My company created its own phishing e-mail and sent it to everybody to see how many people would fall for it.
The e-mail looked like it was coming from our own IT and said your password was compromised and click here to re-instate; phishing link then stole names and credentials of employees.
I'm not sure how I feel about this trickery, but I feel even less positive about how many people it apparently fooled. We just got an e-mail about it.
I didn't remember it at first, but it's in my deleted folder. I'm pretty sure I didn't click, but it was convincing.