A take which I consider to be ice cold but which will be unbearably spicy to a lot of folks:

If you find out about someone clicking on a phish from a user report,

or if it matters -at all- that they clicked on a phish,

then you have failed to protect that user.

Saying that the user, who uses the system YOU set up, bears any responsibility in this scenario is purest DARVO.

Also, seriously, what kind of chucklefuck puts the boundary at "clicking on the phish"

It's 2024. Browser one-click system hijacks aren't a thing anymore now that there's an actual fucking security model in the major OSs now - and ain't anyone using zero-days on commercial customers anyway.

Your vuln surface is "putting the credentials in" and that's been covered for -years- now by, holy shit, MFA and credential managers.

This is not difficult. All of the issues around phishing are -extremely- solvable on the systems architecture and administration end; if phishing -matters- to your org then your org is set up wrong.

And yes, wrong. There is clearly a right way to do this.

@munin What about phishes that ask you to actually do the harmful action (e.g. wire money, reveal confidential information, ...) instead of getting you to provide credentials so that they can do the action?