GoDaddy apologized for insensitive phishing email sent to its employees offering a fake bonus

GoDaddy made the headlines for an initiative that is dividing cybersecurity community, it sent phishing messages offering bonuses to its employees.

GoDaddy sent an email to its employee that promised a Christmas bonus to help them to face economic problems caused by the ongoing COVID-19 pandemic. The web provider apologized Thursday for the cyber security test aimed at verifying the response of its personnel to a phishing campaign.

“GoDaddy takes the security of our platform extremely seriously. We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologized,” a spokesman for GoDaddy told AFP in a statement.

“While the test mimicked real attempts in play today, we need to do better and be more sensitive to our employees,”

The approach was criticized by part of the cyber security community due to the bait used in the test and the period chosen for the simulation. On the other side, the company opted for this test because it mimics a real attack that could happen at any time and that could take advantage of the pandemic.

The test took place in December, the message deceived around 500 employees who clicked on it. The email stated that GoDaddy was offering a Christmas bonus of $650 and asked them to fill out a form with their personal details.

“Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!” the email reads. “To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.”

Two days later, the employees were informed by email of the ongoing security test, the message received by the ones that opened the email states:

“You’re getting this email because you failed our recent phishing test,” the company’s chief security officer Demetrius Comeswrote. “You will need to retake the Security Awareness Social Engineering training.”

Those who failed the test are invited to retake the Security Awareness Social Engineering training.  

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

[adrotate banner=”5″]

[adrotate banner=”13″]