Full disclosure, my old employer was very serious about phishing prevention (we sat on a ton of IP and people were out to get it) and did testing of this type as well. I did fall for a phish test around last review season because the phishing email had something about reviews in it.

Let's be adult about it - it was a good test and I failed it because I wasn't vigilant enough.

The fact that GoDaddy's email was "tempting for people around holiday season to click on" is - guess what - exactly what a moderately-sophisticated phishing attack would look like.

One of the things IT teaches employees to look for in phishing emails is language that either doesn't make sense or seems designed to "get your guard down and act on it."

In GoDaddy's case it included language like "it's free money, claim it now." Really - if you slowed down for a sec and thought about security, is this the language in which your employer emails you? Also, why does your employer need you to fill out any forms about your location - they know where you are.

For all the talk on HN about security and companies not taking it seriously enough, here's a great example of a company taking it seriously (to the point of discomfort) to teach their staff about what phishing could look like, and HN is somehow objecting.

PS: I bet there are no consequences for failing this test other than needing to retake the training which is right because the people who fell for it do need the reminder. If this was a real phish they'd have leaked real data. Perhaps even your data.

Invoking and then revoking a bonus email in a year where folks are already hard hit financially and mentally under the guise of “education” is lazy and any security leader who does it is a fool.

Effective security culture builds rapport with business units. This type of nonsense does the exact opposite.

Yes you may have proven a tactical point, but you have just set yourself up to lose the war.

you glossed over this point, but it is nonobvious. how exactly does making your users skeptical of email "lose the war"? are they going to type in their passwords out of spite now?

the gp is exactly right. if you have a line you wont cross to train your users, then youre leaving a vulnerability. if you want to make the argument that the vuln is worth not "being mean" to your employees, then make that argument, but don't pretend its more secure.

No, they’re going to quit, or put less effort into their job (which is often worse for the employer than quitting), or tell other people not to work there, or—as in this case—tell everyone on the internet what you did and then your company’s reputation takes a well deserved hit.

This is not a good scam. People fucking notice when they expect a 650 dollar bonus and it doesn't come. It's not some arbitrary "check out this cool link" style email that an employee might click and then forget they've ever engaged with.

Not to mention that it caught nearly 10% of the fucking company - That's an insanely high click through for any phishing test I've ever seen at a software company. And I don't even know if they sent it to all 7k employees (my guess is no). So either GoDaddy has incredibly incompetent employees, or this looked fairly real (and the email does actually look pretty damn good for a phishing email - custom image, no spelling mistakes, internal domain, aware of different geos the company operates in)

So you pissed of 10% of your company with an email that wouldn't ever be sent as a real scam (because a week later the employee is going to ask where the 650 bucks is and alarm bells will go off).

I don't have the context of a Godaddy employee, so maybe there's an obvious mistake in there, but general speaking - this was a dumb play by the security team. It's now also losing them goodwill in public.

Phishers can easily get what internal company emails look like. Send an email that looks like "Hey, we're giving you a $900 bonus. Make sure to fill out these forms on workday", with a link that is a Phishing website that looks exactly like workday.

Fill in your credentials - hey, also need your 2factor code - and bam, hackers have an in to the system. It doesn't matter that the employee realizes 10 days later they were phished.

In the 10 days or 1 day that it takes between realizing they were phished, all sensitive information they can get access to can be stolen. Furthermore, more sophisticated phishing links can then be sent from their account. After all, who's going to suspect an actual email send by a colleague as a phishing attempt?

A holiday bonus type of phishing attack absolutely can work, and be extremely effective at credential theft. It may not be effective at literally scamming money from the employee, but who cares.

Know what doesn't build better security culture? Trying to trick your users. Know what does? Working with them closely to help them understand security, finding out when and how people get tricked, and working to solve those issues.

The anti-phishing efforts I've seen so far have been lame and ineffective. Rather than trying to find new ways to make people fail, security teams should be finding new ways to prevent people from falling victim.

I don't think GP was ambiguous at all, to be honest. This point was extremely clear. It feels like you came to the discussion with an axe to grind.

And people will treat you like that, most often behind your back.

How about a phishing test that downloads something that nukes your hard drive?

> How about a phishing test that downloads something that nukes your hard drive?

The phishing weakness opens that possibility. The act of wiping the HD does nothing to improve behavior or identify weakness.

They didn't feel they had any choice but to hire about 50 temp folks from a local contracting company and run through the entire desktop environment and pull drives, re-image, reinstall. They did this over the course of a weekend and on Monday when employees came back they found their desktops wiped clean. Within an hour the site lead started getting calls and visits from panic stricken employees that had kept all sorts of personal info on those machines...photos, emails, documents, etc.

All gone.

They ended up missing one machine that got powered up that Monday and re-infected the entire campus. Had to do the same thing again.

The fact that employees are failing this proves the point, and until we can show that they are no longer falling for it, it shows how vulnerable we remain from an infosec posture.

The only reason you would have to send something like this is because you are lazy, need to generalize quickly, and blast it to the company. And you will teach a lesson. And you will kill any goodwill to the security team as a byproduct.

