Sent by Happyholiday@Godaddy.com, tucked underneath a glittering banner of a snowflake and stamped with the words “GoDaddy Holiday Party,” the Dec. 14 email to hundreds of GoDaddy employees promised some welcome financial relief during an otherwise stressful year.
“Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!” the email read. “To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.”
The email from GoDaddy was a phishing test, and the company reports 500 employees failed the “test”. Looking at the email, I would have failed it, too. At least from the screenshots that were provided to the Copper Courier, the email appears to have originated from GoDaddy.com’s mail servers, and it mentions an internal company holiday party — this makes it look legit. The “free money, claim it now” parenthetical feels a little fishy but I’d overlook that as some accountant trying to be funny.
Employees who failed the “test” will be required to complete social engineering training. I suspect the training will include obvious examples of phishing emails, like bad misspellings and warnings that the sender is from en external domain — none of the warnings this GoDaddy email contained.
I think the worst part is using the promise of a holiday bonus to test your employees, especially during an extremely difficult year. Why is it wrong to expect a holiday bonus from your employer? Only the absolute shittest employers (ahem, mine, and apparently GoDaddy) wouldn’t give out a holiday bonus to their staff.
Who at GoDaddy thought it would be a good idea to send this email? Maybe the asshole CEO that hunts elephants for entertainment?