
I was thinking the same thing. You shouldn’t fail by clicking a link sent by an internal email address. If the link took you to an external site and you entered your GoDaddy credentials or provided personal information, that might be a different story.



> You shouldn’t fail by clicking a link sent by an internal email address.

I disagree with making this broad a claim -- insider threats are certainly an issue. And as a sibling commenter points out, email headers are easily spoofed.

I'm not condoning GoDaddy's pentest (agreed with everyone else who sees this as a cruel prank), but also, um, why would you click a link if your company is telling you they're going to pay you a bonus? Wouldn't that just go through payroll as with everything else?

edit: it looks like the phishing email provided the bonus as an opt-in? yeah, that ought to raise red flags that it's not just being applied across the board, but still, it's been a tough year, so people might not think as hard about it.


> email headers are easily spoofed.

Not if they've properly deployed DKIM and SPF - which, if they have a phishing problem, should have been among their top priorities.
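The two sides of the SPF/DKIM point above (is the domain's record actually enforcing, and did a given message that claims an internal From: really pass an aligned check) can be scripted. The block below is an added example, not code from the thread or from GoDaddy; the DNS TXT records and the two raw messages are constructed inline, the domain `example.com` is assumed, and it uses only the Python standard library (it does no DNS lookups, so feed it records pulled with `dig TXT example.com` and `dig TXT _dmarc.example.com`).

```python
"""Posture and per-message checks for SPF/DKIM/DMARC (standalone example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# --- 1. Posture: is the published record actually enforcing? -----------------

def spf_strength(record: str) -> str:
    """Classify an SPF TXT record by its terminal 'all' qualifier.

    Only '-all' tells receivers to reject unauthorised senders; '~all' is
    advisory, and '?all', '+all' or no 'all' at all are effectively unenforced.
    """
    if not record.lower().startswith("v=spf1"):
        return "missing"
    terms = record.split()
    tail = terms[-1].lower() if len(terms) > 1 else ""
    if tail == "-all":
        return "hardfail"
    if tail == "~all":
        return "softfail"
    if tail.startswith("redirect="):
        return "redirect"
    return "unenforced"

def dmarc_policy(record: str) -> dict:
    """Parse a DMARC TXT record into tags; alignment defaults to relaxed."""
    if not record.lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def posture_findings(spf_record: str, dmarc_record: str) -> list:
    """Weaknesses a phishing-focused assessment would report for a domain."""
    findings = []
    strength = spf_strength(spf_record)
    if strength != "hardfail":
        findings.append(f"SPF terminal qualifier is {strength!r}; expected '-all'")
    policy = dmarc_policy(dmarc_record)
    if not policy:
        findings.append("no DMARC record: SPF/DKIM results are never enforced on From:")
    elif policy.get("p", "none").lower() == "none":
        findings.append("DMARC p=none: monitoring only, spoofed From: is still delivered")
    elif policy.get("p").lower() == "quarantine":
        findings.append("DMARC p=quarantine: spoofs land in spam rather than being rejected")
    return findings

# --- 2. Per message: did the internal-looking From: pass an aligned check? ---

def parse_authres(value: str) -> dict:
    """Parse an Authentication-Results header into {method: {result, props}}."""
    results = {}
    for clause in value.split(";")[1:]:            # [0] is the authserv-id
        clause = re.sub(r"\([^)]*\)", "", clause)  # drop "(sender IP is ...)" comments
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return results

def _domain(value: str) -> str:
    return value.rpartition("@")[2].lower()

def is_authentic_internal(raw_message: str, internal_domain: str) -> tuple:
    """True only if the From: domain is ours AND passed DKIM or SPF aligned to it."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    if from_dom != internal_domain.lower():
        return False, f"From: domain {from_dom!r} is not {internal_domain!r}"
    ar = parse_authres(msg.get("Authentication-Results", ""))
    dkim, spf = ar.get("dkim", {}), ar.get("spf", {})
    if dkim.get("result") == "pass" and _domain(dkim.get("header.d", "")) == from_dom:
        return True, "DKIM pass with d= aligned to From:"
    if spf.get("result") == "pass" and _domain(spf.get("smtp.mailfrom", "")) == from_dom:
        return True, "SPF pass with envelope sender aligned to From:"
    return False, "no aligned SPF or DKIM pass: treat the From: as unverified"

# Constructed sample inputs (not real records or real mail).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
GOOD_SPF = "v=spf1 include:_spf.example.net -all"
GOOD_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s"

SPOOFED_MSG = """\
Authentication-Results: mx.example.com; spf=fail (203.0.113.5 is not permitted) smtp.mailfrom=bonus-team.invalid; dkim=none; dmarc=fail action=none header.from=example.com
From: "Happy Holidays" <HappyHolidays@example.com>
To: staff@example.com
Subject: Opt in to your holiday bonus

Click here to claim your bonus.
"""

LEGIT_MSG = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=payroll@example.com; dkim=pass header.d=example.com header.s=sel2020; dmarc=pass header.from=example.com
From: "Payroll" <payroll@example.com>
To: staff@example.com
Subject: Year-end statement

Your statement is available in the payroll portal.
"""

if __name__ == "__main__":
    print(posture_findings(WEAK_SPF, WEAK_DMARC))
    print(is_authentic_internal(SPOOFED_MSG, "example.com"))
    print(is_authentic_internal(LEGIT_MSG, "example.com"))
```

Two caveats that matter in practice: the Authentication-Results header is only meaningful when it was written by your own receiving MTA, which must strip any such header arriving from outside (otherwise an attacker just adds a `dkim=pass` line themselves), and a message that passes every check can still be the insider or mailing-list case raised elsewhere in this thread, since authentication proves the sending domain, not the sender's intent.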


should have been != was

I don't know what the security situation is like at Godaddy, but I'm sure there's some amount of investment needed to roll that out broadly without accidentally breaking existing employee workflows.

And my point still stands re: insider attack. At least at Google, anyone could ostensibly register HappyHolidays@google.com (or some variation if it's already taken) as an alias or a mailing list, which removes the need for spoofing.


Entering personal info might also be understandable. My employer gives a Christmas gift. This year they asked us to update a form with our temporary address if we were in a different location.


Absolutely, in the context of a physical item being shipped to you (especially if they can't just distribute it at the office), if it's not through payroll. (e.g. we had site-specific fun events in lieu of the annual holiday party)

But a cash bonus? That's the epitome of something that 1) should go through payroll and 2) should just get direct-deposited into your bank account as is the case with your regular paycheck. There's no reason why you'd need to provide any additional info.




