etc. It was a different time, well before passengers were able to book flights themselves.

A computer measured how long it took employees to book flights, the revenue generated and the length of lunch, bathroom and coffee breaks. In addition, managers monitored calls, listening in to see how staff handled customers. Periodically, managers would go over recordings of calls, and other employee data.

Initially, it was probably disconcerting to know a machine tracked workers' every move and, at times, a manager, unannounced, was listening to calls.

Eventually, though, employees accepted the monitoring as part of the work environment. If you did your job well, then you had no concerns.

A Reminder

A story this week in Adweek’s publication AgencySpy is reminiscent of those days of Big Brother. It told of a D.C.-based marketing firm, ICF Next, whose staff received an email from management beginning with the phrase “Good news!” It continued, saying that because of its work with CVS Pharmacy, ICF Next employees were eligible to receive the COVID-19 vaccine.

“We have procured enough doses for the entire U.S.-based staff, but it won’t all be available at once.” Your place in line, the email said, depends on “a work-related need to return to the office or other in-person work locations.”

Employees were offered a link. In addition, employees with questions could contact human resources.

However, the AgencySpy story says the email was bogus. ICF Next was testing employees to see if they’d bite. Apparently, 30 percent did.

A Non-Apology Apology

An anonymous source detailed the test to AgencySpy, along with a copy of the email.

Hours after the story ran, ICF Next issued a statement to the publication.

In it, ICF Next said it understands offering COVID-19 vaccine as ‘phishing bait’ resulted in an emotional reaction in some staff. The vaccine, the statement says, is a “sensitive” topic... “we will certainly keep this in mind moving forward….”

Still, ICF Next says its actions are just.

“This email was part of a routine program we run to keep our people and networks safe from attacks. Phishing and malware attackers are now using sensitive topics more and more to draw people in,” the statement to AgencySpy says.

Indeed, vaccine scams are very successful, sources say.

ICF Next also notes it contracted a third party to administer the program.

In its story, AgencySpy says “employees were, predictably, upset by the approach to cyber security.”

It offers no other details about employee reactions.

Responding to Staff

At some point, management sent a second memo to staff, AgencySpy reports in an update to its original story. Once again, a source, perhaps the same one who alerted AgencySpy initially, sent a copy of the second memo to the publication. Again, there was no apology.

“While the topic may be perceived as insensitive, that was not the intent,” the second memo says. “I understand why it might have been especially disheartening, given the significant impact and stress the pandemic has had on so many of our lives. However, during this time, it is important that we stay vigilant in order to protect ourselves from the bad actors who often take advantage of situations like this.”

AgencySpy doesn't identify the speaker in the second memo.

The staff memo mentions the third party that administered the test and says it will review its contract with the vendor.

In addition, it notes, as we say above, that 30 percent of ICF Next’s 430 employees clicked the link.

“This indicates that we can do more to educate ourselves. I’m sharing a few additional articles below that will hopefully help you and your teams understand why this is important.” The memo offered links to several articles.

“Please feel free to reach out with any questions,” the memo concludes.

PR Pros Weigh In

Veteran communicator Andrew Gilman, CEO and founder, CommCore Consulting Group, is aware of the importance of cyber crime. "In the crisis field," Gilman says, "cyber attacks, breaches, hacks and ransomware are the number one concern of almost every organization." Indeed, arguably the two largest cyber hacks ever occurred in the past four months.

Hence, Gilman has a measured reaction. "If it was the first cyber security exercise of [ICF Next's] staff, using the vaccine [as a lure] probably should be considered bad form," he says, noting anxiety around the pandemic and vaccines.

On the other hand, if staff was alerted that management sporadically will test for cyber crime, then most cyber security people will say the company was justified. "It's a valid way of [educating and reminding staff] that you have to look at every email carefully that comes in," Gilman says. "The bad guys are very clever," he adds. And one of the ways bad actors breach systems, Gilman says, is via email.

Details Needed

Gilman acknowledges the AgencySpy story lacks details about whether or not ICF Next's staff was educated about cyber crime.

PRNEWS asked ICF Next for details. The company has yet to respond.

Of course, this sort of test is not new. Recall GoDaddy's holiday bonus that also was a test.

PR veteran and communication measurement guru Katie Paine agrees with Gilman's view. "There are dozens of security companies that run tests like this all the time. It’s essentially good experimental research," she says.

"It’s one thing to ask your employees if they would recognize a phishing scheme, train them, and ask the same question again after training," Paine adds. "All that kind of survey does is test their confidence level."

Tests like the one ICF Next's contractor conducted, Paine argues, "measure actual behavior, which is, of course, far more important when it comes to communicating risk."

Does this bolster employee trust in management? "It should," Paine says, "increase trust in security and [the company's] ability to protect [employees] from phishing."

What about transparency and authenticity? Communicators, start your engines.

Seth Arenstein is editor of PRNEWS and Crisis Insider. Follow him: @skarenstein