Employers could do well to stop behaving like scammers themselves, especially HR departments. We got a random email from RandomCompany telling us our employer (not named) wanted us to register with them. I sent it straight to IT as 'scam' and deleted it.
Turns out it was legit. HR had been using a third party to check DBSes or something, which unsurprisingly most of us ignored, so HR-Junior had to email everyone instead. But being a poorly trained numpty, HR-Junior BCCed everyone using her boss's name - a boss we'd never heard of, so most of us refused to follow the instructions in that too. HR numpty didn't know how to use Mail Merge, or that her "you rush rush do thing" tone was also very scammy-looking.
I didn't get a bollocking from my boss cos I explained these are all scammy behaviours and they cannot have it both ways. I'd rather get a personalised bollocking for refusing to comply with crappy HR crap than fall for a phish and be shamed by the employer for it. I give no fucks about HR, and their lack of staffing or planning is an employer problem, not a me problem.
I can imagine a lot of organisations with sensitive data also don't staff their IT/HR properly so they do dodgy shit like this.
Our IT is taking cybersecurity really seriously, to the point where they just locked loads of people out of their long-term systems, including building management, with no warning to "meet their certification", so IT are understandably unpopular, as they didn't give anyone time to rejig systems appropriately or create siloed systems to enable building management to keep managing their buildings. Apparently it's cost the employer over a million more in wasted energy, cos months down the line they still can't turn stuff on/off properly.
It all ends up turning into top trumps, cybersecurity, eco-management, disability-accessibility, wanky-manager's-flagshit-project...