The Grinch who stole Christmas has been found alive and well, and living in the Yarra City Council IT department.
Jim Carrey in a scene from the 2000 movie The Grinch.
Council workers at the famously progressive council centred around Collingwood and Richmond thought they were getting an early Christmas present after receiving an email promising a bonus gift card this week. But the link instead sent them to a training course about online scams.
The emails were sent to staff on Monday afternoon with the subject line: “Bonus eGift Card from Yarra City Council!”
The email from Yarra City Council
Yarra City Council appreciates your hard work and contributions throughout the year. As a token of our gratitude, we are pleased to announce a one-time Christmas bonus for you this year.
Attached is an eGift card as part of your bonus.
Wishing you a Merry Christmas!
Yours Sincerely,
Yarra City Council
But it was anything other than merry for staff who clicked on the link and were told: “Thank you for participating in a phishing campaign. You were recently assigned training courses because you fell prey to a phishing message, which was part of an internal phishing campaign.”
Even the new mayor, socialist independent Stephen Jolly, was not immune from the council Grinch.
“I got sent one too. I found it very strange,” he told CBD.
“The best way to educate people about scamming is open education rather than tricks.”
Jolly apologised and said that he preferred to treat people like adults. “I’m really sorry. People feel stupid if they open it by mistake.”
Council workers were appalled and felt humiliated, Australian Services Union deputy secretary Zoe Edwards told CBD.
Collingwood Town Hall, part of the City of Yarra.Credit: Justin McManus
“Workers at Yarra City Council are struggling with cost of living; this was a very cruel attempt to exploit that desire for a Christmas gift voucher for low-paid workers,” she said.
“They genuinely thought council was offering what would have been a cost-of-living measure.
“It would be honourable for Yarra Council to honour what they have floated.”
Staff would have needed to look pretty closely to observe that the email used a fake address purportedly from the “internal.coms” unit at “YarraCity-vic.com” instead of the “yarracity.vic.gov.au” address.
The reply email stated: “This is an email for training(s) assigned by your security team. You have training course(s) to complete that should take 7 min(s).”
Staff were given until January 3 to complete the ransomware training course – the first day back from holidays for many people.
When contacted by CBD, the council did not apologise.
“The intent of the email was to closely mimic the increasingly sophisticated emails sent by scammers that cost organisations and individuals in Australia more than $35 million a year,” a spokesman said.
“The City of Yarra and its employees are not immune to these scams, and the email was part of the regular education and training we provide our staff to ensure they remain alert and aware.”
Get the day’s breaking news, entertainment ideas and a long read to enjoy. Sign up to receive our Evening Edition newsletter here.