Internet domain registration service GoDaddy drew criticism for conducting a phishing test that angered its employees. Before Christmas Eve, employees received an email at their company addresses announcing a one-time $650 bonus and asking them to reply with a completed form said to be required for the bonus payment. What they received afterwards, however, was a notice that they had failed a phishing test and had to take a security class. The email read roughly as follows: "We can't celebrate our annual holiday party together, but we would like to thank all of our employees for contributing to this year's record-breaking achievements, and we're paying a special $650 bonus." The sender was a company account (Happyholiday@Godaddy.com). The email came from an address on the company's own domain, and included a statement explaining that recipients needed to respond to be sure of receiving the one-time bonus before the Christmas holidays, along with a form asking them to fill in and return information about themselves and their jobs.
From the employees' point of view, it was welcome news at the end of the year, and 500 of the employees who received the email responded by filling in the requested information.
The result, however, was a notification to take a security class. It is not uncommon for a company to send fake phishing emails in-house from time to time to boost employee security awareness. But sending this one at the end of the year, to employees who had come through the difficult COVID-19 epidemic and contributed to attracting a record number of new customers in the most recent financial results, was in poor taste. Some employees tweeted their anger, and some users said they would move their server hosting elsewhere.
In the end, GoDaddy issued a statement on December 24 (local time) and apologized to its employees. The company says it takes the security of its platform seriously, but it also understands that some employees found the phishing-awareness test insensitive and were upset by it. It announced that it would work on this together.
Phishing lures are timed for the moment when the target is most likely to fall for them, so the test was not wrong from a security point of view. Considering how the staff felt, however, it is hard to say that it did not go too far. Now that it has become an issue, it may be an opportunity for both sides to further strengthen security awareness and deliver secure services to users.
For reference, in November GoDaddy mistakenly transferred control of the domain of liquid.com, a cryptocurrency trading platform it hosts, to an attacker, allowing access to internal storage and in-house email information. In addition, NiceHash, a cryptocurrency mining service, reported a series of problems, such as the settings of its domain registration records at GoDaddy being changed. GoDaddy acknowledges that a social engineering attack aimed at all employees was the starting point. In an earlier attack targeting an employee, employee credentials were also leaked to the outside.