That said, I do agree with you that money is better spent elsewhere. A company with > 1000 employees should just assume there's an infected machine in their network 24/7. Defense in depth stipulates that this should not matter for their security.

I also prefer my security measures procedural, technical and layered. Like I said before, phishing simulations don't really work for me at all... Currently many places where I do some work the security department have a large say in what happens, regardless of goodwill. Security measures always suck, are less efficient and cause no end of headaches, you mostly have 0 goodwill anyway.

Isn’t your job to make sure security measures don’t suck, aren’t less efficient, and don’t cause headaches?

This seems to be a very defeatist attitude to take.

From my personal experience one of the following happens when a security team takes your perspective: 1.) users work around security mitigations, causing worse security issues 2.) workers quit the company due to friction when working 3.) the security manager gets fired because they won’t ever compromise

The real thing happened, was detected and shut down. Then they did some trainings over the course of a year, and had us test the same thing again next year. Results were not particularly good, and people got upset that they did not receive the promised Christmas gifts.

Afaict, these trainings stop being effective at around 10%. That is, 10% of all people being phished like this will do everything you tell them to. Up to and including sending your their password and installing malware on their machines following your e-mail instructions.

I agree this shouldn't need to be a "gotcha stunt" though but if this would be to you then yes you're doing it/communicating it/following it up wrong. It should be an awareness call that phishing is going to target you in very thoughtfully real and meaningful ways, not just boring fake tickets/issues or the like. If you can't find a way to send that message in your org then again I claim your org already has bad culture as it can't talk about or examine real security issues and instead has the first reaction to a real risk that you're just trying to improve your reporting numbers again.

Also a small year end bonus being not only considered exciting but not existing at all is probably the real callousness problem in the org, not that one points out the allure of money is used by malicious actors to get people to click things. But that's separate from the whole role of security discussion.

At the end of the day if you've got a threat vector you're too afraid to actively measure it doesn't matter how much you message other departments about it you'll never know how big of a risk it is or if appropriate action was taken unless you are compromised by it a later date. This is true of human risk monitoring as much as it is of technological risk monitoring.

1) An uptick in phishing emails (both user reported and data analyzed) was noted with a few patterns of attack in particular being on the rise in the last month.

2) Communications about the attack profiles were sent out company wide followed by invitations to material (written and short video form optional for low risk groups in the org based on use of email and HR training courses for those with heavier/job required use patterns that fit the attack profile, usually IT).

3) About a month time pass, user based reporting numbers were looking better and communication to leadership that a test email was going to go out to users matching the attack pattern to see what click through rates would look like on a well tailored email that wasn't quickly removed from inboxes. Leadership approves.

4) Click troughs result in dropping at an internal landing page hosting links to the above communications and adds the HR training course to the users profile.

For more detail on step 4) the opening of the landing page is a forgiving style not a scolding style, think "Oh no, this could have been from one of the phishing attacks we've been experiencing lately. Don't worry, it was just an example attack from us - but did you notice any of signs of a...".

It's also worth noting as part of 2) it was discussed the official communications on end of the year packages would be sent out _before_ the security test, not sure if that was the case in GoDaddy's scenario. This year didn't include cash bonus at Christmas (we did one in the summer for COVID) but did include unlimited PTO rollover and similar non-cash perks given the situation (and explained there would be no cash bonus).

3) Can be tricky when trying to fend attacks on the leadership level, it usually uses a modified approach to this list where lower management of each department is involved instead.

As far as the numbers themselves the higher the click through rate the WORSE the score the security group gets, it's a score for the amount of improvement from the planned action not a score for how many people you could trip up before you get a pat on the back. At the same time it was modeled after the COVID related phishing emails we had been getting, not something someone made up because it seemed easy or hard to pass.

It's a very large org and in the end this went well for all teams (even though improvements weren't quite as good as we had hoped they were still pretty darn good numbers) and we were able to show with data we had improved security against a real threat. I'm sure there were a few (given numbers) that were a bit let down after clicking it but given the approach and planning I don't think that was a failure of the test approach (though we're always open to refinement when an opportunity is brought up. Part of the training material is freeform feedback on how you think the org could better handle the challenges from your PoV).

.

Anyways the point is it shouldn't have to be "tackle real risks or have other groups hate security", you need to find a way to do both at your place (which may be different than how to do both at another place). And that should be true regardless if GoDaddy managed to implement the test poorly this time or not.

The most good-faith reading of this whole tire fire that I can manage is that if you're going to pull this, you had absolutely and without question better have actual bonuses, of no less and frankly probably more than the phishing attempt, in the pipeline for every employee.

If you don't, you should be fired because it is inhumane to act this way to other people. It is, and I do not use this word lightly, evil.

What is bad about a company culture where going for maximum emotional impact over a weighted approach causes an uproar? (I'd be much more wary about one where it doesn't, because it tells me employees expect the company to yank their chain, and expect bad treatment from other teams, and know complaining about it won't help. that's a broken environment.)

I disagree that one can characterize the simulation of a specific scenario as "lazy." Is it unusually attractive to the target? Yes. Lazy? No.

