A better approach is to implement anti-phishing measures way up in the chain -- at the MTA level itself. Simpler ideas like: stripping URLs from mail, stripping attachments if email origin is outside the organization, converting HTML email to plain-text, disallowing HTML email, yield substantial benefit in stopping phishing.
Basically, don't try to solve a problem by humans when it can be solved more efficiently by technology!
Phishing exercises are absolutely pointless in my experience and contribute zero to increasing the awareness. Shaming does not address the underlying human weaknesses that make us fall for phishing, they simply make the IT Guys look cooler, and increase CISOs' and Red Team budget. :-(
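As an added example (not code from the original thread), here is a minimal Python sanitizer for the MTA-level controls suggested above: it renders HTML to plain text, neutralises URLs, and drops attachments when the From domain is outside the organisation while re-attaching them for internal senders. It assumes a single internal domain (corp.example, a placeholder) and that sender authentication (SPF/DKIM alignment) has already been enforced upstream; a real deployment would hook this in as a milter or content filter.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser

INTERNAL_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
class _TextOnly(HTMLParser):  # keeps visible text, discards the markup (and href targets)
    def __init__(self): super().__init__(); self.parts = []
    def handle_data(self, data): self.parts.append(data)
def html_to_text(html):
    p = _TextOnly(); p.feed(html)
    return " ".join("".join(p.parts).split())
def is_external(msg):  # From-domain check; assumes SPF/DKIM alignment is enforced upstream
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower() != INTERNAL_DOMAIN

def sanitize(raw):
    # Plain-text copy: HTML -> text, URLs neutralised, attachments dropped for external senders.
    src = BytesParser(policy=policy.default).parsebytes(raw)
    external, body, kept, dropped = is_external(src), [], [], []
    for part in src.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            (dropped if external else kept).append(part)
        elif part.get_content_type() == "text/html":
            body.append(html_to_text(part.get_content()))
        elif part.get_content_type() == "text/plain":
            body.append(part.get_content().strip())
    out = EmailMessage()
    for h in ("From", "To", "Subject"): out[h] = str(src.get(h, ""))
    text = URL_RE.sub("[link removed]", "\n".join(body))
    if dropped:
        text += "\n\n[attachment(s) removed from external mail: %s]" % ", ".join(
            p.get_filename() or p.get_content_type() for p in dropped)
    out.set_content(text)
    for p in kept:  # internal senders keep their attachments
        out.add_attachment(p.get_payload(decode=True), maintype=p.get_content_maintype(),
                           subtype=p.get_content_subtype(), filename=p.get_filename())
    return out

# Constructed sample: an external HTML mail carrying a link and a zip attachment.
SAMPLE = (b"From: IT Helpdesk <helpdesk@mail-notice.example>\r\nTo: alice@corp.example\r\n"
          b"Subject: Password expiry\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=b1\r\n\r\n"
          b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<p>Reset <a href=\"https://login.example.net/x\">"
          b"here</a> or at https://login.example.net/x</p>\r\n--b1\r\nContent-Type: application/zip; name=invoice.zip\r\n"
          b"Content-Disposition: attachment; filename=invoice.zip\r\n\r\nUEsDBA==\r\n--b1--\r\n")
```

Running sanitize(SAMPLE) yields a single text/plain message whose body reads "Reset here or at [link removed]" followed by a note that invoice.zip was removed; the same message from a corp.example sender keeps the attachment but still loses the links.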
The best security is multi-layered. The human layer is the weakest part of any security system, and both technical and human measures must be taken to achieve defense in depth.
Some technical measures used here were requiring 2FA for all internal services, and scoping keys/POLP to limit the damage from one compromised key.
The purpose of exercises like these is not to shame someone who "fell for it", but to educate workers about phishing attacks and strengthen the human security layer.
Two decades of experience suggests that "strengthening human security by training" ain't happening, no matter how hard/smart you try. The technical controls have to be beefed up to a point where that human-weak-link is eliminated.
These tests are nothing but CISOs' (and Red Teams', and the whole industry around it) justifying their existence, and potentially doing a song-and-dance about it at the quarterly all-hands. Nothing more, nothing less. We can come back to this thread in another year/two years/five years/decade, and I can bet dollars-to-doughnuts, the industry will still be training humans, and claiming these pointless statistics about phishing. ;-)