If you send out a phishing email to test your employees, and 500 fail, it probably means something is wrong with your organization, not with the employees.
Most organizations have HR departments that regularly send out emails to their employees telling them to login to systems for 401k management, sexual harassment training, information about bonuses, and so on.
If HR sends out emails that are indistinguishable from phishing, then there's no way for employees to reliably pass the test.
I have no problem with sending out an email to employees promising them a $650 Christmas bonus -- as long as it's clear to everyone (except the rare few) that it's bogus.
If people aren't getting tricked, it's not an issue.

But here, 500 people (according to reports) failed the test and were tricked.
Sure, getting their hopes up for a $650 Christmas bonus is a dick move, but so are most real phishing attempts. You can't train employee to recognize real vs. test phishing by "this is too much of a dick move if it were a test so that it has to be real".
You can follow @ErrataRob.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
Those who think consciousness raising & movement building are disconnected, or even a distraction from electoral politics have not paid attention to the history of social change.In this thread, we
Read more
The 2020s will be known as the Remote Work decadeA few predictions of what is likely to emerge[ a thread ] Third Space: Office and Working from Home will
Read more
1/29: Have you ever had a concept explained to you that helps frame complex issues you’ve been wrestling with and opens your eyes to new possibilities? A concept that I
Read more
By continuing to use the site, you are consenting to the use of cookies as explained in our Cookie Policy to improve your experience.