I had a staff member text me tonight asking for help regarding a suspicious email that she received. She also works for another company in the evenings, so she called them first since the email came in on their system. Their helpdesk told her it was an email they intentionally sent out to see how many staff would click the suspicious link.
Wait… What, you phished your own users?
I can’t think of a better way to betray their trust. Staff and students need to be able to trust their IT department, and activities like this are reckless if you ask me.
Educate them, don’t spear phish them.
UPDATE: I have done some research about this program, and have since decided to become a paying customer of KnowBe4. Once I was informed that it is an education program, followed up by testing of your users, I felt better about it. I still stand by what I said: educate them, don’t spear phish them.