We do these "tests" on staff...
...and we use convincing imitations of banking, fast food, coupon, on-line email, HM Tax office, and auction site alerts. And of course Social Networking sites - both the usual "big" sites, personal and professional.
Don't work too hard to disguise the "from" address, and obviously the links don't even look a little bit genuine if you hover.
But clicking the links takes you to a semi-believable "login" type page that, if interacted with, generates an error (so you can't *actually* put in any credentials...).
All contracted out, which makes things easier and saves us mocking up emails and websites...
We get details of who opens the email, who clicks the links, and who tried to interact with the fake page.
Everyone in our Government org has had to work through Cyber defence training courses EVERY year, but apparently some shallower areas of the gene pool cannot be educated about Cyber Security.
Anon because I still enjoy my job... and if you could work out who I work for, political masters would demand a spherical sacrifice.