A lot of employees apparently fell for it.
GoDaddy has been taking a lot of heat for a phishing test email it sent to many of its employees right before the holidays.
The email told recipients that they were receiving a $650 holiday bonus and asked them to click a link in order to receive the bonus.
The bonus wasn’t real. It was a test to see if employees would fall for a phishing attack.
I understand why some employees are upset about the test. But I’m more concerned that 500 people reportedly failed the test.
I’m not sure what “failing” means here. Does that just mean they clicked the link? Or did they divulge passwords?
Regardless, that’s a lot of people failing a test in a company of about 7,000. (That assumes everyone received the test email, too.)
I suspect fewer people would have been duped if they were in an office setting rather than working from home. Word would have quickly spread around the call centers, “don’t click that link!”
But it’s clear that GoDaddy needs to continue to educate and test its employees. It holds the keys to valuable assets and people are trying to steal them or trick GoDaddy employees into making critical changes.
Former GoDaddy employee Tony Perez, who sold his company Sucuri to GoDaddy, opined:
Employees being mad about “tone-deaf” phishing tests by a company, and the media’s hunger to amplify that message, highlights the uphill battle CISOs and security teams are faced with. Bad actors don’t care about your feelings.
— Tony Perez (@perezbox) December 29, 2020
Hurt feelings aside, I hope GoDaddy continues to run these tests until it’s unable to dupe any of its employees.