At my company, they announced that in the upcoming month there would be an internal phishing sensibility campaign.
Then, in the same month, they started sending out incredibly dodgy looking emails to "security training" provided by an external website.
Of all emails, those looked the most like phishing but they are not. I decided that I refuse to do this training completely because to me it seems crazy how that was coordinated. I would never lose my job over this but it is amusing that I get an "Urgent: security training still outstanding" about once a week which just goes straight into the trash.
My company uses an outside vendor for security training that requires us to login using company credentials.
The outside security vendors also run phishing security campaigns that they send out from their own domain, and that have "phishing" URLs that point to the same domain we do the training on.
I got reported as being phished for following a link that goes to the SAME domain as our required security training. Our security compliance team got my point when I reported every required training reminder as coming from a known phishing domain.
