They don’t tell us they are testing, it’s done at random. Reporting is policy, it needs to be done with every phishing mail that gets past the filters. It’s one of the big ways a company is vulnerable, an employee clicks on a link in a mail, opens something they shouldn’t and before you know it there’s been a databreach. I don’t think they are especially worried about the employee leaking his personal info, they are worried about targeted attacks and corporate espionage.
I’m sure there are a lot of false positives. Even though I work in a technical company, we have plenty of people who aren’t as handy with tech. People get training regularly and if one person reports a lot of useless I’m sure they will train that person extra. I think for a lot of people except maybe sales something like 80% of all mail is internal. And the other part is probably 50% repeating automated mails. So the number of mails that could even be phishing are limited. It’s a mid sized company with about 1000 employees.