After several years of running phishing programs and working with other organizations on theirs, I'm starting to notice a trend. Sooner or later everyone falls victim to a phishing assessment. Heck, even I fell victim to a phishing assessment once, and it was my own assessment (happy to share that story, but the price is a beer at a local con). Here is the interesting part though: most people only fail once. It is almost as if failing a phishing test is a rite of passage; once you fall victim you truly remember the incident, rarely if ever to fall victim again. The majority of people who I see falling victim each month are new hires. As they are new to the organization and new to awareness, they too have to experience failure to learn and grow from the experience (and change their behaviors).
So next time you run a phishing assessment, check to see how many of the people who fell victim are new hires. If they did fall victim, in some ways it's a good thing, as they are far less likely to fall victim again in the future.