Employees are often the first line of defence against cybercriminals, but despite in-house anti-phishing training in an increasing number of companies, many keep clicking. Why is that? In most cases it is not a deliberate action on the part of the employee, unless they are an aggrieved former employee that still has access to the company system. It just means the in-house training, or in many cases, random email warnings, have failed to hit home.