Hacker News new | ask | show | jobs
by agotterer 2001 days ago
I was thinking the same thing. You shouldn’t fail by clicking a link sent by an internal email address. If the link took you to an external site and you entered your GoDaddy credentials or provided personal information, that might be a different story.
2 comments
vitus 2001 days ago
> You shouldn’t fail by clicking a link sent by an internal email address.

I disagree in making this broad of a claim -- insider threats are certainly an issue. And as a sibling commenter points out, email headers are easily spoofed.

I'm not condoning GoDaddy's pentest (agreed with everyone else who sees this as a cruel prank), but also, um, why would you click a link if your company is telling you they're going to pay you a bonus? Wouldn't that just go through payroll as with everything else?

edit: it looks like the phishing email provided the bonus as an opt-in? yeah, that ought to raise red flags that it's not just being applied across the board, but still, it's been a tough year, so people might not think as hard about it.

link
michaelt 2001 days ago
> email headers are easily spoofed.

Not if they've properly deployed DKIM and SPF - which, if they have a phishing problem, should have been among their top priorities.

link
vitus 2001 days ago
should have been != was

I don't know what the security situation is like at Godaddy, but I'm sure there's some amount of investment needed to roll that out broadly without accidentally breaking existing employee workflows.

And my point still stands re: insider attack. At least at Google, anyone could ostensibly register HappyHolidays@google.com (or some variation if it's already taken) as an alias or a mailing list, which removes the need for spoofing.

link
chris11 2001 days ago
Entering personal info might also be understandable. My employer gives a Christmas gift. This year they asked us to update a form with our temporary address if we were in a different location.
link
vitus 2001 days ago
Absolutely, in the context of a physical item being shipped to you (especially if they can't just distribute it at the office), if it's not through payroll. (e.g. we had site-specific fun events in lieu of the annual holiday party)

But a cash bonus? That's the epitome of something that 1) should go through payroll and 2) should just get direct-deposited into your bank account as is the case with your regular paycheck. There's no reason why you'd need to provide any additional info.

link