A Reminder on Phishing Tests


It can sometimes be easy to forget about the side effects of phishing tests on people's morale. I have a personal policy at work that I will never use things like bonuses or time off in phishing campaigns. (I do consulting work. The only phishing I do is to employees' emails with the permission of their employer.) The reason comes from a news story I read while in college.

You can find a link to Business Insider's report here: https://www.businessinsider.com/godaddy-disguised-a-phishing-email-test-as-holiday-bonus-announcement-2020-12

Here's a short version of it:

So, they had a difficult test when morale was already low. This isn't to say that you can't use bonuses or similar in phishing tests. They can still be very effective. But you shouldn't accidentally promise something you can't deliver on.