Well, it was one example. If it looks like it's coming from a position of authority and looks like it's your style of writing and mentions things that are typically in the messages you exchange, it would seem more likely that you should just click on it. They can use pressure. We'll see sometimes formatting problems, misspelled words, but you have to look. How often do we just pull out our devices and work really quickly to click through the messages?
A bit of training, though, and awareness around spear phishing can help, and you can't just do it once. You actually have to do it several times. One of the ways to do that is to do an anonymous type of analysis spear-phishing campaign, and you actually send almost everyone in the organization a spear-phishing type of email. You're the ethical person, so it's okay. There's a link, and if they click on it, all it will do is register anonymously that someone clicked on it. At the end, you end up with a statistic of how many people clicked on it. And it's not going to be good the first time. Then you say, “By the way, we ran a spear-phishing campaign. Come and visit at lunch and learn, and we'll explain why you shouldn't have clicked on it.” So many people did. The next time you do that, because you do it a second time and a third time, the awareness gets raised. You start raising this awareness with your users, and then your users are much better. They're never going to be 100%, but getting the percentage a lot lower is much better.