I just listened in on a great webcast by John Strand, one of SANS' lead instructors on their penetration testing courses. John spends an hour discussing the latest tools and techniques for conducting human-based penetration testing, specifically phishing and spear phishing. If you are involved in penetration testing and/or awareness training, this is a great resource. What I found most valuable is halfway through, where John focuses on the different levels of human testing (he breaks it down into three levels) and stresses the importance of starting with the basic level. I could not agree more; I find this point key. If you spend enough time and research targeting an individual or organization, you can craft the perfect email that will fool anyone, and no one learns from such an event. John explains why it's important to start with basic emails, ones that almost anyone should detect (but still don't). For example, whenever I craft phishing emails as part of an assessment, I make sure there are at least three ways people could have easily figured it out (and no, analyzing email headers is not considered an 'easy' way to figure it out). Then I make sure to point these 'faults' out after the assessment so people can learn.
Anyway, listen to the webcast yourself. You can grab the webcast archive from the Core Security website.