Over the last year, GoDaddy employees have been targeted with sophisticated phishing attacks. Hackers have tricked the employees with social engineering scams, leading to numerous breaches in the company's clients. In November, Liquid and NiceHash — two cryptocurrency platforms — were targeted by hackers after they were able to trick GoDaddy employees into opening malicious sites and gain access to domain names. In March, it was escrow.com. Hence, as GoDaddy tested its employees' phishing awareness, it turned out many didn't learn their lessons.
GoDaddy employees received an email on December 14 saying they were entitled to a "$650 one-time holiday bonus" from an obscure GoDaddy domain "Happyholiday@Godaddy.com". The employees were asked to click on a link to select the location and fill out details to receive the bonus. The link turned out to be a phishing attempt by GoDaddy. The company was testing its employees' phishing awareness and those who clicked on the link received another email two days later.
It read, "You're getting this email because you failed our recent phishing test. You will need to retake the Security Awareness Social Engineering training," GoDaddy's chief security officer Demetrius Comes wrote in the email.
A Cruel Joke
It turned out that roughly 500 employees had clicked on the holiday bonus link and failed the test. But the phishing test didn't sit well among many employees as many of them lashed out at the company for tricking its employees at a time when many had been rendered jobless and had faced pay cuts due to the Coronavirus pandemic. Even GoDaddy, despite business growth, has laid off thousands of employees in the last seven months.
"Millions are suffering right now and GoDaddy thought this would be a cool time to email employees with the promise of a bonus — only to tell the ones who clicked through they failed a phishing test. So gross. If you use GoDaddy you should change that," one user tweeted.
Another user said it was abusive. "This is incredibly f***ed up and abusive. GoDaddy had better actually be giving everyone these bonuses. Absolutely monstrous to do this right before the holidays in any year, but especially THIS year," said one.
GoDaddy later apologized to its employees in a statement saying that it should have been "more sensitive". "GoDaddy takes the security of our platform extremely seriously. We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologized," a GoDaddy spokesperson said in a statement to AFP.
"While the test mimicked real attempts in play today, we need to do better and be more sensitive to our employees," the statement added.
Was GoDaddy Right?
In most of the phishing attacks, the emails would be either full of spelling errors or would contain something so vague that it would look like a scam. But GoDaddy's phishing email test was so perfect that it could trick even experienced cybersecurity researchers.
However, such "almost perfect" phishing attacks are not uncommon. Hackers have been getting better at creating social engineering attacks. Over the last few months, there has been a tremendous rise in the number of Coronavirus aid-related phishing attempts.
Considering that hackers use innovative social engineering phishing attacks, it raises concerns for GoDaddy, the world's largest internet domain management company. As GoDaddy employees have repeatedly failed in recognizing phishing attempts, leading to data breaches at over 28,000 of its customers, they should have been more careful. From that perspective, employees should really take the phishing attacks seriously even if the test was a cruel joke.
GoDaddy Not Alone
GoDaddy although isn't the only company to test its employees with phishing emails and face backlash. In September, Tribune Publishing, a newspaper company, sent such a phishing email to its employees, saying it was giving out $5,000-$10,000 bonuses.
Furious employees took it to Twitter to share their grievances. Earlier Tribune had laid off many of its employees like GoDaddy. "The level of cruelty is actually stunning," a Tribune reporter shared on Twitter.