GoDaddy decided that December would be a great time to test whether its employees are alert when it comes to cybersecurity threats. At a time when its team is trying to navigate a holiday season plagued by a pandemic and an economy in crisis, the web hosting giant sent a phishing email with an offer that was too good to be true, and now it is very sorry.
The Copper Courier, based in Arizona, first reported that GoDaddy employees received an email on December 14 with the subject “GoDaddy Holiday Party”. The email informed workers that the company was looking forward to the annual holiday party and would issue “a unique $650 holiday bonus”. Two links were included in the email, and employees were instructed to choose their location and fill in some details on a form to ensure receipt of the bonus before the holiday. Unfortunately, the entire offer was just a test to see whether employees would fall for such a scheme if a bad actor tried to lure them with a malicious link.
Two days later, about 500 GoDaddy employees were told that no bonuses were coming and that they had failed a corporate phishing test. Demetrius Comes, head of security at GoDaddy, wrote in the follow-up email that employees who failed “will need to retake the Safety Awareness training in Social Engineering”.
Many companies perform these types of tests, and the telltale sign tends to be that the misleading email is sent from an address that only looks like a corporate account; for example, my boss might try to trick me with an email from an address ending in @gizmondo.com. But GoDaddy operates its own email service, and the fake phishing email was sent from an account at [email protected]. It’s easy to see why so many workers failed the test, and it’s easy to understand why GoDaddy would see this as a glaring vulnerability in its systems after the company suffered an embarrassing data breach earlier this year.
What is not understandable is the cruelty involved in setting up this test and the failure to honor employees’ expectation of a routine bonus in a year when the company reported record growth while participating in the larger corporate trend of firing workers. Cybersecurity is important for a company like GoDaddy, but that same test could have been carried out, training could have been ordered for anyone who failed, and bonuses could still have been delivered to everyone.
“GoDaddy takes the security of our platform extremely seriously. We understand that some employees were upset by the phishing attempt and considered it insensitive, so we apologize,” a GoDaddy spokesman told Gizmodo. “Although the test mimics real attempts at stake today, we need to do better and be more responsive to our employees.” The company did not respond when Gizmodo asked if it plans to issue the bonuses.
Data breaches can be a huge headache for a web hosting company, but if nobody wants to work there and nobody wants to do business with an organization that treats its employees like junk at the hardest time of the hardest year in a generation, there will be nothing to keep safe.