Specifically, you would have to prove that sending phishing training emails with more neutral topics (e.g. a package arrived, IT policy change - ACTION REQUIRED) is less effective than sending the more potentially harmful.

Something like: “SECURITY INFORMATION: Phishing emails target holiday bonuses to increase engagement. Always be on alert” along with a few points on what you are likely to see in a phishing email, how you could spot one, and what to do if you get phished.

Are you sure about that? Is there any evidence that supports this claim?

It certainly fails the sniff test. Behavioral science does not hold setting you up for failure as an effective learning contingency. I mean try teaching your dog that way, see how far you’ll go. You will also teach your workers that phishing emails come from internal so there is no need to report it.

When I was working as a life guard we never went into training situations unknowingly. There is a reason for that, a) it is dangerous as workers might act irrationally creating a dangerous situation, b) it is stress invoking and not healthy for anyone, especially those that have underlying stress issues or conditions, and c) there is no evidence that live training is any more effective or teaches you anything more than traditional training does.

Result at my work. Email is completely ignored by most everyone. All communication is via Slack, even when not appropriate.

I check my email about twice a week, and by the end I’m usually browsing job boards out of disgust.

But these emails presumably weren't even coming from the company's domain, since they were phishing emails.

Go look at the image in the article.

I don't work there so maybe something in it should have set off red flags for employees, but generally speaking - That's a very high quality phishing attempt.

> Sent by Happyholiday@Godaddy.com

1. "Claim your check now! $1.50 is waiting for you" Apparently a legitimate email refunding me for one time the vending machine failed to read my card properly (but had my work ID scanned).

2. "You could be earning an additional $1000 per week– find out before it's too late" Something about our 401k but included a link to some survey that HR required we fill out.

3. "Reminder: Claim your wellness check now" I expected this to contain a link to the health survey we're supposed to complete which gives me a $5/week discount on the health insurance I get through the company. Turns out this was actually related to some other company wellness incentive which gave us gift cards for participating in various events (bike to work month, etc.).

I could probably dig out more but I passed all of those along to the corporate email check to make sure and each was verified as legitimate. I'm sure plenty of other companies have made attempts to increase "social engagement" without realizing the consequences it has for security.

1. Employees and customers are who the company should be serving. It isn't "employees at the cost of customers", or vice versa. If your business can't do both it shouldn't exist. In this case the thought was "It's worth making employees upset because this addresses a real customer concern".

2. Phishing tests are silly. You should just assume someone will get phished. If you want to do trainings, do trainings. Or, better yet, make phishing pointless - at my company anything important is gated by a U2F token, among other things. We are simply 'immune' to most types of phishing - the one major source left being wire transfer fraud, which is fairly easy to avoid.

We only do phishing training for compliance purposes.

3. This is the wrong kind of security. It's "blame the user" security. It's a silly, backwards, outdated, ineffective attitude.

If the goal is "Make sure people report phishing", you can do that without trickery. Just send an email and request that users report it to whoever is responsible - you'll soon find who does or does not know how to do so.

4. (Editing in) Security teams should be aware of how what they're going to do is impacting the company. The impact of this phishing test has had public impact on the company - that's a disaster. A security team is about managing risk, and here they've instead subjected the company to concrete, public scrutiny. This was simply the wrong call.

Having trust in your security team is really important. Security teams need to do outreach, they need to be friendly, and be people who everyone feels good about going to with a problem. Building animosity for the sake of phishing protection is far more dangerous.

> If this was a real phish they'd have leaked real data. Perhaps even your data.

That's the security team's problem, not the victims!

Of course, ideally the IT team has screened out the phishing attempt and secured systems as much as they can.

If they do it perfectly, then your comment applies and nothing else matters.

If, however, the security team cannot be perfect, some amount of bad stuff will land with the users. This seems realistic.

So training people to be security-minded is useful. It's the next line of defense.

How do you train your users? "Just send an email and request that users report it to whoever is responsible" as you mention is one thing. But you can also imagine someone complying with that but then falling for a well crafted phish (that happened to me, as I mention elsewhere in this thread.)

Being confronted with falling for something makes people take the threat more seriously. It takes someone's attitude from "it can't happen to me" to "oh, it did happen to me."

>> at my company anything important is gated by a U2F token, among other things. We are simply 'immune' to most types of phishing

I don't know your business' threats but that seems naïve. Imagine your sales team gets a phish email asking them to list your biggest customers, including contact info and revenue "so that we can send them an appropriate thank you gift for the holidays." If someone replies to this/fills out the form, you have leaked critical information even though nobody has penetrated your system (so your tokens don't help.) Even if this type of thing isn't a problem for your business, you can imagine it is for many.

For me the term that comes to mind is: Security at the cost of quality of life.

Sometimes security is redundant, that is fine. Sometimes it is unessisary, that could be fine as long as it is not harmful. Phishing training should be redundant at worst and unessisary at best. But these types of phishing training definitely has negative effects on the trainees. You are invoking a sense of failure and unessisary stress. Some people will have underlying stress issues, perhaps they are having a bad day, perhaps they are experiencing PTSD, and then seeing they failed a phishing test could be disastrous. Definitely not worth putting your workers at this risk for supposed (and unproven) security.

