
I work at a firm that creates and sends these phishing tests for our clients. Prior to doing this type of work we always assess the "tone at the top" regarding the culture of the workplace, to assess the suitability of doing these tests.

However, if there are staff that repeatedly fail these tests and receive constant training, then that's a question for the business in how willing they are to accept the risk.

Given that there are tools that can quite often successfully block these types of emails before they get to the end user, most often when we are crafting these emails we need to ask the IT teams to unblock the domain.

In my opinion, I think in most cases no; however, depending on the industry and the strike rate, you might have a case for it at some point.


