Should We Warn Colleagues About Phishing Test Campaigns?
Matthew Bentolila
Sr Director, Cybersecurity - Cloud Management | CISSP | CCSP | CISM | CRISC | PMP | ITIL Expert | COBIT
We all know by now that social engineering and phishing are among the biggest threats in cybersecurity. Every year, we typically take mandatory security awareness training to fulfill compliance requirements, which often includes a quick test. Many organizations also run internal phishing simulation campaigns or hire external companies that specialize in testing employees' susceptibility to phishing attacks.
But here’s the question: Should we alert our colleagues when we know a new phishing test campaign is coming up? Or should we warn them with phrases like "be careful, that email might be phishing"? It’s an interesting dilemma, and it’s worth asking—should upper management be the ones rallying the team to stay alert, or would this undermine the true purpose of these tests?
The intent behind phishing simulations is clear: they exist to gauge an organization's readiness to identify and resist phishing attempts. If we tip people off ahead of time, doesn’t that defeat the purpose? The goal is to assess real-world reactions and identify employees who might need more training, especially those who are repeat offenders in falling for such scams.
Phishing simulation campaigns are not just a compliance checkbox; they are a way to uncover vulnerabilities that could cost the company real dollars. If everyone knows a test is coming, they may be extra cautious for a short time, but that won’t reflect their actual behavior during a genuine attack. As a result, the company may end up with skewed data that paints a rosier picture of security than is true, potentially leaving the organization exposed.
Realistically, what we want from these tests are accurate failure rates so that we can target training and coaching toward the employees who need it most. If we start warning people before these campaigns, we risk missing the very insights we need to improve overall security posture.
So, the question remains: Should employees be warned, or should the tests be conducted discreetly to maintain their effectiveness? Ultimately, the answer may come down to how much emphasis an organization places on creating a culture of security awareness versus fulfilling compliance.
I’ll leave this as an open-ended question: What do you think? Should we focus on alerting colleagues to help them pass the test, or should we prioritize uncovering genuine weaknesses to ensure the company is fully prepared for real threats? The balance between educating employees and collecting untainted data is a fine line, and every organization must weigh the costs and benefits carefully.
Comment on this article or contact me if you’d like to discuss further or share your experience. Let’s connect!