SACRAMENTO, Calif.–In an attempt to test workers’ vulnerabilities to email phishing scams, a California state department sent an email to employees that included a manipulated version of the logo of The Golden 1 Credit Union.
The email included a signature of Golden 1 President Donna Bland, which had not been authorized by the credit union, nor had the CU been informed of the phishing test ahead of time, according to the Sacramento Bee.
The email was sent to take advantage of employees’ anticipation of a $2,500 contract bonus that many are receiving.
According to the Bee, the phishing email asked employees in the Department of Housing and Community Development to click a link that would “validate their employment status.” Then, the message said, workers would immediately receive their bonuses through a direct deposit.
The message was effective enough that Golden 1 received a call about it, and the State Controller’s Office sent an email to thousands of state workers warning them not to click on it, according to the Sacramento Bee.
The Bee further reported that the email was intended to be a cybersecurity test for the department, according to an email that employees received about 90 minutes after the phishing message was sent.
The Golden 1 told the Sacramento Bee that it was not informed that the test would be taking place. Similarly, the department also did not inform state government’s largest union, Service Employees International Union Local 1000, that it had created a fake phishing scam using the bonuses its members are receiving as bait.
The Sacramento Bee said the original message blended the logos of Golden 1 and SEIU 1000 to announce a partnership between the credit union and state government. It included an image of SEIU 1000 President Yvonne Walker with the text “We have a contract!”
According to the Bee, The Golden 1 first learned about the phishing test when one of its members called to report a phishing scam. The credit union read the message and believed it was a malicious phishing attempt. The credit union reported it to the State Controller’s Office, which then broadcast its warning, the Sacramento Bee reported.
The Bee said that at 12:15 p.m., employees at Housing and Community Development received another email that said their own information technology team created the phishing message.
“SEIU and Golden 1 were not involved in this internal test and there is no need to contact SEIU or Golden 1,” the unsigned message said.