If you send out a phishing email to test your employees, and 500 fail, it probably means something is wrong with your organization, not with the employees.
Most organizations have HR departments that regularly send out emails to their employees telling them to login to systems for 401k management, sexual harassment training, information about bonuses, and so on.
If HR sends out emails that are indistinguishable from phishing, then there's no way for employees to reliably pass the test.
I have no problem with sending out an email to employees promising them a $650 Christmas bonus -- as long as it's clear to everyone (except the rare few) that it's bogus.
If people aren't getting tricked, it's not an issue.

But here, 500 people (according to reports) failed the test and were tricked.
Sure, getting their hopes up for a $650 Christmas bonus is a dick move, but so are most real phishing attempts. You can't train employee to recognize real vs. test phishing by "this is too much of a dick move if it were a test so that it has to be real".
You can follow @ErrataRob.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:

By continuing to use the site, you are consenting to the use of cookies as explained in our Cookie Policy to improve your experience.