Where I work there is training software that is somewhat effective at preventing phishing - it actually sends out phishing emails itself. Then employees who fall for it are given extra training (in a no-fault sort of way).
Perhaps, but I'm also wary of these types of things, because I worry that people will feel embarrassed at being tricked, and will (maybe subconsciously) see the internal security team as the enemy, which is also a bad outcome.
I also worry that the emails might not represent real attack emails, and we end up training users to identify the test emails but not real attack emails.
Nothing is 100% secure. Having users fail to spot a phishing mail is very good training on general awareness, but no guarantee that they will not make mistakes under pressure.