by vitus
2001 days ago

> You shouldn’t fail by clicking a link sent by an internal email address.

I disagree in making this broad of a claim -- insider threats are certainly an issue. And as a sibling commenter points out, email headers are easily spoofed.

I'm not condoning GoDaddy's pentest (agreed with everyone else who sees this as a cruel prank), but also, um, why would you click a link if your company is telling you they're going to pay you a bonus? Wouldn't that just go through payroll as with everything else?

edit: it looks like the phishing email provided the bonus as an opt-in? yeah, that ought to raise red flags that it's not just being applied across the board, but still, it's been a tough year, so people might not think as hard about it.

Not if they've properly deployed DKIM and SPF - which, if they have a phishing problem, should have been among their top priorities.
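
Whether a message showing an internal From address was actually authenticated for that domain can be read from the Authentication-Results header stamped by the receiving server. The sketch below is an added example, not code from either commenter; the domain `corp.example`, the authserv-id `mx.corp.example` and the sample messages are constructed, and alignment is assumed to mean an exact domain match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example"      # assumed company domain (placeholder)
TRUSTED_AUTHSERV = "mx.corp.example"  # assumed id stamped by our own inbound MTA
IDENTITY = {"spf": "smtp.mailfrom", "dkim": "header.d"}  # what each method vouches for

def domain_of(value):
    """Lower-cased domain part of an address or bare domain."""
    return value.rsplit("@", 1)[-1].strip("<>").lower()

def auth_results(msg):
    """Yield (method, result, props) from Authentication-Results headers we stamped."""
    for header in msg.get_all("Authentication-Results", []):
        header = re.sub(r"\([^)]*\)", "", header)  # drop parenthesised comments
        authserv, *entries = [part.strip() for part in header.split(";")]
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # header not written by our MTA: never trust it
        for entry in entries:
            m = re.match(r"(\w+)=(\w+)", entry)
            if m:
                props = dict(re.findall(r"([\w.]+)=(\S+)", entry[m.end():]))
                yield m.group(1).lower(), m.group(2).lower(), props

def classify(raw):
    """Return 'aligned', 'spoof-suspect' or 'external' for one raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    if from_dom != INTERNAL_DOMAIN:
        return "external"
    for method, result, props in auth_results(msg):
        ident = props.get(IDENTITY.get(method, ""), "")
        # A pass only counts if it is for the domain shown in From.
        if result == "pass" and domain_of(ident) == from_dom:
            return "aligned"
    return "spoof-suspect"

def sample_mail(auth_lines, sender="HR <hr@corp.example>"):
    """Build a constructed sample message (not real traffic)."""
    heads = [f"Authentication-Results: {a}" for a in auth_lines]
    return "\n".join(heads + [f"From: {sender}", "Subject: Holiday bonus", "", "body"])

LEGIT = sample_mail(["mx.corp.example; spf=pass smtp.mailfrom=hr@corp.example; "
                     "dkim=pass header.d=corp.example"])
SPF_ELSEWHERE = sample_mail(["mx.corp.example; spf=pass "
                             "smtp.mailfrom=bounce@mailer.example; dkim=none"])
UNTRUSTED_AR = sample_mail(["relay.mailer.example; dkim=pass header.d=corp.example",
                            "mx.corp.example; spf=fail smtp.mailfrom=hr@corp.example; dkim=none"])
```

`SPF_ELSEWHERE` is the case worth noting: SPF passes for the envelope domain while the From line shows the internal one, so the message is flagged rather than treated as internal.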