There are a lot of ways you can test your employees for their vulnerability to a phishing email attack. But you should approach it as a coaching opportunity; avoid using the testing process to punish those who fail, because that could create a negative attitude towards what could instead be a positive learning experience.