Let’s consider the situation:
GoDaddy’s Phishing Message:
When they checked their email on December 14th, GoDaddy’s employees found an email waiting for them in their inboxes, sent from “Happyholiday@Godaddy-dot-com”. Upon opening it, they found the following message, under a large picture of a snowflake emblazoned with the company’s name and “Holiday Party.” Get ready, it’s a doozy:
Happy Holiday GoDaddy!
2020 has been a record year for GoDaddy, thanks to you!
Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus! To ensure that you receive your one-time Bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.
Any submittals after the cutoff will not be accepted and you will not receive the one-time bonus of $650 (free money, claim it now!)
We look forward to celebrating with you again, in person next year!
However, no bonus reportedly awaited the approximately 500 employees who excitedly clicked through the links. Instead, they received an email from the company’s security chief two days later, informing them that they had failed the phishing test and would therefore need to retake the company’s Security Awareness Social Engineering training.
As you can imagine, this did not sit well for many of these employees… especially considering that the “record year” GoDaddy experienced came only after hundreds of employees were either reassigned or laid off entirely. Combining that with the fact that a data breach ultimately exposed 28,000 of GoDaddy customers’ credentials earlier this year, and the comments seem especially ill-advised.
GoDaddy has since released an apology for their mean-spirited bait-and-switch phishing test, releasing a statement. According to a spokesperson, “GoDaddy takes the security of our platform extremely seriously. We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologized.” While the company felt that the lesson was an important one to impart to their team members, there has been some acknowledgement that this was an insensitive means of doing so.
GoDaddy Isn’t the Only Company to Do This
Other companies and organizations have used similar tactics as they have worked to evaluate their internal phishing preparedness. One example came in September, when Tribune Publishing sent out a company email trying to phish employees with the promise of a targeted bonus ranging somewhere between $5,000 and $10,000. The Tribune’s attempt was also derided by the employees affected by it, one reporter tweeting that the level of cruelty was “stunning.” That company also apologized for its use of a “misleading and insensitive” email.
However, Phishing Can’t Just Be Ignored
While these companies certainly took the wrong approach to educating their users, the point still stands that phishing is a very serious risk for businesses today to contend with.
Instead of taking this approach, there are other ways to help educate your team, through seminars or even other internal evaluations. The primary issue really came from the fact that GoDaddy took advantage of a monetary promise to their employees during a time when many people are already financially strapped, with seemingly no intention of giving them this bonus.
Obviously, this is a situation that nobody wants to find their organization in, just as nobody wants their organization to be phished. However, with Aspire, there are ways to prevent the latter. Give our team a call at (469) 7-ASPIRE to learn more about how we can help you fight back against phishing, without alienating your employees.