The weakest point of security in any organisation is the users, either due to a lack of awareness or security fatigue. Attackers know this, and they target users through email because with a working email address, a malicious but well-crafted attack could easily get in front of a vulnerable employee.  Attackers are also very determined, so they will continue to pursue a target-rich environment until they find a gap in defenses.  A recent Consumer Affairs article reports that as many as one-third of AV scanners failed to find malware samples in a two month test.  That's why attackers keep trying, even when they know a company has anti-virus protection in place. Read article