by lopmotr 2161 days ago
Just wondering if employees failed the test just by clicking on the link or if they had to actually enter some passwords or confidential information on the fake survey site. I wouldn't think clicking a link, then looking at the address bar and seeing the domain name is wrong, then closing the page would be a problem, would it?

We got judged on both. Most security teams in my experience feel that even clicking on the link is a big risk, although I've never read a more detailed explanation of why than "oh there might be a 0-day".

I've seen that. It was funny.

The corporate security team sent out the email. It had a link with no actual content, giving an error, but that got you on the list of people with bad security behavior.

The trouble at my office was that most employees were highly capable security researchers. These are people who reverse engineer malware for pay and for fun. Of course they eagerly attempted to download from the link! They wanted fresh new malware. People would typically download via wget in a virtual machine on a PC without important data.