
Speaking from experience at a major infosec company, the impression I got internally was "we offer phishing tests, but we don't recommend them, because phishing succeeds 100% of the time".

So I'm confused by the idea "even infosec people think training will stop this".



I disagree. There are services that regularly send fake phishing emails on a regular basis. If they click a link or fail to flag enough emails, their boss gets notified that more training is necessary.

At the bank that I see this used at, the employees are far less trusting of emails and such.

Training works if it's done right.


Yes, I've been involved with such a program before, and it definitely helps a lot. Phishing email click rates go way down.

This is carefully planned phone-based spear phishing, though, and that's a lot tougher to protect against. It can be easy for a skilled con artist to gain someone's confidence over the phone, no matter how much you warn about vishing (voice phishing). I'm sure training can still help there, but attackers just keep trying again and again until they find someone it works on.


Same principle can apply though. If email phishing can be simulated and used as training, voice can be added to that training drill.

Any successful attack vector can be turned into a training scenario and repeated until better responses are trained into the target group.

Military casualty drills are very effective at instilling near instinctive responses... same principle applies.


Absolutely. It's just that highly motivated, targeted, and sophisticated social engineering is really tough to totally prevent. It just takes one person to fall for it, and the attackers can keep cycling through people (quickly, to get ahead of company-wide warnings about the social engineering attempts) until they succeed.


Training does work to reduce the amount of successful untargeted attacks. For spear-phishing it's hit and miss depending on how good the attack is, but a good enough attack will work against almost anyone. As someone that sees really well crafted phish, I can tell you I myself will fall for a good phish. It has to do with eliminating the element of surprise; if I didn't expect the email I will assume it's a phish. But if rapport is built and the subject is something very specific only a few people are privy to, then my guard will be lowered. Business email compromise comes to mind: they just reply to an existing thread with a link to a trusted site like onedrive.


Fake phishing emails work to remind users to check emails. Ask me how I know :-)

I also believe if a real phishing email makes it to a user then there’s a problem. Some of the real ones I get were easy to spot, “we tried to deliver a package” or “your order is on its way” type stuff. Spam filters should’ve picked them up.
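The two patterns raised in this thread, the cheap "we tried to deliver a package" lure that a filter should catch and the business email compromise reply that rides an existing thread with a link to a trusted file-sharing site, can both be expressed as simple mail-filter heuristics. The following is an added example, not code from the thread or from any product mentioned in it; the subject patterns, the file-sharing host list, and the three sample messages are constructed for illustration, and the `thread_senders` set stands in for whatever record of prior thread participants a real gateway would keep.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Subject lines of the generic, untargeted lures the comment mentions
# (patterns are an assumption for this example).
LURE_SUBJECT_PATTERNS = [
    re.compile(r"tried to deliver .*package", re.I),
    re.compile(r"your order is on its way", re.I),
]

# File-sharing hosts a BEC reply may link to so the link itself looks trustworthy
# (host list is an assumption for this example).
FILE_SHARE_HOSTS = ("onedrive.live.com", "1drv.ms", "sharepoint.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(msg):
    """Domain part of the From address, lower-cased."""
    addr = msg.get("From", "")
    return addr.split("@")[-1].strip("> ").lower()


def links_to_file_share(text):
    """True if any URL in the body points at a known file-sharing host."""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            return True
    return False


def classify(raw, thread_senders):
    """Return the list of reasons a message is suspicious (empty means clean).

    thread_senders: domains already seen on the thread this message replies to.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    # Heuristic 1: generic delivery/order lure in the subject line.
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in LURE_SUBJECT_PATTERNS):
        reasons.append("generic-lure-subject")

    # Heuristic 2: a reply into an existing thread from a domain that was never
    # on the thread, carrying a link to a file-sharing site.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    is_reply = bool(msg.get("In-Reply-To"))
    if is_reply and sender_domain(msg) not in thread_senders and links_to_file_share(text):
        reasons.append("thread-reply-from-outside-domain-with-file-share-link")

    return reasons


# Constructed sample messages (not real mail).
PACKAGE_LURE = """From: notice@parcel-update.example
To: alice@corp.example
Subject: We tried to deliver your package
Content-Type: text/plain

Click to reschedule: http://parcel-update.example/redeliver
"""

BEC_REPLY = """From: bob@corp-example.co
To: alice@corp.example
Subject: Re: Q3 vendor contract
In-Reply-To: <thread-123@corp.example>
Content-Type: text/plain

Alice, updated draft here: https://onedrive.live.com/redir?id=abc
"""

LEGIT_REPLY = """From: bob@corp.example
To: alice@corp.example
Subject: Re: Q3 vendor contract
In-Reply-To: <thread-123@corp.example>
Content-Type: text/plain

Thanks, see the draft: https://onedrive.live.com/redir?id=abc
"""

if __name__ == "__main__":
    known = {"corp.example"}
    for name, raw in (("package lure", PACKAGE_LURE), ("BEC reply", BEC_REPLY), ("legit reply", LEGIT_REPLY)):
        print(name, "->", classify(raw, known) or "clean")
```

The second heuristic is the one that matters for the thread's BEC point: the link destination is a legitimate service, so a URL reputation check passes, and what gives the message away is that a reply to an internal thread arrives from a domain that was never part of that thread. Real gateways keep richer thread state than a set of domains, but the check reduces to the same comparison.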


I think badrabbit should have said "even some infosec people think training will stop this".

As is, the grammar is ambiguous as to whether badrabbit meant "some" or "all".


I meant many, not all.


Maybe an infosec company is different from infosec at $bigcorp. I worked at a few places and the sentiment is the same.



