How would this other form of exercise you propose demonstrate that the staff isn't vulnerable to a fictitious promise of a bonus sent by a malicious outside actor?

I disagree that one can characterize the simulation of a specific scenario as "lazy." Is it unusually attractive to the target? Yes. Lazy? No.




Ask yourself what the purpose of proving this point is other than a vanity metric. Then ask yourself whether that should be the actual goal. Because it seems to me the actual goal is to have a workforce with generally high awareness and caution around phishing risks in general - and that can be built without goodwill-destroying tactics like this.


Hey, I'm all for making it better if it's possible! But the evidence isn't clear that other forms of training are effective in stopping an attack that involves this sort of messaging. If there are, great - but we need to prove that out first.


No - since you are planning to inflict some harm to your employees, the onus is on you to prove that the harm is warranted.

Specifically, you would have to prove that sending phishing training emails with more neutral topics (e.g. a package arrived, IT policy change - ACTION REQUIRED) is less effective than sending the more potentially harmful ones.


In fact you should first show that fake phishing emails are more effective than traditional non-phishing emails that simply warn you about the risk of phishing and give a clear example of a phishing email without any trickery.

Something like: “SECURITY INFORMATION: Phishing emails target holiday bonuses to increase engagement. Always be on alert” along with a few points on what you are likely to see in a phishing email, how you could spot one, and what to do if you get phished.
