When does phishing education go too far?

I am currently working in the computer security team at my workplace in a high level role. Recently, I helped management design phishing / social engineering training campaigns, where IT security would send phishing test emails to see how well employees are doing. of the company were aware of detecting these emails.

We have adopted a very focused strategy based not only on the role of the user, but also on the content that may be viewed by these employees. The content has been varied to include emails requesting sensitive content (for example: updating a password), fake social media posts, targeted ads.

End users are not able to say that they have no way of distinguishing a legitimate email that they would receive from day to day truly malicious phishing emails. They were asked to reduce the difficulty of these tests of our team.

Questions

  1. When does phishing education go too far?

  2. Does refoulement on the part of end users demonstrate that their awareness is still lacking and requires additional training, especially the inability to recognize legitimate malicious e-mails?