I wonder what sociopath came up with this idea for a phishing test. It seems incredibly insensitive given the minute amount of difference it is likely to make - the way to tell a phishing email from a non-phishing email depends much more on the metadata than the actual contents, so there's no reason to play with people's emotions like this. Even the employees who immediately recognized it as phishing will have felt the disappointment.
> the way to tell a phishing email from a non-phishing email depends much more on the metadata than the actual contents
this is true, but people are also much more likely to skip the rational analysis step if the contents elicit an emotional response. it's hard do to an effective test without some sort of emotional and/or time sensitive call to action.
I certainly agree it is cruel to tease employees with a fake bonus. but if they turned around and actually paid a holiday bonus in the same amount, I would say no harm was done ultimately.
