We ran a social engineering assessment last year for a logistics company that had completed two rounds of security awareness training in the previous 18 months. The training vendor had reported good completion rates. The company had recently passed an internal audit. Then we ran a targeted phishing campaign against 40 people and within the first six hours had valid credentials for three accounts, including one with access to the finance system.
This is not unusual. It happens at organisations with good security awareness programmes, with educated staff, with IT teams that are genuinely trying. Understanding why it happens is more useful than citing it as evidence that training does not work.
Training teaches recognition, not resistance
Security awareness training typically teaches people to recognise suspicious emails. Look for mismatched sender domains. Watch for urgency. Check links before clicking. This is useful knowledge, and people who have it do better on average than people who do not.
The problem is that targeted phishing does not look like the examples used in training. When we run campaigns, we spend time on pretext: understanding who is likely to receive a particular kind of message, what would make it plausible to them specifically, what internal language and context we can incorporate to reduce suspicion. Generic training teaches people to spot generic attacks. Targeted attacks are not generic.
The technical controls matter more than the human layer
The most effective thing an organisation can do to limit phishing impact is not training; it is multi-factor authentication and conditional access policies. If a user submits credentials to a phishing page, MFA means those credentials alone do not provide access: the attacker also needs the second factor, which raises the cost of the attack considerably. The choice of factor matters, though. Push approvals, SMS codes and TOTP codes can be relayed in real time by an adversary-in-the-middle phishing proxy that sits between the user and the real login page and captures the resulting session, so they stop credential stuffing but not a well-run phish. Phishing-resistant factors such as FIDO2/WebAuthn security keys and passkeys bind the authentication response to the origin the browser is actually talking to, so a response produced on a lookalike domain is rejected by the real service. Conditional access adds a second limit on top: even a valid password or a captured session can be refused when it arrives from an unmanaged device or an unexpected location.
This is not an argument against training. Training and MFA are not in competition. But if an organisation has budget for one and not both, MFA reduces the consequence of a successful phish far more reliably than training reduces the probability of one.
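Why the kind of second factor matters, as an added example that is not code from the original post. It models three parties in memory: the real service (the relying party), a phishing proxy on a lookalike domain, and the victim's browser with its enrolled authenticator. The domains, seeds and keys are constructed for the example, and the authenticator's ECDSA signature is stood in for by HMAC-SHA256 over the same data a FIDO2 authenticator signs (authenticatorData followed by the SHA-256 of clientDataJSON); the origin check that defeats the relay is the same either way.

```python
"""TOTP relays through a phishing proxy; a WebAuthn assertion does not.

Added example, not the original post's code. The relying party, proxy and
browser are in-memory stand-ins; REAL_ORIGIN/PHISH_ORIGIN are constructed.
HMAC-SHA256 stands in for the authenticator's ECDSA signature.
"""
import hashlib
import hmac
import json
import os
import struct
import time

REAL_ORIGIN = "https://login.example.com"     # constructed
PHISH_ORIGIN = "https://login.examp1e.com"    # constructed lookalike


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): what a code-based factor sends."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class RelyingParty:
    """The real service: holds the user's TOTP seed and registered credential key."""

    def __init__(self) -> None:
        self.totp_seed = os.urandom(20)
        self.cred_key = os.urandom(32)          # stand-in for the registered public key
        self.rp_id_hash = hashlib.sha256(b"login.example.com").digest()
        self.pending = {}                       # outstanding challenges, single use

    def login_totp(self, password_ok: bool, code: str, now: int) -> bool:
        # A valid code is accepted regardless of who typed it into which page:
        # the RP cannot tell a relayed code from one entered directly.
        return password_ok and hmac.compare_digest(code, totp(self.totp_seed, now))

    def challenge(self) -> bytes:
        c = os.urandom(32)
        self.pending[c] = True
        return c

    def login_webauthn(self, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data)
        if not self.pending.pop(bytes.fromhex(cd["challenge"]), False):
            return False                        # unknown or already-used challenge
        if cd["type"] != "webauthn.get" or cd["origin"] != REAL_ORIGIN:
            return False                        # origin binding: the check a proxy cannot pass
        if auth_data[:32] != self.rp_id_hash:
            return False
        signed = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.cred_key, signed, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


class Browser:
    """Victim's browser plus authenticator, sharing the enrolled secrets by construction.

    The browser, not the page, writes the origin into clientDataJSON. (A real browser
    would refuse to use the credential for a non-matching RP ID at all; only the
    origin check is modelled here.)
    """

    def __init__(self, rp: RelyingParty) -> None:
        self.rp = rp

    def totp_code(self, now: int) -> str:
        return totp(self.rp.totp_seed, now)

    def webauthn_assert(self, origin: str, challenge: bytes):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}
        ).encode()
        auth_data = self.rp.rp_id_hash + b"\x01" + b"\x00\x00\x00\x01"  # flags: UP; counter 1
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.rp.cred_key, signed, hashlib.sha256).digest()
        return client_data, auth_data, sig


def relay_totp(rp: RelyingParty, victim: Browser, now: int) -> bool:
    """Proxy forwards the password and the live TOTP code within the 30 s window."""
    code = victim.totp_code(now)                # typed into the lookalike page
    return rp.login_totp(True, code, now)       # True: the relay works


def relay_webauthn(rp: RelyingParty, victim: Browser) -> bool:
    """Proxy starts a real login and asks the victim's browser to sign its challenge."""
    challenge = rp.challenge()
    cd, ad, sig = victim.webauthn_assert(PHISH_ORIGIN, challenge)
    return rp.login_webauthn(cd, ad, sig)       # False: origin is the lookalike


def direct_webauthn(rp: RelyingParty, victim: Browser) -> bool:
    """Same flow with the victim on the real site: the assertion is accepted."""
    challenge = rp.challenge()
    return rp.login_webauthn(*victim.webauthn_assert(REAL_ORIGIN, challenge))


if __name__ == "__main__":
    rp, victim, now = RelyingParty(), None, int(time.time())
    victim = Browser(rp)
    print("TOTP relayed through proxy:    ", relay_totp(rp, victim, now))
    print("WebAuthn relayed through proxy:", relay_webauthn(rp, victim))
    print("WebAuthn direct to real origin:", direct_webauthn(rp, victim))
```

The proxy wins the TOTP case without touching the code: it is simply the first party to present a valid one. In the WebAuthn case the proxy does everything right from its own side and still loses, because the value it cannot control is the origin the victim's browser writes into the signed client data.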
What assessments are actually for
A social engineering assessment does not measure how "secure" your staff are. It measures your current exposure given a realistic attacker model. The output is not a percentage to improve; it is a picture of the attack paths that currently exist and the controls that do or do not limit them.
The most useful post-assessment conversations are not about the click rates. They are about what happened after the click: did MFA prevent access? Did anyone escalate the suspicious email internally? Were the accounts that were compromised the ones with the most sensitive access? Those questions point to where the actual controls gaps are.
"The credential submission rate was not the interesting number. The interesting number was how long it took for anyone to report the email internally — and whether that report resulted in anything."
We always include a debrief that covers this. Not to assign blame to individuals who clicked, but to map the detection and response gaps that determine what an attacker could actually do after a successful phish.