GoDaddy Goes Phishing...with stinky bait
Domain registrar and web hosting company GoDaddy recently raised eyebrows and the collective ire of Reddit over an email phishing test they conducted on their employees. The company sent an email to employees promising a cash bonus, in the spirit of Christmas, and to ease the economic burdens they face due to the Covid-19 pandemic. The email included a link to a registration form that collected employee information under the guise of confirming employee status and “ensuring everyone gets the bonus”. Employees who completed the form didn’t receive a cash bonus but a notice of required security refresher training.
News of the test sent the technology reporter pool into a tizzy and brought the collective ire of self-righteous Internet forum warriors. Some of the criticism was pointed and legitimate. Poor topic? Yes. Poor timing? Yes. Entrapment? Maybe. GoDaddy should have recognized the sensitive content and poor timing of its delivery. The betrayal felt by employees is understandable.
Ok, but you still clicked the link. You could have compromised the entire network and therefore the integrity of the company! GoDaddy played dirty pool, but so do the bad guys. Do you think a Russian crime group dedicated to compromising the computer network of your company ever has moments of self-reflection where they say “Wow, this is just going too far. We need to let this pass”? Do you think they have an open-door policy or a corporate ethics officer? Hell no they don’t. They are criminals. Betraying your emotions and stealing your candy is their job, and they will stop at absolutely nothing to ensure success.
Those involved in the debate fall into two camps: security and non-security.
If you are not responsible for the security of the company, then you probably feel that GoDaddy did the functional equivalent of giving their employees a subscription to the Jelly of the Month Club rather than a yearly cash bonus. They preyed on the human emotions of their employees, knowing people were already highly stressed due to the giant gut-punch we know as 2020. Phishing simulation emails that warn of a change to employee vacation benefits or new building evacuation plans are understandable, but promising a bonus, at Christmas no less, well that just crosses the line, Frank Shirley!
The person who gets the pager call when the security software goes berserk because a foreign IP address just started downloading 106 GB of data, or when Ann from accounting enters a service ticket reporting that none of the financial files can be opened and they all end with a .ryuk extension, surely sees this completely differently. The fact that you feel tricked and betrayed by your own company to enforce an internal company policy is irrelevant. YOU CLICKED THE LINK! You made a poor decision that put the future of the company at risk.
I agree that what GoDaddy did was a poorly timed dirty trick. I would not have done it. But you know who would have? Every single group listed on the MITRE ATT&CK advanced persistent threat list.
I strongly advocate running a zero-fault shop. We don’t name and shame those who fall victim to legitimate security incidents. Likewise, phishing simulations are used as teaching experiences, not a campaign of terror and embarrassment. If you humiliate and threaten the job security of those who fail the tests, then no one will ever come forward and self-report when they have made a poor choice in a real situation. Response time is everything in cyber incidents, and you need employees to report suspicious activity as soon as possible, even if they are responsible for it.
On the other hand, the security of the company is the responsibility of every member of the organization, from the Chief Executive Officer to the Chief Toilet Paper Roll Changer. If you have access to the network and make poor choices that could compromise the business, then you need corrective training. These employees are identified through testing. The GoDaddy security team ran a legitimate phishing simulation campaign and filled the nets with employees who need more training.
And taught everyone a valuable lesson in doing it.