Friday, September 10, 2004

Is That a Real Virus Alert?

Something that I have to consider from time to time - both in my role as a consultant, and as a trainer - is whether or not I'm assuming something is 'common knowledge' for my students or clients, when it isn't. Experts often forget what a beginner, or just a non-expert, doesn't know. I was reminded of this during a phone conversation with a client last week.

I was a bit confused at first (and so was she) because her screen had both a spyware popup, made to look like a Windows alert - claiming "You have been infected with spyware!" (no kidding) - and a genuine alert from her antivirus software (because the spyware had just attempted to install a trojan).

It struck me that one of the reasons that the fake spyware alerts are effective at fooling the average computer user is that they may not be sure what a genuine alert from their antivirus software looks like! Especially in a business environment, the end user may not have installed the software themselves, and quite possibly couldn't tell you which software is installed - or where to find the controls.

HOW DO YOU GENERATE A VIRUS WARNING without actually loading a virus on the computer? By using a file that the antivirus software vendors have generally agreed to treat as a virus, even though it isn't. The folks at EICAR (European Institute for Computer Anti-Virus Research) have a collection of files available to test your software. Try it yourself, and if you support a network, use it to educate your users!

(I know the EICAR test file is detected by Trend, Symantec, McAfee, Panda, and Kaspersky antivirus software. If your software doesn't detect the file as a virus, you might want to verify that your 'real time protection' is active. You do have antivirus software, don't you?)
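A help-desk check built on the EICAR test file, as an added example that is not part of the original post: the Python script below writes the standard 68-byte EICAR string to a temp file and reports whether real-time protection blocked, removed or ignored it. The `probe` function and the file name `av-selftest.com` are assumptions made for this example.

```python
import os
import tempfile
import time

# The standard 68-byte EICAR test string, split in two so that this script
# is not itself flagged by the scanner it is meant to exercise.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-" + b"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def probe(payload=EICAR, directory=None, wait_seconds=5.0, poll=0.5):
    """Write payload to disk and report how on-access scanning reacted.

    Returns 'write-blocked', 'removed', 'read-blocked', 'modified'
    or 'not-detected'.
    """
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, "av-selftest.com")  # constructed file name
    try:
        with open(path, "wb") as fh:
            fh.write(payload)
    except OSError:
        return "write-blocked"  # scanner (or permissions) refused the write
    try:
        deadline = time.monotonic() + wait_seconds
        while True:
            try:
                with open(path, "rb") as fh:
                    if fh.read() != payload:
                        return "modified"  # cleaned or truncated in place
            except FileNotFoundError:
                return "removed"  # deleted or moved to quarantine
            except OSError:
                return "read-blocked"  # file exists but access is denied
            if time.monotonic() >= deadline:
                return "not-detected"
            time.sleep(poll)
    finally:
        try:
            os.remove(path)  # clean up if the scanner left the file behind
        except OSError:
            pass


if __name__ == "__main__":
    result = probe()
    print("Real-time protection result:", result)
    if result == "not-detected":
        print("Test file was left untouched; check that real-time protection is active.")
```

Any result other than `not-detected` should also produce the antivirus product's own alert on screen, which is the one worth showing to users.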

Don't make the mistake of thinking someone's an idiot for clicking on a spyware popup if you've never shown them what a real virus warning looks like.

Training matters.
