When my colleagues Claire O'Malley and Brian Kime wrote their blog post "Point/Counterpoint: The Ethics Of COVID-19 Phishing"[1] in March, it turns out they were inadvertently predicting an event that took place last week: An employee took to social media[2] to speak out about a highly insensitive phishing simulation.
Tribune Publishing Company, publisher of newspapers like the Chicago Tribune and The Baltimore Sun, conducted an ill-timed phishing simulation. The email was offering targeted bonuses of $5,000 to $10,000 to the remaining staff that had survived an ongoing wave of pandemic-spurred firings and pay cuts[3]. Users were prompted to log in to view their promised bonuses, and, in doing so, they were met with an alert of how they had just failed a phishing simulation test.
A Thoughtless Campaign Phishes Away Brand And Goodwill
This presumably inadvertent misstep resulted in a negative experience for all involved:
- Already struggling employees got an extra slap in the face with a phish. The pandemic has introduced a significant amount of stress around reentry to work, burnout, financial instability, health concerns, and anxiety about job loss. Loss of jobs and wages exacerbates the stress on employees. In this instance, the reception of employees receiving this phishing simulation that claims to pay a bonus to those who've already lost so much could not have been direr.
- The organization's brand took a hit. How you treat your employees defines your brand and values as an organization. Customers, business partners, and future hires are watching how and if your firm places an emphasis on employee experience (EX), as they make decisions about their relationship with you. Tribune Publishing Company's employees took to social media to register their outrage; others joined in amplifying the outrage[4], putting the organization's