GoDaddy Employees Were Told They Were Getting a Holiday Bonus. It Was Actually a Phishing Test.

An anonymous reader shares a report (alternative source): "2020 has been a record year for GoDaddy, thanks to you!" the email read. Sent by Happyholiday@Godaddy.com, tucked underneath a glittering banner of a snowflake and stamped with the words "GoDaddy Holiday Party," the Dec. 14 email to hundreds of GoDaddy employees promised some welcome financial relief during an otherwise stressful year. "Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!" the email read.

"To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th." But, two days later, the company sent another email. "You're getting this email because you failed our recent phishing test," the company's chief security officer Demetrius Comes wrote. "You will need to retake the Security Awareness Social Engineering training." The follow-up email from Comes said that roughly 500 GoDaddy employees clicked on the holiday bonus email and failed the test. Scottsdale-based GoDaddy, the world's largest domain registrar and web-hosting company, did not respond to repeated requests for comment about the emails. The emails were forwarded to The Copper Courier by three GoDaddy employees.
  • Sadistic (Score:5, Insightful)

    by BytePusher ( 209961 ) on Thursday December 24, 2020 @04:28PM (#60863474) Homepage
    Pretending to give your employees a bonus so you can show them they're stupid? And they wonder why anti-tech anti-corporate sentiment is growing...
    • Re:Sadistic (Score:5, Insightful)

      by Anachronous Coward ( 6177134 ) on Thursday December 24, 2020 @04:45PM (#60863524)

      True, but as others have pointed out, it was an effective test. And likely a lesson that won't be forgotten.

      But they shouldn't be surprised if henceforth every email from corporate is reported to security as a phishing attempt. (Something I like to occasionally do when I'm in a bad mood.)

      • Re:Sadistic (Score:5, Insightful)

        by algaeman ( 600564 ) on Thursday December 24, 2020 @05:04PM (#60863588)
        A lesson learned by people who will be looking to leave the organization at the earliest opportunity. This sort of tone deaf stunt while many people are under serious financial stress sounds a lot like a hostile workplace,
        • So, are you claiming that phishing tests shouldn't be realistic? Given the current economic conditions due to COVID-19, it seems to me that actual real phishing attempts are likely to involve financial incentives. And since it's near the end of the year, a bonus certainly sounds realistic.

          Yes, having a windfall yanked away feels bad. And it doesn't matter if it was due to a security test masquerading as a phishing attempt, or if it was a real phishing attempt.

          • If you fail to consider how people will feel about it, do not be surprised when they leave.
          • by dcw3 ( 649211 )

            I'm claiming that when you get set up by your own company, or even when you didn't, but you saw other friends get set up, it sticks with you. You've learned that you can't trust your own internal email & bosses. This was a stupid move.

        • Presumably the people who failed this test were employed by Go Daddy at the time, and thus were likely not struggling due to their own unemployment.

          • by Pitawg ( 85077 )

            Dear Head in Clouds,

            Having a GoDaddy salary, large or not, does not mean the five other unemployed adults under your roof are not feeding off that solitary stream of income, generating the stress and hardship that urged them to click on an email from management discussing extra money.

            --
            With my feet on the ground,
            Non-lonely, Non-jerk

        • If they are incapable of handling a phishing campaign dispassionately, how are they going to catch the real thing?
      • Re:Sadistic (Score:5, Insightful)

        by apoc.famine ( 621563 ) <apoc.famine@NOSPAM.gmail.com> on Thursday December 24, 2020 @05:14PM (#60863626) Journal

        We had to do some stupid anti-phishing course at work, and all of a week later HR sent out an email that checked pretty much all of the boxes for a phishing attempt. It was just remarkable. I have no idea if the person didn't take the training, or what. I just can't imagine doing that training and then laying out a dozen red flags in an email. (Urgent request to access a company resource to verify tax info, threats that our paychecks might get delayed if we didn't, link to an unfamiliar subdomain, etc.)

        So anyway, even though it was legit we all reported it as a phishing attempt. A day later they sent out a follow-up apologizing for the "tone" in the previous email, but restating what they needed us to do. So we reported that one as well, until they frog-marched the HR rep down to give us the request in person.

        • My sympathies. We get phishing tests regularly, along with threats of unspecified disciplinary actions if you fail them. This is harsh, but may be understandable. What's wrong is that our company uses umpteen outsourced services that send us emails that we are supposed to accept as legit. I once asked our security department if there was a list of these we could refer to, and their response was pretty much "duh, shrug, no".

          • Your sec department is failing at their job of proper vendor vetting. I have a list of all IS vendors we've dealt with in the past two years, and another linked list of specific employees at said vendors. One of my vendor vetting questions is "Do you have any challenge/accept, PIN, password, or such to verify when doing technical support?"
        • I had a similar experience, except the I-can't-believe-it's-not-phishing email was from the non-IT side of Security. And they did the exact same thing again several months later.

          We also had a big hoopla made about training people to report phishing incidents, except the required mail client plug-in couldn't be installed since it wasn't in the software catalog and regular users can't install arbitrary programs themselves. Technically everyone failed the phishing tests during that period since no one reported.

        • Re:Sadistic (Score:5, Funny)

          by StickyKeys ( 2825659 ) on Thursday December 24, 2020 @08:00PM (#60864048)
          Hold up, you fell for the old "HR rep came in person" scam?
      • by msauve ( 701917 )
        >True, but as others have pointed out, it was an effective test.

        Was it? Or did people examine the headers, and determine it originated from within GoDaddy before responding? And, if the email was received on GoDaddy email accounts, but didn't originate from GoDaddy, then "the company's chief security officer Demetrius Comes" is the one who failed.
        • by Ichijo ( 607641 )

          Or did people examine the headers, and determine it originated from within GoDaddy before responding?

          No need, all they had to do was check the "from:" address and see that it was from gocladdy.com, not godaddy.com. The notice at the top of the message that Outlook prevented display of some of the pictures in the email should have been another red flag.

          Also, it appears that the employees photoshopped the screenshots to obscure this information before sending it to the news organizations. So they screwed up

      • by sjames ( 1099 )

        I have done phishing tests for hire. I find the old "click this to validate your webmail account" to be sufficiently effective.

      • They should have paid out the bonuses... to everyone that DIDN'T fall for it and put their information in the form.

    • by DeplorableCodeMonkey ( 4828467 ) on Thursday December 24, 2020 @05:03PM (#60863586)

      Most people I've worked with don't really scan emails before acting on links. What this exercise did was just prove to 500+ employees that the offer of a $650 bonus is all it takes to make them jump right in and click some link without even asking why Payroll is making them click on a link rather than just saying it will be added automatically to their next direct deposit.

      Companies are having to get more aggressive because criminals are getting savvier and employees often still live in la la land.

      • My employer passes email through some third-party service that rewrites the URLs in emails, so I can't tell where the links go.

        • > The "actual story" appears to have been slashdotted (doesn't respond), and neither the alternate nor the summary mention that. In fact, the summary specifically say it was "Sent by Happyholiday@Godaddy.com."

          It's responding now and the screenshot does not show "cl", it shows "d".

          Other people are saying the video says 'cl' but I don't see it. Maybe /.'ers are running a test...

          I want to know why From: .*GoDaddy.com emails would be allowed into the corporate email system from outside. Don't they know about SP

        • Mine too. It's infuriating. It's part of their APT scanning, but it's just so irritating. Having to click the link to see where it goes is just asinine, and the opposite of the stupid anti-phishing training they inflict on us.

          It's just an extra headache when I want to forward a known safe link to someone outside my organization. I have to click the link in the email I got, pass the APT validation, open the website, copy the URL, head back to email, and finally paste it in.

          So they slow our job down, prevent one of the important tools in spotting phishing from working, provide "training" that tells us to look at URLs carefully, and assume that their APT scanning has a list of all of the known bad URLs in it which is why it's safe to click links that we can't see where they go. Then they send phishing emails to try to catch us.

          Even more hilariously, they occasionally include links in the email which haven't been mangled by the APT scan, which makes them instantly obvious as fake emails. They want us to be using our detective skills and checking URLs, which only works during the tests and no other time, so nobody even thinks of doing it. It's fucking GENIUS!

    • Re:Sadistic (Score:5, Funny)

      by dissy ( 172727 ) on Thursday December 24, 2020 @05:39PM (#60863716)

      From RobMalda@slashclot.org
      To: BytePusher@placeholder.value

      Hello good sir or madam,

      We at slash media would like to show our appreciation of your outstanding comment moderation history, by sending you a one-time 2000LB bag of hot grits as a holiday bonus!

      However we are trapped in the datacenter and would very much like to return home for the holidays to send your bonus.
      We would be very grateful if you could provide a loan of only 100LB of hot grits. We promise to refund it in full as soon we return to the NOC.

      Thank you for your financial assistance in this matter.

    • Do you really think real scammers don't do exactly that? In order for a test to be effective you have to emulate real phishing emails. What is better, get your feelings hurt but learn a lesson you won't soon forget, or at a later time fall for a real phishing scam, cause a major breach and get fired?


  • YOUR FIRED! (Score:2, Funny)

    by Que_Ball ( 44131 )
    In a follow up fax you get:

    YOUR FIRED!
  • Dick move (Score:4, Insightful)

    by johannesg ( 664142 ) on Thursday December 24, 2020 @04:30PM (#60863482)

    It seems incredibly ill-advised:

    - Bad for morale, telling your people they get a bonus and then screwing them over like this.

    - Bad advertisement, as apparently email security at godaddy is so bad that mails that come from outside their own network, but with a godaddy domain, are forwarded without so much as a warning (our corporate email system does that).

    I'm even wondering if it's legal. If your employer tells you to click on something, not clicking on that something could be seen as "refusal to work", which at least in my country is a firing offense. And of course, this also means that all subsequent emails from management can safely be ignored. "Oh, I thought it was the phishing thing again and deleted it. Better safe than sorry, right!"

    • Re:Dick move (Score:5, Informative)

      by Nicholas Schumacher ( 21495 ) on Thursday December 24, 2020 @04:42PM (#60863508) Homepage

      One little problem, if you look at the actual story the email did not come in from godaddy.com - it came from Gocladdy.com. It was a well-crafted phishing email - the type that companies fall for all the time.

      They had already had official statements sent around the company that the company was not getting bonuses.

      The email did not come in from the godaddy domain - so your email security statement is off base (in fact outlook also gave a message that it was not loading part of the message because it came from outside the organization as well)

      This is why companies have official channels for things to be sent to employees - so they have some way to know if they should read it or not.

      • if you look at the actual story

        Never! This... is... SLASHDOT!!!

        Also, the fine summary does in fact state it came from godaddy.com. And where I work, every email from outside our own domain gets a huge red banner at the top, so if godaddy doesn't have that they're asking for trouble.

        • And where I work, every email from outside our own domain gets a huge red banner at the top, so if godaddy doesn't have that they're asking for trouble.

          Mine too. Except for the phishing tests, the IT department has specifically excluded them from getting the big red "THIS CAME FROM OUTSIDE" banner. Not sure why, since the test mails always purport to be from well-known companies that aren't ours. (Citibank, Amazon, etc.)

          On the other hand, the phishing tests all have an X-PHISHTEST: header. Anyone with e

        • If you go to the story, there is a video that includes the actual email in question - and it comes from Gocladdy.com - and if your company puts big banners on top of any mail coming from outside your domain then you must not deal with people outside your domain much.

          In companies that deal with a lot of messages from outside domains (like godaddy) putting a warning like that on every outside domain would be detrimental - because people would just get used to ignoring that banner (if you are seeing that alarm

      • by msauve ( 701917 )
        >came from Gocladdy.com

        The "actual story" appears to have been slashdotted (doesn't respond), and neither the alternate nor the summary mention that. In fact, the summary specifically says it was "Sent by Happyholiday@Godaddy.com."
        • by Entrope ( 68843 )

          If text is in the body of an email, you can trust it 100%.

          Signed, President Abraham Lincoln

    • I'm surprised that it isn't obvious by now that training and depending on people not to click on links in emails is REALLY BAD SECURITY.
      If you want good security, then do not have a system that is easily compromised by employees clicking on links in emails.
      What system is good? I'm not sure. But I am certain that one is stupid.

  • Not mad (Score:4, Insightful)

    by colonslash ( 544210 ) on Thursday December 24, 2020 @04:34PM (#60863490)

    That's actually a clever test.

    • Re: (Score:2, Interesting)

      by misnohmer ( 1636461 )

      In the current social climate the test email should have said "This is a phishing test, click here to get mandatory refresh on social engineering security and a ding on your performance evaluation", including a large red flashing banner with skulls and crossbones warning signs. Then the company should have lobbied the government to make a law requiring all phishing emails must have such a banner - you'd probably find a politician (start with California) to introduce this "Mandatory phishing warnings to prot

  • by jmccue ( 834797 ) on Thursday December 24, 2020 @04:35PM (#60863494) Homepage

    Same thing where I work, but the email text was something like:

    Happy Holidays, please go here for you $25 Bonus Christmas Gift Card

    We never get holiday bonuses where I worked, so most people knew it was a phishing test (which it was)

    • by Ksevio ( 865461 )

      Something similar was sent out at my company, but then it turned out to be legit. A manager had to send a follow up message because too many people reported it

  • Smart! (Score:4, Insightful)

    by Joe2020 ( 6760092 ) on Thursday December 24, 2020 @04:36PM (#60863502)

    Damn, that was smart. Liking it. I wonder how many snowflakes are going to complain about it, but this was a cool test. GoDaddy is handing out coal for Christmas like true Santa.

    I am of course assuming the employees don't suffer negative repercussions from this and it is only meant to raise awareness. Anything else would suck.

    • Re:Smart! (Score:4, Insightful)

      by GameboyRMH ( 1153867 ) <gameboyrmh&gmail,com> on Thursday December 24, 2020 @05:18PM (#60863636) Journal

      Yes, handing out coal to people who are likely struggling in a pandemic while the company is likely making higher profits than usual. Real cool.

      • Would a phisher come up with this scheme, then discard the idea as being too low? Nope. Therefore the test was justified. I tip my cap to GoDaddy for this (and only this).

        If an email promise of a Christmas bonus doesn't get your spider-senses tingling enough to carefully check the From: header for a suspicious address, then you absolutely need to retake the security course. Read the message, it is crazily suspicious.

        • I could agree if they'd actually given the employees a bonus. The ones who passed the test, at the very least. But this was a massive dick move wrapped in a technically good security test.

          • I could agree if they'd actually given the employees a bonus. The ones who passed the test, at the very least. But this was a massive dick move wrapped in a technically good security test.

            *lol* Talk about bad ...

            Guys, this was a test and GoDaddy is an Internet provider. Of course every customer of theirs expects them to be at the top of their game. And phishing is nasty, it's a real problem. Was this an evil test? Absolutely. Did anybody get hurt? No. Perhaps some got upset, but they'll live. The point is to raise awareness and the result was shockingly bad, because of how many of GoDaddy's employees actually failed. So if you want to talk about the bad stuff here, then you need to talk abo

            • This has however got nothing to do with whether GoDaddy actually decided to pay out a bonus or not. There never was a bonus. Only really dumb suckers would still go on about it after the test how they didn't get a bonus. That's so dumb that it could be used in a Dumb & Dumber or Borat movie actually. Like when everybody gets that this was just a test, and then there is this one guy who doesn't get it and goes on about the money and what he could have done with it, and so on. There is no money!

              I could agree with this if they had offered something ridiculous in the test like a million dollar prize, rather than a reasonable holiday bonus, like this was. If you don't get it, you're probably just too wealthy and/or too coldly sociopathic to understand, and you'll have to try to intellectually wrap your head around how this could hurt someone since you have no feel for their money situation and/or emotions.

              Even the top infosec badasses in the company probably thought for a second, "Hey, nice, a reason

              • I could agree with this if they had offered something ridiculous in the test like a million dollar prize, rather than a reasonable holiday bonus, like this was. If you don't get it, you're probably just too wealthy and/or too coldly sociopathic to understand, and you'll have to try to intellectually wrap your head around how this could hurt someone since you have no feel for their money situation and/or emotions.

                Even the top infosec badasses in the company probably thought for a second, "Hey, nice, a reasonable Christmas bonus!" until they ran across the first red flag.

                You cannot think like this. You really need to match the real world conditions if you truly want to train your people and to recognise phishing. There is no second place. A million dollar prize as Christmas bonus would be obviously ridiculous that nobody would believe it even if the boss came into their office and told them the news to their face: "Hey, guess what? Everyone gets a million dollar!" ... Don't tell me you would actually believe a word and would not assume it's a silly joke, but you would want

                • You still don't get how this would be hurtful to people, I'm guessing because you're too wealthy, from the way you talk about money, as if freeing up money is a simple lifestyle choice.

                  • And you definitely don't get it.

                    A good test IS REALISTIC. $650 Christmas bonus is reasonable enough to be believable, while a million dollars is not.

                  • You still don't get how this would be hurtful to people

                    Of course I get it. I already said it was evil, but I also said that this is how phishing works. Bad people do not play nice. It is why they are bad.

                    Now do you understand how one employee, who falls for an actual phishing attempt, could damage the entire company and can affect the jobs of all the employees? This is the actual and very real threat, which GoDaddy is trying to prevent. This can cost several employees their job, possibly even damage GoDaddy for a long time and mean the loss of many customers, not

  • My company sent out an email about a pizza party. Those that clicked the link and filled out the form had to take security training.
  • Summary is wrong. (Score:5, Informative)

    by Nicholas Schumacher ( 21495 ) on Thursday December 24, 2020 @04:43PM (#60863518) Homepage

    If you go look at the video, the emails did not come in from Godaddy.com - they came from Gocladdy.com.

    In other words, the employees should have caught it as a phishing email.
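    A defender-side illustration of the header checks this thread keeps circling back to (the From: domain, the "cl" versus "d" lookalike, the external-sender banner, and the receiving server's SPF/DKIM/DMARC verdicts). This is added example code, not from the article, from GoDaddy, or from any commenter; the trusted-domain list, the confusable-character table, and the sample message with its Authentication-Results header are all constructed for the example.

```python
"""Mail-header triage of the kind discussed in the thread (constructed example, not GoDaddy's code)."""
from email import message_from_string
from email.utils import parseaddr

# Domains this hypothetical organisation treats as internal (assumption for the example).
TRUSTED_DOMAINS = {"godaddy.com"}

# Character sequences that render alike in common proportional fonts.
# Multi-character confusables are collapsed before single-character ones.
CONFUSABLES = [
    ("cl", "d"), ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
]


def skeleton(domain: str) -> str:
    """Collapse confusable sequences so 'gocladdy.com' and 'godaddy.com' compare equal."""
    s = domain.lower()
    for look, real in CONFUSABLES:
        s = s.replace(look, real)
    return s


def sender_domain(raw_message: str) -> str:
    """Return the domain part of the From: address, lower-cased ('' if absent)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify_sender(domain: str) -> str:
    """'internal' for an allow-listed domain, 'lookalike' if it only resembles one, else 'external'."""
    if domain in TRUSTED_DOMAINS:
        return "internal"
    if any(skeleton(domain) == skeleton(t) for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"


def auth_results(raw_message: str) -> dict:
    """Pull spf/dkim/dmarc verdicts from the receiving server's Authentication-Results header (RFC 8601)."""
    msg = message_from_string(raw_message)
    results = {"spf": None, "dkim": None, "dmarc": None}
    for header in msg.get_all("Authentication-Results", []):
        # First clause is the authserv-id; the rest are "method=result [properties]".
        for clause in header.split(";")[1:]:
            method, _, rest = clause.strip().partition("=")
            method = method.strip().lower()
            if method in results and rest.strip():
                results[method] = rest.split()[0].lower()
    return results


def triage(raw_message: str) -> dict:
    """Combine the checks: show the external banner unless the sender is internal AND DMARC passed."""
    domain = sender_domain(raw_message)
    verdict = classify_sender(domain)
    auth = auth_results(raw_message)
    banner = verdict != "internal" or auth["dmarc"] != "pass"
    return {"domain": domain, "verdict": verdict, "auth": auth, "show_external_banner": banner}


# Constructed sample modelled on the thread's description; every header value here is made up.
SAMPLE = """\
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=gocladdy.com; dkim=none; dmarc=none header.from=gocladdy.com
From: GoDaddy Holiday Party <Happyholiday@gocladdy.com>
To: employee@godaddy.com
Subject: 2020 has been a record year for GoDaddy, thanks to you!

Please select your location and fill in the details by Friday, December 18th.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

    The point of the skeleton comparison is that a plain allow-list check already labels gocladdy.com as external; the lookalike label is what lets a gateway or a mail client say *why* it is suspicious. The DMARC condition in `triage` reflects the other complaint in the thread: a message that claims an internal From: domain but was not authenticated by the organisation's own SPF/DKIM policy should still get the banner.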

  • I'd leave (Score:2, Redundant)

    by cygnusvis ( 6168614 )
    I would start looking for other employment in the new year.
  • by Ken_g6 ( 775014 ) on Thursday December 24, 2020 @04:53PM (#60863542) Homepage

    This email was actually sent by the company. They promised a bonus. Then they reneged. They ought to be sued. But it's probably not worth it to any of the employees.

    This shouldn't tie a company's hands too much. They can still do a phishing test like this. They just have to actually pay the bonus to everyone. And make employees who respond re-take training.

    • by geek ( 5680 )

      This email was actually sent by the company. They promised a bonus. Then they reneged. They ought to be sued.

      Found the professional victim. Fuck off with your crying you little bitch

  • If I didn't care about getting fired, I'd sue them in small claims court.
    The email was sent by the company stating they would get a bonus with no caveats or disclosures. That's a financial commitment. It does not matter one iota that it was sent from a different domain. Emails for company-related business, such as third-party benefits providers, come from alternate domains all the time.
    • I think that the employees took the correct approach, and forwarded the e-mail of this to the local news station. With the amount of negative PR they're getting from this (I sure as hell wouldn't want to work for GoDaddy after reading this story!), I'd imagine that they'll probably rethink pulling a stunt like this again.

      Play stupid games with your employees, and prepare to win stupid prizes.

      • And when they stop testing because of complainers like you and some actual scammer uses the exact same method to compromise their systems I'm sure people like you will be sitting there complaining that they didn't train their employees well enough.

        This was a test using the EXACT methods that scammers use to penetrate systems everyday and are exactly the type of things that IT security needs to make sure that employees are on their guard against.

    • I think you need to sue whoever you got your law degree from, I think that might have just been a homeless guy in a suit.
  • I work for a Fortune-500 company, and this kind of test is routinely performed at least twice a year. Never failed it, quite easy to smell the trap (Amazon gift card, an iPhone offered by the HR dept., etc.), but since they have repeated the test for a few years, I guess that many coworkers do not pass it.
  • ... and those who were caught also deserved to be caught, this was still a bad thing, before the Holidays, after a year like this. The problem is that in this world the ones responsible don't need to behave towards their underlings. And that they don't need to fear a thing, like those 500 underlings coming up to their office to give them a thorough beating. Which they should.

    That I'm in the process of moving most of the domains I'm responsible for away from HostEurope, which has been part of GoDaddy since 2

  • I conduct these kinds of phishing tests with my staff. But this is going too far, there must be more to the story.

  • Report most everything as SPAM unless you recognize the sender, subject and content as appropriate. Maybe even then. Especially corporate bulk email--how would you know otherwise?

    HTML email is an abomination. Treat it as such.

  • Does the test reflect the sickness of modern world? Absolutely. Does that make it effective? Probably. Is GoDaddy managed by psychopaths? Apparently. I imagine their version of a hearing test would be sneaking into your bedroom at night and playing a recording of your children screaming "Fire! It burns! Mommy, Daddy, help me, I'm dying!"
  • Demetrius Comes wrote. "You will need to retake the Security Awareness Social Engineering training."

    HR to Demetrius: "You will need to take Emotional and Social Awareness Training."

    Sent by Happyholiday@Godaddy.com,

    COO to Demetrius: "Stop undermining our DMARC, SPF and DKIM secure email messaging infrastructure".

  • Just another datapoint on the sliminess of GoDaddy...

  • by bferrell ( 253291 ) on Thursday December 24, 2020 @06:42PM (#60863848) Homepage Journal

    Usually right after a mandatory training on security... Fail and you get to take it over again.

    They compare the fail rate against the training pass rate to determine how effective the "training partner" is.

    Gawd, how I HATE those "partners"!

  • I get emails to my work account that pretend to be benefits and bonus payment all the time. Every single one I forward to IT and ask if it is legit.
  • The name of the company makes me vomit. Why would anyone buy anything from them, and why would anyone choose to work there?
  • This phishing test was a dirty trick that proves the boss class view all of the working class added up as having a value of zero. None of us go to work each day for our health or because we like it, but to acquire the one thing that makes it possible to survive in this society. Promising more of it, then saying "gotcha sucker" is an obscenity. They easily could have posed as UPS or Fedex saying you need to digitally sign for a package.
