GoDaddy Phishes Staff with Holiday Bonus Email

Philip Bader | Cybersecurity, Vulnerabilities

Some might say it was a case of poor timing. Others might call it a lesson in tough love despite the seeming cruelty. But one thing is clear: the near-ubiquitous warnings about the dangers of email “phishing” scams don’t always sink in.

Such was the case this month when the Arizona-based internet domain company GoDaddy reached out to its employees in a holiday email. As reported by local media, hundreds of company employees received an email on December 14 that thanked them for a record year.

“Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!” the email stated. It then asked employees to provide personal details in order to receive the bonus.

Phishing Remains a Significant Cyber Threat

Employees who responded to the email received a follow-up message two days later. The second email informed them that they “failed our recent phishing test” and that they would be required to retake the company’s “Security Awareness Social Engineering training.” About 500 employees failed the test, the email added.

Phishing tests are a common way for IT administrators to test employee knowledge about one of the most common forms of cybercrime. Spear-phishing in particular poses a significant threat because attackers use fraudulent emails from seemingly legitimate sources to gather personal information.

A Symantec internet security report from 2019 found that 65 percent of all known cybercrime groups that carry out targeted attacks used spear-phishing emails. The report further noted that human intelligence, in which end users report suspicious email activity, is still the best defense against phishing attacks.

A Timely but Tone-Deaf Lesson in Cybersecurity

In late 2019, GoDaddy suffered a data breach that was later found to have compromised about 28,000 user accounts. Earlier, in April 2019, scammers used hundreds of compromised company sites to hawk “miracle” products. They also used 15,000 compromised domains to redirect visitors to spam pages.

The company’s holiday phishing expedition sought to address an important security threat. But using the false promise of a cash bonus at a time of unprecedented financial insecurity brought on by the COVID-19 pandemic didn’t sit well with employees, so much so that the company issued an apology on Christmas Eve. “While the test mimicked real attempts in play today, we need to do a better job and be more sensitive to our employees,” the statement said.

GoDaddy isn’t the only company to fail on the messaging front. In September, Tribune Publishing also faced harsh criticism from staff members after it sent out similar phishing emails touting executive bonuses of up to $10,000. The campaign coincided with steep employee pay cuts and buyouts.

Strengthening End-User Security

Employees are an organization’s front line of defense against cyberattacks. The better educated end users are about the type and sophistication of these kinds of threats, the better able organizations are to defend against them. Recent statistics on phishing campaigns in 2020 suggest that one successful attack can cost an organization as much as $1.6 million, and that a high percentage of end users still have trouble identifying phishing emails.

SecureData prides itself on providing innovative solutions for secure data storage and data recovery services. Our award-winning SecureDrive® external storage devices offer unparalleled data security, while our Remote Management License gives you total control over who accesses data, when they access it, and where.

When data loss does strike, our certified experts at Secure Data Recovery Services have the expertise and the tools to resolve even the most complex data loss scenarios. SecureData understands that organizations face unprecedented cybersecurity threats.

Phishing attacks are only one of many potential threat vectors. We offer our customers total security solutions for maximum flexibility and protection. Call us at 1-800-520-1677 to find out more about how we can help keep you better protected against cyberattacks.