GoDaddy decided that December would be a great time to test whether its employees are staying alert when it comes to cybersecurity threats. At a time when its staff is trying to navigate a holiday season hobbled by a pandemic and an ailing economy, the web hosting giant sent a phishing email with an offer that was too good to be true and now it’s very sorry.
Arizona-based news outlet The Copper Courier first reported that GoDaddy employees received an email on December 14th with the subject line “GoDaddy Holiday Party.” The email informed workers that the company was looking forward to the annual holiday party and would be issuing “a $650 one-time Holiday bonus.” Two links were included in the email, and employees were instructed to choose their location and fill in some details on a form to ensure they’d receive their bonus before the holidays. Unfortunately, the whole offer was just a test to see whether employees would fall for such a scam if a bad actor tried to redirect them with a malicious link.
Two days later, around 500 GoDaddy employees were informed that no bonuses were coming and they’d failed a corporate phishing test. GoDaddy’s chief security officer Demetrius Comes wrote in the follow-up email that failing employees “will need to retake the Security Awareness Social Engineering training.”
Many companies perform these kinds of tests, and the tell-tale sign tends to be that the deceptive email comes from an address that merely resembles a corporate account; for example, my boss might try to phish me from an address ending in @gizmondo.com rather than @gizmodo.com. But GoDaddy runs its own email service, and the fake phishing email was sent from an account with the address firstname.lastname@example.org. It’s easy to see why so many workers failed the test, and it’s easy to understand why GoDaddy would want to probe such a glaring vulnerability in its systems after the company suffered an embarrassing data breach earlier this year.
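To make the “look at the sender’s domain” heuristic concrete, here is a small added example (not code from the article or from GoDaddy) that classifies a From: header as internal, lookalike, or external. The trusted domain, the sample addresses and the edit-distance threshold are all assumptions made for the illustration; the point it demonstrates is that a message sent from a genuinely internal account, as GoDaddy’s test was, sails through this check, which is exactly why that kind of lure is so much harder to spot.

```python
from email.utils import parseaddr

# Constructed example: the domains the organisation really sends from.
TRUSTED_DOMAINS = {"gizmodo.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the lowercased domain from a From: value like 'Boss <boss@gizmodo.com>'."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'internal', 'lookalike', 'external' or 'malformed' for a From: header.

    'lookalike' means the domain is within max_edits of a trusted domain
    (gizmondo.com vs gizmodo.com) or embeds the trusted brand label
    (gizmodo-benefits.com). The brand-substring rule is deliberately loose and
    will over-flag short brand names; tune it for your own domains.
    """
    domain = sender_domain(header_value)
    if not domain:
        return "malformed"
    if domain in trusted:
        # Exactly what a phishing-simulation sent from a real corporate
        # account looks like: this check cannot distinguish it from mail
        # from a colleague.
        return "internal"
    label = domain.split(".")[0]
    for good in trusted:
        brand = good.split(".")[0]
        if edit_distance(domain, good) <= max_edits or brand in label:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers; the last one mimics an internally-sent lure.
    for hdr in ("Boss <boss@gizmondo.com>",
                "HR <hr@gizmodo-benefits.com>",
                "news@example.org",
                "Boss <boss@gizmodo.com>"):
        print(f"{hdr:35} -> {classify_sender(hdr)}")
```

The last sample prints “internal” even though it is the lure: once the sender really is inside the corporate domain, recipients have to fall back on the content of the message (an unexpected bonus, a form asking for details, a link to follow) rather than the address, which is a far weaker signal for most staff.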
What’s not understandable is the cruelty involved in the setup of this test and the lack of follow-through on an employee expectation of a routine bonus in a year when the company reported record growth while participating in the larger corporate trend of laying off workers. Cybersecurity is important for a company like GoDaddy but this same test could’ve been conducted, training mandates could’ve been issued to anyone who failed, and bonuses could’ve still been delivered to everyone.
“GoDaddy takes the security of our platform extremely seriously. We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologized,” a GoDaddy spokesperson told Gizmodo. “While the test mimicked real attempts in play today, we need to do better and be more sensitive to our employees.” The company did not reply when Gizmodo asked if it intends to issue the bonuses.
Data breaches can be a gigantic headache for a web hosting company but if no one wants to work there and no one wants to do business with an organization that treats its employees like dirt at the toughest moment in the toughest year in a generation, there’ll be nothing to keep secure.