Fake Bonus - Has GoDaddy crossed the line? (1 Viewing)

GoDaddy’s security has been under the microscope lately, with two high profile security incidents reported by Krebs On Security on November 21 and on March 31. I wrote about the first incident, which involved an account held by Escrow.com. With many employees working from home because of Covid-19, it has likely become a much more challenging task to ensure GoDaddy employees use best security practices to avoid being hacked or having systems or accounts compromised.

According to an article in The Copper Courier, GoDaddy tested its employees by deploying an email promising a holiday bonus, but it was really a phishing test in disguise:

https://domaininvesting.com/godaddy-apologizes-for-insensitive-bonus-fakeout-phishing-test/

That's funny. Cruel, but funny. And very sad from the security perspective. And from the hiring perspective - shouldn't passing that test happen during the interview phase?? They just shouldn't have admitted to doing it as a test. They just should've said, "no that wasn't us, you fell for a scam and put our systems & customers at risk. Not only are you not getting a bonus, you're fired." I have to live up to my Grinch reputation after all.

Bonus or not, these Bad Actors often use some type of "honey pot" trap to lure their victims in, and employees are told that no matter what, confirm any email messages and sources first, instead of clicking on links or taking other actions.

Social engineering is a lot smarter now, and instead of Nigerian Princes giving away their riches to the first guy who sends his banking information, it's now "employee bonuses", "your boss needs Amazon gift cards", and "payroll problems".

Either way, you need to be smart and call up HR or talk to their supervisor, and not just start clicking and filling in info because some 3rd-world scammer fake-offers you a bag of cash.

Everything else aside, the info I'm missing here is, how many employees provided information on the link. It seems they tracked the clicking, but that's really just part of the phishing.

I saw on Twitter that a pile of Crypto-domains were stolen by scammers using social engineering techniques on GD staff, so the lesson was obviously not learned.

Quite a bit of detail here
https://coppercourier.com/story/godaddy-employees-holiday-bonus-secruity-test/

Wow, who is stupid enough to believe that your employer needs "further details" to pay you a Holiday bonus? If so, how do you get paid in the first place?

It's easy, you see crap like that, call HR or talk to your supervisor, but DO NOT under any circumstances just start clicking.

They should give everyone who failed the test a Winnie the Pooh patch to sew on their jacket, cuz they just can't resist them honeypots.