I use a pizza delivery analogy when talking about phishing messages. If a pizza was delivered that you hadn’t ordered, would you open the box and eat the pizza? If the box looked a bit like say Dominos but not quite, would you open it and eat the pizza? If the box looked exactly the same as Dominos but Dominos was spelt Diminos, would you even open it?
Here is a nice concise eye opener of an article in IT Pro – How Not To Get Hacked In 2019 – that has 2 main threads to its message; take care of the basics and don’t trust anything.