this post was submitted on 29 Mar 2025
976 points (98.9% liked)

iiiiiiitttttttttttt


you know the computer thing is it plugged in?

(page 2) 50 comments
[–] [email protected] 21 points 1 week ago (1 children)

Companies are damned if they do and damned if they don't. All the best security in the world will never prevent an attack from the universally weakest link - humans.

Best you can do is identify the humans that are likely to fall for it and remind them to be extra careful when clicking links in emails.

[–] [email protected] 5 points 1 week ago (1 children)

Better is to design your security so that if a human does click a dodgy link, the compromise is limited as much as absolutely possible.

[–] [email protected] 19 points 1 week ago

We also have anti-phishing campaigns in our company and usually I do pretty well with those, but last year, because of a running event, they sent a mail out in regards to free T-shirts for the event. Most of the company, including me, failed gloriously.

[–] [email protected] 10 points 1 week ago

This likely had several warning signs that can be used for even personal emails. 1) Is it too good to be true? Definitely in this example. Give me a gas card physically and I might believe it. 2) Look at the actual link before you click. If it's not part of the main domain for the company you're expecting, or not within the intranet at work, it's an automatic nope. 3) Any oddities in the message or images that seem wrong. Misspellings, pixelated logos, etc. This is the smallest red flag, as oftentimes getting a perfect email without any grammar or spelling issues means it didn't come from a manager; that seems to be a requirement.
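
The "look at the actual link" check from point 2 above, as an added example that is not part of the thread: it pulls every anchor out of an email body, compares the link's host against a constructed allow-list of company domains (the `example-corp.com` names and the sample message are assumptions made up for this snippet), and flags hosts that merely start with the company name or that differ from the URL shown in the link text.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list: domains this hypothetical company legitimately links to.
COMPANY_DOMAINS = {"example-corp.com", "intranet.example-corp.local"}

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL; '' when the string has no parseable host
    (plain text, javascript: or mailto: links)."""
    return (urlsplit(url.strip()).hostname or "").lower()

def is_company_host(host):
    # Trusted only if the host IS an allowed domain or a subdomain of one.
    # "example-corp.com.evil.net" fails even though it starts with the company
    # name, because the registrable part is evil.net.
    return any(host == d or host.endswith("." + d) for d in COMPANY_DOMAINS)

def check_links(html):
    """Return a list of (href, verdict) for every link in the message."""
    parser = _LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = host_of(href)
        if not is_company_host(host):
            verdict = "SUSPICIOUS: host not under a company domain"
        elif host_of(text) and host_of(text) != host:
            verdict = "SUSPICIOUS: displayed URL differs from real target"
        else:
            verdict = "OK"
        results.append((href, verdict))
    return results

# Constructed sample message modelled on the free T-shirt lure discussed above.
SAMPLE_EMAIL = """<p>Free T-shirts for the company run!
<a href="https://example-corp.com.evil-tracker.net/claim">Claim yours</a> or read the
<a href="https://intranet.example-corp.local/events/run">event page</a>.</p>"""
```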

[–] [email protected] 5 points 1 week ago (1 children)

I think this story may be told by an unreliable narrator.

We have no evidence that the email actually came from their job - that misidentification by Ki might be the problem that IT hopes training will solve.

[–] [email protected] 13 points 1 week ago* (last edited 1 week ago)

When a company sends fake phishing attempts, the links report back if they've been clicked. For them to get that report, their job would have had to send it.

How else would they know she fell for the bait unless she actually did get phished months ago and their IT traced a recent attack back to her, in which they gave her training instead of firing her?

The immediacy of the follow-up email indicates she was caught by a fake phishing attempt meant to catch employees before real attackers do.
