Fake Phishing Email Sent by OHSU to Gauge Employee Gullibility Draws Sharp Criticism from Labor Union

The text of the fake phishing email was copied verbatim from a real phishing email received by some OHSU employees in late March.

UP AND AWAY: Aerial tram to Oregon Health and Science University. (Christine Dong)

Oregon Health & Science University sent its employees an email April 12 offering up to $7,500 in aid if they were struggling with their finances due to the pandemic. The email asked recipients to click a link. When clicked, the link routed them to a page that said no financial assistance was being offered.

The email, sent by OHSU administrators, was a fake phishing email that the health care giant used to gauge how gullible its employees were to cybersecurity scams, which have become a serious threat to large employers as ransomware hackers develop more sophisticated techniques for breaking into their information systems.

The hospital workers’ union was not pleased.

The American Federation of State, County and Municipal Employees Local 328, which represents over 7,200 OHSU employees, chastised the university for what it called an exhibition of psychological warfare against its workers. “The decision to send today’s email is a cruel reminder that, ultimately, OHSU does not truly care about its employees and their struggles, particularly their mental health,” the union wrote in a statement that same day.

The union alleged OHSU partakes in a pattern of poor decision-making: “At some point, perhaps someone at OHSU with authority will design a system in which the left hand and the right hand actually coordinate with each other. Until that point, our members are subjected to the whims of OHSU’s worst ideas and behaviors, and this phishing email can now take its place with OHSU’s many other missteps.”

The email in question was brief. It included a brief description of a financial aid program and asked employees to click a link to access more details.

“In response to the current community hardship caused by the COVID-19 pandemic, Oregon Health & Science University has decided to assist all employees in getting through these difficult times,” the opening line read. The last line read: “Supporting our employees, and community is essential during these challenging times.”

The email was signed at the bottom with a real union member’s name. The union says this could have left the employee vulnerable to “hurtful and angry emails.”

OHSU tells WW sending the email was a mistake, and that the language of the fake phishing email was copied verbatim from a real phishing scam email some OHSU employees received in late March.

“First and foremost, we want to sincerely apologize to the OHSU community,” said spokeswoman Sara Hottman in an email. “That was a mistake. The real scam was insensitive and exploitive of OHSU members—and the attempt to educate members felt the same way, causing confusion and concern.”

Hottman said email scams are the “single largest threat to OHSU technology systems and our ability to provide services to Oregonians.”

Willamette Week’s reporting has concrete impacts that change laws, force action from civic leaders, and drive compromised politicians from public office. Support WW's journalism today.