Although phishing tests can help protect users, questionable tactics can harm the relationship between a company and its employees. The authors suggest that managers avoid this damage by designing phishing tests around three criteria: test teams, not individuals; don’t embarrass anyone; and gamify and reward.
Last December, the website hosting company GoDaddy.com sent 500 employees an email offering a $650 holiday bonus. Unfortunately, the bonus emails were not sent in appreciation for their record year, as indicated by the email — it was a phishing test. Those who clicked the link were rewarded, not with a …