Oct 30, 2017
8,706
At least it was positive. Earlier this year (a month into the pandemic) I had received a phishing test saying that my exit interview was scheduled. I was fucking livid. The company pulled back that test and issued an apology but goddamn that was a terrible 15 minutes of uncertainty.

From what I gathered, these housing tests are outsourced and they are supposed to get increasingly more difficult for anyone to ignore. It's still bullshit that this message was even part of the algorithm.
Um this is incredibly fucked up, too.

While cyber security training is incredibly important, it shouldn't make people think they are being terminated.
 

ElectricBlanketFire

What year is this?
Member
Oct 25, 2017
31,819
At least it was positive. Earlier this year (a month into the pandemic) I had received a phishing test saying that my exit interview was scheduled. I was fucking livid. The company pulled back that test and issued an apology but goddamn that was a terrible 15 minutes of uncertainty.

From what I gathered, these housing tests are outsourced and they are supposed to get increasingly more difficult for anyone to ignore. It's still bullshit that this message was even part of the algorithm.
This is even worse. Holy shit. We have Michael Scott running these tests.
 

ThreePi

Member
Dec 7, 2017
4,762
Woof. My company does phishing test emails but they're all just like "HR policies updated" or "Password expiring notification" kind of stuff.
 

CrashFaster

Member
Oct 28, 2017
114
With all of this 2020 bullshit, I wonder when the millennials will stand up and force a revolution. We really need it. I'm a GenX'er and perhaps already lost.
 

TheAggroCraig

One Winged Slayer
Member
Nov 6, 2017
5,906
Yeeeeeah it's pretty shitty to fuck with employees over pay.

My company does a bunch of these phishing emails but it's usually shit that's very easy to spot unless you're over 60 and open everything without thinking.
 

Morrigan

Spear of the Metal Church
Member
Oct 24, 2017
34,308
What is the appropriate way to try to bait employees into a phishing test? This is diabolical, but still pretty effective.
Like this:
Woof. My company does phishing test emails but they're all just like "HR policies updated" or "Password expiring notification" kind of stuff.
Something that pretends to be an internal email offering Christmas bonuses, during a pandemic and economic crisis, is on a level of callousness I can't even imagine.
 

whiteninja

One Winged Slayer
The Fallen
Oct 27, 2017
1,794
Funny that it mentions a "record year" yet they can't be assed to give any bonuses
 

Hero_of_the_Day

Avenger
Oct 27, 2017
17,324
I remember last year when one of my co-workers was talking about not having the money to buy their kids Christmas presents. Imagine being that person, the high of getting this email and realizing you could get your kids a Christmas gift, and then the crushing blow of finding out it was BS.
 

VeryHighlander

The Fallen
May 9, 2018
6,376
Whoever was in charge of that decision should be publicly humiliated. I'd almost go as far to say they should have the fucking shit kicked out of them.
 

Dekuman

Member
Oct 27, 2017
19,026
Phishing emails work because people click on it.
While the timing is poor, given (per OP) the company's recent announcement that there would be no bonuses, I imagine sophisticated operators know exactly which buttons to push to get people to click.

I always thought phishing email was going to be some sketchy email asking me to click here to open a file for an invoice. Something easy enough for me to suss out and ignore, but in truth, it's the ones that go through your defenses that you have to worry about the most. Earlier last year, our company's IT sent out several waves of test phishing emails and I failed 1 of the 3 times, not bad, but hackers only need to get in once. The one time I failed was the one that seemed routine, innocent and had something in it for me. Nothing as sinister as the one in the OP but it's clear to me, emails promising financial rewards or a chance to win something work really well.

I have to say that while I don't approve of the timing of the email, it's entirely likely the 'click here and enter details for a bonus' is exactly the kind of phishing emails people click on that sinks a company.
 

Catdaddy

Member
Oct 27, 2017
1,963
TN
I work for a large company and they do the testing for phishing scams, but it's not anything close to this BS. It's more like "OneDrive is set to expire please yadda yadda" we had a class on OneDrive and it never expires or "please fill out this survey from 'company I've never heard of before'" GoDaddy is just plain mean and 100x worse in a pandemic....
 

NetMapel

Member
Oct 25, 2017
3,384
We have phishing tests at my company too but let's be honest, I'd fail this phishing test so hard and fast.
 

Wolfe

Banned
Sep 3, 2018
871
If the employees were notified by the company that there would not be a bonus, I would expect some to question the email. Especially asking for employee details... that should've raised some red flags to someone.

Evil and cruel? Maybe, but not any lower than a typical phishing scam email.

Lol get outta here.
 
Oct 27, 2017
1,132
My company also regularly sends out fake phishing mails. But they're of the "Your mailbox has been compromised. Click here to restore access." type.
Those are all too obvious of course. I always report such emails and then the system congratulates me.
While this fake bonus mail may seem shitty, I can understand it from an IT security perspective. This one is very enticing. A lot of people will fall for it. Actual scammers could easily have done the same thing and harvested data.
 

TP-DK

Member
Oct 28, 2017
2,042
Denmark
 

GreenMonkey

Member
Oct 28, 2017
1,861
Michigan
As someone that does cyber security incident response, and manages our phishing reporting solution, I'm torn.

I don't manage the phishing exercises, but I do see the data for them, and I do manage actual phishing clickers, and have for years at a few very big companies.

I mean, I'm not sure *I* could stoop this low for good security.

