Attackers have also almost eliminated one of their most obvious weaknesses. Gone are the days of lousy spelling and grammar that made phishing emails relatively obvious.
"They're using spellcheck, and they hire organizations to proofread their emails," he said. "That was a huge indicator in the past."
Finally, there is the rise of "vishing," in which an attacker makes a phone call, posing as someone from another department, to urge an employee to click on a link in an email without checking it thoroughly.
"This means sending the poisoned email to a secretary, and then calling her on the phone to 'confirm she received the email,' under pretense of having to communicate something important to the organization," said Mark Gazit, CEO of ThetaRay. "The adversary will typically stay on the line to make sure the employee launches the attachment."
Gazit said vishing attacks also include sending employees an SMS with a link to a phishing site or a spam message claiming that one of their payment cards has been blocked. "In the process of hastily responding to such a message, the victims end up divulging their banking credentials and PII to the attacker," he said.
The only effective "patch" for this rampant vulnerability, experts say, is better training. And that means changing the prevailing model that they say seems aimed more at "check-the-box" compliance than embedding continuous security awareness in employees.
"Training should not be an 'event,'" Payton said. "We need to move from training to positive reinforcement. Candidly, most of the training we see falls into the 'they snooze, you lose' category of computer-based training."
She recommends creating a "feedback loop" for employees to "tell us why our security protocols get in the way of doing your job; an emotional trigger, to let us show you how following our advice protects you at work and at home; and offering something more than a compliance exercise."
Hadnagy said effective training has to include "real-world" examples. "We do impersonations during business hours to gain access to the building," he said. "The goal is not to make people look stupid, but to show weak spots and what you need to do to strengthen them."
Gazit also said "one-time, boot camp-style training for large groups" doesn't work. "These one-off blasts overload employees with information that they don't really relate to, so they tend to forget it as soon as they are back at their desks," he said.
And he agreed with fellow experts that employees need to feel that the training is relevant. "Executives, accountants, administrators and plant workers are not all subject to the same cyber threats, so training must help each group learn how to recognize and handle the specific threats they are most likely to encounter," he said.