GoDaddy decided that December would be a good time to test whether its employees remain alert when it comes to cyber threats. At a time when staff are trying to navigate a holiday spell hampered by a pandemic and ailing economy, the web hosting giant sent out a phishing email with an offer that was too good to be true and now it’s a shame .
News center in Arizona, The Copper Courier first reported that GoDaddy employees received an email on December 14 with the subject line “GoDaddy Holiday Party”. The email informed employees that the company is looking forward to the annual holiday celebration and will issue “a one-time holiday bonus of $ 650.” There were two links included in the email and the employees were instructed to choose their location and fill in some details on a form to ensure they would receive their bonus before the holiday. Unfortunately, the whole offering was just a test to see if employees would fall for such a scam if a bad actor tried to reroute them with a malicious link.
Two days later, about 500 GoDaddy employees were told no bonuses would come and they had failed a corporate phishing test. GoDaddy’s chief security officer Demetrius arrives wrote in the follow-up email that failing employees “should retake Security Awareness Social Engineering training”.
Many companies run these types of tests and the telltale sign is that deceptive email is sent from an email address that appears to be from a business account, for example my boss may try to phish me with an email from an address ending at @ gizmondo.com. But GoDaddy has its own email service, and the fake phishing email was sent from an account with the address [email protected]. It’s easy to see why so many employees failed the test, and it’s easy to see why GoDaddy would see such a blatant vulnerability in its systems after the company just made an embarrassing data breach earlier this year.
What’s not understandable is the cruelty involved in setting up this test and the lack of follow-up to an employee’s expectation of a routine bonus in a year the company reported record growth while participating in the larger business trend of impose workers. Cybersecurity is important to a company like GoDaddy, but the same test could have been done, training mandates could have been issued to anyone who failed, and bonuses could still have been delivered to anyone.
G / O Media can receive a commission
“GoDaddy takes the security of our platform very seriously. We understand that some employees were upset by the phishing attempt and felt it was insensitive, for which we apologized, ”a GoDaddy spokesperson told Gizmodo. “While the test mimics real attempts in today’s game, we need to do better and be more sensitive to our employees.” The company did not respond when Gizmodo asked if it intended to issue the bonuses.
Data breaches can be a massive headache for a web hosting company, but if no one wants to work there and no one wants to do business with an organization that treats its employees like dirt at the most difficult time of the most difficult year in a generation, there’s nothing to secure.