As originally reported in the Copper Courier, GoDaddy sent an email to employees this last week promising a $650 bonus. The email starts:
2020 has been a record year for GoDaddy, thanks to you!
Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!
To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.
The email was sent from [email protected] and promised a small bonus in a year where everyone could desperately use some relief. Turns out, it was just an internal phishing test, and a few days later, another email was sent to everyone who clicked on the email from GoDaddy’s Chief Security Officer saying that they had failed a recent phishing test and will need to retake the company Security Awareness Social Engineering training.
There are many problems I have with all of this. I’ll start with the most obvious, that I hope everyone can agree on. While I am not going to argue that someone who was actually trying to be malicious might try to pull something like this, because we know they would, that doesn’t mean that GoDaddy should be so incredibly tone-deaf during such an awful year. It would be one thing if they did this, and it was a phishing email, but the bonuses were still handed out. I still think that’s an asshole thing to do, but at least they wouldn’t be dangling a small piece of financial security over people and then yanking it away just to make people take another training.
Additionally, the effectiveness of these kinds of tests is dubious at best. I have been in IT for many years, including managing many very large email deployments, and I would argue that this type of phishing email test is absolutely useless. End-users need to be involved in security, absolutely, but this is not the right way to do it. You need users to understand the importance of security, know what to look for in emails that may potentially be malicious, and most importantly, you need them to buy into the overall security of your company. You need them to be invested in what’s best for the company. Purposely laying traps for your employees is not how you do that. That’s how you make your employees resent working for you, resent the security and IT teams, and just not want to engage in the company in general.
Additionally, it is definitely possible with the right tools in place to almost completely eliminate phishing and malicious emails for your domain, particularly from people trying to spoof your domain. Spoofing a domain means sending mail that impersonates it: in this case, making a message look like it comes from godaddy.com when it was really sent from somewhere else. Since it is possible (I’d even say not that difficult) to very effectively block these kinds of attacks, I think that it is safe for employees to assume a certain level of baseline security within their organization, and if they see an email that looks like it’s legitimately from godaddy.com, and it made it through any filters that are in place, I don’t think it’s inappropriate to assume that the Security team did their jobs and it’s safe to click on that link. This is a failure of the Chief Security Officer, not of the employees at GoDaddy.
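To make concrete what "the right tools" can do against spoofing of your own domain, here is an added Python example; it is not code from this post, the author, or GoDaddy. It assumes the tools in question are SPF, DKIM and DMARC, that the mail gateway has already evaluated SPF and DKIM and hands over the results, and that the organizational domain can be approximated by the last two DNS labels (no Public Suffix List). The DNS records, sender domains and messages are constructed for illustration.

```python
"""
Simplified DMARC-style check for inbound mail whose visible From: claims our
own domain. Added illustration for this post, not the author's or GoDaddy's
code. Assumptions: SPF/DKIM already evaluated by the MTA; organizational
domain approximated by the last two labels (no Public Suffix List).
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

OUR_DOMAIN = "godaddy.com"  # the domain being protected (from the post)

# Constructed TXT records for _dmarc.godaddy.com: the weak setting that only
# reports, and the one that actually blocks spoofing. Not GoDaddy's real record.
WEAK_DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@godaddy.com"
STRICT_DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@godaddy.com"


def parse_dmarc_policy(txt_record: str) -> Optional[str]:
    """Return the p= policy of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def org_domain(domain: str) -> str:
    """Naive organizational domain: last two labels (assumption, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


@dataclass
class InboundMessage:
    header_from: str            # RFC 5322 From: the address the user sees
    envelope_from: str          # RFC 5321 MAIL FROM: the identity SPF checks
    spf_result: str             # "pass" / "fail" / "none", as evaluated by the MTA
    dkim_result: str            # "pass" / "fail" / "none"
    dkim_domain: Optional[str]  # d= of the verified DKIM signature, if any


def dmarc_verdict(msg: InboundMessage, policy: str,
                  allowlisted_domains: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """
    Decide what to do with a message whose visible From: claims our domain.
    A DMARC pass needs an *aligned* SPF pass or an *aligned* DKIM pass:
    passing SPF or DKIM for the attacker's own domain does not count.
    """
    from_dom = org_domain(domain_of(msg.header_from))
    if from_dom != OUR_DOMAIN:
        return "deliver", "not our domain; that domain's own DMARC policy applies"
    env_dom = org_domain(domain_of(msg.envelope_from))
    if env_dom in allowlisted_domains:
        # An allowlist entry lets an unauthenticated sender through regardless
        # of policy: the hole the allowlisting anecdote later in the post needed.
        return "deliver", "allowlisted sender bypassed authentication"
    spf_aligned = msg.spf_result == "pass" and env_dom == from_dom
    dkim_aligned = (
        msg.dkim_result == "pass"
        and msg.dkim_domain is not None
        and org_domain(msg.dkim_domain) == from_dom
    )
    if spf_aligned or dkim_aligned:
        return "deliver", "aligned SPF or DKIM pass"
    action = {"reject": "reject", "quarantine": "quarantine", "none": "deliver"}[policy]
    return action, "DMARC fail: no aligned authentication"


# Constructed samples; in practice these fields come from the MTA's
# Authentication-Results header.
LEGIT = InboundMessage("hr@godaddy.com", "bounces@godaddy.com", "pass", "pass", "godaddy.com")
SPOOF = InboundMessage("hr@godaddy.com", "x@attacker.example", "pass", "pass", "attacker.example")
VENDOR = InboundMessage("hr@godaddy.com", "sim@phish-vendor.example", "none", "none", None)

if __name__ == "__main__":
    for name, record in (("weak", WEAK_DMARC_RECORD), ("strict", STRICT_DMARC_RECORD)):
        policy = parse_dmarc_policy(record)
        for label, message in (("legit", LEGIT), ("spoof", SPOOF)):
            print(name, label, dmarc_verdict(message, policy))
    print("vendor, allowlisted:",
          dmarc_verdict(VENDOR, "reject", frozenset({"phish-vendor.example"})))
```

The point is alignment: an attacker's own infrastructure can pass SPF and DKIM for attacker.example, but that does nothing for a From: header claiming godaddy.com, and under p=reject the message never reaches an inbox. With p=none the same message is delivered and only reported, which is the weak setting many domains never move past. The allowlist branch shows what exempting a sender from that check does, which is what the anecdote later in this post required.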
I won’t name the company, but at a previous job, we were a subsidiary of a larger company. We had about 9,000 employees at the time, and our parent company reached out to us and told us that they wanted to do a phishing test, similar to this. It was not anywhere near this tone-deaf in its message, but regardless I pushed back for all of the reasons I listed above. I was told we needed to do it anyway.
There was a 3rd party security company that was actually sending the emails on our behalf, and (shocker!) our spam/phishing filters immediately blocked it 100%. I had been told that I couldn’t tell anyone else on the team about this email, because IT was being targeted for this test as well. So I was asked to specifically put this sender on the permanent “allowlist” so they could send it again. It went out and a few people manually marked it as spam, which triggered an internal IT ticket, and one of our IT employees reviewed it, determined that it was not legitimate, and triggered a script to remove it from all end-users’ mailboxes again. Only one person had clicked on the link out of all 9,000 employees before this process was triggered. Naturally, the 3rd party company and our parent company weren’t happy about this (the parent company had done much worse in this test).
Eventually, we had to manually place the email in everyone’s inboxes, and essentially disable all of our security measures in order to allow the email to stay there. I had to let the IT team in on it to prevent our fail-safe processes from being triggered as well. Naturally, after disabling all of our security measures, many more people “fell for” the phishing email and were required to take security training courses. In this particular case, it reflected poorly on our own IT department, not even on the parent company or the other 3rd party “security” company that was running this test. To this day, that whole experience does not sit well with me.
As long as these kinds of “gotcha” security awareness tests continue, we aren’t going to solve anything. It’s demoralizing, and it does not encourage the kind of user buy-in that is needed to have effective security.