Protection against cyberattacks is one of the most stressed aspects of running an organisation today. To train employees against tactics employed by cybercriminals, many companies conduct phishing or hacking tests to assess how likely their employees are to fall into such traps. However, this can sometimes result in unintended consequences.
In December 2024, one such incident happened at a “security-conscious” company. As one of its employees details, the entire staff, including the security team, received “gift certificates” from an unknown email address two weeks before Christmas. It wasn’t a tiny phishing attempt targeting a couple of employees. Instead, the company’s Computer Emergency Response Team (CERT) was hit with over 2,000 emails, all looking like someone was trying to phish the entire staff.
The employees, already trained in spotting phishing emails courtesy of their security teams and internal tests, immediately reported the emails. This led to holidays being cancelled and the security workforce being called back to the office in an all-hands-on-deck situation to determine where the emails came from.

However, no obvious signs of intrusion were found. There was no contact with a control server, no immediate triggers, and perhaps most surprisingly, the gift cards were genuine. The company reached out to other CERTs and even governments to track down any signs of malicious activity, only to find nothing. Speculation about the emails’ source grew to the point where a state actor was suspected to be behind the attack.
That is, until the company’s CISO sent out an email telling everyone to drop the search. Senior management at the company wanted to surprise the staff and sent out gift cards to everyone without realising that it might have some unintended consequences. To his credit, however, the CEO paid for every cancellation and ensured everyone got their cancelled holidays back.