One of the great things about awareness training is not only do staff become more aware and prevent incidents, but they start reporting attacks also, they become human sensors. Today I got just such an email from an employee reporting a phishing attack (click on email for larger view). The email was all about clicking on the link right away, play an interactive online game, and claim your free USB stick if you are one of the first 250 people to register. This email hits just about every hot button you can find about phishing emails. So the employee was spot on to report it. However the email is legitimate, even worse its sent out by Symantec, a company that is supposed to promoting security, not confusing people. At first I did not believe it, but if you do a whois on the domain name 'BeSureItsSecure.com", yup its Symantec. Someone from their security team needs to have a chat with their marketing team.