They blast us with the dumbest most obvious phishing simulations. Then send out legitimate "register for this new app" email, which large numbers of people report and the director gets pissed, despite the fact it meets the bulk of the "signs of a phishing email". Then a month later we get hit by a phishing attack that automated software blocked.