Inside the Rise of “Gotcha” Phishing Tests in the Workplace

Jessica Long

6 min read | Published Jul 17, 2025

You’ve Got Mail… and It’s From Your Boss… Pretending to Be a Scammer

Imagine this: It’s 10:42 a.m. on a Wednesday, you’re feeling the slump coming on and you’re seriously ready for lunch already… when a new email comes into your work inbox. You open it, and a smile lights up your face. 
Well, you think, ‘how bout that? Ol’ HQ to the rescue! Wow, they really care about their employees. 
Why wouldn’t you think that? After all, it’s clear as day that your generous, magnificent bosses just sent you an Uber Eats gift card. All you have to do is click a link and register. Free lunch? Yes, please.
Except… surprise! The whole thing was fake. Like, fake fake. Not like “oh no, the coupon expired” either. Noo, it’s fake like your own employer literally sent you a trap to see if you’d fall into it. If you clicked the link, congratulations: you’re now on The List of Employees Who Failed.
This very scenario recently played out at an electrical company right here in Georgia. The email looked completely real, offering an Uber Eats gift card to employees who couldn’t travel a thousand miles for the office party at headquarters. The tricky email was actually just a simulation created by the company’s cybersecurity department. The moment employees clicked the link, their names were logged, and the digital equivalent of a red “Gotcha!” stamp was placed on their personnel file.

This is the actual email delivered to a local Georgia electrician. | Image used with permission.

Phishing Tests or Trust Tests?

Companies say these kinds of tests are necessary to teach employees how to spot real phishing emails that do try to steal logins, install ransomware, and drain bank accounts. In fairness, phishing attacks are no joke. According to the FBI’s Internet Crime Complaint Center’s most recent report, phishing was the most reported cybercrime in 2024, with almost 200,000 complaints and losses of over $70 million. (You can read the full report here.)
Georgia is no stranger to cyber threats, especially in industries like healthcare, utilities, and finance. In fact, Georgia residents made up well over $4.2 million of the total loss amount – the 7th highest in the country. Not great, guys. 
As if all that isn’t sticky enough, these simulated phishing emails often come with zero warning. They look very convincing, which is hard enough, but they also prey on basic human instincts, like jumping at the chance of a free lunch. In other words, they’re not just testing tech smarts; they’re also testing trust, naivety, and attention to detail.

The Fallout: Confused, Embarrassed, and Possibly Disciplined

For employees who fall for the bait, the consequences range from a mild slap on the wrist to mandatory retraining sessions or, in some cases, a performance flag. To be clear, cybersecurity awareness is critical. But many employees, especially those in non-technical roles, feel these exercises are less about learning and more about catching people slipping.
It’s not unlike asking someone to spot a deepfake video after three hours of sleep with two kids fighting in the background, then disciplining them when they miss the mark.

If it smells too delicious, it’s probably bait. | Image: iStock

A Better Way to Test Trust

Experts say phishing simulations are most effective when they’re paired with education. That means clearly explaining to employees what phishing looks like, how scammers operate, and how to safely report suspicious emails. If companies do send out fake phishing emails, the tone should not be shameful, and punishments shouldn’t be administered for “failing”. The purpose should always be simple: learning.
The Georgia Department of Labor and the Georgia Department of Administrative Services both provide guidance on workplace training standards. If you're concerned your employer's phishing tests cross the line into unethical or hostile territory, you can submit a complaint through the Georgia Office of the Inspector General at oig.georgia.gov.

How to Protect Yourself (Even from Your Boss)

If you receive a suspicious email, whether it’s from a Nigerian prince or the head of HR, take a breath, hover over the link before clicking, and ask yourself: Does this sound too good to be true? Would Susan from Payroll really gift me Uber Eats at random?
When in doubt, forward the email to your company’s IT team, or just delete it. If the food was real, someone will follow up. If it wasn’t, you just passed the test. Gold star for you.
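The “hover over the link before clicking” advice above boils down to one question: does the address the link actually goes to match the one it appears to promise? The script below is an added example, not part of this article or of any company’s training program, that automates that hover check over an HTML email. The gift-card message it scans is constructed for the example (it is not the real Georgia email), and the list of trusted company domains (`example-electric.com`) is an assumed placeholder.

```python
"""Flag links in an HTML email whose hover-over destination does not match
what the visible text promises, or leaves the company's own domains."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the real email from the article: a lure dressed up
# as a gift-card offer, with one honest link and one whose visible text
# ("https://www.ubereats.com/...") hides a different hover-over destination.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Since you can't make the office party, here's lunch on us!</p>
<p>Claim your card: <a href="http://ubereats-rewards.example.net/claim">https://www.ubereats.com/gift</a></p>
<p>Questions? See our <a href="https://example-electric.com/benefits">benefits page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' reduction (www.ubereats.com -> ubereats.com);
    a real deployment would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_named_in_text(text):
    """If the visible link text itself looks like a URL or domain, return its host."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def link_findings(href, text, trusted_domains):
    """Return the reasons this link deserves a second look (empty list = fine)."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reasons = []
    if parsed.scheme not in ("http", "https"):
        reasons.append("link does not use a web scheme")
    if host and registrable_domain(host) not in trusted_domains:
        reasons.append("destination %s is outside the trusted domains" % host)
    text_host = host_named_in_text(text)
    if text_host and registrable_domain(text_host) != registrable_domain(host):
        reasons.append("visible text names %s but the link goes to %s" % (text_host, host))
    return reasons


def check_email(html, trusted_domains):
    """Scan every link in an HTML email and report only those with findings."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        reasons = link_findings(href, text, trusted_domains)
        if reasons:
            report.append({"href": href, "text": text, "reasons": reasons})
    return report


if __name__ == "__main__":
    # Assumed company domain; swap in your employer's real ones.
    for item in check_email(SAMPLE_EMAIL_HTML, {"example-electric.com"}):
        print(item["text"], "->", item["href"])
        for reason in item["reasons"]:
            print("   -", reason)
```

Run against the sample, the honest “benefits page” link passes, while the gift-card link is reported twice over: its visible text names `www.ubereats.com` but the hover destination is on `example.net`, which is also outside the company’s domains. That second mismatch is exactly what a human sees when hovering, and it is the one check that catches the lure whether it came from a scammer or from your own IT department.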

Conclusion: Tech Smarts Are Good, But So Is Common Sense

The rise of internal phishing tests in Georgia reflects a growing tension between security and trust. Yes, companies need to protect their systems. But when those efforts start to feel like trickery, it can damage employee morale. Especially when it involves pretending to give away tacos.
Cybersecurity is a shared responsibility. Companies should aim to teach, not trap. And employees should stay sharp, even when the email says “free lunch.” Because as we’ve all now learned: If it smells too delicious, it’s probably bait.
For cyber awareness resources, you can visit the Georgia Cyber Center at gacybercenter.org or check out the Federal Trade Commission’s phishing tips at consumer.ftc.gov.

AI was used to assist our editors in the research of this article.
#consumer protection
#consumer advice
#workplace phishing test
#georgia employee rights
#cybersecurity awareness georgia
#fake gift card scam
#hr email phishing
#uber eats phishing scam
#georgia labor complaint
#internal company scams
#employee monitoring
#atlanta workplace news