Evil doesn't play a part in this equation. That implies a phishing program is designed to "get you" and not help you. This is no more evil than the fire-team training the U.S. Marine Corps goes through.
The malicious actors really don't care about your feels, and in order to condition/train individuals properly you need to utilize the same tactics that they are going to use... otherwise your security program is literally checking a box, and has nothing to do with actually hardening your userbase.
It's also why I tell people not to utilize 3rd party phishing programs like KnowBe4.
KnowBe4 wants a paycheck; to do that they need to prove effectiveness. More often than not that means being really hard in the beginning, and then scaling back to coast easy mode.
Your phishing program should always reflect the same failures, because you should be raising the bar every phish as the education begins to sink in.
That's conditioning. You don't start at 200 lb lifts then go to 10 lb lifts.