At first glimpse, the email seemed like good news: all employees with Tacoma Public Schools are eligible for 20-50 percent discounts and free shipping with Amazon for the months of November and December.
"To show our appreciation for all your efforts this year, Tacoma Public Schools is partnering in a holiday discount program with Amazon," said the email, sent Friday from what appeared to be district Human Resources.
It wasn't true.
The email was a fake, the district confirmed with The News Tribune on Monday. It was sent by the district to its staff as part of an effort to educate its workforce on phishing scams that can put the district's security at risk.
"We have had an ongoing internal program of educating our workforce about cybersecurity, password protection, and the risks of clicking on links in phishing emails," district spokesperson Dan Voelpel said in an email on Monday. "Part of that program involves sending periodic fake phishing emails and tracking who clicks on them so that we can follow up with reminders and explain how REAL phishing emails work and may look like they're coming from legitimate sources."
The email upset some school employees, who say the it was harsh to send during the holiday season when many people might be feeling financial stress.
Tina Taylor, a teacher at Bryant Montessouri School in Tacoma, said she saw the email circulating on social media before opening it in her inbox, so she knew it was fake and didn't click on it. But the subject of the email — promising a major discount during the holidays and a pandemic — was in poor taste by the district, she said.
"There are lots of people who are working second and third jobs to make ends meet and that could have made a difference," she said.
Ed Grassia, chief information officer for Tacoma Public Schools, sent a letter to TPS employees on Tuesday explaining that during the holiday season, TPS sees an increase in cyber attacks on its system.
"Please know that our intent is always to use these cyber security efforts as a way to help educate you in a safe manner," Grassia said. "Personally, I know how frustrating these can be and I want to work with you to learn to protect yourselves and the District. After sending this phishing test, it became clear to me that the subject matter and timing frustrated many within the District. Please know that the intent of this phishing test and any of our cybersecurity efforts is not to anger or upset anyone."
Tacoma Public Schools has a contract with KnowBe4, a company that provides security awareness training to help people identify phishing emails. The company has a portfolio of phishing email templates to select and customize for TPS.
Phishing scams can help criminals not only steal identities and hack bank accounts but also take over an organization's network. Phishing scams soared since the start of the COVID-19 pandemic as many people worked from home.
KnowBe4 states on its website that "Cybercrime is moving at light speed" and that "organization of every size and type are at risk."
Voelpel said that 18.6 percent of recipients clicked on the link in the fake email sent by Tacoma Public Schools last week. TPS employs more than 4,000 people. Clicking the link didn't harm anyone's computer, but a message popped reminding users of the red flags of phishing emails. Similarly, if users reported the email as a phishing attempt, they were congratulated.
"KnowBe4 helps employees confront the fact that bad guys are trying to trick them," according to KnowBe4's website. "Once they confront that, they become aware and able to detect these scam emails and can take appropriate action like deleting the email or not clicking a link."
Some Tacoma Public School employees felt tricked.
Linda Snyder, a nurse at Tacoma Public Schools, said it's the "lowest thing" she's seen Tacoma Public Schools share during a holiday season.
From nurses to paraeducators to nutrition services, the district has been understaffed, and employees have been working extra hard to keep up.
"It is so rude," she said.
Companies across the country partake in the fake phishing emails in an effort to teach their staff not to click on them. They haven't always been received well by the people getting them, as was the case in September 2020, when an email to Tribune Publishing Company staff appearing to give them a major holiday bonus turned out to be fake.
Grassia wrote in a recent internal story about the strategies scammers use to trick people.
"...cybercriminals don't care whether or not something is appropriate or how a user will feel or react when they get their email. They are counting on hooking you with a relevant and timely subject so you don't even question it, you just open and click," Grassia wrote.
Tacoma Public Schools has faced its own phishing scams costing thousands of dollars. In 2018, a spreadsheet was opened in a phishing email that spread to 1,800 computers and cost $100,000 to fix.
The district hopes the program educates people about the potential signs of email signs: non-district email addresses, a sense of urgency in the email and any grammar or spelling errors.
For some, like Taylor, the email wasn't right.
"They're freaking tone deaf," she said.
