It's great that our users are apparently very good at ignoring phishes. Unfortunately, this has the small side effect that they're also very good at ignoring our plaintive requests to change their Unix passwords because their Unix passwords are so old that they're using old-school 'descrypt' format encrypted passwords (8 characters maximum and all that fun).
(The alternate interpretation is that they're very good at ignoring everything 'we' send them, which is perhaps not wrong either.)