Lessons Learned from GoDaddy’s Email Phishing Simulation Debacle
Written By: Omer Taran, Co-founder & CTO, CybeReady
CISOs and security teams know that running phishing simulations is a tricky business. As security professionals who deal with employee training, one thing we can do to avoid taking the wrong turn is learn from each other’s mistakes. Above anything else, we should remember that there are people behind our security training goals - employees who learn, process and implement the training content in different ways than we may have initially intended.
Let’s look at the recent phishing test that made headlines: GoDaddy sent an email to its employees with an announcement of a $650 annual bonus, revealing two days later that it was in fact just a test and the only “bonus” awaiting those who tried to claim it was additional security training.
“It was just another phishing test” - or was it?
“The award for most evil company email” and “The cruelest prank you can play on employees” are just some of the headlines that have popped up over the past few days, condemning the phishing simulation GoDaddy sent to its employees.
So, what went wrong here? Phishing simulation emails are routine in most companies as part of employee security training efforts. Why was this simulation met with such heated criticism? Was it the email content that was flawed? The timing of its sending? Or the nature and timing of the feedback that was provided to those who failed?
In this article, I analyze the key elements of GoDaddy's phishing test - based on the facts mentioned in the Copper Courier - and what we should learn from them.
Key takeaways from the GoDaddy phishing simulation email
There are three important factors to consider when analysing this phishing simulation. It’s important to say that none of these is unique to GoDaddy; we’ve seen these practices used by multiple companies and training vendors:
1. The email domain - all too authentic
From the available email screenshot, the simulation was sent from a godaddy.com domain. CybeReady gets this request often - can we send out phishing simulations from the ‘real’ company domain? Technically it is possible, but not at all recommended, and here’s why:
- Hackers can spoof domains, but there are good tools in place to detect this. One could, of course, expect employees to dig into email headers and inspect the sending server IP or the SPF results, but that is asking too much of them. Employees expect, and rightfully so, that if an email is issued from a corporate-owned domain, it has gone through some security validation. Detecting compromised corporate email accounts is a task for security teams, not end users. If hackers are able to send an email from an internal domain, get past the mail relay/gateway and land in employees’ inboxes, there is a security risk at hand - but one which employees shouldn’t be expected to detect or resolve.
- The use of internal domains for phishing tests also sends a message that every email can be a phishing email. While this may be technically true, it is also something that can lead to employees becoming wary of each other. This is where security training can change from being effective and meaningful (a ‘business enabler’) to potentially harmful (a ‘business disabler’). One of the goals of security testing is to allow ordinary employees to detect and deflect reasonable threats. Not every threat should be laid on the shoulders of employees.
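To make the first point concrete, here is an added example (not from the original article or from CybeReady) of the kind of check a mail gateway performs on a message that claims the corporate sender domain: it reads the Authentication-Results header written by the receiving server and quarantines anything from the internal domain that did not pass DMARC. The corporate domain and the two sample messages are constructed placeholders, not GoDaddy's real mail setup.

```python
import email
import email.utils
import re
from email import policy

# Placeholder corporate domain for the example; not GoDaddy's real configuration.
CORPORATE_DOMAIN = "corp.example"

def parse_auth_results(header_value):
    """Map method -> result from an Authentication-Results header (RFC 8601 style)."""
    results = {}
    # The first ';'-separated field is the authserv-id; the rest are method=result clauses.
    for clause in header_value.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*(\w+)", clause, re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def gateway_verdict(raw_message):
    """Decide what the gateway should do with a message that claims a corporate sender."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != CORPORATE_DOMAIN:
        return "external"      # ordinary external mail: other controls apply
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if auth.get("dmarc") == "pass":
        return "deliver"       # authenticated as genuinely ours
    # Claims our domain but did not authenticate: this is the gateway's call,
    # never the employee's. A simulation sent "from" the real domain lands here
    # too, so delivering it means exempting the vendor from this check.
    return "quarantine"

# Constructed sample messages (not real headers from the GoDaddy incident).
LEGIT = """From: HR <hr@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example;
 dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
Subject: Benefits enrollment reminder

Body.
"""

SPOOFED = """From: HR <hr@corp.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp.example;
 dkim=none; dmarc=fail header.from=corp.example
Subject: Your one-time holiday bonus

Body.
"""
```

A message with no Authentication-Results header at all is treated the same way as a failed one, since an unauthenticated claim on the corporate domain is exactly what the check exists to stop.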
2. The email content - context is key
The content in GoDaddy’s email became the main focus of most critics of this fiasco. It promised a $650 bonus and the general message was “Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!”
The phishing simulation contained a timeline - “To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.” and an implied threat towards the potential loss - “any submittals after the cut-off will not be accepted and you will not receive the one-time bonus.”
Generally speaking, the content itself is quite good from a training perspective. It’s phrased as a ‘real’ phishing email, it has a good lure, and it is well written. However, looking at the content alone doesn’t provide the full picture on whether this content should have been used or not. While the ultimate goal of any security training is to teach employees, some common sense should always be used in the content-selection process, which will result in less negative backlash.
Whenever sending out phishing simulations, it is important to understand who our employees are, whether the company has recently undergone layoffs, what the internal culture of the organization is, and so on. Content is never neutral; it is always interpreted by employees based on multiple factors, and security teams should weigh these factors whenever advocating phishing tests.
3. The training feedback - two days too long
This brings us to the most critical factor of an effective (and fair) training program: the proximity of the training feedback to the test results. The major issue with the GoDaddy phishing test is that the feedback, along with the ‘real training’, arrived two days after the simulation was sent. For us security folks this might seem like a reasonable time span, but for employees it was far too long.
Let’s look at this from the perspective of an employee falling for the lure: they came home to their spouse, their kids, or their mom and dad, and shared that they had received a $650 bonus from their workplace! Almost anyone can find a good use for an extra $650 - it's a pretty exciting and joyful way to end what’s been a challenging year for most people.
So, these employees are now deeply involved and emotionally attached to the “bonus” and go back home feeling very different about themselves and their holiday. They may have even stopped on the way home to buy themselves or their loved ones a little something, counting on that promised bonus! All of this to come back to the office a couple of days later and discover the real situation, which surely caused them much embarrassment and frustration.
And here lies the biggest issue with this specific phishing test - had the response about failing the simulation been immediate (what the industry refers to as “Just-In-Time-Training”), the overall response would have been very different.
“JIT Training”, in the context of phishing simulation, typically means a landing page that is shown immediately when an employee opens or clicks on the test email. It informs them right away that they fell for a phishing simulation (and not a genuine attack) and, ideally, also shows them exactly what they failed to notice, along with best practices to avoid falling for phishing emails in the future. In this preferred scenario, the “failure” remains only between the employee and the email, and the feedback is quick and effective - typically yielding engagement and a steep learning curve.
If there’s a lesson here to all of us Infosec leaders and awareness trainers, it’s really this one: whatever you choose to do in your training program, provide immediate feedback to employees. It moves the needle in terms of learning effectiveness, improves employee performance and develops a more positive security culture - one that employees choose to participate in, as opposed to creating resentment, negative press and an overall training disaster.
About the Author
Omer Taran has more than 20 years’ experience in the information security industry. As Co-founder, he serves as CybeReady’s technologist-in-residence and his vision drives the company’s product roadmap. Omer has held vital roles in different organizations, including CyberArk (CYBR) and Ness (NESS), and led the development of the employee training program at Israel’s National Information Security Agency (NISA).