phishing-sim
Install: claude install-skill roodlicht/accans-sec-skills
# Phishing Simulation
> **Awareness goal + ethical template**: phishing sims exist to improve organizational awareness, not to ridicule individuals. No ad-hoc spear phishing against specific people without written sign-off from both management AND HR. No pretexts that fundamentally sow mistrust (family emergencies, a colleague's illness, fabricated HR disciplinary actions). NL/EU context: employee monitoring falls under the AVG (GDPR) as well as labor law; consultation with the works council and/or employee representation is usually required before a campaign runs. This skill provides the structure; the legal review belongs with legal, HR and the DPO.
## When to use
Phishing sims are the standard vehicle for organizational awareness and for initial-access testing in red-team engagements. They are also the quickest way to become a source of distrust when executed poorly. Discipline on pretext choice, opt-out handling, and post-campaign feedback is not an extra: it is the campaign.
Triggers on:
- A question like "design a phishing campaign", "which pretexting patterns are reasonable", "SPF/DKIM/DMARC for our sending infra", "click-rate baselines", "post-campaign debrief", "how do we do this AVG-correctly".
- A red-team engagement where initial access via phishing is needed and the RoE explicitly permits credential harvesting or malware delivery.
- A security-awareness program with periodic (quarterly/half-yearly) sims as a training vehicle.
- A handoff from `recon-agent` (employee OSINT output as input for the target list).
- A complianc