Email-delivered cyber-attacks which penetrate first-line algorithmic defenses must then face a human operator’s decision: engage, or ‘reject and report’ the threat. Relatively little research exists into the factors that affect these outcomes, and what does is contentious to conduct; naturalistic studies into cyber-attack can easily invade individual privacy. The development of our Email Testbed (ET), a simulator for clerical email tasks, is described and forwarded as an easy and ethical solution to these difficulties. In two experiments undergraduates first screened, then used the ET to send and receive workplace messages. They were concurrently delivered rare malicious emails. Half received cyber-defense training, and performed significantly better than their untrained peers. Without training, performance was poor enough so as to engender concern regarding real-world risks. Discussion of the process of validating the testbed, of the implications of the findings, and of future directions are provided.