@boblord I'm not sure they are cruel, but this one is. If you are going to throw out the bonus phishing simulation it had better be preceded by a bunch of other more gentle simulations, training and positive reinforcements. Ultimately social engineering works and attackers will keep using it in some form. I think it is ridiculous for companies to punish users for clicking on a phishing simulation. That will never help your users come forward when they click on a real message. I had to learn that the hard way when I first got into this field. Something that seemed so obvious to me in retrospect was not to an employee just trying to do their job.