All good advice that I incorporated into the computer security training course that I created while working at the pharma company years ago. All employees, including the CEO, were required to go through the training and all new hires were required to take the course before they logged on to corporate computers for the first time. After implementing this, we went from having to remove malware on a weekly basis to zero malware infections. Unexpected emails were singled out for deep scrutiny, as were any unexpected browser pages asking for logon credentials.
The slogan associated with the training was "Don't be quick to click" and I encouraged employees to forward suspicious emails to me (they would even dig them out of their junk folder) along with stating the reasons why they thought the email was bogus (this was after Microsoft fixed the Outlook issues with bad stuff being launched just by viewing emails in the preview pane).
The ironic thing at the time was that the consensus in the cybersec community was that training end users to avoid infection was a fool's errand because they were just too dumb when it came to using computers. Eventually they came around when it was actually tried and found to be one of the most valuable defenses available to IT.
A key element of the training was that it was positioned as showing the employees how this training could keep them from getting hacked in their personal life. Dr. Dave was fortunate that it wasn't worse; folks' private lives have been devastated by financial and reputational ruin associated with hijacked accounts and identity theft that could have been avoided by knowing what to look for and getting in a hurry.
Over the span of my career I have watched malicious actors go from hacking for bragging rights or monkey wrenching, to today, where we have organized criminal gangs that actually have board of directors, business plans and generous budgets, along with state sponsored groups that have even more resources. This really took off back in 2003 - in the aftermath of the collapse of the Soviet Union there was a large number of furloughed programmers that had lost their jobs and were recruited by criminal organizations who understood the advantages of stealing money while sitting behind a computer instead as opposed to the risks of getting shot at while running guns and drugs.