Educause Security Discussion mailing list archives

Phishing Paranoia


From: Dana Kilcrease <danak () DANAK DEV>
Date: Fri, 4 Dec 2020 15:09:36 +0000

We run regular security awareness training focused largely on simulated phishing campaigns.  Overall, the response has 
been great, and awareness has gone up over the years.  However, we have a growing number of users who continue to 
over-report "suspicious" emails, to the point that any corporate communications are typically followed by dozens of phone 
calls to our Helpdesk reporting these communications as suspicious, even if they do not contain any of the red flags we 
teach through our training.

Has anyone faced this with their training campaigns?  Any insight as to how to strike the best balance to ensure users 
are reading emails critically, rather than blindly reporting anything that is remotely outside of their day-to-day?

Dana Kilcrease
Director, Information Security
Berkeley College
