22

Recently, GoDaddy executed a self-phishing test against its own employees. The message that employees received said that they could claim their holiday bonus by submitting their contact details on some website:

From: [email protected]
Date: Mon 12/14/2020
Subject: 2020 Holiday Party

Happy Holiday GoDaddy!

2020 has been a record year for GoDaddy, thanks to you!

Though we cannot celebrate during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus! To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.

(Link for US)

(Link for EMEA)

Any submittals after the cutoff will not be accepted and you will not receive the one-time bonus of $650 (free money, claim it now!)

We look forward to celebrating with you again, in person next year!

The company is making the ~500 employees who followed the link retake their Security Awareness Social Engineering training, and presumably not paying out.

So, does that constitute a breach of contract? There was an offer, acceptance, and consideration (the victim submitted personal information). The only thing that makes this exchange not routine is that the transaction happened on a medium that the employer deemed inappropriate. But that's an arbitrary designation on the part of the employer that can't invalidate the contract, right?

The difference between usual phishing and this situation is that you usually can't pin down the identity of the scammers, and therefore can't enforce compliance. But the company, in their follow-up e-mail, has pretty much admitted to having authored the offer and confirmed that they received the payment request from victims:

“You’re getting this email because you failed our recent phishing test,” the company’s chief security officer Demetrius Comes wrote. “You will need to retake the Security Awareness Social Engineering training.”

Sure, the victim employees will now have to retake a training course, but they should be eligible for the $650 bonus now, and could sue for breach of contract to claim it, right? Is there any flaw in this reasoning?

5
  • 4
    I’d be more annoyed at having been deemed to have fallen for a phishing scam, when everything you’ve posted (the message in context, the from address) makes this seem legit. I wonder if the links led to an obviously fake URL or if it was a godaddy.com address.
    – Darren
    Commented Dec 26, 2020 at 7:51
  • 1
    Note that it's possible no-one with the authority to actually offer such a bonus was involved with the crafting of the email... or may not have been a company employee (ie, a contractor was hired to create and run the test). Commented Dec 26, 2020 at 8:24
  • 11
    @Darren that's exactly why it's a good test, spoofing email addresses is not difficult so you can't trust something simply because the address looks legit. Also the email really doesn't sound legit at all -- what company gives out bonuses out of the blue but only if you reply within 4 days. "You must respond immediately" is a classic scam technique, this was well done.
    – eps
    Commented Dec 26, 2020 at 22:41
  • 1
    Does this imply that GoDaddy is acknowledging they have a serious problem with data loss and breaches? I lost a valuable domain that was held by GoDaddy, and they claimed it couldn't have possibly been their error (which was obviously a lie). Commented Dec 26, 2020 at 22:45
  • 2
    @RockPaperLz-MaskitorCasket "Does this imply that GoDaddy is acknowledging they have a serious problem with data loss and breaches?" No. It only evidences that the company is taking steps to prevent further data loss & breaches. This matter does not constitute acknowledgment, although it could be useful for proving your claim that the company is liable for losing the domain you had there. Commented Dec 27, 2020 at 10:22

2 Answers

22

Could the GoDaddy employee self-phishing test constitute a breach of contract?

No. There is no contract. It was only the announcement of a gift. That gift might have been unexpected, especially if no similar bonus was given in previous years.

The employee's act of filling in his information does not seemingly amount to "consideration". Filling the data was portrayed as the step to facilitate the delivery of the bonus. Your description --or the article you shared-- has no indication that the employee's fill-in details were devised to benefit the company.

Had the company's message been drafted in a way that qualifies it as an offer of contract, the description would be inconclusive because there are no details about:

  • The exact URLs for "(Link for US)" and "(Link for EMEA)": If the URLs were an alteration of the company's domain, it would be unreasonable for the employee to presume that the offer was legitimate.

  • What data the "failed" employees filled in: Being asked to provide information unrelated to the alleged bonus should have raised suspicions.

  • The contents of the Security Awareness training and what alertness could be reasonably expected from the email recipients even if no training were provided. In the case of companies such as GoDaddy (being in the business of web domains and hosting), one would expect many of its employees (except janitors, etc.) to be more careful or judicious on matters of social engineering than in other industries with less exposure to Internet scams.

