The point of phishing awareness testing is to get people to question sources, question claims, heighten vigilance, and thus reduce successful phishing attacks. Hatred of your company for mocking you by toying with your compensation expectations runs counter to those goals. 1/6
It's hard: one must mimic realistic scenarios, but not make people sad or feel overly foolish. Looking at the brouhaha over the GoDaddy phishing exercise, a "Year end bonus" phish is really not out of the realm of likelihood. But it clearly will alienate your staff. 2/6
On one hand, it's true: criminals don't play nicely with others. But of course people feel sad and angry after being subjected to the message they got. How could GD have known? Well, the approach has burned KnowBe4 as a footgun in the past. It is known bad. 3/6
It's in fact repugnant that KnowBe4 keeps running this gag. KnowBe4 seems to like it because it is effective and "shows value". Recipients loathe it because it rams home their vulnerability as employees. KnowBe4 knows this (see, e.g., https://twitter.com/justin_fenton/status/1308851669397053440). 4/6
Would criminals try it? Sure. Is it fair game? If you're a sociopath, yes. If the goal is education I can't believe there aren't as-effective ways that don't undermine confidence in company leaders the way this did. This is CTF, not training. Winning is LEARNING, not clicks. 5/6
If you are planning to phish your workforce, work on a trick that is plausible but not prima facie humiliating; NYPD once ran one that was a link to a "voicemail message". Remember the purpose is to educate. Students who detest you for mocking them likely won't get the lesson. 6/6