KABOOM!
I know there have been companies that treated their employees worse, but still, this story is truly horrible.
Internet service and website company GoDaddy apologized to its employees for not having a Christmas party this year—pandemic you know—but announced with a cheery card that the company would make it up with a holiday bonus instead.
Who wouldn’t prefer a bonus to a party? All they had to do, they were told by the email from HappyHoliday@GoDaddy.com,
…was to click on a a link asking them them to verify their identity by entering their company login credentials. About 500 eager employees signed up.
A few days later, they received another email from the company informing them that they had flunked a company phishing test. The bonus offer was fake, and because they had fallen for it, they would have to attend a remedial class on Internet security.
If fact, GoDaddy didn’t give out any bonuses this year.
What’s wrong with GoDaddy’s conduct?
How about…everything?
This is signature significance for a corrupt and Machiavellian organization. I am filing this under Ethics Dunce, Worst Employers Of The Decade, and Maybe Marx Was Right After All.
Let’s see…
1. The company lied to its employees.
2. It promised them money, during the time of year when money is especially tight and concen over finances cause a lot of stress.
3. It used a fake apology for the absence of a holiday party to bait the scam, meaning that the apology was a lie as well.
4. It exploited the Christmas holidays, not to embrace the spirit of Christmas, but to use it to suck in those who trusted their superiors and their good will.
5. It then punished the employees who believed the company’s communication.
6. Management demonstrated an ethics vacuum, showing no concern for human beings (a Golden Rule breach,) using people as a means to an end, and showing that the company’s management believes the ends justify the means.
7. GoDaddy, in short, proved itself completely untrustworthy with dead ethics alarms, so untrustworthy, in my view, that the SEC should investigate its operations with special zeal. A company the would treat its own employees like lab rats is capable of anything.
8. After the company’s employees expressed their anger at the stunt, GoDaddy apologized. That’s a perfect example of an apology that must not be accepted unless it is accompanied by reparations. I’d say twice the promised bonus might do it. Otherwise, employees should assume the company is just sucking them in to harm them later.
If I worked for a company that did this to me, or was an executive who learned that the company pulled such a despicable cheat on some of its employees, I would quit. I would quit even if the company relented and paid a bonus. Continuing to work for an abusive, untrustworthy company is the equivalent of a spouse who was beaten up by his or her partner continuing in the relationship. If one stays after that kind of treatment, he or she surrenders dignity, self-respect, autonomy and safety.
____________________________________
Pointer: Rick McNair
Ethics Alarms 
I saw a problem the minute the header of the email used the singular Happy Holiday.
Yes, there are companies with employees that cannot spell, but it jumped out at me as being either blatantly incompetent or a test.
And, yes, it was a terrible thing to do to the employees.
I think on the balance GoDaddy here is very unethical. But I’ll play the nuance game here and decide that had a few things been different this wouldn’t have been as bad (rationalizations aside).
1) Did the actual email address after you hover over the “sender’s card” reveal an actual internal company address or an external address? I’ve received dozens of phishing scams but not a single one of them have been able to fake an internal email address. They can fake the identity label on top, but when you hover over it, it always reveals a fraudulent address.
If they sent it from an internal address then definitely an ethics cheat here. If they sent it from an external address, then that does fall under the category of “drill”.
2) The great reveal at the end of “it was us you dummies!” should not have happened. The company should have reserved the results for an internal analysis of how ready their work force is to scrutinize questionable emails and never revealed directly that it was a test.
Rather early on revealed that a phishing scam has been discovered and mediated.
Though smart employees would know that you don’t really resolve that kind of breach easily.
3) There should never have been a massive group humiliation and remedial training. If it turns out a huge swathe of employees fell for it, that’s the fault of the company’s lack of preparing its work force…management should take the blame for that and prepare better internal education that doesn’t hint at which employees goofed.
If it turns out a small segment of employees fell for it, then management can quietly focus on whether or not any particular employee is not being as attentive as they ought to be. And again that must be a private discussion, not a public humiliation event.
4) The “sorry for no party here’s a bonus” is the kicker. Most phishing scams don’t really know the internal goings-on of a company and it would be vanishingly unlikely that they’d know whether or not a company had a Christmas party or not.
The “test run” should have involved a different “bait”.
That being said…ALL those 4 aspects of the internal test would have to change before we could decide if such a test is actually ethical or not. If even one of those factors doesn’t change, then the ethical analysis stands – this was a dirty rotten technique.
(and any time a company runs a drill of any sort – generally heads ups are given. “Expect a fire drill in the next month” or “expect an inspection in the next two months” etc. Snap surprise drills are, while seemingly useful, are great ways to demoralize and unduly stress a work force)
“4) The “sorry for no party here’s a bonus” is the kicker. Most phishing scams don’t really know the internal goings-on of a company and it would be vanishingly unlikely that they’d know whether or not a company had a Christmas party or not.
The “test run” should have involved a different “bait”.
This was my thinking, too, Mike. Phishing emails are generally generic “IT is running an update; your account will be locked if you don’t (click on the link, provide your credentials”, etc). The likelihood of scammers knowing the party had been canceled was slim and served to add credibility to the message.
Agreed.
Several phishing attempts directed to us fall under the guise of being our vendors claiming our accounts are coming up on renewal or that we’ve missed the annual renewal deadline and need to do it.
