Welcome to the Next Generation of Corporate Phishing Scams

All it takes is for one employee to open and click on a bogus email to compromise a company’s corporate security.

Despite analyst estimates that companies will cumulatively spend more than $120 billion a year on cybersecurity, corporations are still facing an increase of hacking attacks and data breaches.

The problem, according to cybersecurity strategist Adenike Cosgrove of Proofpoint, is that much of this security spending is on technology products that aim to “secure” corporate networks and devices. What these tools can’t prevent is a random worker from being tricked by phishing attacks, she explained on Wednesday during Fortune’s Brainstorm Finance conference in Montauk, N.Y.

With companies spending more on cybersecurity products guarding corporate networks, criminals have wisened up and realized that they would be more successful if they were to individually target employees with scam emails, Cosgrove said. In some cases, these hackers know that certain employees based in company branch offices might have access to sensitive corporate systems, and so they plan their phishing scams accordingly.

Even worse, hackers are updating their phishing tactics to target even more workers, said Amy Chang, the head of strategic intelligence and cybersecurity operations for JPMorgan Chase.

Chang said that hackers were able to compromise an unnamed financial institution by calling an employee under the guise that the call was legitimate, a tactic known as vishing, as in “voice” and “phishing.” After building trust with the worker, the scammer directed the employee to open and click on a bogus email, thus compromising the company’s security.

“The evolution is definitely happening, and they incorporating a lot of new techniques,” Chang said about more sophisticated phishing scams.

It’s not all hopeless, however. Teaching employees how to recognize phishing and other cyber scams is very helpful, as long as the training is ongoing and not relegated to a one-time session, Cosgrove said.

But what about the poor employees who can’t catch on to scams? Should companies fire these untrainable workers because they pose a security risk?

“I think it’s too early to be at the point to say we fire people,” Cosgrove said.

More must-read stories from Fortune Brainstorm Finance:

—Brainstorm Finance 2019: Watch the livestream of the inaugural conference

—Bank of America CEO: “We want a cashless society”

—Tala CEO: How Facebook’s Libra cryptocurrency can help companies scale

—Charles Schwab CEO: Actually, we’re killing it with millennials

—Listen to our new audio briefing, Fortune 500 Daily

Sign up for The Ledger, a weekly newsletter on the intersection of technology and finance.