One of my former employers used a security company to regularly send out very well designed phishing emails with personalized links. Clicking a link or opening an attachment got you a call with IT plus a mandatory class in how to avoid phishing.

The success rate of those simulated attacks dropped drastically after the first few tries. Maybe if more companies did this it would also help fewer people to fall for it outside of work.