Alt text: Michael Scott Handshake meme. Manager's text: "My company Congratulating me on avoiding a phishing test email". Michael Scott text: "Me, terminally behind on answering email."
I created an inbox rule for these. The 3rd party phishing shame-and-train company my employer uses always has a certain domain in the email header (even though they always change the 'from' address). Has worked perfectly for over 6 months. I'm generally not dumb enough to click on them anyway. But anyone can have a bad day and/or get into a rush and make a mistake. And my boss is a sadistic prick who delights in making workers feel dumb. Yet I'm 100% sure he exempts himself from the phishing shit tests.
The point isn’t to be so tricky to make it too hard for end users to catch it. It’s to train them to start looking at things such as sender's domain and to report messages and avoid the link, etc.