
A few years ago our annual corporate phishing training was initiated by an email sent from a random address asking us to log in with our internal credentials on a random website.

A week later some executive pushing the training emailed the entire company saying that it was unacceptable that nobody from engineering had logged into the training site and spun some story about regulatory requirements. After lots of back and forth they still wouldn't accept that it obviously looked like a phishing email.

Eventually when we actually did the training, it literally told us to check the From address of emails. I sometimes wonder if it was some weird kind of performance art.



It’s all just box ticking and CYA compliance.

“We got pwned but the entire company went through a certified phishing awareness program and we have a DPI firewall. Nothing more we could have done, we’re not liable.”


I agree, but I really wonder where on earth they find these people.


If you're talking about the companies who provide the "training", either they're the lowest bidder, closely linked to someone who is buddies with someone important in the company [0], or both.

[0] ...so the payments serve the social function of enriching your buddy and improving your status in the whole favor economy thing...


I once got a "log into phishing training" email which spoofed the company address. No one even saw the email, it instantly hit the spam filter.

Our infra guy then had to argue with them for quite a while to just email from their own domain, and that no, we weren't going to add their cert to our DNS and let a third party spoof us (or however that works, idk). Absolutely shocking lack of self awareness.


When they send out the phishing-simulation email campaign from the "compromised insider account" it's going to fool a lot more people!


If Kevin Mitnick shows up or is referenced then I’m pretty sure it’s performance art.


If only, it would've been an honour to get phished by Mitnick. Rest in peace...


Years of useless KnowBe4 trainings with him in the video have given me a twitch whenever I hear him referenced.


I can't pass phishing training on my first try because it often has bad advice as answers they are convinced are correct. Reading headers is one such gem.
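Several comments above touch the same mechanism from different angles: the training told staff to "check the From address", one team refused to publish DNS records that would let a vendor send mail as the company domain, and the last comment calls "reading headers" bad advice. As an added illustration (not code from any commenter, and not tied to any real vendor), the script below shows what a mail gateway or a careful reader actually gets from headers: the visible From domain, the envelope sender (Return-Path), and the receiving server's Authentication-Results, and whether SPF or DKIM is aligned with the From domain in the DMARC sense. The two messages are constructed samples; the domains `example.com` and `vendor-training.example.net` are placeholders, and "organizational domain" is approximated by the last two labels, which is a simplification of the public-suffix rule.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): visible From is the company domain,
# but the envelope sender and the authenticated domains belong to a third party
# that the company's DNS does not authorize, so DMARC alignment fails.
SAMPLE_UNALIGNED = """\
Return-Path: <bounce@vendor-training.example.net>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=vendor-training.example.net;
 dkim=pass header.d=vendor-training.example.net;
 dmarc=fail header.from=example.com
From: "IT Security" <it-security@example.com>
To: staff@example.com
Subject: Mandatory phishing awareness training

Please log in with your corporate credentials at the link below.
"""

# Constructed sample: the same From, but signed with a DKIM key for the
# company's own domain, so at least one authenticated identifier aligns.
SAMPLE_ALIGNED = """\
Return-Path: <bounce@mail.example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mail.example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "IT Security" <it-security@example.com>
To: staff@example.com
Subject: Mandatory phishing awareness training

Please log in with your corporate credentials at the link below.
"""


def header_domain(value: str) -> str:
    """Return the lower-cased domain part of an address header value."""
    _, addr = parseaddr(value)
    return addr.rpartition("@")[2].lower()


def registrable(domain: str) -> str:
    """Approximate the organizational domain by the last two labels (simplification)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_authentication_results(value: str) -> dict:
    """Parse an RFC 8601 style Authentication-Results header into
    {method: {'result': ..., 'prop': value, ...}}. The first ';' separated
    segment is the authserv-id and is skipped."""
    value = re.sub(r"\s+", " ", value).strip()
    segments = [s.strip() for s in value.split(";") if s.strip()]
    results = {}
    for seg in segments[1:]:
        tokens = seg.split()
        if "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val.lower()
        results[method.lower()] = props
    return results


def assess(raw_message: str) -> dict:
    """Report From/Return-Path domains and whether SPF or DKIM aligns with From."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = header_domain(str(msg.get("From", "")))
    return_path_domain = header_domain(str(msg.get("Return-Path", "")))
    auth = parse_authentication_results(str(msg.get("Authentication-Results", "")))

    spf = auth.get("spf", {})
    dkim = auth.get("dkim", {})
    # Relaxed alignment: the authenticated domain shares the organizational
    # domain with the visible From domain.
    spf_aligned = (spf.get("result") == "pass"
                   and registrable(spf.get("smtp.mailfrom", "")) == registrable(from_domain))
    dkim_aligned = (dkim.get("result") == "pass"
                    and registrable(dkim.get("header.d", "")) == registrable(from_domain))

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spf": spf.get("result"),
        "dkim": dkim.get("result"),
        "dmarc": auth.get("dmarc", {}).get("result"),
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "verdict": "aligned" if (spf_aligned or dkim_aligned) else "unaligned",
    }


if __name__ == "__main__":
    for label, sample in (("unaligned", SAMPLE_UNALIGNED), ("aligned", SAMPLE_ALIGNED)):
        print(label, assess(sample))
```

The point for a defender is the one the DNS comment makes: a vendor can only send mail that passes as `example.com` if `example.com` publishes SPF or DKIM records authorizing it, and if it does, the gateway has no header-level way to tell that vendor's mail from an actual insider message. A third-party "From" that fails alignment is exactly what the spam filter in the earlier comment caught.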



