Security is important, but it does not trump any other consideration.
Will they next send employees emails claiming their loved ones are in danger, because that is something real hackers might do? Would you consider that ethical behavior? It's actually a pretty common scam, at least in my country (normally done to defraud old people, not to steal company secrets, but still).
I'd expect to see a very convincing study that would show that this type of emotional response is crucial for accurately training people to recognize real phishing before I accepted in any way that this was ethical. Absent strong evidence in this regard, this is utterly disgusting.
I guess that's subjective. In my old company, people generally just felt "yup, people are out to get us, and this test is making me realize how vulnerable I am to screwing it up and is therefore a good reminder."
However this one makes you feel, how would you feel if this was the real phish and you were the one who leaked sensitive customer data because you fell for it?
You are assuming that seeing real emotional stakes in the phishing exercise actually helps with recognizing the same in a real phishing email. I very much doubt the validity of this argument.
Note: I'm not against testing your employees for phishing attempts. That is extremely valuable. I'm against using something with an emotional impact as the pretext of the phish, when I believe a more neutral pretext will do just as well.
A separate note is that according to the pictures shown, it seems this is also a particularly bad example, as the email has legitimate headers, showing that it's coming from godaddy.com - so it would only rely on employees distrusting the contents to recognize it as phishing, which is a bad lesson to teach.
If instead of a Christmas bonus, it was death of a loved one, would you still consider it acceptable (both meet your criteria)? Would it be acceptable to test employee susceptibility to extortion by taking compromising photos and then threatening them with it?
In my opinion no. Any sort of experimentation on employees needs to be ethical. If you screw people over in the name of security, you have now become the security risk. Making the security team be the enemy that the employees hate because they have been hurt by them will lead to very poor outcomes.
It's ok for companies to prepare their employees for phishing, except that (a) they are not allowed to inflict emotional harm on their employees, and (b) the email should include the correct examples of phishing markers.
A good example would be an email coming from a realistic-looking but fake external email; or an email with faked internal-looking headers that are highlighted by the company's email system.
A bad example would be an email coming from the company CEO's real email address, claiming that the employee was promoted, with no warnings from the email system that the headers are faked. That would not teach a useful lesson, and it would inflict some emotional damage on your employees.
Note: the lesson is not useful since, if the attackers have managed to corrupt the email system well enough to send emails from internal addresses without getting flagged, they will most likely have no need to phish for further access.
It is not subjective! Do the study and get the data. Before you risk putting your workers in a harmful situation.
(edit): And by study I mean show me that fake phishing emails are more effective than traditional training where workers know they are in a training situation.