A major media company, like a lot of media employers these days, has been facing difficult economic times and has had furloughs, pay cuts, and buyouts.
So the surviving employees were tickled pink when they received an email saying they were going to receive bonuses of $5,000 to $10,000 because the company's austerity measures had been so successful.
All they needed to do was click on the link and enter their passwords.
OK, that is bad. Allow me to make it worse. This wasn't even a cybercriminal. The employer had chosen this message to use as a test "phishing" email.
You know about those, right? Many employers periodically send out a fake "phishing" email. The link is actually safe, so no harm is done if a gullible employee clicks on it, and it's a good way for employers to determine how much cybersecurity education their employees need, as the government of the State of Michigan found out a few years ago (scroll down to No. 3).
But it's not very nice to have the fake phishing email mislead employees about sensitive topics, like their flippin' pay. And according to Twitter (so it must be true!), a different company once sent a fake phishing email telling employees they'd been fired.
That's even worse than a fake promise of a bonus!
Anyway, the employer who promised the bonus did publicly apologize, so that was good. And the Founder and CEO of cybersecurity company KnowBe4 wants you to know that his company had nothing to do with the content of this phishing expedition.