Someone told me they did the same thing at their company: send out phishing emails to see who fell for it.
Those who did (management was disproportionately represented) had to attend some training lessons.
They re-sent another phishing email a few months later.
Most people who fell for it the first time fell again, despite the training.
I don't think additional training is needed, at least in an IT company. The fake-phishing success should be enough to make everyone who fell curious enough to at least research the subject.
What the company has to make sure to communicate clearly is that failure in the fake phishing test will not affect the employee's status in the company at all. But eventual failure in a real phishing event would have at least some consequences.
For non-IT companies, the training should begin and end with the message above, and in between should be short and concise, with ideas on how and where to learn more about the subject.