So, yesterday afternoon I received a phishing scam in my inbox.
Problem is, it was a fairly convincing one: the email address had been spoofed and looked more-than-reasonably legitimate, the text was clear and simple and didn't have a lot of typos (some, but not many, and nothing that was obviously a non-native English speaker). The only real "tell" was that if you hovered over the link, it went to something random and definitely not anywhere on our site/network.
And I looked at that and thought, "Holy hell! If I got this, then other people are getting it too, and it's too good - somebody's going to fall for it." So I immediately stopped what I was doing, and composed a warning by forwarding the thing with the link removed and a big note at the top that said:
This is not from Information Technology. This is a phishing scam.
Do not click on the link, do not fill anything out. If you already did, please contact the help desk immediately.
Being the good little IT person that I am, I sent the warning to everybody in the organization.
...And immediately got a visit from the Director of IT, because apparently this was a test they were running on the IT staff and I'd just spoiled it.
I make no apologies for this.