We have been conducting phishing training for a while with good results. Some of our tests spoof real people in HR, Finance, etc., which mirror actual hacking events that we have experienced. These tests contain red flags but are difficult to distinguish from real messages.
We now seem to have gotten people so nervous that they often won’t open legitimate internal messages, especially those broadcast to a large audience (such as from HR).
Have you experienced this unintended consequence? Any advice, like maybe implementing standard message templates for internal broadcast messages?