But the attackers sure as hell do. Covid-related and stimulus related phishing was huge this year, I've personally seen "you're in trouble with HR" type phishing, and bonus / performance review / other HR related phishing is a real thing.

I think the reason I wouldn't bother with something this crummy to employees (but probably of some usefulness) is because I don't think the phishing exercises help that much, although I admittedly don't manage the fake phishing stuff in my current role.

I've always felt it is something that is necessary, I get it, but I've kinda felt that it does little to get people to change their habits unless you are willing to start firing people for clicking things.

Required Social Media Disclaimer: I work for GM, and these opinions are my own and not the opinion of the company or anyone at the company but myself.
 

Firestar

Avenger
Oct 25, 2017
53
Canada
This is tricky and I actually think we are going to see more of this, the tests get harder every year. I've had phishing email tests like this as well, but for smaller amounts, and on years where I did or didn't get a bonus. If your phishing tests are so obvious nobody falls for it then it's not a real test anymore.

Real phishing is only going to get more sophisticated and employees getting baited during the holidays is a real possibility, all the hackers aren't taking a break to go on vacation after all. From that example, you could see the sender was "gocladdy" instead of "godaddy" right off the bat, before even getting disappointed about reading the bonus. Keep in mind these employees no doubt have gone through yearly cybersecurity training and are explicitly told to watch out for this stuff.

No doubt this test would have been better received if they actually got bonuses, and if the company is doing well they deserve to be criticized for that part at least, whether or not they had this test. It makes me wonder what to do though, what if this phishing test offered more than the real bonus was, is it still cruel? Is it a realistic test if it offers less or the actual amount? I don't like having to deal with these tests personally either, but I don't have a solution, unless we come up with some perfect email filtering system.
 

BriGuy

Banned
Oct 27, 2017
4,275
Very heartless and out of touch to make the "phishing test" themed like that right before Christmas during a pandemic-induced recession that primarily affects the working class
It is heartless, but it's sadly in touch with the times. Scammers are going to strike when people are most vulnerable, and there's probably no better time than now.
 

Hexa

Saw the truth behind the copied door
Member
Oct 25, 2017
4,729
If this was done properly such that employees should have reasonably been able to identify it as fake, which it seems to have been unless I'm missing something, I think it's fair game. This is the type of thing scammers pull so training against it should be similar.
 

Dodongo

Member
Oct 25, 2017
7,462
I used to orchestrate internal phishing tests for a tech company.

This was a really bad plan, and was bound to piss people off.
 

ToddBonzalez

The Pyramids? That's nothing compared to RDR2
Banned
Oct 27, 2017
15,530
I have to assume the emails were accidental and that they, in their incompetency, thought it'd be better if they pretended it was a test.
Our company sends us fake phishing emails on a semi regular basis. So I could believe it was one of those, but the subject matter was in very poor taste here.
 

timshundo

CANCEL YOUR AMAZON PRIME
Member
Oct 27, 2017
3,156
CA
The "we care now!" rebrand truly was nothing but a rebrand. Shit company will always be shit company. I'm so proud of the boycott we did on them years back.
 

Kensation

Enlightened
The Fallen
Oct 27, 2017
6,837
My employer sent out a phishing test email as well last week, basically said if you made any unauthorized posts on your personal social media, you'd be fired.
 

ryan13ts

Member
Oct 28, 2017
2,101
Fuuuuuuuck whoever came up with this absolutely heartless idea. This needs to be blasted on every news outlet until they're basically shamed into actually giving those people a bonus for screwing with them like that. Seriously, this would be horrible enough even during the best of times, but now? During Christmas AND a pandemic when a lot of people are struggling? There's no way the fuckwads that thought this up wouldn't be cognizant of this. It wouldn't shock me if they did it just to be evil, since they could have done it in a million other ways rather than hanging a bonus they were wanting over them.

I also want to say I'm surprised that anyone could find this even remotely defendable, but that'd just be a lie at this point.
 

djplaeskool

Member
Oct 26, 2017
19,732
Damn.
I know a few folks in the IT business that would pull a stunt like this.
You do want to use current events and whatnot for security awareness testing to accurately simulate how phishing is socially engineered to be most effective...
but to do this is just scummy. Like, read the fuckin' room.
 

Squarehard

Member
Oct 27, 2017
25,830
The employees should send out a test email to all of their domain owners that says their system has been compromised, all of their personal information has been leaked.

And then 3 days later tell them it was just a prank bro.
 

Davey Cakes

Member
Oct 27, 2017
3,687
Massachusetts
I'm in the "this is heartless" camp for sure. The last thing anyone needs right now is false hope in anything, including monetary bonuses that could boost people's morale in tough times.

Seriously. A lot of us are beaten down at this point, even if we're still afloat. We don't need the bullshit.

That said, I've started getting phishing emails saying that I can claim my "stimulus payment." Scammers are out there preying on vulnerable people. It's a real thing that we need to continue to resist. GoDaddy has the right idea but the wrong approach.
 

I Don't Like

Member
Dec 11, 2017
14,896
Almost an infinite number of scenarios you can use for simulated phishing and they pick the absolute shittiest one. I can't imagine someone high up on their cyber team justifying this because it's likely to get people to click on it. Fuck everyone involved in this.
 

NeonCarbon

Member
Oct 28, 2017
1,461
I'm in Cybersecurity too, and it's a no from me (although we all joke about doing it, likewise at start of COVID).
It's terrible for morale, and ultimately you're never going to stop everyone from clicking on realistic phishing emails.