Perhaps my least favorite phrase in security, used constantly to justify weak, meaningless, or harmful work as "another layer".

U2F is just one layer. It's a real, meaningful layer - it addresses real threats in a non-phishable way. Gating access by device, acls, etc, or locking down sharing permissions, are other real and meaningful layers.

> some amount of bad stuff will land with the users

That's the security team's problem to solve.

> But you can also imagine someone complying with that but then falling for a well crafted phish (that happened to me, as I mention elsewhere in this thread.)

I can just assume that one person will fail the phishing test already, and work from that angle. Way better than assuming I can teach an entire company to be untrickable.

> Is there no data that humans can leak out by entering it in the wrong place?

Wire transfers were one example - there are others, and we have other ways to mitigate those without assuming users should bear the responsibility.

By 'most types' I mean either phishing for credentials or as a delivery mechanism for malware - these would both be extremely difficult to do, or otherwise mitigated by other policies.

> but you can imagine that in many businesses there is.

That's their security team's problem to solve.

Feel free to train users, I have no problem with it. We do it for compliance purposes, but it's also a fun opportunity to engage with people about security, including meaningful security. And you do want people to be able to spot and report phishing, it's just not something you should ever rely on, or compromise for.

I used to work as a life guard and we would conduct training scenario every month at least. And we would never do live training (i.e. training scenario without knowing it is training). There are several reasons, first is safety. You would be putting workers in an unessisary risk. Second is stress, and third is that there is little evidence that we would walk away from the training having learned anything.

So if you believe phishing is a serious threat to your security, that is still no excuse to deliver fake phishing emails to your workers.

I would turn down a position reporting to someone with this combination of attitudes - I'm pretty sure my hands would be tied, only there to take them blame when the inevitable happened.

Yes, some things are the security team's problem - as in, security teams are responsible for managing risk. My expectation is for them to do so.

Again, you can perform phishing tests, but I think they're mostly a waste of time, a terrible substitute for real mitigations, and should never come at the cost of your employee's sanity - a security team must build trust with other teams first and foremost, not burn it because "real attackers are mean too".

> dismiss standard methods and models

My opinions are hardly controversial.

I do agree with this part.

I would argue that live training with a “set up for failure” is non-standard.

A standard training has the trainee knowing they are in a training situation. I have never seen this type of training used for any situation other then phishing training. And before you say “fake firedrill”, no I have never seen those outside of the movies, and I would believe a Simpsons type situation where you are actively putting workers at risk is the reason for that.

I agree you can't expect people to provide full defense, and it doesn't sound like you disagree that helping people act more securely is important.

In my example, there's a difference between whether one sales person leaked their business numbers, or the entire 100 person department did. You train users to minimize the vulnerability even if you can't fully solve it.

If you agree that far - then I am not sure where we're disconnecting on this question.

As in, is the cost of:

1. Losing the trust of your coworkers 2. Causing public reputation damage 3. Potentially harming coworkers emotionally

worth the gain of having a slightly more effective phishing training? I would argue no.

I would also say that it isn't nearly as important as implementing other measures - U2F being a big one that I'd mentioned, but there are plenty of others. It's certainly not where I'd recommend anyone start.

If your assumption is that users will fall for phishing tests then it follows that they will present their U2F token or simply take some action on behalf of the attacker directly.

Here's a good blog on the topic: https://dropbox.tech/security/introducing-webauthn-support-f...

Or 'I'm on vacation and left my laptop, could you just run this command on the prod cluster for me so we can avoid downtime over the holidays?'

U2F tokens are a second factor for authentication, meaning that to log into your account you need your password and the token.

Further, the token takes the domain into account when it's generating the key. That means that you can't just give me a fake Twitter page and then forward the creds/token, it won't be valid.

U2F mitigates this entire class of phishing attack.

Beyond that, we also only allow logins to sensitive services from employee laptops, validated by a TPM, and multiple other controls, but that's not really the point.

> Or 'I'm on vacation and left my laptop, could you just run this command on the prod cluster for me so we can avoid downtime over the holidays?'

Right, so this would work, but it's a huge gap between "Hey run this command for me" and the attacker being able to run arbitrary commands. It's a reasonable thing for your security team to consider and attempt to mitigate in other ways.

Yes. Friendly language is becoming common in corporate emails.

“Also, why does your employer need you to fill out any forms about your location - they know where you are.”

They very often do, because things aren’t wired together within the company - and because many schemes are administered by a third party. Filling out forms with details that ‘the company knows’ is commonplace.

Companies even add ‘Warning: External email’ to subject lines of emails from outside the company, but then fail to whitelist trusted third parties, so employees get used to flagged emails actually being legitimate ... and then getting used to ignoring the warnings.

Will they next send employees emails claiming their loved ones are in danger, because that is something real hackers might do? Would you consider that ethical behavior? It's actually a pretty common scam, at least in my country (normally done to defraud old people, not to steal company secrets, but still).

