It can sometimes be easy to forget about the side-effects of phishing tests on people's morale. I have
a personal policy at work that I will never use things like bonuses or time off in
phishing campaigns. (I do consulting work. The only phishing I do is to employees' emails with
the permission of their employer.) The reason comes from a news story I read while in college.
You can find a link to Business Insider's report here:
https://www.businessinsider.com/godaddy-disguised-a-phishing-email-test-as-holiday-bonus-announcement-2020-12
Here's a short version of it:
- in June of 2020 (mid-pandemic), GoDaddy laid off 814 people (or 10% of their employees)
- in December of 2020, they did a phishing campaign announcing a $650 holiday bonus
- the email's sender was from the official "godaddy.com" domain
- this means that the most common security awareness recommendation of "look at the sender" was useless
- the 500 people who failed the test were given extra work and told to re-take security awareness training
So, they had a difficult test when morale was already low.
This isn't to say that you can't use bonuses or similar in phishing tests.
They can still be very effective.
But you shouldn't accidentally promise something you can't deliver on.