10
  • 6
    @davidgo The idea is that the email was composed in a way that would have allowed the employee to identify it as illegitimate (and thus void). The employee should have had no expectations of it being a valid offer. Likewise, if on April 1st a USA based business sends a message stating "April's fool" promising everybody a Ferrari, the employees could not say that it "looked like an offer of contract". The fact that GoDaddy owned the URLs should not be relevant, what should matter is that those were not the "official" URLs and should have been identified as such.
    – SJuan76
    Commented Dec 26, 2020 at 10:18
  • 6
    @davidgo The concept of social engineering (see full name of the course) encompasses tactics such as impersonation. Hence, the fact that the email came from a GoDaddy.com address does not justify clicking blindly on extraneous links therein and/or providing information (perhaps unrelated to a "bonus") without --at least-- first inquiring of their managers. Nor does the email need to say it is a scam. The email was devised as a test of whether the employees internalized the teachings from the security course. Clarifying beforehand that it was a scam would defeat the purpose of that test. Commented Dec 26, 2020 at 12:14
  • 6
    @SJuan76 Something like that has happened! A Hooters employee won a sales contest for what she had been led to believe was a new Toyota, but the prize was actually a "new toy Yoda". The employer tried to play it off as an April Fools' joke. She sued, and they settled out of court, so no precedent was set, but there is some merit to the argument that it was a breach of contract. Commented Dec 26, 2020 at 15:51
  • 6
    @IñakiViggers Is it possible to impersonate yourself? They crafted the message to simultaneously look legitimate and illegitimate, and 500 people believed it was legitimate. In the end, they've admitted that they did write it, which proves that it was, in some sense, "real", even though they tried to make it illegitimate? Commented Dec 26, 2020 at 15:56
  • 3
    @200_success "the prize was actually a "new toy Yoda". The employer tried to play it off as an April Fools' joke". That is materially different because the matter leading to "toy Yoda" certainly constituted a contract, and a company is not allowed to shortchange its employee by belatedly making it look like an April Fools' prank. The effort and profit that a sales contest entails is very different from GoDaddy's asking its employees something akin to "just fill in your data so I can make you a gift". Commented Dec 26, 2020 at 19:53
2

No

It lacks one of the fundamental requirements of a contract: there is no intention on the part of GoDaddy to form a legal contract. Without that, GoDaddy is not making an offer that is subject to acceptance.

Now, if they had made this offer to the general public, then they may have fallen foul of other laws and been forced to honour their commitment but in the context of the pre-existing contractual relationship between them and their employees this is a non-issue.

12
  • 18
    Wait… if intent to deceive can be a valid way to back out of any "offer", then that could lead to all sorts of chaos! Commented Dec 26, 2020 at 4:41
  • 1
    @200_success you mean, like the fraud sort of chaos? Intent to deceive for the purposes of financial gain or to cause detriment is a problem; otherwise it’s just lying. As I said, in the context of the existing relationship, this is not a problem. In other relationships it could be.
    – Dale M
    Commented Dec 26, 2020 at 5:33
  • 12
    This doesn't seem to make sense. Suppose I meet a stranger and I intend to scam him. So, I give him a document which says, "I'll give you $10 if you throw your hat on the ground and step on it." He reads the document, and throws his hat on the ground and steps on it. Since my intent was to scam the guy rather than to form a contract, does that mean that no contract was formed, and so I don't have to pay up? I'm guessing that it means no such thing—but then what is the significant difference between my scenario and the GoDaddy scenario? Commented Dec 26, 2020 at 7:10
  • 10
    @TannerSwett No contract is formed. But you have committed fraud because you intended to cause the stranger loss. This is a crime and a tort - for the crime, the police can arrest you and have you charged, for the tort the stranger can sue you for the value of the hat.
    – Dale M
    Commented Dec 26, 2020 at 8:13
  • 14
    I don't know about US law, but I can tell you that in Germany the hidden intention not to honor a contract does not make the contract invalid (§116 BGB). So the answer to this question might be very location-dependent.
    – DonQuiKong
    Commented Dec 26, 2020 at 20:07
