Spyke
sh.itjust.works

While it is important to protect against Phishing, it was heartless to test the employees offering a false day off. Felt bad for the tired guys being tricked. :(

10

yeah but that is exactly the kind of thing a threat actor will use to gain access to critical systems and private health data. It was a textbook scam coming from a clearly fake domain name and they clicked it and put in their credentials, credentials that take down hospital systems and kill people when they don't operate.

8
ricecake
sh.itjust.works

Sure, but here's the critical thing: the security team isn't a threat actor, they're coworkers. Their job isn't to steal data but to protect it and get coworkers to better protect it.
Doing stuff like this doesn't advance that goal, and actually hinders it. Now a bunch of people think the security team is full of assholes and the lesson taught is "the security team will trick you, get you in trouble and also good things never happen here".

They now know that they could face a breach from an enticing phishing email, which isn't actionable. What do you do with that information that you shouldn't have already been doing?
The cost is that now when someone does something like actually fall for a phishing attempt they have less reason to trust that security is on their side, and more reason to brush it off and try to obscure it to avoid getting in trouble with security.

A better way to train users is to use rewards. Tell them you're running a phishing campaign and properly reporting it gets a chance at a gift card or prize. Then tell them you're going to keep doing it, and that legitimate phishing reports also get a chance.
It costs you $100 a month, no one is mad at security and it's easier for users to see it's an exercise rather than an attack.

0

I have to disagree with the premise that security testing should be a "feel-good" exercise. In a healthcare setting, the security team operates as an internal auditor. Their job isn't to be liked; it is to protect patient lives from catastrophic ransomware attacks that shut down life-saving systems.

To do that effectively, they have an obligation to run real-world simulations. Actual threat actors don't care about hospital morale or their exploitation under capitalism and they will exploit those exact pressure points to gain credentials. What this test revealed isn't just that the staff are tired, but that a highly enticing lure easily bypasses their current social controls. Because of this test, the security team now knows they must rely more heavily on technical controls (like hardware keys or stricter zero-trust policies) to compensate, which is actionable. Being mad at the security team for exposing a fatal vulnerability is shooting the messenger.

3

My entire point is that none of that is actually new information. Every piece of research by anyone has always indicated that the human element is the weakest part of the security system. If you're asking if you can trust a user to reliably do something, you can safely say "no" and make contingencies for when they don't.
If they have technical solutions available, they didn't need to run a drill to know that they should use them.

It's not about being "liked". It's about effectively enforcing a security posture. An adversarial relationship does more to undermine that than providing guidance on how to do it better.
They have no obligation at all to "run scenarios" where they could just implement the fix to the problem.

They exposed a fatal vulnerability in the same way stabbing someone exposed a problem: it's been demonstrated, but it's not new information.
This type of exercise is about producing numbers that look good on a spreadsheet. You do a phishing drill, people fail and then you run a training. A few weeks later you do it again and since people still have the previous drill lingering they remember, and you send a softball phish. Line go up and to the right. Looks good in report.

1
rwrwefwef
sh.itjust.works

They had to make it enticing. And they did get the data they were after; that is, for the right incentives, people will disregard their safety training.

6

I mean, no shit. Turns out people get stupid when they're forced to work hundreds of hours of overtime and get no time off. The same thing would happen if you didn't feed them for two weeks and then sent a phishing email promising pizza. The only thing this demonstrates is that the best cybersecurity measure they could take is giving their employees enough time off.

3
ricecake
sh.itjust.works

That's not new information though. All they've done is teach users that their security team is more of an enemy than a friend.

Seriously: what action are they going to take as a result of this that they shouldn't have already been doing? They could just as easily have assumed, entirely correctly, that users will fall for phishing messages. Don't need an exercise, to say nothing of a mean one, to learn that.

2
jmill
lemmy.zip

Well, exercises like this aren't just about gathering info, they are IT training too. If one of the people who fell for it gets another email promising a day off for clicking a link, they should now think twice. Hopefully they start checking all links before clicking them.

I understand they are overworked and the day off was enticing, but who doesn't view every email with distrust and suspicion these days? Yeah, it sucks, but that's the reality we are in.

3
ricecake
sh.itjust.works

Sure, but that's ignoring the cost of "now your users don't trust the security team".

For most things like phishing there's only so much training you can put on a user. Humans are pretty okay at understanding the costs associated with their time in an implicit manner. Users will check well enough to meet their internal cost metric: the cost to them if they get phished isn't high, and the likelihood is low. That's why it's such a problem in workplaces.
The solution isn't to keep beating the user over the head. First, it can undermine other important parts of the relationship between users and security as I mentioned, and it can, if done in the extreme, normalize phishing emails. The real phish comes in and sits unreported next to the fake ones. Security never gets to run a scan and remove the message from every mailbox, increasing the exposure.

The better approach is to prevent users from being in control of their own vulnerability. Don't let them enter their credentials into the nono box.

0
jmill
lemmy.zip

They might not trust the security team to be their friend, they have no reason not to trust them as a coworker doing their assigned job.

They may perceive the personal cost as being low, but that is the real issue. If digital security is breached because of their actions, when a small amount of due diligence can easily prevent it, they are responsible. Losing your job because ransomware you let in took out your employer's computer system is a pretty big personal cost. May make it hard to get hired somewhere else too.

Locking down work computers further and further until users can't possibly do anything damaging also makes doing work on those computers slower and more frustrating. It's cost me many many hours, because coworkers can't take 2 seconds to think critically.

1

Yeah, you're right. Passkeys, sso and password managers make it impossible to get any work done. It's much better to keep doing the same things that haven't been working for decades. Don't forget to make everyone rotate their password every month!

What's your simple due diligence to prevent phishing? You check the links you click, verify the URL you ended up at is what you expect, validate no unexpected unicode swaps in the domain, pop back to the email and check the sender is known and trusted, look at the headers and validate the routing chain, then double check the sender spf and dkim records are on the up and up? Oh, and make sure the actual content that you landed on is from the website and not a hijacked subdomain.

they have no reason not to trust them as a coworker doing their assigned job

That's the specific area where they don't. We're discussing a specific situation where the security team is taking it upon themselves as their job duty to trick you and get you in trouble. That makes people hesitate to share security concerns because "those guys are pricks and will make this all my fault".

Losing your job because ransomware

It's a hospital. They're already short on nurses and administration staff. Those people directly provide patient care or manage operations. Security does not. Security's job is to maintain security standards compliance and maybe keep patient data safe. It is not to exacerbate a staffing issue or let the network go down because you thought it was too much hassle to do your job and properly secure a fucking managed laptop. Security is, rightly, going to be blamed when a user gets the network infected. Particularly when your idea of training is to offer them PTO and then call them an idiot when they want it.
The person making the decision on who to blame is a lot more like that poor nurse than they are like security.

1
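The checklist in the comment above (look at the link host, watch for Unicode swaps in the domain, check the sender, check the gateway's SPF/DKIM verdicts) is exactly the kind of work a mail gateway or a triage script can do so that a tired nurse never has to. The script below is an added example, not code from the thread or the article; the lure message, the trusted domain and the look-alike host are all constructed.

```python
import email
import re
import unicodedata
from email import policy
from urllib.parse import urlparse

# Domains the organisation really sends from (constructed for this example).
TRUSTED = {"hospital.example"}

# Constructed lure, not the article's message. The link host carries an
# accented "o" that renders almost identically to the trusted domain.
LURE = """\
From: HR Benefits <hr@hospital-benefits-portal.example>
Authentication-Results: mx.hospital.example; spf=fail smtp.mailfrom=hospital-benefits-portal.example; dkim=none
Content-Type: text/plain; charset=utf-8

Claim your day off before Friday: https://h\u00f3spital.example/claim
"""

def skeleton(host):
    """Crude confusable skeleton: undo punycode, strip accents, lowercase."""
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels back to Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: keep as-is
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def link_findings(body, trusted):
    findings = []
    for url in re.findall(r"https?://\S+", body):
        host = urlparse(url).hostname or ""
        if host in trusted:
            continue
        if "xn--" in host or any(ord(c) > 127 for c in host):
            findings.append(f"non-ASCII or punycode link host: {host}")
        if skeleton(host) in trusted:
            findings.append(f"link host {host} looks like trusted {skeleton(host)}")
    return findings

def triage(raw, trusted=TRUSTED):
    """Reasons a message deserves a closer look; an empty list means none found."""
    msg = email.message_from_bytes(raw.encode("utf-8"), policy=policy.default)
    sender = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    findings = [] if sender in trusted else [f"sender domain not trusted: {sender}"]
    # spf/dkim verdicts are stamped by the receiving gateway, not the sender
    auth = dict(re.findall(r"\b(spf|dkim)=(\w+)",
                           " ".join(map(str, msg.get_all("Authentication-Results", [])))))
    findings += [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dkim") if auth.get(m) != "pass"]
    return findings + link_findings(msg.get_content(), trusted)
```

A gateway that quarantines or banners on any non-empty result removes the decision from the user entirely, which is the "don't let them enter credentials into the nono box" approach rather than another drill.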

Take the time off regardless, clearly our health care sector is struggling and I doubt they’ll be eager to fire their experienced staff.

3


Canadian healthcare staff decry ‘cruel hoax’ after scam email promises paid day off | Spyke