Comment by DyslexicAtheist

4 years ago

Human Research Protection Program Plan & IRB determine if something is unethical, and while these documents are based on opinions, they have weight due to consensus.

The way these (intrusive) tests (e.g. anti-phishing) are performed within organizations would be with the knowledge of, and a very strongly worded contract between, the owners of the company and the party conducting the tests.

It is illegal in most of the world today. Even if you disagree with responsible disclosure you would be well advised not to send phishing mail to companies (whether your intention was to improve their security or not is beside the point).