I'd expect to see a very convincing study that would show that this type of emotional response is crucial for accurately training people to recognize real phishing before I accepted in any way that this was ethical. Absent strong evidence in this regard, this is utterly disgusting.

However this one makes you feel, how would you feel if this was the real phish and you were the one who leaked sensitive customer data because you fell for it?

Note: I'm not against testing your employees for phishing attempts. That is extremely valuable. I'm against using something with an emotional impact as the pretext of the phish, when I believe a more neutral pretext will do just as well.

A separate note is that according to the pictures shown, it seems this is also a particularly bad example, as the email has legitimate headers, showing that it's coming from godaddy.com - so it would only rely on employees distrusting the contents to recognize it as phishing, which is a bad lesson to teach.

It's ok for company to prepare its users for phishing, except for the kind of phishing where the attackers:

(a) devised an emotional hook (b) put in effort to make it look legit.

You can see how that creates a vulnerability, right, because a moderately sophisticated phisher would aim to do (a) and (b) every time.

If instead of christmas bonus, it was death of a loved one, would you still consider it acceptable (both meet your criteria)? Would it be acceptable to test employee susceptibility to extortion by taking compromising photos and then threatening them with it?

In my opinion no. Any sort of experimentation on employees needs to be ethical. If you screw people over in the name of security, you have now become the security risk. Making the security team be the enemy that the employees hate because they have been hurt by them, will lead to very poor outcomes.

It's ok for companies to prepare their employees for phishing, except that (a) they are not allowed to inflict emotional harm on their employees, and (b) the email should include the correct examples of phishing markers.

A good example would be an email coming from a realistic-looking but fake external email; or an email with faked internal-looking headers that are highlighted by the company's email system.

A bad example would be an email coming from the company CEO's real email address, claiming that the employee was promoted, with no warnings from the email system that the headers are faked. That would not teach a useful lesson, and it would inflict some emotional damage on your employees.

Note: the lesson is not useful since, if the attackers have managed to corrupt the email system well enough to send emails from internal addresses without getting flagged, they will most likely have no need to phish for further access.

(edit): And by study I mean show me that fake phishing emails are more effective then traditional training where workers know they are in a training situation.

You don’t train your employees on active shooter drills by having a guy barge in shooting blanks.

Source: was in the army.

The tradeoff here is an idiotic one.

You don't set your own building on fire in order to test fire safety.

You don't destroy company morale to test phishing security.

It's really that simple.

You ain't comparing the same thing. Temporary discomfort is not the same as this boneheaded move that wrecked their morale.

It's trained them not to believe their company when they offer a bonus.

Which might stop the same email from working tomorrow, but not the one saying "This needs to be filled out by Friday!" or "Class action settlement against GoDaddy over fake bonuses"

You put people in unnecessary danger by putting them in an unpredictable situation. That is why training sessions are varied and thoroughly debriefed so that participants can know how what they learned in the current session can be applied at different settings.

Source, anecdotal: I’m a former life guard that had regular drills, and never entered one unknowingly.

Given how the world has been this year and what some employees maybe have gone through the employees that will fall for this particular phishing emails may actually need more support from their employer.

Either way, this isn't a vacuum and we are talking about a test that is unnecessarily cruel.

Edit: just to make this more constructive, there are always alternatives. Instead of relying on emails only employees could be informed to check in via a second channel in all matters relating to money or a company's IP.

If it was just a notification "btw you'll find a little extra something in your check this month" without requiting any weird action from the employee (which btw is how this would look if it was real) then it's a totally different thing.

That is the weakest part of your argument. Companies are notoriously incompetent, yes, even domain registrars or whatever you categorize GoDaddy as.

And what if they used better language? What then? Would you simply move the goal post to another way to victim blame?

I know to avoid a lot of things because of experience, I know a lot of legitimate things act like illegitimate things. And a lot of illegitimate things can masquerade adequately as competent legitimate things.

For example: I know to look at the DKIM and SPF headers in an email, specifically because email clients do not show you when someone is spoofing an email address with the exact same domain name. Not a phishing domain name, the exact same one. This is a real, ongoing UI problem.

And there are other flaws out there too.

- I’m never going to get bonus - regardless of what they promised me

- don’t trust security team: they are cruel and they will probably hurt me and my family in order to get promoted

Sure security team did a great phishing job. Did they improved security? Nope.

1. It’s a good test 2. It’s a bad test

That’s the thing that gets me. Are people (HN readers, other people) generally able to only see one of those points — or do they see both but dismiss one?

In your case, @xyzelement, do you see both? I know you see what’s good about the test, but do you also see why it’s a bad test?

Here it seems an excellent test, but you will probably upset a large part of your employees.

People seem to take sides first, and then try to fully ignore the the positives of the other side, and negatives of preferred side, in a way to convince the other party how wrong they are.

One side: it's a terrible test and is inhumane

Other side: excellent test and people need to grow up.

But of course you will never convince the other party like that.

It sounds like “maturity” and “coddling” etc have a specific meaning in your value system.

If someone else sees the benefit of this test but considers it needlessly harmful/cruel (and disproportionately so for different people) — I wouldn’t guess that “immaturity” is in the top 5 of the reasons why they would think that. So I found that surprising.

