Why not have both? That is, plan to provide a real bonus and amount, even if it's just 100 bucks. Beforehand, send out said phishing email, and collect data. Provide the bonus to everyone. Once the holiday is over, notify employees who failed the test of how easy it is to prey on people's emotions and to be careful, and that the email was in fact in no way tied to the bonus.