https://www.bleepingcomputer.com/news/security/how-end-user-phishing-training-works-and-why-it-doesnt/

It always takes two for a phishing attack to work – an attacker to send the bait and an insider to take it. Almost every organization carries out some form of security and awareness training (SAT) to try and tip this balance in favor of the employees in their organization.

Because if we can train end-users on the tell-tale signs of a phishing email, they’ll stop clicking on them, right? IT security teams know this is rarely true.