Cheers.

Let's assume that phishing is a real threat, and testing like this moves the needle on people's vigilance (as it has for me when I failed something like it last year.) Let's also assume that if this was a real phish, there would be really bad emotional and financial consequences. EG: imagine being the one who fell for a real phish and actually caused a huge data leak that ended up in the news and put your company out of business.

Regardless of how we feel about it, the above threats are real. So we can either chose to be "nice" but increase people's vulnerability to real painful consequences , or we can chose to be "tough" because we realize that in the long run it creates greater actual security for everyone. To me that's "tough love" - harsher short term decisions to help everyone in the long run.

It indeed feels adult and mature to take the tough and unpopular decision that aims to address the real risk, and conversely irresponsible to say "we can't deal with the problem because it'll be unpopular and someone may get upset."

There's maturity on the flip side too. When I failed the phishing test, it was a wakeup call. In retrospect I should have caught it but I wasn't careful enough. So I am grateful the company did it because it taught me a valuable lesson that will keep me safer in the future. If my response was instead "those fuckers tricked me" or whatever, it would have been childish, because it ignores that the risk is real and that it's really I who has the power to do better.

I'm astonished how nobody at GD could predict what emotional harm would such a trick cause. There's a lot of ways to test it without such a cruel method. Even reviews - that you mentioned - would work as well without being cruel.

Second security should not fail on a successful phishing attempt. If a worker opens a phishing email and it compromise your security, you’ve got bigger problems.

Thirdly, don’t discount workers experience of having failed a task. It is extremely unpleasant and stressful. Workers health matters, and to subject us to unessisary stress levels is simply evil. There is no excuse. Find a better way to secure your system.

pff, this happens all the time (although not for bonuses, but for things like branded cloths or surveys). you can't expect HR to automate this kind of stuff every time. it's much easier to just design a google form than to make a script that calls APIs.

If my employer pulls this prank on me, they can either give a formal apology to everyone, give me the actual bonus, or find another developer.

Digital forensics and incident response professional (and risk management expert) Leslie Carhart: This is one of the cruelest and most counterproductive moves I have ever heard of inside our industry... stunningly unethical... objectively negative as it spoils the fragile relationship between infosec and staff for future IR, reporting, and policy adherence. https://twitter.com/hacks4pancakes/status/134218618971823718...

CEO of social engineering training company SocialProof Security, Rachel Tobac: They have to trust you as a helper so you can support and keep them safe... if it’s a pretext that makes them feel you and your team are insensitive or rude. They’ll just remember they distrust you personally more — when you need their trust! https://twitter.com/RachelTobac/status/1342194628024406016

I disagree in making this broad of a claim -- insider threats are certainly an issue. And as a sibling commenter points out, email headers are easily spoofed.

I'm not condoning GoDaddy's pentest (agreed with everyone else who sees this as a cruel prank), but also, um, why would you click a link if your company is telling you they're going to pay you a bonus? Wouldn't that just go through payroll as with everything else?

edit: it looks like the phishing email provided the bonus as an opt-in? yeah, that ought to raise red flags that it's not just being applied across the board, but still, it's been a tough year, so people might not think as hard about it.

Not if they've properly deployed DKIM and SPF - which, if they have a phishing problem, should have been among their top priorities.

I don't know what the security situation is like at Godaddy, but I'm sure there's some amount of investment needed to roll that out broadly without accidentally breaking existing employee workflows.

And my point still stands re: insider attack. At least at Google, anyone could ostensibly register HappyHolidays@google.com (or some variation if it's already taken) as an alias or a mailing list, which removes the need for spoofing.

But a cash bonus? That's the epitome of something that 1) should go through payroll and 2) should just get direct-deposited into your bank account as is the case with your regular paycheck. There's no reason why you'd need to provide any additional info.

https://imgur.com/a/eqrijWx

https://imgur.com/a/anfsAsa

I can't access wfaa.com ("Access denied" errors even on /), perhaps they are blocking European traffic?

I wouldn't attach any value to the address even with SPF and DCIM, which are often mis-configured.

https://imgur.com/a/eqrijWx

source: https://www.wfaa.com/article/news/godaddyunderfireforfakebon...

I sent a note to the security incident report address for the bank, telling them they're training their users to click on phishing emails. They sent back some noncommittal answer.

Once in a while you'll see a follow up email from the sender saying that they are aware of many people reporting the email as a phishing attempt and that reporting the email was wrong and that link to that particular website is a company approved tool and that employees are required to complete the survey at the link for some department or center's benefit.

This wouldn't be a problem if we had internal websites with standard tools like a survey builder and such, but getting our IT contractor in my org to do the basic functions of their jobs takes a herculean effort, getting them to support a basic internal tool would be a multi-year campaign. I can appreciate how much easier (and cheaper) it can be to use external tools and train users to disobey IT and security recommendations about phishing.

The problem with bureaucracies and hackers is that both will take the path of least resistance, and the hard problem of IT security in large orgs is how to separate the two into distinct categories.

