The URLs include some unique identifier that’s traceable to you. As far as my company is concerned, merely clicking it is grounds for security training.
Edit: I guess the argument is any page could contain an RCE.
Wow. If a single click is enough for a RCE, you've got bigger problems, IMHO. Basically, each and every website can hack into your infrastructure.
I'm not sure whether there are policy recommendations about phishing, but as far as I'm concerned a target would have failed if they entered private data somewhere, or opened downloaded documents or executables.
Edit: I guess the argument is any page could contain an RCE.