There is wide acceptance within the IT security field that technical measures alone cannot stop all malicious email attacks, and that good training of staff is necessary.[2]
Phishing simulations are sometimes compared to fire drills, in that they give staff regular practice in correct behaviour.[7]
The standard advice is that "failing" staff should not be shamed in any way, but that it is appropriate and reasonable to provide supportive follow-up training.[8][9][10]
Some techniques that may be effective, and that are in use by malicious actors, are normally avoided in simulated phishing for ethical or legal reasons.
Because organisations generally have multi-layered defences in place to block real phishing, simulations often require allow-list (whitelist) entries at email gateways, anti-virus software and web proxies so that the simulated messages reach users' desktops and devices and can be acted upon.
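The allow-listing just described is itself a risk if it is scoped too loosely: a rule that exempts everything from the simulation vendor's sender domain would also exempt a real attacker who spoofs that domain. The following added example (not code from the article or from any simulation product) sketches a gateway-side check that only exempts a message when the connecting IP, the sender domain and a per-message token all match. The vendor domain `sim.example.net`, the TEST-NET address range `203.0.113.0/24`, the header name `X-Phish-Sim-Token` and the shared secret are hypothetical placeholders.

```python
# Added example (not from the article): a narrowly scoped gateway allow-list
# for simulated phishing mail. The vendor domain, IP range, header name and
# shared secret below are hypothetical placeholders.
import hmac
import ipaddress
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr


@dataclass(frozen=True)
class SimulationAllowRule:
    sender_domains: frozenset   # domains the simulation vendor sends from
    source_networks: tuple      # ip_network objects the vendor connects from
    header_name: str            # header carrying a per-message token
    shared_secret: bytes        # secret agreed out of band with the vendor


def sign_message_id(secret: bytes, message_id: str) -> str:
    """Token the vendor places in the header: an HMAC over the Message-ID,
    so a token copied from one message is useless on any other message."""
    return hmac.new(secret, message_id.encode(), "sha256").hexdigest()


def is_allowed_simulation(raw_message: str, connecting_ip: str,
                          rule: SimulationAllowRule) -> bool:
    """Return True only when every factor matches: source network, sender
    domain and a valid per-message token. Any mismatch means the message
    gets the gateway's normal filtering rather than the exemption."""
    ip = ipaddress.ip_address(connecting_ip)
    if not any(ip in net for net in rule.source_networks):
        return False                      # not delivered from the vendor's range
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in rule.sender_domains:
        return False                      # From header is not a registered domain
    message_id = msg.get("Message-ID", "")
    token = msg.get(rule.header_name, "")
    if not message_id or not token:
        return False                      # token or Message-ID missing
    expected = sign_message_id(rule.shared_secret, message_id)
    return hmac.compare_digest(token, expected)   # constant-time comparison


# --- constructed sample data (hypothetical vendor, TEST-NET address range) ---
RULE = SimulationAllowRule(
    sender_domains=frozenset({"sim.example.net"}),
    source_networks=(ipaddress.ip_network("203.0.113.0/24"),),
    header_name="X-Phish-Sim-Token",
    shared_secret=b"placeholder-shared-secret",
)


def build_message(from_addr: str, message_id: str, token: str) -> str:
    """Build a minimal RFC 5322 message for the samples below."""
    return (
        f"From: IT Helpdesk <{from_addr}>\r\n"
        "To: staff@corp.example\r\n"
        "Subject: Password expiry notice\r\n"
        f"Message-ID: {message_id}\r\n"
        f"{RULE.header_name}: {token}\r\n"
        "\r\n"
        "Please review the attached notice.\r\n"
    )


# Genuine simulation message: vendor domain plus a correctly signed token.
GOOD_ID = "<sim-0001@sim.example.net>"
GOOD_MESSAGE = build_message("helpdesk@sim.example.net", GOOD_ID,
                             sign_message_id(RULE.shared_secret, GOOD_ID))

# Look-alike message: same From domain and header name, but the token was not
# produced with the shared secret, so it must not be exempted.
LOOKALIKE_ID = "<sim-0002@sim.example.net>"
LOOKALIKE_MESSAGE = build_message("helpdesk@sim.example.net", LOOKALIKE_ID,
                                  "0" * 64)


if __name__ == "__main__":
    print("vendor message, vendor IP:   ",
          is_allowed_simulation(GOOD_MESSAGE, "203.0.113.10", RULE))
    print("look-alike, vendor IP:       ",
          is_allowed_simulation(LOOKALIKE_MESSAGE, "203.0.113.10", RULE))
    print("vendor message, foreign IP:  ",
          is_allowed_simulation(GOOD_MESSAGE, "198.51.100.7", RULE))
```

The same three-factor idea carries over to the anti-virus and web-proxy exemptions the paragraph mentions: tie each exemption to something the vendor controls and an attacker does not (a fixed source range, a signed token, a specific landing-page host), and log every exemption decision so that a mis-scoped rule shows up in review rather than in an incident.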