
Recently, GoDaddy executed a self-phishing test against its own employees. The message that employees received said that they could claim their holiday bonus by submitting their contact details on some website:

From: Happyholiday@Godaddy.com
Date: Mon 12/14/2020
Subject: 2020 Holiday Party

Happy Holiday GoDaddy!

2020 has been a record year for GoDaddy, thanks to you!

Though we cannot celebrate during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus! To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.

(Link for US)

(Link for EMEA)

Any submittals after the cutoff will not be accepted and you will not receive the one-time bonus of $650 (free money, claim it now!)

We look forward to celebrating with you again, in person next year!

The company is making the ~500 employees who followed the link retake their Security Awareness Social Engineering training, and presumably not paying out.

So, does that constitute a breach of contract? There was an offer, acceptance, and consideration (the victim submitted personal information). The only thing that makes this exchange not routine is that the transaction happened on a medium that the employer deemed inappropriate. But that's an arbitrary designation on the part of the employer that can't invalidate the contract, right?

The difference between usual phishing and this situation is that you usually can't pin down the identity of the scammers, and therefore can't enforce compliance. But the company, in their follow-up e-mail, has pretty much admitted to having authored the offer and confirmed that they received the payment request from victims:

“You’re getting this email because you failed our recent phishing test,” the company’s chief security officer Demetrius Comes wrote. “You will need to retake the Security Awareness Social Engineering training.”

Sure, the victim employees will now have to retake a training course, but they should be eligible for the $650 bonus now, and could sue for breach of contract to claim it, right? Is there any flaw in this reasoning?

200_success

2 Answers

Could the GoDaddy employee self-phishing test constitute a breach of contract?

No. There is no contract. It was only the announcement of a gift. That gift might have been unexpected, especially if no similar bonus was given in previous years.

The employee's act of filling in his information does not seemingly amount to "consideration". Filling in the data was portrayed as the step to facilitate the delivery of the bonus. Your description --or the article you shared-- has no indication that the employee's fill-in details were devised to benefit the company.

Had the company's message been drafted in a way that qualifies it as an offer of contract, the description would be inconclusive because there are no details about:

  • The exact URLs for "(Link for US)" and "(Link for EMEA)": If the URLs were an alteration of the company's domain, it would be unreasonable for the employee to presume that the offer was legitimate.

  • What data the "failed" employees filled in: Being asked to provide information unrelated to the alleged bonus should have raised suspicions.

  • The contents of the Security Awareness training and what alertness could be reasonably expected from the email recipients even if no training were provided. In the case of companies such as GoDaddy (being in the business of web domains and hosting), one would expect many of its employees (except janitors, etc.) to be more careful or judicious on matters of social engineering than in other industries with less exposure to Internet scams.

Iñaki Viggers

No

It lacks one of the fundamental requirements of a contract: there is no intention on the part of GoDaddy to form a legal contract. Without that, GoDaddy is not making an offer that is subject to acceptance.

Now, if they had made this offer to the general public, then they may have fallen foul of other laws and been forced to honour their commitment, but in the context of the pre-existing contractual relationship between them and their employees, this is a non-issue.

Dale M