[Workaccount2]

The problem is that if you click one of the links, you need to do (well sort of) the hour long phishing class and testing again. But of course, nowhere in the class do they say anything about not trusting e-mails from a known safe domain.

Whats funny though is that if you click the link in a phishing test, they will e-mail you to complete the training. But there is no enforcement (general management doesn't care), so you just get a daily e-mail telling you that you are overdue. It also however stops them from sending the fake phishing emails. So a bunch of us clicked the phishing link, marked the "do your training" e-mail as spam, and now never get bothered.

[arcfour]

Where I was, they tracked who didn't do it, and came down on them, then their manager, and then it became an HR issue. Only one or two people went down the HR path, and then they did the training pretty quickly. Of course it didn't start harsh, just "hey, a reminder, we are tracking this and you need to do it" but when you blatantly ignored it the response got more firm.

Also, the last one I took they talked about phishing using a malicious Google docs link IIRC.

Anecdotes don't mean you know everything about a system.