Earlier this year, employees at a prominent media company received a strange email asking them to reverify their accounts. These emails didn’t come from a web hosting company or a cloud service provider—instead, they came from an attacker trying to find vulnerabilities in their network. But the attacker wasn’t the Syrian Electronic Army or Russian criminal gangs. Instead, the employees of Atlantic Media (publishers of, among others, The Atlantic and Quartz) were phished by their CTO, Tom Cochran.

Cochran was trying to identify which employees would be most susceptible to spearphishing attacks similar to those which took down huge targets like The Guardian and The Onion over the past year. Nearly half of Cochran’s employees opened the email with the phishing link, and 58% of those clicked on the link itself. In an email to Fast Company, he said “I wish I could say I was surprised, but being in the industry and role I am in, I’m well aware of the ease in which one can be phished. I’ve been phished before (and subsequently spent a couple hours changing every single password I use). So, I wouldn’t say surprised as much as slightly disappointed that it was in fact that easy to dupe someone. On the positive side, tricking people that easily made it a much more compelling ask to push the whole company to use two-step authentication, which was my ultimate objective.”

Fast Company did something very similar in August. Following the August hack of Outbrain (a Fast Company partner company which is responsible for our “You Might Also Like…” links), CTO Matt Mankins conducted an impromptu security audit. Our employees were emailed from an address which faked the name of a high-level Fast Company editor and asked to click through to a site that looked like one of ours–but wasn’t. Nine employees, ranging from editors to advertising team members to corporate staff, all clicked on the link and gave our hacker their login information. But luckily, it was just a drill.

Mankins told me that he felt the wake of the Outbrain attack “was a good time to run a similar attack and see how we did. I set up a Google Form, downloaded our login page, and put it on a similar, but fake domain that we own. I then connected the login form not to our CMS, but to the Google form so that whenever someone entered their password they would go directly to the Google Form. Anyone who entered their login and password would have known pretty quickly that something wasn’t right. I sent the fake email to the staff without telling anyone (except Executive Editor Noah Robischon who was in on the project). I then watched to see what would happen. I wanted people to make noise and contact or warn each other, which is basically what happened. Within minutes someone from my Dev team had alerted myself and the rest of the group, so I had to let them in on the secret so we could watch what the others did.”
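The drill Mankins describes combines two tell-tale signs that a mail gateway or a vigilant employee can check for: a display name borrowed from a senior colleague on a message sent from an outside address, and a link pointing at a domain that merely resembles the company's own. The following is an added example written for this article (not code from Fast Company or Atlantic Media) showing how a defender could flag both; the domain `fastcompany.test`, the name "Jane Editor" and the sample messages are constructed placeholders.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAIN = "fastcompany.test"       # constructed stand-in for the real corporate domain
PROTECTED_NAMES = {"jane editor"}      # constructed: senior staff whose names get impersonated
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_lookalike(domain, corp=CORP_DOMAIN):
    """True when `domain` is not the corporate domain (or a subdomain of it)
    but is near-identical to it, e.g. a typo- or homoglyph-style clone."""
    d, c = domain.lower(), corp.lower()
    if d == c or d.endswith("." + c):
        return False
    return difflib.SequenceMatcher(None, d, c).ratio() >= 0.85

def analyze(raw_message):
    """Return a list of findings for one raw RFC 822 message (empty = nothing suspicious)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    # Sign 1: a protected person's display name on a message from outside the company
    if name.strip().lower() in PROTECTED_NAMES and sender_domain != CORP_DOMAIN:
        findings.append("display-name impersonation from external sender")
    # Sign 2: the sender's own domain is a near-copy of ours
    if is_lookalike(sender_domain):
        findings.append(f"sender domain {sender_domain} resembles {CORP_DOMAIN}")
    # Sign 3: any link in the body leads to a near-copy of our domain
    for url in URL_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            findings.append(f"link host {host} resembles {CORP_DOMAIN}")
    return findings

# Constructed sample: the drill pattern (borrowed editor name, outside sender, clone domain)
SAMPLE_PHISH = """From: "Jane Editor" <jane.editor@gmail.test>
To: staff@fastcompany.test
Subject: Please reverify your CMS account

Please log in at http://fastcornpany.test/login to reverify your account.
"""

# Constructed sample: a legitimate internal message for comparison
SAMPLE_LEGIT = """From: "Jane Editor" <jane.editor@fastcompany.test>
To: staff@fastcompany.test
Subject: Story draft

Draft is up at https://www.fastcompany.test/drafts/123 for review.
"""
```

Run `analyze(SAMPLE_PHISH)` to see both findings; `analyze(SAMPLE_LEGIT)` returns an empty list.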

State-associated hackers, such as the Syrian Electronic Army (the perpetrators of the Outbrain hack) and the accused Chinese military-linked intrusion teams, all use phishing attacks to break into targeted governments and corporations. It isn’t too much of a guess to assume America’s cyberwarriors spearphish, too. Employees at Atlantic Media were sent an email shortly after the surprise security audit informing them of the result, and warning them—for the good of corporate security—to be more vigilant in the future.

Cochran, the former Director of New Media Technologies for the White House, said in a writeup the fake hack attack “attained the crucial buy-in of employees; now that they personally understand the dangerous implications of not following the rules, they’re more willing to take data security seriously. People are more apt to learn from an experience than listen to a recommendation or policy. Just like a regular office fire drill, senior leadership should be running random phishing drills to give them that experience. And, the experiential learning doesn’t stop with these emails.”

Atlantic Media and Fast Company aren’t the only organizations conducting fake hacks of their own employees to find security holes. Due to the discretion the topic usually receives–no company wants to announce their own employees will click on any file labeled “Spreadsheet” or “Meeting Agenda” from any Gmail address–it’s hard to find companies going on record to talk about this.