That's exactly what a spearphisher would say. Still not clicking a link. Of course, I would rarely read the company email anyway.

I've seen some wonky stuff being put out by them and they are oblivious. As their work often crosses the line into actual web-dev stuff that has security implications. ie, landing pages and emails. And not 2FAing the countless marketing tools they use nor letting the more experienced devs know what they are up to.

My company used to mandate all emails are signed with AD-registered certificates to lend credibility, but they've moved away from that. (I think the reasoning was that webmail clients don't have robust support for S/MIME certs, but I'm not sure.)

If I paste a URL urlscan.io and have a look at it, I can assess better whether it might be safe. Being told "url got hit, you compromised us" is really silly in my view.

Of course "click to fail" is silly. And, in some experimentations I did in the past, it's usually easy, in a large organization, to forge a 100% legit url (like somefileserver.organization.com/some_url_that_can_be_easily_edited_by_anonymous_users) and a 100% legit sender (because of some open relay that passes DKIM and/or SPF). So you just need an access to a minimal-security internal network (easily obtainable through spearphishing or malicious employees) to perform a good phish.

The obvious attack vector is to insert some JS in the webpage that performs a redirection to an external server holding malicious data. But the user would fail IFF they entered the data there, not just by clicking.

Feel free to provide me with a link that will "send stuff to an attacker" with only me clicking it and no other action.

Edit: I guess the argument is any page could contain an RCE.

I'm not sure whether there are policy recommendations about phishing, but as far as I'm concerned a target would have failed if they entered private data somewhere, or opened downloaded documents or executables.

THEN, without any clue about the irony, they'd send us "important" emails with something to click in them... employee surveys, links to benefits information, etc.

This must have been pointed out by other people than me, because once one of the emails had a line like, "AND YOU CAN CLICK ON THIS LINK, IT'S AUTHORIZED."

I don't miss working there (though I do miss a lot of the people).

Not sure how you inform people about benefits without giving a link, if the intranet isn’t easy to navigate, short of including everything in the email all the time. So how should it be done anyway?

That makes it actionable - if something looks nasty I can detect every recipient and have it deleted from their inbox. I can report block malicious URLs on the firewall and report them to Google Safebrowse, and so on.

They're not particularly convincing fakes either: "please update your password sent from @ourc0mpany.com" or "Dear Customer, your Worldwide Freight package has shipped" type things.

I had a package shipped from the US to the UK by my company's shipping provider a few months ago due to covid. I honest-to-god thought I was being phished. The email had one of those titles, a typo in the body, no tracking number, was sent from a third party domain. the template email told me to click a link to an external third party via a url shortner, and when you got there you had to enter your "email address and password" which turns out is actuallu my work SSO login and it checks via ldap. Insanity!

I also wonder if those gains transfer to real emails, or did the workers simply learn to recognize these particular fake phishing attempts.

In all seriousness how is a laymen supposed to know it's phishing? I assume Broadcom has specific places/processes to organize parties that people should know about?

This kind of email is especially clever as it plays on FOMO which so many people seem to have.

IANAL, but I could imagine a court interpreting this as a promise for compensation.

This is covered in first-year contract law.

That said, an employee might be able to recover from injuries on the basis of promissory estoppel if they relied on the promise of a bonus to their detriment.

Moreover, as labor-related/compensation, they are generally subject to administrative regulations that trump general rules of contract law.

They cover that your second or third year of law school, if you take employment law or administrative law.

would it change the legal perspective? I could totally see myself seeing such an email and making decisions based on the premise that I had additional income coming. I think I've read advice in the past that if a "reasonable person" would believe it, then it counts as an informal contract or something.

Obviously we could come up with details that make it sound completely ridiculous, or totally normal. If someone calls me and says they’ll share the bounty/award money for helping them fix a problem, that sounds normal. If a janitor offers to pay me money to throw away proprietary info without shredding it, that sounds suspicious.

But the point here is that an internal email about having to put in info for your bonus isn’t necessarily suspicious. I have my regular pay and my travel reimbursement deposited into two different accounts right now, so I wouldn’t bat an eye at needing to provide account info for a bonus.

a) Being gifted a TV by a friend

b) Someone telling you they'll help you steal a TV from your friend's house

To be the same thing? Because one involves a perfectly reasonable and legal promise, and one does not. If you can't tell the difference, remind me not to invite you over.

Yes, it's true that an undelivered gift is not a contract...but you seem to have forgotten (or possibly never learned) about promissory estoppel. If the giftee was told of the gift and reasonably acted upon the expectation of the gift, then the gifter could very well be obligated to actually deliver the gift. This is covered in first-year contract law. There are indeed a great number of cases on this point in which the gifter was required to provide the gift.

Also, generally employee bonuses are considered compensation for labor, not gifts. Labor laws trump contract laws. If a company tells an employee that they are getting extra compensation through an official means of communication (like an internal email), they may very well be bound to that, even if it turns out the email was just a phishing test sent by the IT department. You do not fuck with the Labor Board.

Whether or not a promise of a gift is a legally binding contract, there's a vast difference between a promise of a gift and a promise of a bribe.

