A lot of employees apparently fell for it.
GoDaddy has been taking a lot of heat for a phishing test email it sent to many of its employees right before the holidays.
The email told recipients that they were receiving a $650 holiday bonus and asked them to click a link in order to receive the bonus.
The bonus wasn’t real. It was a test to see if employees would fall for a phishing attack.
I understand why some employees are upset about the test. But I’m more concerned that 500 people reportedly failed the test.
I’m not sure what “failing” means here. Does that just mean they clicked the link? Or did they divulge passwords?
Regardless, that’s a lot of people failing a test in a company of about 7,000. (That assumes everyone received the test email, too.)
I suspect fewer people would have been duped if they were in an office setting rather than working from home. Word would have quickly spread around the call centers, “don’t click that link!”
But it’s clear that GoDaddy needs to continue to educate and test its employees. It holds the keys to valuable assets and people are trying to steal them or trick GoDaddy employees into making critical changes.
Former GoDaddy employee Tony Perez, who sold his company Sucuri to GoDaddy, opined:
Employees being mad about “tone-deaf” phishing tests by a company, and the media’s hunger to amplify that message, highlight the uphill battle CISOs and security teams are faced with. Bad actors don’t care about your feelings.
— Tony Perez (@perezbox) December 29, 2020
Hurt feelings aside, I hope GoDaddy continues to run these tests until it’s unable to dupe any of its employees.
How many employees of many companies including executives have a double personality as spies in large companies and brands.
Happy New Year.
Can’t stomach this anymore. You are a hack to a nauseating degree, and so beyond deceptive, people really need to tune out from DNW. GoDaddy puts out back to back messages to us of no bonuses, then follows that out in what looks like a legitimate message – because it was put out by them – and you are there with your GoDaddy flag instantly. Dude just get a grip. You are a taint on the industry and it is far past tiring having to choke on your transparent bias. We get it. You are a damage control muppet. Everyone here knows it. Meanwhile in the face of great hardships, our shareholders are earning record highs and cashing out through WS at gains not seen since KKR ripped the company and its service platforms apart to make billions. At the cost of service levels to YOU. You are not the good guy here. You are the hack running interference for their seizure of names, impact on freedom, monopoly-based abuse, targeting of others, for their lies, deceptions, name thefts, security risks, hacks, service failures and more. Find your higher self please, before you lose what is left of your base. This isn’t woke. This is corruption sticking up for malfeasance. Nice job.
OK, first things first: I know that you’re not a GoDaddy employee. Quit astroturfing.
Second, anyone who thinks this story here is a positive story about GoDaddy needs to get their head checked.
Perhaps bonuses were a sore spot, but it was effective. Take something everyone wants/expects and see how many will click a dubious link. Phishing testing is done all over the corporate and public work environments and needs to be done even more because people are falling for it way too much. I never click a link in an email without verifying where it is going first. It would seem to be an easy thing to do, but apparently people are too click happy and don’t think.
Is somebody actually trying to defend 500 people, so-called experienced experts, clicking the bogus link? Then we have a bigger problem. This is a black eye to GoDaddy given the assets they control for their customers.
Make no mistake about it, I am worried sick about it based on past experience with stolen names at GoDaddy.
Oh for the days when I was up late managing domains and Monte Chan emails me at 3AM making sure that was me transferring a domain name out (sold) of Moniker.
Rob also built Epik this way.
This is why consolidation is not in our interest.
ICANN has needlessly made the cost of running a registrar far more expensive than it needs to be, thus the loss of owner operators. The best service I ever received was when the registrar owner was the one answering the call. One might argue this is why the larger registrars have been so supportive of these changes.
True accountability is when your renewal fee goes directly into the pocket of the person you are talking to on the phone, so they can pay their mortgage and food bill … That makes these mistakes go away, or puts the owner on the hook to actually help you and fix the problem. They simply can’t survive bad experiences with them.
Of course RegFly is an exception, but we knew what was going on before they shut down, too many refused to listen to the warnings.
All it takes is one person in your operation to click on a misaddressed email or phishing attempt. ONE PERSON!
Oh my! Those poor butt-hurt employees at GoDaddy.
A kid with one domain has the power to stop a multi-million dollar firm in its tracks.
Domain names. Man, I love this gig.
https://www.youtube.com/watch?v=dCzjCLcia8U
That video suggests that the email was sent from within GoDaddy. Was it? Did he look at the headers? I haven’t seen the actual email, but I know that typically when a company runs a test like this, they simulate a phishing attack so that the email is spoofed.
The email was sent by GoDaddy, header does not matter at this point.
Fear and cynicism breeds contempt.
Care is all about allowing self to be vulnerable.
Thought experiment:
If you are in tech support, and someone calls with an unusual problem, are you likely to help them, or do you assume it’s your employer (or proxy) trying to entrap you and so you refuse to help them?
Teaching your employees to distrust you will not end well.
“Never cause a brother to stumble.”
I think the header matters a lot. A lot of phishing emails appear to be from the sender but actually aren’t. So if you look at the headers and it’s from a different sender, then it’s a great example of how phishing attacks are carried out.
Now, I totally understand why GoDaddy employees are upset about this. But as a customer, I’m also worried about how many people purportedly fell for it.
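The header comparison described above can be scripted. The following is an added example, not code from the post or its comments: it reads a raw message, pulls out the visible From: domain, the envelope Return-Path, any Reply-To, and the SPF/DKIM/DMARC verdicts the receiving server recorded in Authentication-Results, and lists every inconsistency. The two messages are constructed samples (corp.example and attacker.invalid are placeholder domains); a simulation relayed through the company’s own mail system, like the one the post describes, produces consistent headers, so an empty list means only that the headers agree, not that the link is safe.

```python
"""Spot a spoofed sender by comparing the visible From: header with the
envelope sender and the receiving server's authentication verdicts.

Added example; the messages below are constructed and are not the GoDaddy
email discussed on the page.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a test relayed through the company's own mail system.
INTERNAL_TEST = """\
Return-Path: <it-security@corp.example>
Received: from mta.corp.example (mta.corp.example [192.0.2.10]) by mx.corp.example
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: "Payroll" <payroll@corp.example>
To: staff@corp.example
Subject: Holiday bonus

Click the link to claim your bonus.
"""

# Constructed sample: an outside sender forging the same From: address.
SPOOFED_TEST = """\
Return-Path: <bounce@mail.attacker.invalid>
Received: from mail.attacker.invalid (unknown [198.51.100.7]) by mx.corp.example
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail.attacker.invalid; dkim=none; dmarc=fail header.from=corp.example
From: "Payroll" <payroll@corp.example>
Reply-To: payroll-desk@attacker.invalid
To: staff@corp.example
Subject: Holiday bonus

Click the link to claim your bonus.
"""


def _domain(addr: str) -> str:
    """Lowercased domain of an address such as 'Name <user@host>'; '' if none."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def header_summary(raw_message: str) -> dict:
    """Collect the fields a reviewer compares when checking who really sent a mail."""
    msg = message_from_string(raw_message)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    # Authentication-Results carries 'spf=pass', 'dkim=none', 'dmarc=fail' tokens.
    verdicts = {m.lower(): v.lower()
                for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    return {
        "from_domain": _domain(msg.get("From", "")),
        "return_path_domain": _domain(msg.get("Return-Path", "")),
        "reply_to_domain": _domain(msg.get("Reply-To", "")),
        "auth": verdicts,
        "received_hops": len(msg.get_all("Received", [])),
    }


def spoofing_indicators(raw_message: str) -> list:
    """Reasons the message may not come from its From: domain (empty = headers agree)."""
    s = header_summary(raw_message)
    reasons = []
    if s["return_path_domain"] and s["return_path_domain"] != s["from_domain"]:
        reasons.append(f"Return-Path domain {s['return_path_domain']} "
                       f"differs from From: domain {s['from_domain']}")
    if s["reply_to_domain"] and s["reply_to_domain"] != s["from_domain"]:
        reasons.append(f"Reply-To domain {s['reply_to_domain']} "
                       f"differs from From: domain {s['from_domain']}")
    for mech in ("spf", "dkim", "dmarc"):
        verdict = s["auth"].get(mech)
        if verdict is None:
            reasons.append(f"no {mech} verdict recorded by the receiving server")
        elif verdict != "pass":
            reasons.append(f"{mech}={verdict}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("internal", INTERNAL_TEST), ("spoofed", SPOOFED_TEST)):
        print(label, spoofing_indicators(raw) or "headers consistent")
```

Because mail clients show only the display name and From: address, the useful signals live in the headers the receiving server adds; a forwarded copy of a message normally carries the forwarder’s headers, so the original headers have to be copied in full for this comparison to mean anything.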
>I think the header matters a lot.
You are missing my point. 🙂
They admit to entrapping their employees, there will now be unintended consequences.
https://www.merriam-webster.com/dictionary/entrap
1 : to catch in or as if in a trap
2 : to lure into a compromising statement or act
“Never cause a brother [employee] to stumble.”
GoDaddy admitted to pitting their own teams against each other.
My understanding is that this is not the first time GoDaddy has done these tests. I think many companies do this.
BTW, open invitation to anyone at GoDaddy who received this email to send the headers et al to me.
Give employees repeated security awareness training, get them to care about the company, reward them well for good work and reporting potential security violations, stop encouraging side hustles.
Even then, a company can only do so much as its employees will always be a vulnerable entry point for intruders.
+1
Folks – this is not the first or last we have heard of this kind of employee disrespect while running simulations. This is because COTS applications put the power in the hands of inexperienced admins who don’t know any better. Often, these admins have an unhealthy disrespect for the organization’s employees because of their perceived ignorance of IT security… and this is a bad combination.
I run a managed service for phishing awareness simulations and have been for over 10 years now. Because of my experience I know what is and what is not crossing the line in using simulations. It is a skill that can only be learned with experience. But if you are tasked with running simulations you MUST respect the employees.
Done properly you can avoid emotional triggers and still get the same results. For example, a simulation with the subject ‘Changes to Sick Day Policy’ will get the exact same click rate as ‘Changes to Vacation and Sick Day Policy’… but the latter crosses the line.
This makes sense. Thanks for your insight.
Also – to be clear regarding the term ‘entrapment’. Without using legal mumbo jumbo, the legal definition requires that an employee is duped into an illegal or embarrassing act – for example, a simulation that requests employees to ‘click here’ to see underage pornography would be entrapment (in the legal sense). The Webster’s dictionary definition is not a legal definition and there will be no consequences from a legal standpoint. If that was the case then there would be class action lawsuits for fire drills!!
Agreed.
If I have to pull legality into an employee relationship then something failed in that relationship some time ago.
This is about morals (chosen by the individual) and ethics (chosen by the group). As always, when morals and ethics align, people are happy. As they become significantly misaligned, there WILL be problems in the future.
The author seems like a shill trying to do damage control for the company.
The real and obvious story is that GoDaddy has created and perpetuated a toxic work environment and company culture. From the tonal lack of respect, use of bonuses (that they arguably SHOULD be giving their employees this year), and bungled HR responses, these are classic indicators that they utterly fail to treat their employees as valuable assets. I’m only surprised more didn’t fail, given the turnover I assume that they have.
Frankly, it makes me glad that we are pivoting away from them and switching over our non-profit’s domain and web services.
This type of exercise (simulations) struggled with the issue of ethics years ago when they were first introduced. However, these are skills that employees need in today’s online world to protect themselves at home in their personal lives just as much as they are needed to protect the organization’s network and data… and they must not only be conveyed in that vein to employees, they must be coordinated by someone that understands this mentality fully. There is a huge difference between a ‘Heavy Hand’ and a ‘Helping Hand’ when running these exercises – COTS solutions are blind to this and are dangerous in that regard.
I am one who clicked the link. Having thoroughly vetted the email (checked headers, made sure it was internal email and not spoofing, etc.) like they teach us to do. They did not send a fake phishing email, it was totally legit. The link goes to a fake URL which is what tipped me off and I immediately notified my managers. I’m not upset that they tested us or that they offered the bonus. What is upsetting is they claim they told us there would be no Christmas bonus (they did not) and even though they had record growth, are not throwing the huge Xmas party, are not having to pay subsidized lunches/coffee etc. and all the utilities associated with running the offices, they claim they can’t afford to give a bonus. Hey, I am not used to working at companies who give bonuses so no biggie, but to put that in a fully legit email, then blame us for falling for a fully legit email and then saying “just kidding” is pretty bull crap.
That’s understandable. Do you mind forwarding the email with headers to me? andrew at domainnamewire .com
I think these 500 people are going to lose their good positions. What do you think?
I also buy my domain from GoDaddy. I was told it is a good and reliable company.
By the way, love your site. I’m new here and I found useful information and news here. I will be your new regular visitor.
#Happynewyear
from Chuck “They did not send a fake phishing email, it was totally legit. ”
end of the story.
Again, I’d love to see it to understand how it was sent.