Given that we don’t have to renew our accounts annually, those are easy not to fall for. Though some vendors that we haven’t used in a while will perk my concern and I have to be on alert. Though we only renew accounts physically…by fax or in person…never by email.
I work for a company that does have vendors with annual renewals, and these phishing test emails have caused me not to open any email that doesn’t come from someone I directly work with. Any legitimate information requests, or information updates get deleted immediately without my even opening them. Management then wants to know why people don’t read their emails.
1) It almost certainly came from an outside email. These tests are routine (and obnoxious), and always have an external address. Unfortunately, these are also usually plausible addresses, and it would not be unreasonable for an outside vendor to be distributing the bonuses. (I have “fallen” for these things repeatedly, because I scour the email, and correctly conclude they are safe, only to go through the dreadful “retraning” anyways).
2) They had to do an “It was us!” reveal, otherwise, people would be asking for their bonuses.
3) These kind of tests have to reveal that it was a test, or at least reveal that a test recently occurred, but they virtually never reveal who failed except in broad generalities. Usually it is an email directly to those who failed, informing them thusly that they must take the remedial course.
4) The test designers do try to use hot topics as a way of building urgency. Usually the test is something vague enough to plausibly apply to a particular company. The deadline to register for your bonus is perhaps the only indication this email is suspect, along with the strange “Happy Holiday GoDaddy!”. The deadline tries to induce panic, bypassing your skepticism. Of course, in this case, the bait is just excessively mean. The bait here “no party, here’s a bonus” is sui generis awfulness.
2) It’s why I caveated the only plausible way out is for the company to internally reveal that a phishing attempt was discovered, that it was a fraudulent claim, and that it was addressed.
But that’s where it’s extra devious and dishonest, because the fooled employees are still let down by the lack of a bonus AND they’re kept in the dark that their own company was lying to them for the double whammy.
My employer is especially bad about things like this. I get e-mails all the time telling me not to open some obvious phishing e-mail. However, there is almost certainly an e-mail under it requiring me to click on a link and login to answer some question or fill something out. What makes this worse is that our system is set up to recognize external v internal e-mail addresses (to help identify spam and phishing) and it labels all e-mails from our administrators as from external e-mail addresses.
But, wait, there was no phishing. The people who clicked on the link were correct. They were responding to a company-sanctioned communication. They should get the bonus they were promised.
-Jut
That’s right. Fake phishing isn’t phishing.
But was it really phishing? What if the company sent out the e-mail by mistake. What if they were planning on having Christmas bonuses, set up the system to do it, and then decided against it. The e-mail was sent out anyway and they contrived the whole ‘phishing’ scheme to get them out of it?
Perhaps I have seen too many stupid managerial schemes in my life.
Given their advertising history, I can’t work up any surprise that they would titillate their employees in a sleazy way that ended up leaving them empty and unfulfilled.
Correctamundo, Isaac. That GoDaddy guy who also sells golf clubs is a jerk extraordinaire.
And I mean…. I’d have to see more details, but it’s not phishing if literally everything involved is legitimate except for the intention of whatever asshat thought this was a good idea. I’ve never seen a phishing scam be able to emulate an internal email address. You’re boss sending you an Email asking what kind of anniversary gift you want from the tier list isn’t a phishing scam, it’s legitimate company business.
I think they should sue. Frankly, this is so egregious they’d probably have a case.
Finally, I am in a position to do something about this kind of nonsense. I have several domains that I do not use registered with GoDaddy. I have contemplated over the years of letting them go. This year there will be no contemplation. They are gone, and hopefully, they will ask why. I do not find exercises that potentially publicly humiliate people funny or productive in the least. The only thing I hate more is the employers that would use them.
Excellent.
Where I work they sometimes have people from management call employees at random, pretending to be customers who dialed a wrong number and acting dumb, to test people’s courtesy and patience. If you brush them off, you get a talking to or worse. I don’t like it at all, employees have duties to perform that are more important than engaging at length with wrong numbers, and definitely more important than playing management’s gotcha game with FAKE wrong numbers. Unfortunately, management has also made it clear that they reserve the right to test employees at any time, in any way, with or without warning, to keep everyone on their toes (and while you’re at it, are you signed up for the food drive yet? Management really wants 100% participation).
At our company, a few years back, our IT Manager sent out a memo to the corporation warning about opening suspicious e-mails, opening attachments or links from unknown sources, or providing personal information on unverified websites. He concluded with a promise to provide good training to employees for identifying fraudulent e-mails, etc.
A few days later, we all received a link to survey. The e-mail was badly worded without salutation, but instructed us to click on the link and take the survey to provide information that would help tailor the training. The link was to a non-corporate site and asked us to provide personal information. The e-mail itself was from a brand new corporate IT employee that no one had yet met. So my boss’s first reaction was to write back to the IT manager, asking, “Is this our training? Do we fail if we follow the link and take the survey?” There was some collective forehead slapping after that event…
GoDaddy also recently decided to kick a site popular with gun enthusiasts of its platform without giving notice, part of the great “Right-wing” purge targeting anyone who failed to denounce President Trump with sufficient zeal. Fortunately, AR15.com had a backup site prepared, so they weren’t entirely shut down the way Parler was.
… and Parler, not Parker…
Both issues fixed. But what they did to Parker was also unconscionable…
My reaction when I read it was management now gave every employee a valid reason for not responding to real company email. They can now claim they thought it was a phishing scam or phony email and thus did not read it or go further with it.
Bingo.