Like any business, phishing continues to evolve and adapt to maintain its profitability, and the security professional's job keeps getting bigger. Only a few organizations are willing to spend the money on consultants or larger teams, so the security pros in these companies have to be jacks-of-all-trades. Clearly, the best option is a phishing education and testing program facilitated by people who understand the ins and outs of the trade. After understanding the nature and scope of phishing, the ultimate goal is to develop a coherent program that regularly tests and educates the organization on identifying and properly responding to phish in the wild. Goal-setting is a fundamental part of having a phishing program, and it is highly dependent on the organization's culture and leadership. Good education has lots of benefits for both the employer and the employee.