If a company had a pen tester send what appears to be a perfectly legitimate message to employees offering them a company bonus for responding (during a worldwide pandemic where everyone is short on money), and then says it was a pen test and they've failed, that company is awful and heartless. There might not be a legal case against them, but the company is still deserving of public scorn and outrage.

If I put myself on the other side, I'd stop producing gross sexist ads, stop supporting overreaching internet legislation, and stop treating my employees like garbage.

A phishing email can come from the inside. But seeing whether employees will respond to a valid internal email is not a test of employee security. And in this case, it was as heartless as it was useless.

We HAVE to as an industry disavow & replace this behavior with techniques to build trust between the security team and the rest of the employees.

The people, not the technology are the real eyes and ears on the ground. They are a massively beneficial resource for a security team of any size. Why would you squander that relationship with cheap trickery and deceit?

A well made highly targeted phishing test gives you an indication of how good at make phishing emails you are.

The Board of Directors and Principal Shareholders shall meet shortly before the stroke of midnight on December 31st, 2020 to determine the fate of any other employees and to henceforth distribute The Employee Handbook, 2021 Edition.

Site seems down.

the simple matter is people click on stuff and while some attempts might be distasteful if not rude there does not seem to a good way to stop people from doing dumb things.

short of banning all non internal mail and not allowing access to the internet except approved sites on corporate computers; then not allowing access from non corporate computers.

all of our mail that comes from external sources is clearly marked yet people still click on enticing links. it is to the point it goes on your review if you fail too many phishing attempts and can requiring training and eventual termination

I have spoken with employees and supervisors at GoDaddy when reporting malware and ad fraud and they are the absolute worst.

I see that the latest SolarWinds hack used GoDaddy for their initial CnC as well.

The worst.

When they click on the (fake) phishing link, bring up a page that tells that them that it is a test and add some gentle instructions so they can avoid it next time.

What I do to confirm a non-obvious phishing email, is look at the real "From" address. The other day I got an email from "Accουnt-alert@amazon.com"

Looking at the actual email address revealed that it was from "remimbersrs-qwrdvcxwet-exp-2020-3111538818484262@legger-3.com"

Where/Why they failed is because times are tough and if all you had to do is fill out a form for 650$ would you really not do it?

It's not awareness it's people are effed and struggling

IIUC, a traditional phishing test involves:

(a) Prior training for what employees are supposed to look for, and how to respond if they think they're being phished.

(b) Unannounced drills to confirm that employees act in accordance to (a).

If some GoDaddy employees did not act in accordance to the training, how is that anything but a failed test?

[EDIT] I just realized that "how is that anything but a failed test" could sound reductive. FWIW, I would call this a test failure and also a really unwise test design.

Think about why we care about phishing: it’s mostly about people giving credentials to an attacker. Drop $20/person on some FIDO tokens and the risk factor drops considerably. Repeat for the risk of malware - if someone in accounting can run arbitrary software, they aren’t the root cause.

And it sounds like these employees were trained on this.

The thing I don’t like is the XMas bonus aspect. But the general idea doesn’t seem unreasonable.

I would certainly agree that the exercise could have some value but I think it would be wise to weigh that against the costs and especially to think about how you can make it supportive rather than punitive. In particular, most people are not only not given good tools for making untrained security decisions and many of them will be told to violate that advice regularly. For example, what percentage of vendors, outsourced HR, etc. will tell people to open unexpected attachments or click on links which are difficult to distinguish from phishing? SolarWinds was far from the only company training their customers to ignore security errors on installers, too.

This.

I've worked at careless companies who don't deal with their security very well.

I now work at a large health care company who takes security incredibly serious. All the USB ports are disabled. Nobody has admin rights on their laptops. You can't install any software unless you download and install from their internal app store which only allows apps that have passed a rigorous gambit of testing beforehand. And you have to put in a request for the software in the first place. It took me three months to get Photoshop approved because I was designated as a developer and not a web designer. It went through three escalations and took several debates between senior managers who finally approved my request.

We don't have "phishing tests". If something pops up on the security team's radar, then they push it out as an email alert company wide. That's about it. Maybe if GoDaddy put as much effort into securing their network as they do putting together these stupid tests, they probably wouldn't need them to prove that yes, humans are fallible.

And what was the cost to the company in having those debates between senior managers? Just to get a standard tool that they already approved onto a developer machine? Can you imagine the overhead that they are causing themselves?

Regardless of whether the employees actually need a bonus. Dangling the idea of a bonus as a test, shortly before the holidays and during a pandemic seems like a recipe for bad publicity or at least some frustrated employees.

Yes, the pentest surfaced security issues. It also underscored that GoDaddy isn't giving bonuses.

I think it was great security, but tonedeaf.

Greed

Lust

Fear

this is true, but people are also much more likely to skip the rational analysis step if the contents elicit an emotional response. it's hard do to an effective test without some sort of emotional and/or time sensitive call to action.

I certainly agree it is cruel to tease employees with a fake bonus. but if they turned around and actually paid a holiday bonus in the same amount, I would say no harm was done ultimately.