Whenever I get some breathless email about security from my organization, I send a phishing report for it even if I think it is real. All the messages about mandatory password resets and the like just increase the surface area for phishing. There should be a policy like "we will never send you an email about the security of your account." See
https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/201...
a policy that's been talked about for more than 10 years and that the industry is almost catching up to.