Spam filtering tools fall short with phishing attacks
Posted on 08 August 2012.
Enterprise users receive unfiltered phishing messages nearly every day of the week, and most of them are not properly trained to recognize or safely react to them, according to PhishMe.

More than two thirds (69%) of security professionals say they encounter phishing messages that get past anti-spam filters and reach users’ email boxes at least a few times a week, according to a survey of attendees conducted at the Black Hat USA conference two weeks ago. Almost a quarter of the respondents said they see such messages in users’ mailboxes multiple times every day.

Spear phishing has become a popular method of infecting enterprises with malware. In the survey, more than one quarter (27%) of security professionals said that top executives or other privileged users in their enterprises have been compromised by spear phishing attacks within the last 12 months.

Another 31% of security pros said they weren’t sure whether their executives or privileged users had been hit with such attacks.

With so many unfiltered phishing messages getting through, it is up to the end user to decide how to react – whether to open the message, click on a link, or delete the message before it can do any damage.

Most end users receive only a bare minimum of security awareness training. Nearly half (49%) of the respondents said their users receive training only once a year; nearly one tenth (9%) said their organizations have no security training programs at all.

Among organizations that do provide security training programs, many rely heavily on scripted, delayed forms of instruction that do not provide metrics to program managers and administrators, the survey said. In fact, three of the top four training methods listed by Black Hat attendees – recorded video/computer-based training (39.4%), paper tests/quizzes (32.9%), and handbooks/printed guides (28.5%) – are largely unsuccessful. Only 16% of security professionals train their users via simulated attacks (multiple responses were allowed).






Copyright 1998-2013 by Help Net Security.