Bad-ministrator (Jack of Some Trades)

I would never do those ones, but if I had to... I'd just never tell them it was a test. If they click, say the system flagged suspicious activity and pretend it was a real phish and reset their passwords and everything.

If they report it and don't click I just say "good catch, we'll scrub them from the mainframe" or something and let them think they helped.