Phishing Simulations: Love Them or Hate Them?

Yes, okay… 99 out of 100 phishing emails might get caught by your spam filters, but there’s always that one that sneaks through. And there’s always that one employee who’s overworked, under pressure, and eager to help. :eyes:

All it takes is one click… details submitted… a 404 error… They think “Huh, strange,” and before they can process it, PING :bell:, another email grabs their attention.
The damage is done.

Phishing simulations are a little bit like Marmite for IT managers: you lot either love them or hate them, and I do totally get both sides.

I often hear from our clients “I can spot a phishing email a mile away. I’m expecting your test every month, so it doesn’t catch me off guard, phishing sims are pointless.”
Newsflash: That’s exactly the point.

If your team is always on the lookout for a simulation, they’re also on the lookout for the real thing.
Yes okay, I’ve seen phishing simulations done horribly wrong. But when they’re done right, they can have a lasting impact on your human security posture. :raising_hands:

On a less serious note, here’s my awful attempt at creating an image for this post and then giving it to ChatGPT (which of course smashed it out of the park)… to be honest I kinda like the ‘authenticity’, let’s say, of mine :sweat_smile:

