I use Sophos Phish Threat to test employee security awareness. Essentially, my clients utilize Phish Threat to ensure that users are not clicking on suspicious emails or links. It is a simulated campaign that I set up, so it is not a major threat; however, it allows me to identify vulnerable human resources within an environment.
Sophos Phish Threat effectively identifies susceptible employees. It depends on knowing my staff. For example, if I receive an email claiming my Facebook account is compromised, I immediately recognize it as suspicious, as I don't have Facebook. If I know my staff use LinkedIn, I utilize the LinkedIn simulation. Similarly, if they bank with Absa, I use the Absa simulation.
There isn't a single 'one size fits all' approach. Sophos Phish Threat ensures users do not click on dodgy emails or dodgy links within an environment.