
Security awareness training as a defense against phishing is dead. It has been dead for a while. The industry never held a funeral because the training budget is comfortable, the compliance box gets checked and no CISO wants to tell the board that the program everyone funds does not work.
The premise was simple. With enough education, users would learn to spot the tells. Misspelled words. Awkward phrasing. Sender domains that looked almost right. URLs that revealed something suspicious on hover. We trained a generation of employees to play Where’s Waldo with their inbox, scanning for the one visible artifact that would mark a message as malicious.
Those artifacts are gone. AI-generated attacks are fluent. The infrastructure behind them looks legitimate. The surface signals we trained users to rely on no longer exist. Even if they did, the model would still depend on something humans cannot deliver: sustained vigilance across hundreds of messages a day, every day, with a single lapse leading to compromise. No human attention system works that way.
