If the users are trained, or to use a stronger term, conditioned to spot random abnormalities, there is a greater chance that a passive Phishing attack will fail. But no one is perfect, and targeted Phishing attacks will succeed eventually.
This is why users should be encouraged to report not only the attempt, but any failures as well without the fear of punishment. This engagement will help lower the time it takes to address the incident, and in some cases, it could actually prevent an incident from exploding into a monumental disaster.
Users are often snickered at for trading their passwords for candy during social engineering experiments. However, this willingness to do a task that takes little effort in exchange for something of value works both ways.
The user who will trade access for sugar is also someone that can be trained to spot attacks for gift cards, and financially, that's affordable when compared to the cost of mitigating a data breach.
Sign up for Computerworld eNewsletters.