Roughly 500 employees failed the test, which claimed they would receive a $650 bonus.
“2020 has been a record year for GoDaddy, thanks to you!” the email read.
Sent by Happyholiday@Godaddy.com, tucked underneath a glittering banner of a snowflake and stamped with the words “GoDaddy Holiday Party,” the Dec. 14 email to hundreds of GoDaddy employees promised some welcome financial relief during an otherwise stressful year.
“Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!” the email read. “To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.”
But, two days later, the company sent another email.
“You’re getting this email because you failed our recent phishing test,” the company’s chief security officer Demetrius Comes wrote. “You will need to retake the Security Awareness Social Engineering training.”
Phishing tests are sent by companies to gauge their employees’ susceptibility to phishing attacks, where people outside the company will attempt to disguise themselves as trusted sources to gain access to sensitive information, like usernames and passwords.
The follow-up email from Comes said that roughly 500 GoDaddy employees clicked on the holiday bonus email and “failed the test.”
Scottsdale-based GoDaddy, the world’s largest domain registrar and web-hosting company, did not respond to repeated requests for comment about the emails. The emails were forwarded to The Copper Courier by three GoDaddy employees.
Earlier this year, Forbes reported that 28,000 GoDaddy customers were impacted after a data breach compromised their account usernames and passwords.
Despite the company surpassing 20 million customers this year and reporting “record customer growth,” the company laid off or reassigned hundreds of employees during the coronavirus pandemic, including in Arizona, Iowa, and Texas.
GoDaddy is not the first company this year to trick employees into falling for phishing scams by dangling the carrot of a potential bonus.
In September, Tribune Publishing, which owns several major newspapers around the country, sent a similar email to its employees.
The email, circulated by several furious Tribune employees on Twitter, said the company was giving out targeted bonuses of $5,000-$10,000, only to later reveal itself as a phishing test sent by the company.
“The level of cruelty is actually stunning,” Tribune reporter Danielle Ohl wrote at the time.
A Tribune spokesperson later told Vice News that the exercise was part of a regular, internal test to assess phishing risks and said that it had no intention of offending its employees. “In retrospect, the topic of the email was misleading and insensitive, and the company apologizes for its use,” the statement read.
Want to talk about phishing tests you’ve received from your employer? Reach the reporter at firstname.lastname@example.org or 480-243-4086.