I'm not sure if it's configuration-dependent, but the emails should be realistic and reflect the tools/services your org uses. Sending them Zoom-branded emails, for example, while the org has never used Zoom is pretty pointless. The ones I've experienced unfortunately can be spotted from a mile away due to how low-effort they were (something an actual targeted attack will never do - a targeted attack email would look perfect with the exception of the factors they can't fake, such as the "From" address).
> Without embarrassing or punishing them
At the end of the day, the objective is that they don't engage with suspicious e-mails - whether they do that out of concern for security or out of fear of embarrassment/losing their paycheck is irrelevant.
You want people to be afraid to fall for an attack. The fear should be about negative consequences to the organization and the general unpleasantness that comes out of it, but fear of embarrassment works too.