The City of Palm Coast’s IT Department sent an email to employees and at least one council member asking their COVID-19 vaccination status, stating that the information was necessary due to new county requirements.
Beyond the controversial nature of the question in these divided times, there was another issue: It was not true.
According to the city’s Information Technology Director Doug Akins, the email was just a test to see how employees respond to possible internet scams.
Councilman Ed Danko said in a phone interview that it was a poor way to check responses.
“There are a lot of other ways to do a test. This is the worst way possible,” Danko said.
Danko said COVID-19 was a poor choice for any kind of computer test given the political divisions over vaccinations, mask mandates and the coronavirus.
“It’s the wrong time. It’s the wrong place. It’s the wrong state,” Danko said.
Flagler County is largely Republican with many Trump supporters, said Danko, who is vice president of the Flagler Trump Club. He said city workers also reflect that population and could be upset by the city email asking for their vaccination status.
“There are people who have chosen to be vaccinated and that’s fine, that's their choice,” Danko said. “But we don’t need them to tell us what their choice is. That’s a private medical decision between them and their doctor, not them and the City of Palm Coast.”
Flagler County has 40,906 registered Republicans, 27,105 Democrats and 23,374 voters with no-party affiliation. Another 1,504 registered voters are listed as "others."
Danko also said placing the blame on the county, even in a test email, could hurt relations between the two governments.
Palm Coast City spokeswoman Brittany Kershaw said that the city provides an incentive for employees to get vaccinated: three days off or a one-time payment of $250. But it does not track who is vaccinated and who is not.
Kershaw said in a phone interview that the email was part of city’s cyber-security program.
“From time to time, they send out these emails and the idea is that they are on high-interest and attractive topics that are going to prompt the end-user to click on the link,” Kershaw said.
She said a computer program called "KnowBe4" provides a list of topics for questions. She said she did not know who at the city selected the vaccination status as a topic.
She said employees who clicked on the link of this particular email would have been redirected to a site to educate them on internet security.
Kershaw said the email did not collect any vaccination status information.
“They could not put in their vaccination status,” she said.
Kershaw added that a handful of employees called Human Resources to ask if the email was legitimate.
“No one was upset when they called HR,” she said.
The emails were due to be sent to approximately 500 part- and full-time city employees as well as council members.
But there was a technical glitch and the exercise was canceled about 11:30 a.m. Wednesday although the computer system still sent out 200 emails that were already in the queue, she said.
She said the city did not work with the county on the email.
Flagler County Commission Chairman Joe Mullins said he was concerned that the city’s email suggested the county was requiring the information.
“That’s a sensitive subject,” Mullins said in a phone interview. “And it’s one that the states have battled a lot and it’s one that we have been very firm that we do not support any mandatory sharing of medical information. For that to come out as if it was the county, I don’t think that should have occurred. That’s a very hot topic.”
Mullins said he planned to bring up the Palm Coast emails on Monday at the County Commission meeting. Danko also said he planned to bring it up at the next city meeting.
Flagler County does run controlled phishing emails as part of its cyber security awareness and training, said Lacy Martin, Flagler County’s marketing media manager.
“The whole point of them is to train everybody to be aware of questionable things,” she said.
But she said health-related questions would not be used as click-bait.
“We would never send out medical questions as one of the tactics to get our users to click on anything,” Martin said.
How it started
Danko started looking into the issue when he received an email on Wednesday at 12:34 p.m. which appeared to come from the city's Human Resources Department.
“We are learning of new and strict requirements from the county with regards to tracking COVID vaccinations. All employees are required to complete the COVID vaccinations form and return it to HR as soon as possible,” the email stated.
“This is a mandatory requirement to complete the linked form below regarding your vaccination status. Please complete this form by the end of today,” the email stated.
The email ended with “Thanks so much, City of Palm Coast -FL Human Resources Department.”
At 8:11 p.m. Thursday evening, Danko sent an email to City Clerk Virginia Smith in which he wrote, “Is this real or spam?”
Smith forwarded the email to Doug Akins, the city’s director of information technology.
Akins then sent an email to Danko at 9:22 p.m. Thursday, telling him it was spam.
“Mr. Danko — This is spam. Thank you for checking.”
Danko then replied at 10:08 p.m. Thursday to Akins, suggesting employees be warned: “Thank you. Perhaps we should let everyone else know this is spam before they click on the link?”
The next morning at 7:30 a.m. Danko received what he said was a surprising reply from Akins about warning employees.
“Typically we would," Akins wrote in his email. “This specific email however was actually initiated by IT. It’s part of a program that helps us understand how our employees respond to phishing attempts. The goal is to help us understand where we may need to do a better job at training employees on how to recognize when an email may be a phishing or virus attempt."
Phishing is a scam in which someone sends a fake message to trick someone into revealing information or to download malicious software, such as ransomware.
Danko emailed Interim City Manager Denise Bevan at 10:40 a.m. Friday.
“Under the circumstances and present environment, in my opinion this is an unacceptable test on the part of our IT department,” Danko wrote. “Using the county as an excuse makes this even worse. There are a lot better ways to run a phishing test than using COVID vaccination requirements as an excuse. This ill-advised exercise only adds to the lack of trust of government by the public.”
Bevan was not available for comment.
This article originally appeared on The Daytona Beach News-Journal: COVID-19 phishing test email criticized by Palm Coast council member
Source : https://news.yahoo.com/palm-coast-test-email-asking-202200618.html1413